install finishes but cannot find mbam.exe, following is hijack this log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:59 PM, on 10/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/...CCYUnEIWEFtF6uw
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O1 - Hosts: 70.38.73.25 www.downloadinga2.com
O1 - Hosts: 70.38.73.25 downloadinga2.com
O1 - Hosts: 70.38.73.25 secure.extrabilling.com
O1 - Hosts: 70.38.73.25 updateyourprotection.com
O1 - Hosts: 70.38.73.25 www.updateyourprotection.com
O1 - Hosts: 70.38.73.25 securedownloadcenter.com
O1 - Hosts: 70.38.73.25 www.securedownloadcenter.com
O1 - Hosts: 70.38.73.25 www.woodpckr-a2.com
O1 - Hosts: 70.38.73.25 woodpckr-a2.com
O1 - Hosts: 70.38.73.25 www.fastupdateserver.com
O1 - Hosts: 70.38.73.25 fastupdateserver.com
O1 - Hosts: 70.38.73.25 www.antivirusa2.com
O1 - Hosts: 70.38.73.25 antivirusa2.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 microsoft.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 browsersecuritycenter.com
O1 - Hosts: 70.38.73.25 www.free-viruscan.com
O1 - Hosts: 70.38.73.25 www.microsoft.browsersecuritycenter.com
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [gomidijon] Rundll32.exe "c:\windows\system32\felazako.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCxdm993VAUS
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {02a3a40b-43a0-46dc-b74a-b6848498b260} - C:\WINDOWS\system32\mst122.dll
O20 - AppInit_DLLs: gudikabo.dll c:\windows\system32\sedulepi.dll c:\windows\system32\felazako.dll c:\windows\system32\wowafuha.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O21 - SSODL: mafudokuh - {4c7f346c-1a0c-4559-9901-c021465a75ed} - c:\windows\system32\wowafuha.dll
O21 - SSODL: ziyojeguk - {1625f4ec-a704-46b2-b302-14e26aba0e52} - c:\windows\system32\wowafuha.dll
O21 - SSODL: yafuyofom - {731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\felazako.dll
O22 - SharedTaskScheduler: tokatiluy - {4c7f346c-1a0c-4559-9901-c021465a75ed} - c:\windows\system32\wowafuha.dll
O22 - SharedTaskScheduler: gahurihor - {1625f4ec-a704-46b2-b302-14e26aba0e52} - c:\windows\system32\wowafuha.dll
O22 - SharedTaskScheduler: tokatiluy - {731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\felazako.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Client - EMC - C:\Program Files\Retrospect\Retrospect Client\RemotSvc.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Retrospect\Retrospect Client\rthlpsvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
--
End of file - 13788 bytes
Full Version: Cannot install
Hi byondhlp, welcome to Malwarebytes 
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/...CCYUnEIWEFtF6uw
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [gomidijon] Rundll32.exe "c:\windows\system32\felazako.dll",a
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCxdm993VAUS
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O21 - SSODL: mafudokuh - {4c7f346c-1a0c-4559-9901-c021465a75ed} - c:\windows\system32\wowafuha.dll
O21 - SSODL: ziyojeguk - {1625f4ec-a704-46b2-b302-14e26aba0e52} - c:\windows\system32\wowafuha.dll
O21 - SSODL: yafuyofom - {731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\felazako.dll
O22 - SharedTaskScheduler: tokatiluy - {4c7f346c-1a0c-4559-9901-c021465a75ed} - c:\windows\system32\wowafuha.dll
O22 - SharedTaskScheduler: gahurihor - {1625f4ec-a704-46b2-b302-14e26aba0e52} - c:\windows\system32\wowafuha.dll
O22 - SharedTaskScheduler: tokatiluy - {731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\felazako.dll
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
After that, Reboot
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/...CCYUnEIWEFtF6uw
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [gomidijon] Rundll32.exe "c:\windows\system32\felazako.dll",a
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCxdm993VAUS
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O21 - SSODL: mafudokuh - {4c7f346c-1a0c-4559-9901-c021465a75ed} - c:\windows\system32\wowafuha.dll
