Win32.mywebsearch-O [Tool]--Help please.

I have been plagued by this virus and it seems to keep changing places in my file system. But regardless of where it goes, it seems to slow Internet Explorer way down to the point of freezing up my computer and I have to restart. Just when I think I have it either deleted or locked in a virus chest, it shows up somewhere else. I am using XP Home, IE7 SP3.

Virus Info: A0070149.dll Win32.mywebsearch-O [Tool] Restore sector. file size 28672

I have run and/or installed Spybot S & D, Lavasoft Adaware, MBAM, SpywareBlaster, Rogue Remover Free, ClearProg, SUPERantispyware & ATF Cleaner. Some of the programs found problems which I removed according to instructions that I found on other posts here. I have removed all traces of Norton with the Norton Remover Tool. I have run a boot scan with Avast and it does not show anything, however when I ran a thorough scan including the archives, it showed up in the restore sector. I have turned off restore and will leave it off until I am sure that this thing is gone.

Here is the HJT log that I just ran after starting to read the forum:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:24 PM, on 9/23/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Airlink101\AWLL3028\RtWLan.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus7.hpwis.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [WCOLOREAL] “C:\Program Files\Coloreal\coloreal.exe”
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM..\Run: [itype] “C:\Program Files\Microsoft IntelliType Pro\itype.exe”
O4 - HKLM..\Run: [Reminder] “C:\Windows\Creator\Remind_XP.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Airlink101 USB Wireless Configuration Utility.lnk = C:\Program Files\Airlink101\AWLL3028\RtWLan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217229623515
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/msxml4.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


End of file - 5948 bytes

unfortunately your hjt looks too good
what is your firewall?

Win32.mywebsearch-O
could you go to virustotal and then navigate to this virus and upload the file
if in the AVAST CHEST make a new folder called “suspicious”
C:\suspicious
exclude C:\suspicious from avast scanning then export the virus to
c:\suspicious
then go to virustotal and navigate to your folder and upload the file
post the results

You do not run spywareblaster- just install it and update occasionally

A-Squared Anti-Malware claims to get the O variant
and
SuperAntispyware are worth a shot: update and clean; quarantine, do not remove or delete
post the log but edit out cookies if any

Spybot updates tomorrow-- update Wednesday and immunize
do you have sd-helper and t-timer turned on?
if so turn it off while cleaning

you can use SDFIX to scan and to look for rootkits
Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

  • Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

  • Restart your computer

  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

  • Instead of Windows loading as normal, a menu with options should appear;

  • Select the first option, to run Windows in Safe Mode, then press “Enter”.

  • Choose your usual account.

  • In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.

  • Type Y to begin the script.

  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.

  • Press any Key and it will restart the PC.

  • Your system will take longer than normal to restart as the fixtool will be running and removing files.

  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

We really need to see the logs to see exactly what we are dealing with

you have not yet had a second AV opinion
try a Dr.Web CureIt scan

wyrmrider,

I have a 2wire548 router that was sent to me by my ISP (Embarq). I do like their service. Never much of a problem with them, but the original router finally bit the dust and they sent me this one.

I just ran the Avast! Virus Cleaner Tool and this is what it said:

avast! Virus Cleaner Tool - version 1.0.211 Unicode

Creating log file: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JTO8BLGJ\aswclnr[1].log

9/23/2008, 6:29:00 PM
Memory scanning started…
No virus body found in memory.
Memory scanning finished (74.1s).

Files scanning started…
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE467.tmp… file could not be scanned!
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE479.tmp… file could not be scanned!
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\3716… file could not be scanned!
C:\WINDOWS\system32\CatRoot2\edb.log… file could not be scanned!
C:\WINDOWS\system32\CatRoot2\tmp.edb… file could not be scanned!
No virus body found.
Files scanning finished (56897 files, 0 infected, 1026.5s).
Drives scanned: C: D:

I will start working on the other things you have suggested and post back (It may not be until the morning that I am able to post though.) Thanks for your help.

http://www.suggestafix.com/index.php?showtopic=14280

google around on some of those other names when you get a chance

VirusTotal
AhnLab-V3 2008.8.27.1 2008.08.27 -
AntiVir 7.8.1.23 2008.08.27 ADSPY/Mywebsearch.28672.2
Authentium 5.1.0.4 2008.08.27 -
Avast 4.8.1195.0 2008.08.26 -
AVG 8.0.0.161 2008.08.27 -
BitDefender 7.2 2008.08.27 -
CAT-QuickHeal 9.50 2008.08.26 AdTool.MyWebSearch.cv (Not a Virus)
ClamAV 0.93.1 2008.08.27 -
DrWeb 4.44.0.09170 2008.08.27 -
eSafe 7.0.17.0 2008.08.26 -
eTrust-Vet 31.6.6052 2008.08.27 -
Ewido 4.0 2008.08.27 -
F-Prot 4.4.4.56 2008.08.27 -
F-Secure 7.60.13501.0 2008.08.27 AdTool.Win32.MyWebSearch.cv
Fortinet 3.14.0.0 2008.08.26 Adware/MyWebSearch
GData 19 2008.08.27 -
Ikarus T3.1.1.34.0 2008.08.27 AdWare.Mywebsearch.28672.2
K7AntiVirus 7.10.428 2008.08.25 not-a-virus:AdTool.Win32.MyWebSearch.cv
Kaspersky 7.0.0.125 2008.08.27 not-a-virus:AdTool.Win32.MyWebSearch.cv
McAfee 5370 2008.08.26 potentially unwanted program MWS
Microsoft 1.3807 2008.08.25 -
NOD32v2 3392 2008.08.27 Win32/Toolbar.MyWebSearch
Norman 5.80.02 2008.08.26 -
Panda 9.0.0.4 2008.08.26 -
PCTools 4.4.2.0 2008.08.26 -
Prevx1 V2 2008.08.27 -
Rising 20.59.21.00 2008.08.27 -
Sophos 4.32.0 2008.08.27 MyWebSearch
Sunbelt 3.1.1582.1 2008.08.26 MyWebSearch Toolbar
Symantec 10 2008.08.27 -
TheHacker 6.3.0.6.060 2008.08.23 Aplicacion/MyWebSearch.cv
TrendMicro 8.700.0.1004 2008.08.27 -
VBA32 3.12.8.4 2008.08.26 -
ViRobot 2008.8.27.1352 2008.08.27 -
VirusBuster 4.5.11.0 2008.08.26 -
Webwasher-Gateway 6.6.2 2008.08.27 Ad-Spyware.Mywebsearch.28672.2
Additional information
File size: 28672 bytes
MD5…: 1375586480385cfdd91a0f27b2e28f3e
SHA1…: 511defd57d3b3d083697039b7cab9d1fff1f3c72
SHA256: 36f6ecf4ceee2a36cdba179cddad42e8dbaae8d8346c87e66222324ea2f1708a
SHA512: 29a761052d256f672af4518494938b9616816d2350da6c00b28b0ee135c9078e6557e535fbbf1a6404ed29df619fd549348c05f2924aea6d461399d3be7843e6
PEiD…: -
TrID…: File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001260
timedatestamp…: 0x481f3128 (Mon May 05 16:09:12 2008)
machinetype…: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x11a0 0x2000 4.02 27b2399656dbd4995de7c12e68a97297
.rdata 0x3000 0x409 0x1000 1.72 9fbd3a37929ee8f4d3df722831bcdd23
.data 0x4000 0x3ee 0x1000 1.31 d5d7b3525616aa8009e61dc9bbe18ad9
.rsrc 0x5000 0x3b0 0x1000 0.98 54ff2dc8f33c483c8001be36ee7ccf40
.reloc 0x6000 0x27a 0x1000 1.20 e2b9ad57d39a28398b2ff690aed03f47

( 2 imports )

KERNEL32.dll: InitializeCriticalSection, DeleteCriticalSection, HeapAlloc, GetProcessHeap, HeapReAlloc, HeapFree, LeaveCriticalSection, VirtualQuery, LoadLibraryExA, GetSystemDirectoryA, GetProcAddress, lstrcatA, GetModuleFileNameA, VirtualProtect, GetModuleHandleA, lstrcmpiA, IsBadReadPtr, GetVersionExA, lstrlenA, EnterCriticalSection, lstrcpyA
ADVAPI32.dll: RegQueryValueExA, RegCloseKey, RegOpenKeyExA

( 5 exports )
AlphaBlend, DllInitialize, GradientFill, TransparentBlt, vSetDdrawflag

A2SCAN

a-squared Anti-Malware - Version 3.5
Last update: 9/23/2008 8:03:11 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:, D:
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 9/23/2008 8:03:24 PM

c:\windows\system32\fonts detected: Trace.Directory.IamBigBrother
Key: HKEY_CLASSES_ROOT\interface{549f957d-2f89-11d6-8cfe-00c04f52b225} detected: Trace.Registry.CoolSavings
Key: HKEY_CLASSES_ROOT\interface{549f957f-2f89-11d6-8cfe-00c04f52b225} detected: Trace.Registry.CoolSavings
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/cpnmgr.dll detected: Trace.Registry.CoolSavings
Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls → c:\windows\downloaded program files\cpnmgr.dll detected: Trace.Registry.CoolSavings
Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run → reminder detected: Trace.Registry.FTPAttack

(Cookies edited)

C:\hp\bin\CorelWP\src\intro.exe detected: Trojan.Win32.RC5_Dropper.e
C:\hp\bin\KillWind.exe detected: Riskware.RiskTool.Win32.PsKill.p
C:\Suspicious\A0070149.dll detected: Riskware.AdTool.Win32.MyWebSearch.cv

Scanned

Files: 75486
Traces: 440839
Cookies: 61
Processes: 30

Found

Files: 3
Traces: 6
Cookies: 6
Processes: 0
Registry keys: 0

Scan end: 9/23/2008 9:11:12 PM
Scan time: 1:07:48

C:\hp\bin\CorelWP\src\intro.exe Quarantined Trojan.Win32.RC5_Dropper.e
C:\Suspicious\A0070149.dll Quarantined Riskware.AdTool.Win32.MyWebSearch.cv
C:\hp\bin\KillWind.exe Quarantined Riskware.RiskTool.Win32.PsKill.p

(cookies edited)

Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run → reminder Quarantined Trace.Registry.FTPAttack
Key: HKEY_CLASSES_ROOT\interface{549f957d-2f89-11d6-8cfe-00c04f52b225} Quarantined Trace.Registry.CoolSavings
Key: HKEY_CLASSES_ROOT\interface{549f957f-2f89-11d6-8cfe-00c04f52b225} Quarantined Trace.Registry.CoolSavings
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/cpnmgr.dll Quarantined Trace.Registry.CoolSavings
Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls → c:\windows\downloaded program files\cpnmgr.dll Quarantined Trace.Registry.CoolSavings
c:\windows\system32\fonts Quarantined Trace.Directory.IamBigBrother

Quarantined

Files: 2
Traces: 6
Cookies: 6

SuperAntispyware
No virus

SDFIX & DR WEB CURE IT next post

Dr Web Cure It Scan: (I did delete two items but was unsure what to do with the other two…one of them is listed under “hack tools” I think it was SDFix)

Terminator.exe;C:\hp\bin;Trojan.KillApp.30208;Deleted.;
msnfixjs.js;C:\hp\patches\32WW5MSN\msnfix;Probably SCRIPT.Virus;;
EN_CA-ie.reg;C:\hp\region;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;

Finally found my SDFix from last night. I think, with this post, I have everything you asked for:

SDFix: Version 1.228
Run by Administrator on Tue 09/24/2008 at

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-23 22:19:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden services & system hive …

scanning hidden registry entries …

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Documents and Settings\Owner\Local Settings\Temp\WZSE0.TMP\SymNRT.exe"="C:\Documents and Settings\Owner\Local Settings\Temp\WZSE0.TMP\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

Files with Hidden Attributes :

Sun 13 Apr 2008 1,695,232 …SH. — “C:\Program Files\Messenger\msmsgs.exe”
Mon 7 Jul 2008 1,429,840 A.SHR — “C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe”
Mon 7 Jul 2008 4,891,472 A.SHR — “C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe”
Mon 18 Aug 2008 1,832,272 A.SHR — “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe”
Tue 20 May 2003 0 A.SH. — “C:\WINDOWS\SMINST\HPCD.SYS”
Tue 29 Jul 2008 0 A.SH. — “C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp”

Finished!

well, A-squared did its job
SDFix was left with nothing to find; it also shows no rootkit

looking at VirusTotal
MyWebSearch is variant cv
we can see that Dr.Web does not target it, nor does Avast
however F-Secure does and I think that they have a free scanner
let's check out the F-Secure website--
anyone have a link or experience with F-Secure?

you can google things that you are not sure of. I think you did fine, but I'd appreciate it if someone else would look at the Dr.Web CureIt deletions
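As an added example (not part of the thread and not VirusTotal's own tooling): a small Python parser for the legacy VirusTotal listing posted earlier, answering the questions raised just above, which engines flag the file, which (Avast, Dr.Web) do not, and which variant letter the labels agree on. The embedded input is a subset of the engine lines copied from that report.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Subset of the engine lines from the VirusTotal report posted in this thread
# (copied from the report, not constructed); the full report lists 36 engines.
VT_REPORT = """\
AntiVir 7.8.1.23 2008.08.27 ADSPY/Mywebsearch.28672.2
Avast 4.8.1195.0 2008.08.26 -
CAT-QuickHeal 9.50 2008.08.26 AdTool.MyWebSearch.cv (Not a Virus)
DrWeb 4.44.0.09170 2008.08.27 -
F-Secure 7.60.13501.0 2008.08.27 AdTool.Win32.MyWebSearch.cv
Kaspersky 7.0.0.125 2008.08.27 not-a-virus:AdTool.Win32.MyWebSearch.cv
McAfee 5370 2008.08.26 potentially unwanted program MWS
NOD32v2 3392 2008.08.27 Win32/Toolbar.MyWebSearch
Symantec 10 2008.08.27 -
"""

# Line layout: engine, engine version, signature date (YYYY.MM.DD), result.
# The result may contain spaces; a lone "-" means the engine reported clean.
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")
# Variant suffix as used by Kaspersky/F-Secure style names: MyWebSearch.cv
_VARIANT = re.compile(r"mywebsearch\.([a-z]+)", re.IGNORECASE)


def parse_report(text: str) -> Dict[str, Optional[str]]:
    """Map engine name -> detection label, or None when the engine said '-'."""
    results: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header lines and the "Additional information" block
        engine, _version, _date, label = m.groups()
        results[engine] = None if label == "-" else label
    return results


def detection_ratio(results: Dict[str, Optional[str]]) -> Tuple[int, int]:
    """(engines flagging the file, engines in the report)."""
    hits = sum(1 for label in results.values() if label is not None)
    return hits, len(results)


def detects(results: Dict[str, Optional[str]], engine: str) -> bool:
    """Does this engine flag the file? Unknown engines count as no."""
    return results.get(engine) is not None


def engines_mentioning(results: Dict[str, Optional[str]], family: str) -> List[str]:
    """Engines whose label names the family (case-insensitive substring)."""
    return sorted(e for e, v in results.items()
                  if v is not None and family.lower() in v.lower())


def variants(results: Dict[str, Optional[str]]) -> Set[str]:
    """Variant letters found in labels, e.g. {'cv'}; more than one = disagreement."""
    found: Set[str] = set()
    for label in results.values():
        m = _VARIANT.search(label or "")
        if m:
            found.add(m.group(1).lower())
    return found


if __name__ == "__main__":
    r = parse_report(VT_REPORT)
    hits, total = detection_ratio(r)
    print(f"{hits}/{total} engines flag the file")
    print("name the family:", ", ".join(engines_mentioning(r, "mywebsearch")))
    print("variant letters:", variants(r))
    for engine in ("Avast", "DrWeb", "F-Secure"):
        print(f"{engine}: {'detects' if detects(r, engine) else 'clean'}")
```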

Thanks for the help, wyrmrider! I really appreciate it. I wouldn’t have known what else to do without you. I will keep an eye out for a post concerning the Dr. Web Cure It deletions.

you did do everything
sometime, if you want a second opinion that a-squared got all of that one item, you could try the F-Secure online AV scan; just do it instead of your next Avast scan

let's go back over some of the older posts
did you get SpywareBlaster installed?
Spybot Search and Destroy: install sd-helper, update and immunize, run a scan-
these two and your new firewall are for prevention

did you look at this?
http://www.suggestafix.com/index.php?showtopic=14280

No, you gave me some extra tools I had no idea were available. They were very helpful in getting rid of a couple of Trojans that no other program had found. Kudos to you wyrmrider!

Yep, Spywareblaster is installed and working. I installed Spybot S & D’s sd-helper and immunized again. Then ran a scan. It came up clean.

I checked the url that you sent about hsperfdata_Owner. Since going through the rest of the scans and deleting some Google files as well, I don’t see it anywhere. I will keep an eye out for it in the future – just in case. I don’t plan on using any Google related items any time soon, beyond an email account, so maybe I won’t have that “little critter” again.

I am going to run an F-Secure online scan after I leave here. I am kind of paranoid about this now. Will let you know what comes up. Thanks again.

Download CCleaner and clean out IE’s Temporary Internet Files:
http://www.ccleaner.com

9/23/2008, 6:29:00 PM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (74.1s).
----------
Files scanning started...
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE467.tmp... file could not be scanned!
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE479.tmp... file could not be scanned!
Those are normal
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\3716... file could not be scanned!
Have a look at: http://www.annoyances.org/exec/forum/winxp/1203962715
C:\WINDOWS\system32\CatRoot2\edb.log... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\tmp.edb... file could not be scanned!
No virus body found.
Files scanning finished (56897 files, 0 infected, 1026.5s).
Drives scanned: C: D:
----------
I will start working on the other things you have suggested and post back (It may not be until the morning that I am able to post though.) Thanks for your help.
The last two are because you are running Windows Server 2003 SP1

Google is your friend.

YoKenny,

I downloaded the CCleaner to my computer and it removed 103.8MB of flash trash, java junk and cookie “crumbs”.

I read the post at http://www.annoyances.org/exec/forum/winxp/1203962715 and unfortunately I don’t understand most of it, but I did gather that hsperfdata_“whatever” relates to java. My question now is: Do I leave java and that file on my computer and is it safe? Or is it better, since I don’t use it that often, to just remove it?

Also, I really do like Google. I use them as my homepage. I do like their search engine and am always using it to look up computer related info. But as far as downloading any programs from ANY site, I will be very careful if I download anything at all from anywhere. I am more likely to buy a cd of anything that I need or want from now on, unless I know or ask if a site and their software is safe to download from. (I didn’t download that many but there were a few.)

Beyond the java question, it looks like my computer is ready then?

Is it a file or a folder?

This is how the Avast Virus Cleaner Tool result read:

C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\3716… file could not be scanned!

I can’t find a folder called hsperfdata in my computer… If it is a Java folder, maybe you have downloaded something… Needed or not, you can delete the folder, uninstall Java, and install it again.
Maybe JavaRa could help you on this (http://raproducts.org/javara.html).

this came up in the Avast removal tool scan, see page 1:
C:\Documents and Settings\Owner\Local Settings\Temp\hsperfdata_Owner\3716… file could not be scanned!
just trying to figure out what it was/is

I traced it back to Sun Java and here is the url: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5073453. Now can someone translate this for me, please?

Go to Add/Remove programs and un-install all old versions of Sun Java then reboot.

Download JavaRa then run it to check that all Sun Java remnants are gone:
http://raproducts.org

Download the latest Sun Java JRE then install it:
http://www.java.com/en/download/manual.jsp

Run Secunia Online Software Inspector to check for other vulnerable applications:
http://secunia.com/vulnerability_scanning/online

Went and uninstalled all the old versions of Sun Java and rebooted. JavaRa did not show any remnants of Java. Downloaded the latest version and installed it. Ran Secunia Online and it showed something interesting. Flash Player was NOT secure. I uninstalled it and reinstalled it. Then ran Secunia again. This time I ran a thorough scan. (This is where the interesting part came in.) It showed two instances of IE 7 installed. One secure and one not…only one showed in Add/Remove Programs. I went and deleted the insecure version’s folder and contents according to what Secunia told me the folder and version were. Restarted the computer. I am going to run another scan in the morning and will post the results.