MyWebSearch and FunWebProducts popups



jwayne73
2008-09-16, 20:51
Hi,

I'm reopening the previous thread with the same title and with updated info. Thanks.

ComboFix 08-09-15.02 - john 2008-09-16 14:14:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.264 [GMT -4:00]
Running from: C:\Documents and Settings\john\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\john\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\FunWebProducts
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.htm.bak
C:\test.txt
C:\WINDOWS\system32\__c002BBCD.dat
C:\WINDOWS\system32\__c00430C4.dat
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-16 to 2008-09-16 )))))))))))))))))))))))))))))))
.

2008-09-05 08:03 . 2008-09-08 09:01 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-30 02:27 . 2008-08-30 02:27 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-18 17:58 . 2008-08-30 01:45 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-18 17:58 . 2008-08-30 16:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-18 10:37 . 2008-08-18 10:37 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-16 18:08 --------- d-----w C:\Documents and Settings\john\Application Data\Skype
2008-09-16 13:34 --------- d-----w C:\Program Files\LogMeIn
2008-09-16 13:34 --------- d-----w C:\Documents and Settings\john\Application Data\skypePM
2008-08-25 22:17 --------- d-----w C:\Program Files\LightSpeed
2008-07-17 20:20 --------- d-----w C:\Program Files\Audacity
2008-07-01 16:21 249,856 ----a-w C:\VPN_Login_1.0.0.12.exe
2007-06-14 17:38 76,564,977 ----a-w C:\Documents and Settings\john\ms-recording.zip
2007-06-14 15:20 48,653,317 ----a-w C:\Documents and Settings\john\intro-recording.zip
2007-06-14 14:53 205,496 ----a-w C:\Documents and Settings\john\exercises.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 21718312]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2005-03-18 196608]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-03-16 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 18:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 12:32 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\eclipse\\eclipse.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Notify-24e48def382 - C:\WINDOWS\system32\__c00430C4.dat
Notify-__c002BBCD - C:\WINDOWS\system32\__c002BBCD.dat


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym&rl=1
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/keyword/%s

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 14:20:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\SCARDSVR.EXE
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee.com\Agent\Mcdetect.exe
C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-16 14:24:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-16 18:24:02

Pre-Run: 40,648,052,736 bytes free
Post-Run: 40,803,700,736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

140 --- E O F --- 2008-09-11 12:29:56

129260
2008-09-16, 22:49
You need to go back to your thread here:

http://forums.spybot.info/showthread.php?t=32863

And PM Shaba asking for your thread to be reopened so that the issue can continue to be worked on. :) I am sure you can reopen your thread if you PM Shaba. Let them know you are back from vacation and you need the thread reopened to continue the cleaning. :)

"If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required."