Attacked by hundreds of trojans [Solved]


#1
lilsweetness94

I have been having a problem with my PC for a few days now. Getting many pop-ups and computer would freeze. My task manager would not come on when I hit Ctrl-Alt-Del to get rid of pop-ups... it would say task manager was disabled by administrator, which we never disabled. My desktop background finally turned into a warning that I had to fully scan my computer for infectious virus and then it turned blue. Norton Antivirus was finding and healing things but nothing would work. Finally when I tried to connect to the internet it said page cannot be displayed and I ran a diagnostic through Windows, it came up that a WEB Guardian was not letting me access my internet for me to remove yes or no. So I clicked yes and then I was prompted to restart and I was able to access computer. How can I keep these from attacking my computer? I ran Malwarebytes and have a log if you would like to see that. I cleaned over 300 infected objects on my PC.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:09:43 AM, on 1/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo....?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {AACD7047-0D61-450C-BC22-5A8C59228DBE} - (no file)
O2 - BHO: (no name) - {E89B71D5-1173-4250-835D-3CFEE9E713C8} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.exe" /run
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "c:\documents and settings\hp_administrator\application data\install_en[1].exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [yuwawegodi] Rundll32.exe "C:\WINDOWS\system32\sinayupo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yuwawegodi] Rundll32.exe "C:\WINDOWS\system32\sinayupo.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O15 - Trusted Zone: www.select2perform.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/...erInstaller.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: c:\windows\system32\mirajuva.dll,c:\windows\system32\hebisiga.dll,c:\windows\system32\mupalahu.dll,C:\WINDOWS\system32\sumovena.dll,c:\windows\system32\bonalopi.dll,xuflhn.dll
O20 - Winlogon Notify: ddcAppmn - ddcAppmn.dll (file missing)
O20 - Winlogon Notify: fccaaba - fccaaba.dll (file missing)
O20 - Winlogon Notify: fihhigrw - fihhigrw.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 8547 bytes



Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Adobe Reader Chinese Simplified Fonts
Adobe Shockwave Player
Agere Systems PCI Soft Modem
Apple Mobile Device Support
Apple Software Update
Blackhawk Striker 2 from HP Media Center (remove only)
Blasterball 2 from HP Media Center (remove only)
Blasterball 2 Holidays from HP Media Center (remove only)
Blasterball 2 Remix from HP Media Center (remove only)
Bonjour
Bounce Symphony from HP Media Center (remove only)
CleanUp!
Crystal Maze from HP Media Center (remove only)
DVD Shrink 3.2
Easy Internet Sign-up
Enhanced Multimedia Keyboard Solution
Final Drive Nitro from HP Media Center (remove only)
GemMaster Mystic
Help and Support Additions
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP Deskjet Printer Preload
HP Image Zone 4.8.6
HP Image Zone for Media Center PC
HP Image Zone Plus 4.8.6
HP Photosmart Cameras 4.5
HP PSC & OfficeJet 4.7
HP Software Update
HPIZplus450
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
IntelliMover Data Transfer Demo
InterActual Player
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 12
Java™ 6 Update 7
Lexibox Deluxe from HP Media Center (remove only)
Malwarebytes' Anti-Malware
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Meeting 2007
Microsoft Office Professional Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Norton AntiVirus
Otto
Overball from HP Media Center (remove only)
PC-Doctor for Windows
Phoenix Assault from HP Media Center (remove only)
Photosmart 320,370,7400,8100,8400 Series
Polar Bowler from HP Media Center (remove only)
Polar Golfer from HP Media Center (remove only)
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RealPlayer
Remove Microsoft Money 2005 installer
Remove Quicken New User Edition installer
Safari
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Shooting Stars Pool from HP Media Center (remove only)
Slyder from HP Media Center (remove only)
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Super Granny from HP Media Center (remove only)
Tradewinds from HP Media Center (remove only)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
Updates from HP
Windows Media Player 10 Hotfix [See KB889858 for more information]
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB895678
Windows XP Service Pack 3
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger

Edited by lilsweetness94, 20 January 2009 - 03:17 AM.


#2
heir

Hello lilsweetness94 !

Welcome to the site! :) My nickname is heir and I'll be helping clean up your computer. :)

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Malware Removal - HijackThis™ Logs Go Here.
  • Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
  • When posting logs, please ensure Word Wrap is turned off in Notepad (to check, open Notepad, click on Format in the menu bar, and make sure that Word Wrap is unchecked).
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
  • Make sure you reply to this thread using the Add Reply button.

Please read my posts completely before following the instructions.
It may be easier for you if you copy and paste a post to a new text document or print it for reference later.
This is required when you won't have access to the Internet.

"i ran malware bytes and have a log if you would like to see that. I cleaned over 300 infected objects on my PC"

Please do that, while I review your log.

#3
lilsweetness94

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

1/19/2009 11:03:45 PM
mbam-log-2009-01-19 (23-03-45).txt

Scan type: Quick Scan
Objects scanned: 57363
Time elapsed: 7 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 169
Registry Values Infected: 17
Registry Data Items Infected: 2
Folders Infected: 26
Files Infected: 119

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{875a1348-7674-42aa-adac-b4f36a004a2d} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mywebsearchservice (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mywebsearchservice (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\mywebsearchservice (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mywebsearchservice (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\browsingsoftware (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6fdc8e4c (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch email plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch email plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{11a69ae4-fbed-4832-a2bf-45af82825583} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bbb05d9e-0297-404d-a6bf-d8f2876b84a6} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\my web search bar search scope monitor (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\4.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\5.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Insider (Adware.DnsInsider) -> Quarantined and deleted successfully.
C:\Program Files\Insider\bak (Adware.DnsInsider) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingSoftware (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\fihhigrw.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tppyjjiy.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3DTACTL.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3HISTSW.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3HTMLMU.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3POPSWT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3MSG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3HTML.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3OUTLCN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3SKIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3SCRCTR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\5.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3CJPEG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3HTTPCT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3REPROX.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\MWSOEPLG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3IMSTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3PSSAVR.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3RESTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\F3WPHOOK.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\FWPBUDDY.PNG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3HIGHIN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3IDLE.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3IMPIPE.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3MEDINT.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3SKPLAY.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3SLSRCH.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\M3SRCHMN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\4.bin\NPMYWEBS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\000776B4 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\04787831 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\047882FE.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\04788ABF.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\04788BD8.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\04788D8D.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\14B334DC.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\14B337AB.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\14B33A4B.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\14B346BF.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\1524CB89.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\1524D06B.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\1524D194.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\1524D2DC.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\1524D405 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\CM.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\WB.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr\History\allowed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\PopSwatr\History\notallow (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\0618B2E1.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\16B0598F.urr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\0617CCB7.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\1C969E77.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn-new.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingSoftware\BrowsingSoftware.dat (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingSoftware\pcre3.dll (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingSoftware\uninstall.exe (Adware.PlayMP3Z-biz) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyAtRiJ.dll (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMeETlI.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBstrqN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnlifeC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efccdbAS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifcYSMC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifgDsTK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJCTMca.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayxwXnk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqRIXPg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUlihFU.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk (Rogue.Link) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

1/19/2009 11:35:19 PM
mbam-log-2009-01-19 (23-35-19).txt

Scan type: Quick Scan
Objects scanned: 57412
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.

#4
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Let's start cleaning this mess up then. :)

Step 1.
Run ComboFix:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 2.
Scan with Lop S&D:

Disable resident protections (Antivirus...); you'll re-enable them after the scan.

Download Lop S&D here and save it to the desktop.

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

Step 3.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.
  • The content of C:\lopR.txt from step 2.


#5
lilsweetness94

    Member

  • Topic Starter
  • 24 posts
Here are the logs for C:\ComboFix.txt from step 1.
The content of C:\lopR.txt from step 2.





ComboFix 09-01-19.05 - HP_Administrator 2009-01-20 1:29:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.579 [GMT -8:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Live Safety Center.lnk
c:\documents and settings\HP_Administrator\Application Data\FunWebProducts
c:\windows\system32\aahatlhy.dll
c:\windows\system32\adbyglnt.dll
c:\windows\system32\adilukil.ini
c:\windows\system32\afijipok.ini
c:\windows\system32\atudadij.ini
c:\windows\system32\avafiyer.ini
c:\windows\system32\ayodalip.ini
c:\windows\system32\ccbeg.ini
c:\windows\system32\ccbeg.ini2
c:\windows\system32\civsadev.ini
c:\windows\system32\csrpde.dll
c:\windows\system32\devspdyn.ini
c:\windows\system32\dffMlnpo.ini
c:\windows\system32\dffMlnpo.ini2
c:\windows\system32\djgcenhq.ini
c:\windows\system32\ebenimit.ini
c:\windows\system32\efureyiy.ini
c:\windows\system32\eskgofvk.ini
c:\windows\system32\hnoknl.dll
c:\windows\system32\htvhaojc.ini
c:\windows\system32\igawusuw.ini
c:\windows\system32\ijeyukid.ini
c:\windows\system32\iwitesod.ini
c:\windows\system32\iwudebez.ini
c:\windows\system32\jbjyvnap.ini
c:\windows\system32\kpmkrmwa.ini
c:\windows\system32\lkixtdch.dll
c:\windows\system32\mwgwiybj.ini
c:\windows\system32\nfhqllaa.ini
c:\windows\system32\nqngjasw.ini
c:\windows\system32\ogakofop.ini
c:\windows\system32\ojkwtlud.dll
c:\windows\system32\onipiyis.ini
c:\windows\system32\opafafuf.ini
c:\windows\system32\osojegey.ini
c:\windows\system32\pkerltqu.ini
c:\windows\system32\rupbkipd.ini
c:\windows\system32\sacjyknl.ini
c:\windows\system32\test.ttt
c:\windows\system32\tncxgoba.dll
c:\windows\system32\tvcfcpbm.ini
c:\windows\system32\uditezay.ini
c:\windows\system32\uduburuh.ini
c:\windows\system32\umezozak.ini
c:\windows\system32\umuwenak.ini
c:\windows\system32\uniboyil.ini
c:\windows\system32\uniq.tll
c:\windows\system32\uyiyugon.ini
c:\windows\system32\vxhotjet.ini
c:\windows\system32\win32hlp.cnf
c:\windows\system32\wyredc.dll
c:\windows\system32\xntpbaeu.ini
c:\windows\system32\yxlbhcgh.ini
c:\windows\system32\YxyayGgh.ini
c:\windows\system32\YxyayGgh.ini2
c:\windows\Tasks\ephndtne.job
D:\Autorun.inf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-20 00:09 . 2009-01-20 00:09 <DIR> d-------- c:\program files\Trend Micro
2009-01-19 22:55 . 2009-01-19 22:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-19 22:55 . 2009-01-19 22:55 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-01-19 22:55 . 2009-01-19 22:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-19 22:55 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-19 22:55 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 21:14 . 2009-01-19 21:14 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-01-19 21:11 . 2009-01-19 21:11 <DIR> d-------- c:\windows\ERUNT
2009-01-19 20:59 . 2009-01-19 21:34 <DIR> d-------- C:\SDFix
2009-01-19 18:12 . 2009-01-19 18:12 <DIR> d-------- c:\program files\Symantec
2009-01-19 18:12 . 2009-01-19 18:12 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-19 18:12 . 2009-01-19 18:12 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-01-19 18:12 . 2009-01-19 18:11 36,272 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-01-19 18:12 . 2009-01-19 18:12 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-19 18:12 . 2009-01-19 18:12 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-01-19 18:11 . 2009-01-19 18:11 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-01-19 18:11 . 2009-01-19 18:11 <DIR> d-------- c:\program files\Windows Sidebar
2009-01-19 18:11 . 2009-01-19 18:11 <DIR> d-------- c:\program files\NortonInstaller
2009-01-19 18:11 . 2009-01-19 18:11 <DIR> d-------- c:\program files\Norton AntiVirus
2009-01-19 18:01 . 2009-01-19 18:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2009-01-19 02:00 . 2009-01-19 02:00 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-01-07 01:01 . 2009-01-18 18:37 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-07 00:59 . 2009-01-07 00:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-07 00:39 . 2009-01-19 00:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-05 17:47 . 2009-01-19 18:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-01-05 17:44 . 2009-01-05 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-25 20:46 . 2008-12-25 20:46 <DIR> d-------- c:\program files\Sony Setup
2008-12-25 20:46 . 2008-12-25 20:46 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Sony Setup
2008-12-21 18:53 . 2008-12-21 18:53 <DIR> d-------- c:\windows\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 02:13 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-20 02:13 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-07 23:46 --------- d-----w c:\program files\MSN Messenger
2009-01-07 08:26 --------- d-----w c:\program files\MySpace
2009-01-06 01:23 --------- d-----w c:\program files\Norton 360
2008-12-28 06:51 --------- d-----w c:\program files\InterActual
2008-12-20 02:00 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Symantec
2008-11-07 09:35 1,520 -c--a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 61,440 2005-02-03 00:44:24 c:\hp\KBD\bak\KBD.EXE

-c--a-w 106,496 2004-09-27 15:09:06 c:\program files\CA\eTrust PestPatrol\bak\PPActiveDetection.exe

-c--a-w 180,269 2005-05-27 19:46:58 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

-c--a-w 579,072 2007-12-20 20:50:05 c:\program files\Grisoft\AVG7\bak\avgcc.exe

-c--a-w 41 2008-02-06 16:55:37 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv
-c--a-w 5,601 2008-02-04 21:49:16 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.csv

----a-w 6,435 2009-01-20 07:59:37 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.csv
-c--a-w 5,601 2008-02-04 21:49:16 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.csv

----a-w 245,760 2005-02-26 05:34:02 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.exe

----a-w 6,435 2009-01-20 07:59:37 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.csv
-c--a-w 41 2008-02-06 16:55:37 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv

----a-w 245,760 2005-02-26 05:34:02 c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.exe

-c--a-w 1,694,208 2004-10-13 23:24:38 c:\program files\Messenger\bak\msmsgs.exe
------w 1,695,232 2008-04-14 00:12:28 c:\program files\Messenger\msmsgs.exe

-c--a-w 98,304 2005-05-27 19:57:29 c:\program files\QuickTime\bak\qttask.exe
----a-w 413,696 2008-09-06 22:09:14 c:\program files\QuickTime\QTTask.exe

-c--a-w 4,670,704 2007-08-31 01:43:18 c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w 4,670,704 2007-08-31 00:43:18 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

-c--a-w 59,392 2004-08-10 18:04:42 c:\windows\ehome\bak\ehtray.exe
----a-w 59,392 2004-08-10 18:04:42 c:\windows\ehome\ehtray.exe

-c--a-w 15,360 2004-08-10 12:00:00 c:\windows\system32\bak\ctfmon.exe
----a-w 15,360 2008-04-14 00:12:16 c:\windows\system32\ctfmon.exe

-c--a-w 77,824 2005-04-05 21:19:18 c:\windows\system32\bak\hkcmd.exe

-c--a-w 659,456 2004-06-07 18:42:30 c:\windows\system32\bak\hphmon06.exe

-c--a-w 114,688 2005-04-05 21:23:14 c:\windows\system32\bak\igfxpers.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [N/A]
"Persistence"="c:\windows\system32\igfxpers.exe" [N/A]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.exe" [2005-02-25 245760]
"IcoSet"="c:\hp\bin\cloaker.exe" [1999-11-06 27136]
"regcmdcons"="c:\hp\bin\cloaker.exe" [1999-11-06 27136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"KBD"="c:\hp\KBD\KBD.EXE" [N/A]
"NI.UGA6P_0001_N122M2210"="c:\documents and settings\hp_administrator\application data\install_en[1].exe" [N/A]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [N/A]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"RTHDCPL"="RTHDCPL.EXE" [2005-04-12 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareAlarm]
c:\program files\MalwareAlarm\MalwareAlarm.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
c:\program files\MySpace\IM\MySpaceIM.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\Ymsgr_tray.exe"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1002000.007\SymEFA.sys [2009-01-19 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1002000.007\BHDrvx86.sys [2009-01-19 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1002000.007\cchpx86.sys [2009-01-19 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090115.001\IDSxpx86.sys [2009-01-19 274808]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-19 99376]
R4 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe [2009-01-19 115560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{AACD7047-0D61-450C-BC22-5A8C59228DBE} - (no file)
BHO-{E89B71D5-1173-4250-835D-3CFEE9E713C8} - (no file)
Notify-ddcAppmn - ddcAppmn.dll
Notify-fccaaba - fccaaba.dll
Notify-fihhigrw - fihhigrw.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.aol.com/?src=customie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: www.select2perform.com
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 01:35:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4166429689-3702264920-1142536906-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-20 1:40:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-20 09:40:03

Pre-Run: 210,847,711,232 bytes free
Post-Run: 210,750,722,048 bytes free

281 --- E O F --- 2009-01-05 16:01:05





--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel® Pentium® D CPU 2.80GHz )
BIOS : Phoenix - Award BIOS v6.00PG
USER : HP_Administrator ( Administrator )
BOOT : Normal boot
Antivirus : Norton AntiVirus 16.2.0.7 (Not Activated)
C:\ (Local Disk) - NTFS - Total:271 Go (Free:196 Go)
D:\ (Local Disk) - FAT32 - Total:8 Go (Free:1 Go)
E:\ (CD or DVD)
F:\ (CD or DVD)
G:\ (USB)
H:\ (USB)
I:\ (USB)
J:\ (USB)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Tue 01/20/2009| 1:46 )

--------------------\\ Listing folders in APPLIC~1

[05/27/2005|11:57] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Apple Computer
[01/27/2005|05:44] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[05/27/2005|12:17] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> InterMute
[01/19/2009|06:01] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[05/27/2005|11:47] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Real
[05/27/2005|12:12] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> SampleView
[05/27/2005|12:21] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Symantec

[09/15/2008|01:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[06/24/2008|03:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[12/04/2007|12:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[05/21/2006|12:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL Downloads
[02/28/2008|02:19] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[02/28/2008|02:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[10/06/2008|07:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Applications
[03/24/2006|12:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> ArcSoft
[01/19/2009|06:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Avg8
[12/03/2007|07:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CA
[09/23/2008|09:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> DVD Shrink
[12/04/2007|12:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[05/27/2005|12:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Hewlett-Packard
[05/27/2005|11:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[01/19/2009|10:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[01/19/2009|12:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee
[03/03/2008|07:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[09/21/2006|08:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MSScanAppDataDir
[12/14/2005|03:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> muvee Technologies
[01/19/2009|06:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Norton
[01/05/2009|05:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NortonInstaller
[08/25/2005|10:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Pure Networks
[05/27/2005|11:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[11/15/2006|10:54] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> RoboForm
[04/28/2006|12:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Roxio
[05/27/2005|11:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI
[01/07/2009|12:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SiteAdvisor
[01/19/2009|06:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[10/06/2008|06:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trend Micro
[01/21/2007|02:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Verizon
[04/14/2007|03:21] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Viewpoint
[02/08/2008|11:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[07/11/2008|03:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo!

[04/11/2007|09:00] C:\DOCUME~1\APPLIC~1\APPLIC~1\<DIR> Microsoft

[05/27/2005|11:57] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Apple Computer
[01/27/2005|05:44] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[05/27/2005|12:17] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> InterMute
[05/27/2005|12:31] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[05/27/2005|11:47] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Real
[05/27/2005|12:12] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> SampleView
[05/27/2005|12:21] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec

[02/16/2008|11:09] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Adobe
[06/24/2008|03:38] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> AdobeUM
[08/26/2005|08:11] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> AOL
[07/11/2008|10:25] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Apple Computer
[03/24/2006|12:29] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> ArcSoft
[02/05/2008|05:10] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> bak
[02/09/2006|06:35] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> EBookSys
[01/13/2009|08:26] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Google
[02/23/2006|07:58] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Help
[08/26/2005|12:37] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Hewlett-Packard
[05/30/2006|06:59] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> ICAClient
[01/27/2005|05:44] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Identities
[05/27/2005|12:17] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> InterMute
[04/14/2006|06:34] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> InterVideo
[10/11/2005|12:20] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Leadertech
[01/23/2008|06:26] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Macromedia
[01/19/2009|10:55] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Malwarebytes
[05/22/2008|09:57] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Microsoft
[10/26/2008|03:15] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Move Networks
[08/31/2006|03:38] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> MSNInstaller
[12/14/2005|03:04] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> muvee Technologies
[11/26/2006|12:26] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> MySpace
[10/13/2007|02:02] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Real
[10/07/2006|08:54] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Roxio
[05/27/2005|12:12] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> SampleView
[05/23/2007|10:32] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Snapfish
[10/11/2005|12:20] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Sonic
[12/25/2008|08:46] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Sony Setup
[09/19/2005|10:08] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Sun
[12/19/2008|06:00] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Symantec
[10/17/2005|07:38] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Template
[01/10/2008|08:48] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> U3
[10/21/2006|08:20] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Verizon
[04/14/2007|03:21] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Viewpoint
[07/11/2008|03:47] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> Yahoo!
[08/25/2005|10:14] C:\DOCUME~1\HP_ADM~1\APPLIC~1\<DIR> You've Got Pictures Screensaver

[01/19/2009|06:01] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[01/18/2009|06:37] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> SACore
[02/28/2006|09:25] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Symantec

[01/19/2009|06:01] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[01/13/2009 01:55 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[01/20/2009 01:34 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/10/2004 10:00 AM][-rah-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[02/03/2008|06:28] C:\Program Files\<DIR> Adobe
[11/27/2006|10:02] C:\Program Files\<DIR> America Online 9.0
[12/04/2007|12:54] C:\Program Files\<DIR> AOL
[09/15/2008|01:18] C:\Program Files\<DIR> Apple Software Update
[02/09/2006|08:02] C:\Program Files\<DIR> ArcSoft
[01/05/2006|08:58] C:\Program Files\<DIR> AviSynth 2.5
[05/27/2005|12:01] C:\Program Files\<DIR> BackWeb
[09/15/2008|01:15] C:\Program Files\<DIR> Bonjour
[12/03/2007|02:13] C:\Program Files\<DIR> CA
[03/21/2006|01:59] C:\Program Files\<DIR> Canon
[05/13/2007|06:54] C:\Program Files\<DIR> Challenger Tetris
[05/30/2006|06:54] C:\Program Files\<DIR> Citrix
[11/15/2008|05:08] C:\Program Files\<DIR> CleanUp!
[01/20/2009|01:31] C:\Program Files\<DIR> Common Files
[12/04/2007|04:59] C:\Program Files\<DIR> ComPlus Applications
[09/23/2008|09:29] C:\Program Files\<DIR> DVD Shrink
[11/12/2007|03:17] C:\Program Files\<DIR> Easy Internet signup
[05/27/2005|11:49] C:\Program Files\<DIR> EnglishOtto
[05/27/2005|11:49] C:\Program Files\<DIR> GemMaster
[07/07/2008|08:10] C:\Program Files\<DIR> Google
[10/12/2007|11:52] C:\Program Files\<DIR> Grisoft
[05/27/2005|12:28] C:\Program Files\<DIR> Hewlett-Packard
[05/27/2005|11:40] C:\Program Files\<DIR> HP
[05/27/2005|12:02] C:\Program Files\<DIR> HPQ
[02/26/2008|07:39] C:\Program Files\<DIR> InstallShield Installation Information
[05/27/2005|11:53] C:\Program Files\<DIR> IntelliMover Data Transfer Demo
[12/27/2008|10:51] C:\Program Files\<DIR> InterActual
[05/27/2005|12:00] C:\Program Files\<DIR> InterMute
[01/05/2009|08:28] C:\Program Files\<DIR> Internet Explorer
[05/27/2005|12:30] C:\Program Files\<DIR> InterVideo
[09/15/2008|01:17] C:\Program Files\<DIR> iPod
[09/15/2008|01:17] C:\Program Files\<DIR> iTunes
[07/11/2008|09:52] C:\Program Files\<DIR> Java
[08/25/2005|10:14] C:\Program Files\<DIR> Learn2.com
[09/05/2006|02:43] C:\Program Files\<DIR> LEGO Media
[01/19/2009|10:55] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[12/10/2006|11:00] C:\Program Files\<DIR> MARS
[09/25/2008|04:42] C:\Program Files\<DIR> Messenger
[05/27/2005|11:56] C:\Program Files\<DIR> Microsoft ActiveSync
[01/27/2005|05:46] C:\Program Files\<DIR> microsoft frontpage
[12/06/2006|07:38] C:\Program Files\<DIR> Microsoft Money 2005
[10/06/2008|07:12] C:\Program Files\<DIR> Microsoft Office
[05/27/2005|11:54] C:\Program Files\<DIR> Microsoft Plus! Dancer LE
[05/27/2005|11:54] C:\Program Files\<DIR> Microsoft Plus! Digital Media Edition
[05/27/2005|11:54] C:\Program Files\<DIR> Microsoft Plus! Photo Story 2 LE
[05/27/2005|11:55] C:\Program Files\<DIR> Microsoft Visual Studio
[11/07/2008|01:34] C:\Program Files\<DIR> Microsoft Works
[05/27/2005|11:55] C:\Program Files\<DIR> Microsoft.NET
[04/04/2006|05:17] C:\Program Files\<DIR> Motorola
[09/25/2008|04:36] C:\Program Files\<DIR> Movie Maker
[01/27/2005|05:46] C:\Program Files\<DIR> MSN
[09/21/2005|08:27] C:\Program Files\<DIR> MSN Apps
[05/27/2005|11:46] C:\Program Files\<DIR> MSN Encarta Standard
[01/27/2005|05:47] C:\Program Files\<DIR> MSN Gaming Zone
[01/07/2009|03:46] C:\Program Files\<DIR> MSN Messenger
[11/15/2006|03:27] C:\Program Files\<DIR> MSXML 4.0
[02/26/2008|07:40] C:\Program Files\<DIR> muvee Technologies
[01/07/2009|12:26] C:\Program Files\<DIR> MySpace
[09/25/2008|04:34] C:\Program Files\<DIR> NetMeeting
[01/05/2009|05:23] C:\Program Files\<DIR> Norton 360
[01/19/2009|06:11] C:\Program Files\<DIR> Norton AntiVirus
[01/19/2009|06:11] C:\Program Files\<DIR> NortonInstaller
[05/27/2005|12:10] C:\Program Files\<DIR> Online Services
[09/25/2008|04:33] C:\Program Files\<DIR> Outlook Express
[05/27/2005|12:06] C:\Program Files\<DIR> PC-Doctor for DOS
[05/27/2005|12:06] C:\Program Files\<DIR> PC-Doctor for Windows
[12/03/2007|07:41] C:\Program Files\<DIR> PCPitstop
[10/21/2006|08:22] C:\Program Files\<DIR> PlayLinc
[08/25/2005|10:14] C:\Program Files\<DIR> Pure Networks
[09/15/2008|01:15] C:\Program Files\<DIR> QuickTime
[05/27/2005|11:46] C:\Program Files\<DIR> Real
[04/28/2006|12:18] C:\Program Files\<DIR> Roxio
[07/11/2008|09:58] C:\Program Files\<DIR> Safari
[11/15/2006|10:52] C:\Program Files\<DIR> Siber Systems
[05/27/2005|11:51] C:\Program Files\<DIR> Sonic
[12/25/2008|08:46] C:\Program Files\<DIR> Sony Setup
[01/19/2009|06:12] C:\Program Files\<DIR> Symantec
[01/20/2009|12:09] C:\Program Files\<DIR> Trend Micro
[01/27/2005|01:38] C:\Program Files\<DIR> Uninstall Information
[05/27/2005|12:01] C:\Program Files\<DIR> Updates from HP
[10/21/2006|08:22] C:\Program Files\<DIR> Verizon
[10/21/2006|08:28] C:\Program Files\<DIR> Verizon Online
[08/25/2005|10:14] C:\Program Files\<DIR> Viewpoint
[03/08/2007|09:08] C:\Program Files\<DIR> Virtools
[05/27/2005|11:49] C:\Program Files\<DIR> WildTangent
[10/13/2007|01:17] C:\Program Files\<DIR> Windows Media Player
[09/25/2008|04:33] C:\Program Files\<DIR> Windows NT
[01/27/2005|05:47] C:\Program Files\<DIR> Windows Plus
[01/19/2009|06:11] C:\Program Files\<DIR> Windows Sidebar
[01/27/2005|01:38] C:\Program Files\<DIR> WindowsUpdate
[01/27/2005|05:48] C:\Program Files\<DIR> xerox
[07/13/2007|02:20] C:\Program Files\<DIR> Xvid
[07/18/2008|11:50] C:\Program Files\<DIR> Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[06/24/2008|03:39] C:\Program Files\Common Files\<DIR> Adobe
[07/06/2006|05:01] C:\Program Files\Common Files\<DIR> AOL
[08/25/2005|10:14] C:\Program Files\Common Files\<DIR> aolshare
[09/15/2008|01:14] C:\Program Files\Common Files\<DIR> Apple
[05/27/2005|11:55] C:\Program Files\Common Files\<DIR> DESIGNER
[05/27/2005|11:38] C:\Program Files\Common Files\<DIR> Hewlett-Packard
[05/27/2005|11:34] C:\Program Files\Common Files\<DIR> HP
[05/27/2005|11:59] C:\Program Files\Common Files\<DIR> InstallShield
[05/27/2005|12:31] C:\Program Files\Common Files\<DIR> InterVideo
[05/27/2005|11:15] C:\Program Files\Common Files\<DIR> Java
[05/27/2005|11:56] C:\Program Files\Common Files\<DIR> L&H
[08/25/2005|10:05] C:\Program Files\Common Files\<DIR> LightScribe
[10/06/2008|07:12] C:\Program Files\Common Files\<DIR> Microsoft Shared
[10/21/2006|08:28] C:\Program Files\Common Files\<DIR> MotiveBrowser
[01/27/2005|05:46] C:\Program Files\Common Files\<DIR> MSSoap
[08/25/2005|10:14] C:\Program Files\Common Files\<DIR> Nullsoft
[01/27/2005|05:46] C:\Program Files\Common Files\<DIR> ODBC
[05/27/2005|11:47] C:\Program Files\Common Files\<DIR> Real
[04/28/2006|12:20] C:\Program Files\Common Files\<DIR> Roxio Shared
[07/07/2008|09:12] C:\Program Files\Common Files\<DIR> Scanner
[10/13/2007|01:17] C:\Program Files\Common Files\<DIR> Services
[05/27/2005|11:46] C:\Program Files\Common Files\<DIR> Sonic Shared
[01/27/2005|05:46] C:\Program Files\Common Files\<DIR> SpeechEngines
[10/21/2006|07:49] C:\Program Files\Common Files\<DIR> SupportSoft
[05/27/2005|11:46] C:\Program Files\Common Files\<DIR> SureThing Shared
[11/10/2006|03:47] C:\Program Files\Common Files\<DIR> SWF Studio
[01/19/2009|06:13] C:\Program Files\Common Files\<DIR> Symantec Shared
[09/25/2008|04:33] C:\Program Files\Common Files\<DIR> System
[05/27/2005|11:51] C:\Program Files\Common Files\<DIR> TiVo Shared
[10/21/2006|08:28] C:\Program Files\Common Files\<DIR> Verizon Online
[05/27/2005|11:47] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 42 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 01:47:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\HP_ADM~1\My Documents\My Music\The Notorious B.I.G\Life After Death Disc 2\05 Ten Crack Commandments.mp3
C:\DOCUME~1\HP_ADM~1\My Documents\My Music\The Notorious B.I.G\Life After Death Disc 2\05 Ten Crack Commandments.wma


[F:1][D:1]-> C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp
[F:45][D:0]-> C:\DOCUME~1\HP_ADM~1\Cookies
[F:199][D:4]-> C:\DOCUME~1\HP_ADM~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Tue 01/20/2009| 1:49 - Option : [1]

--------------------\\ Scan completed at 1:49:12

#6
heir

    Trusted Helper

  • Malware Removal
Hello again!

That should have taken care of some of your issues.
More to do though before we're finished. So let's move on.
We have to deal with an old infection that I haven't seen for a while.

Let's do this.

First Approach:

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#7
lilsweetness94

lilsweetness94

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
OK, I did the steps as stated. Here is the final Notepad text it gave me.

I really appreciate your help. Thanks a bunch for your time! :)



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 01/20/2009
The current time is: 17:39:54.64


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/02/2005 04:44 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

10/13/2004 03:24 PM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/27/2005 11:57 AM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/10/2004 10:04 AM 59,392 ehtray.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 04:00 AM 15,360 ctfmon.exe
04/05/2005 01:19 PM 77,824 hkcmd.exe
06/07/2004 10:42 AM 659,456 hphmon06.exe
04/05/2005 01:23 PM 114,688 igfxpers.exe
4 File(s) 867,328 bytes

Directory of C:\DOCUME~1\HP_ADM~1\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\CA\ETRUST~1\BAK

09/27/2004 07:09 AM 106,496 PPActiveDetection.exe
1 File(s) 106,496 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

12/20/2007 12:50 PM 579,072 avgcc.exe
1 File(s) 579,072 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

02/06/2008 08:55 AM 41 HPBootOp.csv
1 File(s) 41 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

08/30/2007 05:43 PM 4,670,704 YahooMessenger.exe
1 File(s) 4,670,704 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

05/27/2005 11:46 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK\BAK

01/20/2009 03:27 AM 6,481 HPBootOp.csv
02/25/2005 09:34 PM 245,760 HPBootOp.exe
2 File(s) 252,241 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
1695232 Apr 13 2008 "C:\Program Files\Messenger\msmsgs.exe"
1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
413696 Sep 6 2008 "C:\Program Files\QuickTime\QTTask.exe"
98304 May 27 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
15360 Apr 13 2008 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Apr 5 2005 "C:\hp\drivers\video_Intel\hkcmd.exe"
77824 Apr 5 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
77824 Apr 5 2005 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\hkcmd.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
114688 Apr 5 2005 "C:\hp\drivers\video_Intel\igfxpers.exe"
114688 Apr 5 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
114688 Apr 5 2005 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\igfxpers.exe"
106496 Sep 27 2004 "C:\Program Files\CA\eTrust PestPatrol\bak\PPActiveDetection.exe"
579072 Dec 20 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
5601 Feb 4 2008 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.csv"
41 Feb 6 2008 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv"
6481 Jan 20 2009 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.csv"
5601 Feb 4 2008 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.csv"
41 Feb 6 2008 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv"
6481 Jan 20 2009 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.csv"
245760 Feb 25 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
180269 May 27 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
5601 Feb 4 2008 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.csv"
41 Feb 6 2008 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv"
6481 Jan 20 2009 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.csv"
245760 Feb 25 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.exe"


end of report
  • 0
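How a FindAWF report like the one above can be triaged, as an added example that is not part of the thread and not FindAWF's own code: it pairs each bak copy in the "Duplicate files" list with the entry at the original location (the folder above bak) and labels it missing, identical or differs. The function names and the three labels are assumptions made for this illustration; the sample lines are an excerpt of the report above.

```python
import ntpath  # Windows path rules, usable on any OS
import re

# Excerpt of the "Duplicate files" lines from the report posted above.
SAMPLE = r'''
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
59392 Aug 10 2004 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
5601 Feb 4 2008 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.csv"
6481 Jan 20 2009 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.csv"
245760 Feb 25 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.exe"
'''
LINE = re.compile(r'^(\d+) (\w{3} \d{1,2} \d{4}) "(.+)"$')

def parse(report):
    """Return {lowercased path: (size, date, path)} for each listing line."""
    entries = {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:  # headers, blank lines and "Directory of" lines do not match
            entries[m.group(3).lower()] = (int(m.group(1)), m.group(2), m.group(3))
    return entries

def original_location(path):
    """Path with trailing bak folders (also nested bak\\bak) removed, or None."""
    folder, name = ntpath.split(path)
    parent = folder
    while ntpath.basename(parent).lower() == "bak":
        parent = ntpath.dirname(parent)
    return ntpath.join(parent, name) if parent != folder else None

def triage(report):
    """Map each bak copy to 'missing', 'identical' or 'differs'."""
    entries, result = parse(report), {}
    for size, date, path in entries.values():
        target = original_location(path)
        if target is None:
            continue  # entry is not inside a bak folder
        live = entries.get(target.lower())
        if live is None:
            result[path] = "missing"    # report lists nothing at the original path
        elif live[:2] == (size, date):
            result[path] = "identical"  # same size and date as the bak copy
        else:
            result[path] = "differs"    # size or date changed; inspect the file
    return result

if __name__ == "__main__":
    print(*sorted(triage(SAMPLE).items()), sep="\n")
```

A "differs" result only says that size or date changed; a legitimately updated file shows up the same way, so it marks a file to inspect, not a verdict.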

#8
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

OK, I did the steps as stated. Here is the final Notepad text it gave me.

I really appreciate your help. Thanks a bunch for your time! :)

2xThanks!
My pleasure :).

Let's clean that up now; we might need more than one "run" to clean it.

Step 1.
Run CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

KillAll::
Folder::
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
C:\DOCUME~1\HP_ADM~1\APPLIC~1\Viewpoint
C:\Program Files\Viewpoint
C:\Program Files\WildTangent
c:\program files\MalwareAlarm

AWF::
c:\hp\KBD\bak\KBD.EXE   
c:\program files\CA\eTrust PestPatrol\bak\PPActiveDetection.exe
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\Grisoft\AVG7\bak\avgcc.exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.csv
c:\program files\Hewlett-Packard\HP Boot Optimizer\bak\bak\HPBootOp.exe
c:\program files\Messenger\bak\msmsgs.exe
c:\program files\QuickTime\bak\qttask.exe
c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe
c:\windows\ehome\bak\ehtray.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\bak\hkcmd.exe
c:\windows\system32\bak\hphmon06.exe
c:\windows\system32\bak\igfxpers.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareAlarm]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Also let me know how your computer is running now.

  • 0

#9
lilsweetness94

lilsweetness94

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
I followed the steps as requested. I am attaching it as a zip file, because the file is too large. Please let me know that you were able to retrieve the file.
As for my computer it is running faster and I have not had anymore problems with it. No more pop ups and no virus problems so far.


Attached File  log_combofix2.zip   53.7KB   137 downloads
  • 0

#10
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Usually you should not attach logs. This time it was OK though. (It was long - many deletions)

Do you use HP Boot Optimizer?

Is it functioning as it should?

An entry related to that software has become orphaned and was therefore removed.


And please do this again:

First Approach:

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

Edited by heir, 21 January 2009 - 06:10 PM.

  • 0


#11
lilsweetness94

lilsweetness94

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Here is the text report .


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 01/21/2009
The current time is: 16:18:21.43


bak folders found
~~~~~~~~~~~


Directory of C:\DOCUME~1\HP_ADM~1\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

01/20/2009 07:18 PM 6,530 HPBootOp.csv
02/25/2005 09:34 PM 245,760 HPBootOp.exe
2 File(s) 252,290 bytes

Directory of C:\QOOBOX\QUARAN~1\C\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

02/06/2008 08:55 AM 41 HPBootOp.csv.vir
1 File(s) 41 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

5601 Feb 4 2008 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.csv"
6530 Jan 20 2009 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv"
245760 Feb 25 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
41 Feb 6 2008 "C:\Qoobox\Quarantine\C\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv.vir"


end of report
  • 0

#12
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
And your answers to these questions, please:

Do you use HP Boot Optimizer?

Is it functioning as it should?

An entry related to that software has become orphaned and was therefore removed.
  • 0

#13
lilsweetness94

lilsweetness94

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
HP Boot Optimizer... Not sure what that program even is. Maybe something that came factory with the computer? I never used it before, that I am aware of.
  • 0

#14
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
I'm going to restore that entry to what it should have been, but now I'm tired.
Going to get some sleep now.
I'll get back to you tomorrow. Then we'll proceed with cleaning your computer of malware.
  • 0

#15
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Let's restore that entry then.

Step 1.
Move file in place:

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.csv"
    "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.


Step 2.
Find registry backup:

Please download DirLook by jpshortstuff from one of the following mirrors:
Link 1
Link 2
Link 3
  • Double-click DirLook.exe to run it (Vista Users should right-click and select Run As Administrator...).
  • Ensure that Show Hidden Files/Folders and BBCode Output are both checked.
  • Copy the content of the following codebox into the main textfield:

    C:\QooBox\Quarantine\Registry_Backups /n*.dat
  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\DirLook.txt)
Note: Scanning may take longer for large folders.

Step 3.
Things I would like to see in your reply:

  • The content of AWF.txt from step 1.
  • The content of C:\DirLook.txt from step 2.

  • 0





