
MyWebSearch infection HJT logfile

Discussion in 'Virus & Other Malware Removal' started by dickydolittle, Jan 18, 2007.

  1. dickydolittle

    dickydolittle Thread Starter

    Joined:
    Apr 20, 2006
    Messages:
    18
    hi,
    I think my machine has a MyWebSearch infection - could someone please review my HJT log.
    Any assistance would be great.
    thanks

    rich

    Logfile of HijackThis v1.99.1
    Scan saved at 20:17:52, on 18/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adecco.co.uk/associate
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138984975234
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
     
  2. rookie147

    rookie147

    Joined:
    Jan 16, 2007
    Messages:
    40
    Hello dickydolittle, and welcome to TSG. My name is Charles and I will be dealing with your log today.
    Make a list of all the programs installed on your computer:
    Open HijackThis
    Click the Config... button, then go to the Misc Tools section.
    Press Open Uninstall Manager. You'll see a list of programs.
    Select Save List... - save it to your Desktop.
    The file "uninstall_list.txt" will be created.
    Copy and paste the contents of this file to your next reply.
    Post me the uninstall list,
    Thanks,
    Charles
     
  3. dickydolittle

    dickydolittle Thread Starter

    Joined:
    Apr 20, 2006
    Messages:
    18
    hi charles,
    thanks very much for your assistance, here is the uninstall list,

    Ad-Aware SE Personal
    Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0
    Adobe Shockwave Player
    Ashampoo PowerUp XP Platinum
    ATI Control Panel
    ATI Display Driver
    Audacity 1.2.4
    AVG Anti-Spyware 7.5
    AVG Free Edition
    Belkin 54g USB Network Adapter
    Brother MFL-Pro Suite
    CCleaner (remove only)
    C-Media WDM Audio Driver
    Cutter 4.5
    FastStone Capture 4.7
    FastStone Photo Resizer 2.3
    Flickr Uploadr 2.3
    Flock 0.7
    Football Manager 2006
    GIMPshop .1 beta
    Google Earth
    Google SketchUp
    GTK+ 2.8.13 runtime environment
    High Definition Audio Driver Package - KB888111
    Hijackthis 1.99.1
    HijackThis 1.99.1
    Hotfix for Windows XP (KB889527)
    Hotfix for Windows XP (KB893357)
    Hotfix for Windows XP (KB896344)
    Hotfix for Windows XP (KB903234)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB928388)
    Hotfix for Windows XP (KB929120)
    IKEA Home Planner Kitchen
    InterVideo WinDVD
    J2SE Runtime Environment 5.0 Update 9
    Juice 2.2
    Kaspersky Online Scanner
    Lavasoft VX2 Cleaner
    Macromedia Dreamweaver MX 2004
    Macromedia Extension Manager
    Macromedia Flash MX 2004
    McAfee SiteAdvisor for Internet Explorer
    Messenger-Control plug-in for Ad-Aware SE
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office XP Professional with FrontPage
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Works
    Mozilla Firefox (2.0.0.1)
    Mozilla Thunderbird (1.5.0.9)
    MSN
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    Nero BurnRights
    Nero Digital
    Nero OEM
    NeroVision Express Content
    Paint.NET v2.72
    PaperPort 8.0 SE
    Picasa 2
    QuarkXPress 5.01
    QuickTime
    S204 Biology: Uniformity and Diversity
    S204 Guide to Living Organisms
    S204: Guide to living organisms
    Security Update for Microsoft .NET Framework 2.0 (KB917283)
    Security Update for Microsoft .NET Framework 2.0 (KB922770)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB900930)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB926255)
    SiSoftware Sandra Lite 2005.SR3 (Win64/32/CE)
    Soft Data Fax Modem with SmartCP
    Spybot - Search & Destroy 1.4
    SpywareBlaster v3.5.1
    Sunbelt CounterSpy
    Turbo Lister
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB897663)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB912945)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920342)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925876)
    Winamp (remove only)
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live Messenger
    Windows Media Connect
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Hotfix - KB895181
    Windows Media Player 10 Hotfix - KB888656
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB883529
    Windows XP Hotfix - KB883667
    Windows XP Hotfix - KB884018
    Windows XP Hotfix - KB884020
    Windows XP Hotfix - KB884575
    Windows XP Hotfix - KB884868
    Windows XP Hotfix - KB884883
    Windows XP Hotfix - KB885222
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885523
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885855
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB885887
    Windows XP Hotfix - KB885894
    Windows XP Hotfix - KB885932
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB886677
    Windows XP Hotfix - KB886716
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB887797
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888240
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB888402
    Windows XP Hotfix - KB889016
    Windows XP Hotfix - KB889673
    Windows XP Hotfix - KB890831
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891070
    Windows XP Hotfix - KB891220
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB892050
    Windows XP Hotfix - KB892627
    Windows XP Hotfix - KB893056
    Windows XP Hotfix - KB893086
    Windows XP Hotfix - KB896626
    WinPatrol
    ZipGenius 6 (6.0.3.1130)
    Zune Desktop Theme

