Options
Nexplore pop ups...
I'm getting pop ups galore! Found you guys by Googling "Nexplore"
Here's the Highjack This log. Thanks for your help!
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:56:09 PM, on 12/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Acer\Acer eMode Management\AspireService.exe
C:\Program Files\Acer\Acer eConsole\MediaSync.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=G13FFodLzV7WGter.a4_CQ
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [rotatigov] Rundll32.exe "c:\windows\system32\watifeho.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: nuhugofe.dll c:\windows\system32\layezefu.dll fagefute.dll C:\WINDOWS\TEMP\tmp100.dll sadezaji.dll c:\windows\system32\watifeho.dll
O21 - SSODL: sakoserig - {b708bcf3-036a-4d66-8c36-b1dbd8ad79d2} - c:\windows\system32\layezefu.dll (file missing)
O21 - SSODL: mujakitek - {6e36f682-b313-4fea-b0b0-8f9748f160cf} - c:\windows\system32\watifeho.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: tokatiluy - {b708bcf3-036a-4d66-8c36-b1dbd8ad79d2} - c:\windows\system32\layezefu.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {6e36f682-b313-4fea-b0b0-8f9748f160cf} - c:\windows\system32\watifeho.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6122 bytes
Here's the Highjack This log. Thanks for your help!
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:56:09 PM, on 12/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Acer\Acer eMode Management\AspireService.exe
C:\Program Files\Acer\Acer eConsole\MediaSync.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=G13FFodLzV7WGter.a4_CQ
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AspireService] C:\Program Files\Acer\Acer eMode Management\AspireService.exe
O4 - HKLM\..\Run: [MediaSync] C:\Program Files\Acer\Acer eConsole\MediaSync.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [rotatigov] Rundll32.exe "c:\windows\system32\watifeho.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: nuhugofe.dll c:\windows\system32\layezefu.dll fagefute.dll C:\WINDOWS\TEMP\tmp100.dll sadezaji.dll c:\windows\system32\watifeho.dll
O21 - SSODL: sakoserig - {b708bcf3-036a-4d66-8c36-b1dbd8ad79d2} - c:\windows\system32\layezefu.dll (file missing)
O21 - SSODL: mujakitek - {6e36f682-b313-4fea-b0b0-8f9748f160cf} - c:\windows\system32\watifeho.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: tokatiluy - {b708bcf3-036a-4d66-8c36-b1dbd8ad79d2} - c:\windows\system32\layezefu.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {6e36f682-b313-4fea-b0b0-8f9748f160cf} - c:\windows\system32\watifeho.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6122 bytes
0
Comments
A few things before we start....
1. Please Read All Instructions Carefully.
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please do not run any other tools or scans whilst I am helping you.
4. If you have to go away for an extended period of time, let me know.
5. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there)
Please download Malwarebytes' Anti-Malware by clicking the link below:
Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at Download.com
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.
Please Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:
Go here ======> A guide and tutorial on using ComboFix <====== Go here
For now, the download link is:
http://download.bleepingcomputer.com/sUBs/Beta/KittyFix.exe
Please also ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use the download meant for SP2.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should get a prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.
Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
"Unable to execute file...
Create process failed code 2
The system cannot find the file specified."
I tried to find & open it anyway, but couldn't open it, so I uninstalled it & re-installed it. Same message,
If that doesn't work, go on with running ComboFix.
I'll go back to Bleeping Computer & copy the report I pasted there & paste it here in another post, just in case this not the right report.