O21 - SSODL: ziyojeguk - {1625f4ec-a704-46b2-b302-14e26aba0e52} - c:\windows\system32\wowafuha.dll
O21 - SSODL: yafuyofom - {731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\felazako.dll
O22 - SharedTaskScheduler: tokatiluy - {4c7f346c-1a0c-4559-9901-c021465a75ed} - c:\windows\system32\wowafuha.dll
O22 - SharedTaskScheduler: gahurihor - {1625f4ec-a704-46b2-b302-14e26aba0e52} - c:\windows\system32\wowafuha.dll
O22 - SharedTaskScheduler: tokatiluy - {731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\felazako.dll
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
After that, Reboot
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
QUOTE (SpySentinel @ Oct 20 2009, 03:10 PM) 
Hi byondhlp, welcome to Malwarebytes
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/...CCYUnEIWEFtF6uw
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [gomidijon] Rundll32.exe "c:\windows\system32\felazako.dll",a
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCxdm993VAUS
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O21 - SSODL: mafudokuh - {4c7f346c-1a0c-4559-9901-c021465a75ed} - c:\windows\system32\wowafuha.dll
O21 - SSODL: ziyojeguk - {1625f4ec-a704-46b2-b302-14e26aba0e52} - c:\windows\system32\wowafuha.dll
O21 - SSODL: yafuyofom - {731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\felazako.dll
O22 - SharedTaskScheduler: tokatiluy - {4c7f346c-1a0c-4559-9901-c021465a75ed} - c:\windows\system32\wowafuha.dll
O22 - SharedTaskScheduler: gahurihor - {1625f4ec-a704-46b2-b302-14e26aba0e52} - c:\windows\system32\wowafuha.dll
O22 - SharedTaskScheduler: tokatiluy - {731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\felazako.dll
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
After that, Reboot
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/...CCYUnEIWEFtF6uw
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [gomidijon] Rundll32.exe "c:\windows\system32\felazako.dll",a
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCxdm993VAUS
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O21 - SSODL: mafudokuh - {4c7f346c-1a0c-4559-9901-c021465a75ed} - c:\windows\system32\wowafuha.dll
O21 - SSODL: ziyojeguk - {1625f4ec-a704-46b2-b302-14e26aba0e52} - c:\windows\system32\wowafuha.dll
O21 - SSODL: yafuyofom - {731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\felazako.dll
O22 - SharedTaskScheduler: tokatiluy - {4c7f346c-1a0c-4559-9901-c021465a75ed} - c:\windows\system32\wowafuha.dll
O22 - SharedTaskScheduler: gahurihor - {1625f4ec-a704-46b2-b302-14e26aba0e52} - c:\windows\system32\wowafuha.dll
O22 - SharedTaskScheduler: tokatiluy - {731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\felazako.dll
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
After that, Reboot
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
This corrected the problem(s) thank you!!!!! the combo fix post is below
ComboFix 09-10-19.04 - bladner 10/21/2009 6:10.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.100 [GMT -4:00]
Running from: c:\documents and settings\bladner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\caxezo.reg
c:\documents and settings\All Users\Application Data\wyfi.vbs
c:\documents and settings\All Users\Documents\ydovypox.vbs
c:\documents and settings\bladner\Application Data\kyhyqat.vbs
c:\documents and settings\bladner\Application Data\yruwuwalaw.vbs
c:\documents and settings\bladner\Cookies\fypa.db
c:\documents and settings\bladner\Cookies\gimahonu.com
c:\documents and settings\bladner\Cookies\idygadum._sy
c:\documents and settings\bladner\Cookies\meliserepe._sy
c:\documents and settings\bladner\Cookies\mupuqi.lib
c:\documents and settings\bladner\Cookies\opoga.reg
c:\documents and settings\bladner\Cookies\siqa.vbs
c:\documents and settings\bladner\Cookies\umedybyl.lib
c:\documents and settings\bladner\Cookies\yfecilica.scr
c:\documents and settings\bladner\Cookies\ytyh.bat
c:\documents and settings\bladner\Cookies\ziwuzala.bin