    thanks

    rich
     
  4. rookie147

    rookie147

    Joined:
    Jan 16, 2007
    Messages:
    40
    Hey rich,
    Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
    We are going to boot into Safe Mode later in the fix, and there is no internet access.

    You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6). Please update and remove the older versions. Do the following:
    Go to Start | Control Panel | Add/Remove Programs
    Search in the list for all previously installed versions of Java. (J2SE Runtime Environment.... )
    It should have this icon next to it: [image]
    Select it and click Remove.
    Then download and install the newest version from here:
    Java Runtime Environment (JRE) 6

    Disable WinPatrol
    - Right Click the 'Scotty Dog' icon in the system tray
    - Click "Always Run Winpatrol"
    - When WinPatrol dialog comes up asking about Startup change, click "Yes"
    - Reboot your machine for the changes to take effect before running HJT.

    Please disable Spybot's "TeaTimer" function as it may hinder the removal of the infection:
    Open Spybot and click on Mode and check Advanced Mode
    Check Yes to next window.
    Click on Tools in bottom left hand corner.
    Press on System Startup icon.
    Uncheck Teatimer box.
    Click Allow Change box.
    Please remember to re-enable it after you're clean.

    Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe


    Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    Now, please reboot your computer into Safe Mode.
    This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
    Then select Safe Mode from the list.

    Set your system to show all files.
    Navigate to Start | My Computer | Tools | Folder Options.
    Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

    Next, please find and delete the following folder (if present):

    C:\Program Files\MyWebSearch

    Reboot into Normal Mode again.

    Please run Panda's ActiveScan.
    Once you are on the Panda site click the Scan your PC button
    A new window will open, click the Check Now button.
    Enter your personal details.
    Click the big Scan Now button.
    It will ask to install various content - please allow this.
    It will start downloading the files it requires for the scan, which may take a while.
    When download is complete, click on Local Disks to start the scan.
    When the scan completes, click the See Report button.
    Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

    Please post me back the Panda report, along with a new HijackThis log.
    Thanks,
    Charles
     
  5. dickydolittle

    dickydolittle Thread Starter

    Joined:
    Apr 20, 2006
    Messages:
    18
    hi charles,
    thanks for your assistance, the instructions you gave were very good.
    the JRE download was a bit tricky - lots of options - but I'm pretty sure I got the correct one.
    here are the new HJT log and the Panda report:-

    Logfile of HijackThis v1.99.1
    Scan saved at 19:37:54, on 19/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\BRMFRSMG.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adecco.co.uk/associate
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138984975234
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe



