
Thread: MyWebSearch and FunWebProducts popups

  1. #1
    Member
    Join Date
    Mar 2008
    Posts
    31

    MyWebSearch and FunWebProducts popups

    Hi,

    I'm reopening the previous thread with the same title and with updated info. Thanks.

    ComboFix 08-09-15.02 - john 2008-09-16 14:14:43.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.264 [GMT -4:00]
    Running from: C:\Documents and Settings\john\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\john\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\FunWebProducts
    C:\Program Files\MyWebSearch
    C:\Program Files\MyWebSearch\bar\History\search
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
    C:\Program Files\MyWebSearch\bar\Settings\settings.htm
    C:\Program Files\MyWebSearch\bar\Settings\settings.htm.bak
    C:\test.txt
    C:\WINDOWS\system32\__c002BBCD.dat
    C:\WINDOWS\system32\__c00430C4.dat
    C:\WINDOWS\system32\~.exe
    C:\WINDOWS\system32\actskn43.ocx
    C:\WINDOWS\system32\bszip.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
    .

    2008-09-05 08:03 . 2008-09-08 09:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
    2008-08-30 02:27 . 2008-08-30 02:27 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-08-18 17:58 . 2008-08-30 01:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-18 17:58 . 2008-08-30 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-18 10:37 . 2008-08-18 10:37 <DIR> d-------- C:\Program Files\Trend Micro

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-16 18:08 --------- d-----w C:\Documents and Settings\john\Application Data\Skype
    2008-09-16 13:34 --------- d-----w C:\Program Files\LogMeIn
    2008-09-16 13:34 --------- d-----w C:\Documents and Settings\john\Application Data\skypePM
    2008-08-25 22:17 --------- d-----w C:\Program Files\LightSpeed
    2008-07-17 20:20 --------- d-----w C:\Program Files\Audacity
    2008-07-01 16:21 249,856 ----a-w C:\VPN_Login_1.0.0.12.exe
    2007-06-14 17:38 76,564,977 ----a-w C:\Documents and Settings\john\ms-recording.zip
    2007-06-14 15:20 48,653,317 ----a-w C:\Documents and Settings\john\intro-recording.zip
    2007-06-14 14:53 205,496 ----a-w C:\Documents and Settings\john\exercises.zip
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 21718312]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
    "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 196608]
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-03-16 24576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-05-28 12:32 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\eclipse\\eclipse.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-24e48def382 - C:\WINDOWS\system32\__c00430C4.dat
    Notify-__c002BBCD - C:\WINDOWS\system32\__c002BBCD.dat


    .
    ------- Supplementary Scan -------
    .
    R0 -: HKCU-Main,Start Page = https://login.yahoo.com/config/login...?&.src=ym&rl=1
    R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s

    O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
    C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-16 14:20:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\SYSTEM32\ati2evxx.exe
    C:\WINDOWS\SYSTEM32\SCARDSVR.EXE
    C:\Program Files\LogMeIn\x86\ramaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\McAfee.com\Agent\Mcdetect.exe
    C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
    C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
    C:\WINDOWS\SYSTEM32\ati2evxx.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\ComboFix\pv.cfexe
    .
    **************************************************************************
    .
    Completion time: 2008-09-16 14:24:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-16 18:24:02

    Pre-Run: 40,648,052,736 bytes free
    Post-Run: 40,803,700,736 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    140 --- E O F --- 2008-09-11 12:29:56

  2. #2
    129260
    Guest

    hi....

    You need to go back to your thread here:

    http://forums.spybot.info/showthread.php?t=32863

    And PM Shaba asking for your thread to be reopened so that the issue can continue to be worked on. I am sure you can reopen your thread if you PM Shaba. Let them know you are back from vacation and you need the thread reopened to continue the cleaning.

    "If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required."