c:\documents and settings\bladner\Local Settings\Application Data\kowiputu.inf
c:\documents and settings\bladner\Local Settings\Application Data\vyguqo.vbs
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\ezihuga._sy
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\gapatava.sys
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\hycekibypi.reg
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\ipaxyna.com
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\katibewiv.pif
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\laxax.ban
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\ohugugimu.reg
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\puxypece.com
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\rizucugo.vbs
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\uzan.ban
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\wimisaje.dat
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\wowoherywe.dat
c:\documents and settings\bladner\Local Settings\Temporary Internet Files\yvolury.lib
C:\ekxfnpkm.exe
c:\program files\Common Files\cikux.bat
c:\program files\Common Files\rojasaty.vbs
c:\program files\Common Files\utiqebap.vbs
c:\program files\Common
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3CJpeg.dll
c:\program files\MyWebSearch\bar\1.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTmlmu.dll
c:\program files\MyWebSearch\bar\1.bin\F3HTtpct.dll
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCrctr.dll
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\1.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUtlcn.dll
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\864DF2A0
c:\program files\MyWebSearch\bar\Cache\864DF8BA
c:\program files\MyWebSearch\bar\Cache\864DF9C4.bin
c:\program files\MyWebSearch\bar\Cache\864DFABE.bin
c:\program files\MyWebSearch\bar\Cache\864DFDCB.bin
c:\program files\MyWebSearch\bar\Cache\864DFE67.bin
c:\program files\MyWebSearch\bar\Cache\8BA8DC8B.bin
c:\program files\MyWebSearch\bar\Cache\8BA8DDC3.bin
c:\program files\MyWebSearch\bar\Cache\8BA8DECD.bin
c:\program files\MyWebSearch\bar\Cache\8BA8E063.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.htm
c:\program files\MyWebSearch\bar\Message\COMMON\center.htm
c:\program files\MyWebSearch\bar\Message\COMMON\index.htm
c:\program files\MyWebSearch\bar\Message\COMMON\logo_ZJ.png
c:\program files\MyWebSearch\bar\Message\COMMON\logo_ZR.png
c:\program files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
c:\program files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\protect.htm
c:\program files\MyWebSearch\bar\Message\COMMON\reb_bg.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtnbg.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtnn1.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtnn2.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtny1.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtny2.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebclose.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebut.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut2.htm
c:\program files\MyWebSearch\bar\Message\COMMON\shocked.gif
c:\program files\MyWebSearch\bar\Message\COMMON\stop.gif
c:\program files\MyWebSearch\bar\Message\COMMON\systray.htm
c:\program files\MyWebSearch\bar\Message\COMMON\systrayp.htm
c:\program files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
c:\program files\MyWebSearch\bar\Message\COMMON\warn.gif
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\recycler\S-1-5-21-1209540307-44574804-1349154618-500
c:\windows\anumyze.reg
c:\windows\avydik.reg
c:\windows\buby.exe
c:\windows\evuhevewo.dll
c:\windows\inivinij.vbs
c:\windows\liqo.reg
c:\windows\ofonos.exe
c:\windows\owovopaca.scr
c:\windows\punena.vbs
c:\windows\system32\adol.reg
c:\windows\system32\bffvemel.ini
c:\windows\system32\bifojezo.exe
c:\windows\system32\bolapuno.dll.tmp
c:\windows\system32\cuuacymm.ini
c:\windows\system32\dikekuro.dll
