pythonw.exe/Webshots Desktop Search

We cannot properly help you until you attach the logs from ComboFix and MGtools that were requested. However it just sounds like you have something protecting your default search engine. Is the C:\Program Files\AGI\Python25\pythonw.exe software something you or someone else installed. Python is a valid program. Did someone install it as an addon to FireFox.

 

No problem. We'll be here. But you need to attend to this quickly since one infection you have could be Trojan.LegMir-CA The file wincontrol.dll seen in your log monitors user Internet activity and private information and it could send stolen data to a hacker site. See the More Information tab on this link: http://www.sophos.com/security/analyses/viruses-and-spyware/trojlegmirca.html

Python is a programming language and it is probably being used to support some addon to FireFox. Try removing all addons and see what happens.

Addons are meant to change the way your browser works.

 

You are basically clean but have some minor items to fix and then we can do final steps.


Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: (no name) - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - (no file)

And you can optionally fix the below unnecessary startup. Manually run it only when needed.
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

After clicking Fix, exit HJT.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\combofix folder from combofix (if it exists)
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Go to add/remove programs and uninstall HijackThis.
7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
8. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

Your welcome. Surf safely!