system
December 5, 2009, 12:48am
1
If you see something significant showing up in the log can you please tell me?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:15 PM, on 12/4/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16916)
Boot mode: Normal
Running processes:
C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MyWebSearch\bar\d.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\d.bin\MWSOEMON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\HP\HP Software Update\HPWUCli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optimum.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\d.bin\MWSSRCAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\d.bin\MWSSRCAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\d.bin\MWSBAR.DLL
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\d.bin\MWSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [PCMService] “C:\Program Files\Dell\MediaDirect\PCMService.exe”
O4 - HKLM..\Run: [dscactivate] c:\dell\dsca.exe 3
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\d.bin\M3PLUGIN.DLL,UPF
O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] “C:\PROGRA~1\MYWEBS~1\bar\d.bin\m3SrchMn.exe” /m=2 /w /h
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwsoemon.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\RunOnce: [Malwarebytes’ Anti-Malware] C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU..\Run: [swg] “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
system
December 5, 2009, 12:51am
2
O4 - HKCU..\Run: [Aim6] “C:\Program Files\AIM6\aim6.exe” /d locale=en-US ee://aol/imApp
O4 - HKCU..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103472 -“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)” -“http://edits.zwinky.com/zwinky-world/GamePlayer/play.jhtml?gameID=6 ”
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-21-3110149626-1531363465-549697862-1013..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User ‘lala’)
O4 - HKUS\S-1-5-21-3110149626-1531363465-549697862-1013..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103472 -“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)” -“http://edits.zwinky.com/zwinky-world/GamePlayer/play.jhtml?gameID=6 ” (User ‘lala’)
O4 - HKUS\S-1-5-18..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwsoemon.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwsoemon.exe (User ‘Default user’)
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm128YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwssvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
–
End of file - 11537 bytes
Pondus
December 5, 2009, 12:58am
3
Are you running Avast antivirus?
system
December 5, 2009, 1:06am
4
Did you install mywebsearch on your own? If not you need to remove it.
see This
Removal of :
C:\Program Files\MyWebSearch\bar\d.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\d.bin\MWSOEMON.EXE
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\d.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\d.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\d.bin\MWSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\d.bin\MWSBAR.DLL
O4 - HKLM..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\d.bin\M3PLUGIN.DLL,UPF
O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] “C:\PROGRA~1\MYWEBS~1\bar\d.bin\m3SrchMn.exe” /m=2 /w /h
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwsoemon.exe
O4 - HKUS\S-1-5-18..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwsoemon.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwsoemon.exe (User ‘Default user’)
O8 - Extra context menu item: &Search - hxxp://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm128YYUS
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwssvc.exe
It would also be recommended to check Control Panel to see if it is installed and remove it. Then re-run HijackThis to see if any of the entries are gone and remove the remaining ones. However, it's debated that MWS (MyWebSearch) is safe as long as YOU installed it. I disagree and consider it malware.
P.S. Please remove the entries : O4 - HKCU..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103472 -“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)” -“hxxp://edits.zwinky.com/zwinky-world/GamePlayer/play.jhtml?gameID=6”
and
O4 - HKUS\S-1-5-21-3110149626-1531363465-549697862-1013..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103472 -“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)” -“hxxp://edits.zwinky.com/zwinky-world/GamePlayer/play.jhtml?gameID=6” (User ‘lala’)
As zwinky is a malicious website and it appears it hijacked the above entry (the -“hxxp://edits.zwinky.com/zwinky-world/GamePlayer/play.jhtml?gameID=6”) is an indication that it's redirecting to zwinky.
See the below results for zwinky (which installs MyWebSearch).
Result 1
Result 2(See comments on the right)
Result 3
P.S.S. If removing the above two entries (for zwinky) causes your Adobe Shockwave to stop working, you may re-download and re-install it from Here
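Added example, not part of any post in this thread: a small Python triage pass over a HijackThis log that collects entries referencing the product names called out above and lists services marked `(file missing)`. The watch terms and function names are assumptions chosen for illustration; the sample lines are copied from the log and posts above. It also matches the 8.3 short-path alias (`MYWEBS~1`), which a plain search for "MyWebSearch" would miss.

```python
import re
from collections import defaultdict

# HijackThis entries start with a section code such as R3, F2, O4 or O23.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.+)$")

# Assumed watch list, taken from the names discussed in the thread.
WATCH_TERMS = ["MyWebSearch", "FunWebProducts", "zwinky"]

# Sample lines copied from the log and posts above (the URL is in defanged form).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\d.bin\MWSSRCAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] “C:\PROGRA~1\MYWEBS~1\bar\d.bin\m3SrchMn.exe” /m=2 /w /h
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwssvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
"""


def build_matcher(terms):
    """Match each term literally and by the 8.3 alias of a folder with that name."""
    parts = []
    for term in terms:
        parts.append(re.escape(term))
        stem = re.sub(r"[^A-Za-z0-9]", "", term)
        if len(stem) > 8:  # only names longer than 8 characters get an alias
            parts.append(re.escape(stem[:6]) + r"~\d")  # MyWebSearch -> MYWEBS~1
    return re.compile("|".join(parts), re.IGNORECASE)


def triage(log_text, terms):
    """Return ({section code: [entries matching a term]}, [orphaned entries])."""
    matcher = build_matcher(terms)
    flagged = defaultdict(list)
    orphaned = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines and the running-process list carry no code
        code, body = m.groups()
        if matcher.search(body):
            flagged[code].append(body)
        elif body.endswith("(file missing)"):
            orphaned.append(body)  # registry entry whose target file is gone
    return dict(flagged), orphaned


if __name__ == "__main__":
    hits, missing = triage(SAMPLE_LOG, WATCH_TERMS)
    for code in sorted(hits):
        for body in hits[code]:
            print(f"[review] {code} - {body}")
    for body in missing:
        print(f"[orphan] {body}")
```

A match only marks an entry for review; whether to fix it is still a judgement made against the installed-programs list and a fresh scan.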
Pondus
December 5, 2009, 1:14am
5
I can not see any Avast files, and this is an Avast forum…
I see files from Norton AntiVirus and Trend Micro firewall. If you are running Norton Internet Security you already have a firewall and should remove Trend, as running multiple firewalls can create mysterious Windows errors.
You also have Malwarebytes Anti-Malware; update it and run a quick scan, and click “remove selected” to quarantine anything found.
This HijackThis auto analyze indicates that you may have some bugs
http://www.hijackthis.de/#anl
system
December 5, 2009, 1:19am
6
It’s ok Pondus. Not all of the people that come here (for help or not) use avast. I still don’t mind helping someone out if I am able to.
@TeddyGal
Please see my above post
system
December 5, 2009, 1:28am
8
@Pondus
That wasn’t what I was saying at all =( and yes.
@TeddyGal
After you make the pending changes / advice given from pondus and myself please post back here with any other information (New HJT,MBAM logs, etc.)
Hope we can and did help
system
December 5, 2009, 1:37am
9
Vista SP1 has been available since April 15, 2008
http://technet.microsoft.com/en-us/windows/bb738089.aspx
Vista SP2 has been available since May 25 2009
http://www.microsoft.com/downloads/details.aspx?FamilyID=a4dd31d5-f907-4406-9012-a5c3199ea2b3&displaylang=en
You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.
Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.
IE8 is more secure than IE7 and has a lot better performance:
http://www.microsoft.com/windows/Internet-explorer/default.aspx
Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online
system
December 5, 2009, 3:08am
10
Thanks Pondus and Dark Legend, @Dark Legend…I couldn’t find
O4 - HKUS\S-1-5-21-3110149626-1531363465-549697862-1013..\RunOnce: [Shockwave Updater] C:\Windows\System32\Adobe\SHOCKW~1\SWHELP~3.EXE -Update -1103472 -“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)” -“hxxp://edits.zwinky.com/zwinky-world/GamePlayer/play.jhtml?gameID=6” (User ‘lala’)
Is that ok?
system
December 5, 2009, 7:59am
11
Did you remove the others? As it is possible it was auto-removed if it was dependent on some of the other entries. To answer your question, if it’s gone then you should be ok… I don’t think it would be hiding (I don’t see how it would anyway).
But you can go ahead and re-run HJT and produce new logs for us to take a look at once you have done everything else.
If you re-post with your new HJT, MBAM and other logs, go ahead and save the log (.txt) to an easily accessible location, and in a new response to this thread click “additional options” at the bottom left and under the “attach” button find those logs and upload them here and hit post.
If you can’t do it this way then you can go ahead and just copy and paste the logs here.
But only generate new logs for us to take a look at after you have fixed everything else. Like doing MBAM and other scans that have been recommended. That also gives others time to look through the existing ones and pick out the stuff I may have missed :D.
I also missed one it seems…
Please remove O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
(I replaced the http address with hxxp as it is a malicious download.)
and ANY indications of the above file. It is being flagged by many AV’s as malware(Trojans,spyware,adware etc.) and / or potentially unwanted or dangerous.
You may see the below scans of the above file (I went to it and downloaded and scanned the file.)
Virus Total Result for ZwinkyInitialSetup
Jotti Malware Scan Result for Zwinky
You may visit Virus Total and Jotti Malware Scan to upload and scan any files you deem suspicious. It scans the file with 40 other anti-viruses. This gives you a greater understanding of whether or not a file is malicious or safe.
P.S. No problem, Glad I could help :D.
system
December 7, 2009, 10:28pm
12
Sorry for the late reply, I have been a little busy…I attached the log.
Larc
December 8, 2009, 3:21am
13
Please proceed to do this in Safe Mode:
1 Press Windows Key + R
2 Type in: appwiz.cpl
3 Uninstall every instance of those with the keyword: MyWebSearch, Search Assistant - My Way or My Way Speedbar. If you find some other installation entries that you find suspicious or related to My Web, proceed to uninstall.
4 Please post another HJT log.
Larc
December 9, 2009, 12:31pm
15
Thank you for following the first steps. Now, please reopen HijackThis and select Do a system scan only. Then put a check beside these items:
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\d.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\d.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\d.bin\MWSBAR.DLL
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\d.bin\MWSBAR.DLL
O4 - HKLM..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\d.bin\M3PLUGIN.DLL,UPF
O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] “C:\PROGRA~1\MYWEBS~1\bar\d.bin\m3SrchMn.exe” /m=2 /w /h
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwsoemon.exe
O4 - HKUS\S-1-5-18..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwsoemon.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwsoemon.exe (User ‘Default user’)
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm128YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\d.bin\mwssvc.exe
Afterwards, reboot into Safe Mode and delete this folder:
C:\Program Files\MyWebSearch
Post a new HJT log.
system
December 9, 2009, 10:54pm
17
Go back and do the steps recommended:
http://forum.avast.com/index.php?topic=51809.msg438453#msg438453
and by L’ arc :. Today at 07:31:27 AM
Larc
December 10, 2009, 11:21am
18
It appears like you didn’t fix the entries or uninstall the programs after all, or did it just reappear?
system
December 10, 2009, 11:59pm
19
I did fix the entries, maybe they're just reappearing… Also when I tried to do the Windows Update it only installed one and then showed an error message http://img17.imageshack.us/img17/8193/windowsupdatemessage.jpg I tried again several times and still the same result. And right now I just finished a Secunia scan and it said that Adobe Reader 8, Adobe Flash Player 10 and 9, and Sun Java JRE 1.6x are insecure programs and that I need to install the newer version. Is this scanner accurate?