c:\windows\system32\enedidaw.vbs
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\fedozuta.dll
c:\windows\system32\felazako.dll
c:\windows\system32\fezahoyu.dll
c:\windows\system32\fimukoto.dll
c:\windows\system32\gokoluvo.dll
c:\windows\system32\gudikabo.dll
c:\windows\system32\guvaruja.dll
c:\windows\system32\hezamohe.dll
c:\windows\system32\hxrnpsag.ini
c:\windows\system32\ijhdfgoe.ini
c:\windows\system32\jazehode.dll
c:\windows\system32\jejobadi.dll
c:\windows\system32\jobijari.exe
c:\windows\system32\lbcdvwcv.ini
c:\windows\system32\LmnUxyxx.ini
c:\windows\system32\LmnUxyxx.ini2
c:\windows\system32\mumayeje.dll
c:\windows\system32\pekuveme.exe
c:\windows\system32\powohefa.dll
c:\windows\system32\pufuniso.dll.tmp
c:\windows\system32\puvepilu.dll
c:\windows\system32\ruhisaba.dll
c:\windows\system32\sazuviyu.dll
c:\windows\system32\sedulepi.dll
c:\windows\system32\uEhNUvut.ini
c:\windows\system32\uEhNUvut.ini2
c:\windows\system32\vetinofu.dll
c:\windows\system32\waduyeso.exe
c:\windows\system32\warevimo.dll
c:\windows\system32\wowafuha.dll
c:\windows\system32\yisusasi.dll.tmp
c:\windows\system32\yoyiliye.exe
c:\windows\ubadulavu.dll
c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService
((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.
2009-10-21 10:18 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-10-21 10:18 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-10-20 18:51 . 2009-10-20 18:51 -------- d-----w- c:\program files\Trend Micro
2009-10-17 13:31 . 2009-10-20 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\02766526
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 18:43 . 2009-08-31 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 17:55 . 2009-05-23 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-18 04:00 . 2008-02-21 15:27 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2009-09-30 13:32 . 2008-02-28 01:13 -------- d-----w- c:\program files\Google
2009-09-17 01:34 . 2009-08-18 13:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-15 13:44 . 2009-09-15 13:44 -------- d-----w- c:\documents and settings\bladner\Application Data\AVG8
2009-09-14 20:42 . 2008-02-21 15:42 69232 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 19:15 . 2008-02-27 02:14 -------- d-----w- c:\documents and settings\bladner\Application Data\Yahoo!
2009-09-11 19:15 . 2008-02-27 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-11 14:18 . 2006-04-30 06:55 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-08-31 17:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-08-31 17:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 12:52 . 2009-09-09 12:52 13308 ----a-w- c:\windows\system32\ruxo.bin
2009-09-09 12:52 . 2009-09-09 12:52 12334 ----a-w- c:\program files\Common Files\piqiquji.dl
2009-09-09 12:52 . 2009-09-09 12:52 19444 ----a-w- c:\windows\system32\afamasev.sys
2009-09-09 12:52 . 2009-09-09 12:52 17940 ----a-w- c:\program files\Common Files\ycopo._dl
2009-09-09 12:52 . 2009-09-09 12:52 16356 ----a-w- c:\documents and settings\bladner\Local Settings\Application Data\covit.dll
2009-09-09 12:52 . 2009-09-09 12:52 16040 ----a-w- c:\program files\Common Files\kewig.bin
2009-09-09 12:52 . 2009-09-09 12:52 14266 ----a-w- c:\documents and settings\bladner\Application Data\myrop.com
2009-09-09 12:52 . 2009-09-09 12:52 12211 ----a-w- c:\documents and settings\bladner\Local Settings\Application Data\pibaqa.pif
2009-09-08 18:45 . 2009-09-08 18:45 18875 ----a-w- c:\documents and settings\bladner\Local Settings\Application Data\vejygoxum.scr
2009-09-08 18:45 . 2009-09-08 18:45 18478 ----a-w- c:\program files\Common Files\dyhizokus._sy
2009-09-08 18:45 . 2009-09-08 18:45 17826 ----a-w- c:\windows\odedevo.com
2009-09-08 18:45 . 2009-09-08 18:45 17194 ----a-w- c:\documents and settings\bladner\Local Settings\Application Data\wiciqu.dll
2009-09-08 18:45 . 2009-09-08 18:45 16212 ----a-w- c:\documents and settings\bladner\Application Data\suqo.pif