    Incident Status Location

    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\RICH.YOUR-261B60FB97\Application Data\Flock\Browser\Profiles\d5e88k9x.default\cookies.txt[.atwola.com/]
    Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\VON\Cookies\[email protected][2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookies.txt[.adtech.de/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookies.txt[.247realmedia.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookiesnew.txt[.atdmt.com/]
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookiesnew.txt[.adtech.de/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookiesnew.txt[.advertising.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookiesnew.txt[.statcounter.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookiesnew.txt[.247realmedia.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookiesnew.txt[.serving-sys.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\cookiesnew.txt[ad.yieldmanager.com/]
    Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\Local Settings\Application Data\Mozilla\Firefox\Profiles\4ome8za4.default\Cache\7AA87E39d01
    Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\VON.YOUR-261B60FB97\My Documents\school\SmileyCentralPFSetup2.2.60.4.ZNfox000.exe

    regards

    rich
     
  6. rookie147

    rookie147

    Joined:
    Jan 16, 2007
    Messages:
    40
    Hey again Rich,
    Please print off these instructions again, since we are going to boot into Safe Mode again.
    Yep, you got the right one :)

    Please download ATF Cleaner. Don't run it yet.

    Scan again with HijackThis and put a checkmark next to the following entry (if present):

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u


    Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    Now, please reboot your computer into Safe Mode.
    This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
    Then select Safe Mode from the list.

    Find and delete this file:

    C:\Documents and Settings\VON.YOUR-261B60FB97\My Documents\school\SmileyCentralPFSetup2.2.60.4.ZNfox000.exe

    Double click ATF-Cleaner.exe to run the program.
    Under Main choose Select All
    Click the Empty Selected button.

    If you use Firefox browser
    Click Firefox at the top and choose Select All
    Click the Empty Selected button.
    Note: If you would like to keep your saved passwords, please click "No" at the prompt.

    If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    Note: If you would like to keep your saved passwords, please click "No" at the prompt.

    Click Exit on the main menu to close the program.

    Reboot into Normal Mode again.
    Then let me know- how are things running?
    Thanks,
    Charles
     
  7. dickydolittle

    dickydolittle Thread Starter

    Joined:
    Apr 20, 2006
    Messages:
    18
    hi charles,
    thanks for your prompt reply, I've followed all your instructions, and they all seemed to work fine, I've gone back into normal mode and everything seems good, but I'm on early shift tomorrow (4.30am start) so I will give the machine a thorough test tomorrow afternoon and let you know how things are.
    thanks again for your excellent help, it's very much appreciated,

    regards

    rich
     
  8. rookie147

    rookie147

    Joined:
    Jan 16, 2007
    Messages:
    40
    Sounds good, I look forward to your reply :)
    You're very welcome for all the help; it's my pleasure.
    Charles
     
  9. dickydolittle

    dickydolittle Thread Starter

    Joined:
    Apr 20, 2006
    Messages:
    18
    hi charles,

    sorry for the delay in replying - it took me a bit longer than I intended to get back on this machine and give it a reasonable test.

    Anyway, it seems fine now - no warnings from WinPatrol or SpyBot - I have also done another scan with Panda Activescan and it showed up nothing except some tracking cookies.

    I've done some research using the siteadvisor Firefox Extension to discover MyWebSearch sites and its affiliates so I can add them to my hosts file, and my Windows/Linux Test Machine is nearly up and running, so I can learn a bit more about protecting my machines effectively!

    Thanks once again for your help - "frame and match to rookie147" I think!

    regards

    rich
     
  10. rookie147

    rookie147

    Joined:
    Jan 16, 2007
    Messages:
    40
    Great job! Glad I could help.
    Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

    Set your system to not show all files.
    Navigate to Start | My Computer | Tools | Folder Options.
    Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
    Check: Hide file extensions for known file types
    Check the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

    Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
    Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

    In order to protect yourself against spyware, you should consider installing and running the following free programs:
    Ad-Aware SE
    A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
    Spybot-Search & Destroy
    A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
    SpywareBlaster
    A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
    Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

    Please also read Tony Klein's excellent article: How I got Infected in the First Place
    If, of course, you encounter any more problems, please let me know and I'll try my best to sort them out for you.
    Thanks and happy computing,
    Charles
     
Short URL to this thread: https://techguy.org/536357