2009-09-08 18:45 . 2009-09-08 18:45 15175 ----a-w- c:\program files\Common Files\ewajeso._sy
2009-09-08 18:45 . 2009-09-08 18:45 13388 ----a-w- c:\windows\tuqacanuc.sys
2009-09-08 18:45 . 2009-09-08 18:45 12911 ----a-w- c:\documents and settings\bladner\Local Settings\Application Data\ytin.dat
2009-09-08 18:45 . 2009-09-08 18:45 12509 ----a-w- c:\program files\Common Files\vygecuxuz._dl
2009-09-08 18:45 . 2009-09-08 18:45 12183 ----a-w- c:\windows\uruqola.bin
2009-09-07 22:04 . 2009-09-07 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-07 22:03 . 2009-09-07 22:03 -------- d-----w- c:\program files\NOS
2009-09-04 21:03 . 2006-04-30 06:55 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 19:09 . 2009-08-31 19:09 -------- d-----w- c:\program files\MSBuild
2009-08-31 19:09 . 2009-08-31 19:09 -------- d-----w- c:\program files\Reference Assemblies
2009-08-31 17:13 . 2009-08-31 17:13 -------- d-----w- c:\documents and settings\bladner\Application Data\Malwarebytes
2009-08-31 17:13 . 2009-08-31 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-29 08:08 . 2006-04-30 06:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-28 19:52 . 2009-08-28 19:52 17784 ----a-w- c:\windows\itiwiv.dat
2009-08-28 19:52 . 2009-08-28 19:52 16335 ----a-w- c:\documents and settings\bladner\Application Data\cegip.bin
2009-08-28 19:52 . 2009-08-28 19:52 14743 ----a-w- c:\documents and settings\bladner\Local Settings\Application Data\anywum.dat
2009-08-28 19:52 . 2009-08-28 19:52 13818 ----a-w- c:\documents and settings\bladner\Local Settings\Application Data\avakygahuh.sys
2009-08-28 19:52 . 2009-08-28 19:52 12717 ----a-w- c:\windows\system32\dofu.scr
2009-08-28 19:52 . 2009-08-28 19:52 12561 ----a-w- c:\documents and settings\bladner\Application Data\fukepozaw.com
2009-08-26 08:00 . 2006-04-30 06:56 247326 ------w- c:\windows\system32\strmdll.dll
2009-08-23 12:49 . 2009-08-23 12:49 18830 ----a-w- c:\program files\Common Files\ipuwokywy.ban
2009-08-23 12:49 . 2009-08-23 12:49 15529 ----a-w- c:\windows\system32\duwibobivi.scr
2009-08-23 12:49 . 2009-08-23 12:49 13802 ----a-w- c:\documents and settings\bladner\Local Settings\Application Data\siboramit.exe
2009-08-23 12:49 . 2009-08-23 12:49 13158 ----a-w- c:\program files\Common Files\tuvyjeku.sys
2009-08-23 12:49 . 2009-08-23 12:49 10527 ----a-w- c:\program files\Common Files\muhow.db
2009-08-23 03:32 . 2009-08-23 03:32 0 ----a-w- C:\yihw.exe
2009-08-05 09:01 . 2006-04-30 06:55 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2006-04-30 06:55 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 14:15 . 2009-05-23 02:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-31 14:15 . 2009-05-23 02:17 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-31 14:15 . 2008-02-25 12:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-29 04:37 . 2006-04-30 06:56 119808 ------w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2006-04-30 06:55 81920 ------w- c:\windows\system32\fontsub.dll
2009-07-19 02:35 . 2009-07-19 02:35 1051682 --sha-w- c:\windows\system32\jesatavu.exe
2009-07-20 02:07 . 2009-07-20 02:07 1051170 --sha-w- c:\windows\system32\wiwonahu.exe
2009-07-19 02:12 . 2009-07-19 02:12 1051682 --sha-w- c:\windows\system32\wunufuzo.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pdfSaver3"="c:\program files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [2004-08-10 380928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-25 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-25 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-25 118784]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-04 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-22 136600]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 69632]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-19 196696]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-02-20 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-02-20 110592]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-03-15 421888]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 155648]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-20 2025752]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2006-03-16 106496]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-02-20 00:03 32768 ------w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-31 14:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 03:20 40448 ----a-w- c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ----a-w- c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ----a-w- c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^bladner^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\bladner\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Retrospect\\Retrospect Client\\retroclient.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/22/2009 10:17 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/22/2009 10:17 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/22/2009 10:17 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/22/2009 10:17 PM 297752]
R2 Retrospect Client;Retrospect Client;c:\program files\Retrospect\Retrospect Client\RemotSvc.exe [12/1/2008 5:36 PM 61440]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 7:55 PM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [4/25/2006 11:00 PM 3456]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/18/2009 9:25 AM 133104]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [4/30/2006 2:56 AM 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
2009-10-20 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 23:54]
2009-10-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-28 13:30]
2009-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-18 13:25]
2009-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-18 13:25]
2009-10-21 c:\windows\Tasks\User_Feed_Synchronization-{1D4BF3CD-16DA-49FD-84E4-67C47856A97B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZCxdm993VAUS&ptb=3zO8zXxCCYUnEIWEFtF6uw
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
BHO-{31486f72-2329-42e4-8841-1703f54fc489} - gokoluvo.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-gomidijon - c:\windows\system32\wowafuha.dll
HKLM-Run-rivomimafa - fimukoto.dll
SharedTaskScheduler-{731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\sedulepi.dll
SharedTaskScheduler-{37743f4e-8163-4100-913f-67e02b7f7675} - c:\windows\system32\wowafuha.dll
SSODL-yafuyofom-{731820ba-2090-4a14-a339-99728bbe4fe7} - c:\windows\system32\sedulepi.dll
SSODL-vijetihus-{37743f4e-8163-4100-913f-67e02b7f7675} - c:\windows\system32\wowafuha.dll
Notify-NavLogon - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 06:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,91,4a,25,c1,c5,a4,40,94,1f,5f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ce,91,4a,25,c1,c5,a4,40,94,1f,5f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1336)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
- - - - - - - > 'lsass.exe'(1392)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
- - - - - - - > 'explorer.exe'(2068)
c:\windows\system32\WININET.dll
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Retrospect\Retrospect Client\retroclient.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.EXE
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF8532.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\iPod\bin\iPodService.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-21 6:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-21 10:28
Pre-Run: 38,264,033,280 bytes free
Post-Run: 40,332,562,432 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - C31D909FE0D05ED21DB76C8B57682C78
Glad to hear. ComboFix cleared out a lot of the nasty stuff.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Then:
Please download Malwarebytes' Anti-Malware
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
\
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
QUOTE
http://www.malwarebytes.org/forums/index.php?showtopic=28398
Collect::
c:\documents and settings\All Users\Application Data\02766526
c:\windows\system32\ruxo.bin
c:\program files\Common Files\piqiquji.dl
c:\windows\system32\afamasev.sys
c:\program files\Common Files\ycopo._dl
c:\documents and settings\bladner\Local Settings\Application Data\covit.dll
c:\program files\Common Files\kewig.bin
c:\documents and settings\bladner\Application Data\myrop.com
c:\documents and settings\bladner\Local Settings\Application Data\pibaqa.pif
c:\documents and settings\bladner\Local Settings\Application Data\vejygoxum.scr
c:\program files\Common Files\dyhizokus._sy
c:\windows\odedevo.com
c:\documents and settings\bladner\Local Settings\Application Data\wiciqu.dll
c:\documents and settings\bladner\Application Data\suqo.pif
c:\program files\Common Files\ewajeso._sy
c:\windows\tuqacanuc.sys
c:\documents and settings\bladner\Local Settings\Application Data\ytin.dat
c:\program files\Common Files\vygecuxuz._dl
c:\windows\uruqola.bin
c:\windows\itiwiv.dat
c:\documents and settings\bladner\Application Data\cegip.bin
c:\documents and settings\bladner\Local Settings\Application Data\anywum.dat
c:\documents and settings\bladner\Local Settings\Application Data\avakygahuh.sys
c:\windows\system32\dofu.scr
c:\documents and settings\bladner\Application Data\fukepozaw.com
c:\windows\system32\strmdll.dll
c:\program files\Common Files\ipuwokywy.ban
c:\windows\system32\duwibobivi.scr
c:\documents and settings\bladner\Local Settings\Application Data\siboramit.exe
c:\program files\Common Files\tuvyjeku.sys
c:\program files\Common Files\muhow.db
C:\yihw.exe
c:\windows\system32\jesatavu.exe
c:\windows\system32\wiwonahu.exe
c:\windows\system32\wunufuzo.exe
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
Collect::
c:\documents and settings\All Users\Application Data\02766526
c:\windows\system32\ruxo.bin
c:\program files\Common Files\piqiquji.dl
c:\windows\system32\afamasev.sys
c:\program files\Common Files\ycopo._dl
c:\documents and settings\bladner\Local Settings\Application Data\covit.dll
c:\program files\Common Files\kewig.bin
c:\documents and settings\bladner\Application Data\myrop.com
c:\documents and settings\bladner\Local Settings\Application Data\pibaqa.pif
c:\documents and settings\bladner\Local Settings\Application Data\vejygoxum.scr
c:\program files\Common Files\dyhizokus._sy
c:\windows\odedevo.com
c:\documents and settings\bladner\Local Settings\Application Data\wiciqu.dll
c:\documents and settings\bladner\Application Data\suqo.pif
c:\program files\Common Files\ewajeso._sy
c:\windows\tuqacanuc.sys
c:\documents and settings\bladner\Local Settings\Application Data\ytin.dat
c:\program files\Common Files\vygecuxuz._dl
c:\windows\uruqola.bin
c:\windows\itiwiv.dat
c:\documents and settings\bladner\Application Data\cegip.bin
c:\documents and settings\bladner\Local Settings\Application Data\anywum.dat
c:\documents and settings\bladner\Local Settings\Application Data\avakygahuh.sys
c:\windows\system32\dofu.scr
c:\documents and settings\bladner\Application Data\fukepozaw.com
c:\windows\system32\strmdll.dll
c:\program files\Common Files\ipuwokywy.ban
c:\windows\system32\duwibobivi.scr
c:\documents and settings\bladner\Local Settings\Application Data\siboramit.exe
c:\program files\Common Files\tuvyjeku.sys
c:\program files\Common Files\muhow.db
C:\yihw.exe
c:\windows\system32\jesatavu.exe
c:\windows\system32\wiwonahu.exe
c:\windows\system32\wunufuzo.exe
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Then:
Please download Malwarebytes' Anti-Malware
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
\
Due to lack of feedback this topic has been closed.
If you need this topic reopened, please contact a Moderator with the original link.
Everyone else please start a new topic.
If you need this topic reopened, please contact a Moderator with the original link.
Everyone else please start a new topic.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.