ComboFix 09-12-25.04 - Tim 12/26/2009 7:04.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1470.901 [GMT -8:00]
Running from: c:\documents and settings\Tim\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Tim\Application Data\FunWebProducts
c:\documents and settings\Tim\Application Data\FunWebProducts\Data\Tim\avatar.dat
c:\documents and settings\Tim\Application Data\FunWebProducts\Data\Tim\outfit.dat
c:\documents and settings\Tim\Application Data\FunWebProducts\Data\Tim\zbucks.dat
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\00F1603C.urr
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\3.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\3.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\3.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\3.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\4.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\4.bin\F3CJpeg.dll
c:\program files\MyWebSearch\bar\4.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\4.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\4.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\4.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\4.bin\F3HTtpct.dll
c:\program files\MyWebSearch\bar\4.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\4.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\4.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\4.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\4.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\4.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\4.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\4.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\4.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\4.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\4.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\4.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\4.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\4.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\4.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\4.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\4.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\4.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\4.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\4.bin\M3OUtlcn.dll
c:\program files\MyWebSearch\bar\4.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\4.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\4.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\4.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\4.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\4.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\4.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\common-x.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\common.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\include.js
c:\program files\MyWebSearch\bar\Avatar\COMMON\index.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loader.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loading.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\logo.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
c:\program files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\window.ico
c:\program files\MyWebSearch\bar\Cache\00EEE597
c:\program files\MyWebSearch\bar\Cache\00EEEC9C.bin
c:\program files\MyWebSearch\bar\Cache\00EEF382.bin
c:\program files\MyWebSearch\bar\Cache\00EEF6ED.bin
c:\program files\MyWebSearch\bar\Cache\00EEF9FA.bin
c:\program files\MyWebSearch\bar\Cache\00EEFAB6.bin
c:\program files\MyWebSearch\bar\Cache\01BC1453
c:\program files\MyWebSearch\bar\Cache\01BC397F
c:\program files\MyWebSearch\bar\Cache\01BC3B34
c:\program files\MyWebSearch\bar\Cache\01BC3CAB
c:\program files\MyWebSearch\bar\Cache\03F05D1D.bin
c:\program files\MyWebSearch\bar\Cache\03F05D9A.bin
c:\program files\MyWebSearch\bar\Cache\03F05DF7
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\firefox\CHROME.MANIFEST
c:\program files\MyWebSearch\bar\firefox\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\firefox\INSTALL.RDF
c:\program files\MyWebSearch\bar\firefox\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Message\COMMON\8_step1.gif
c:\program files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.htm
c:\program files\MyWebSearch\bar\Message\COMMON\bkwebfet.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzwinky.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn2d.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn2r.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn3d.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn3r.png
c:\program files\MyWebSearch\bar\Message\COMMON\center.htm
c:\program files\MyWebSearch\bar\Message\COMMON\index.htm
c:\program files\MyWebSearch\bar\Message\COMMON\logo_ZJ.png
c:\program files\MyWebSearch\bar\Message\COMMON\logo_ZR.png
c:\program files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
c:\program files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\protect.htm
c:\program files\MyWebSearch\bar\Message\COMMON\reb_bg.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtnbg.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtnn1.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtnn2.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtny1.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtny2.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebclose.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebut.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut2.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut3.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut3b.htm
c:\program files\MyWebSearch\bar\Message\COMMON\repmidsm.png
c:\program files\MyWebSearch\bar\Message\COMMON\shield.png
c:\program files\MyWebSearch\bar\Message\COMMON\shocked.gif
c:\program files\MyWebSearch\bar\Message\COMMON\stop.gif
c:\program files\MyWebSearch\bar\Message\COMMON\systray.htm
c:\program files\MyWebSearch\bar\Message\COMMON\systrayp.htm
c:\program files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
c:\program files\MyWebSearch\bar\Message\COMMON\warn.gif
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\setups\My Web Search Installer.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\habupawe.dll.tmp
c:\windows\system32\jurunute.dll.tmp
c:\windows\system32\nuhugofe.dll
c:\windows\system32\reboyuti.dll
c:\windows\system32\yipiwopa.dll
c:\windows\system32\zudeyuwi.dll.tmp
c:\windows\system32\zunadahi.dll
c:\windows\Tasks\axxvyqyh.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_MYWEBSEARCHSERVICE
\Service_MyWebSearchService
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.
2009-12-26 03:12 . 2009-12-26 03:12
d
w- c:\program files\Angle Interactive
2009-12-19 16:24 . 2009-12-19 16:24
d
w- c:\documents and settings\Tim\Application Data\Amazon
2009-12-19 16:23 . 2009-12-19 16:23
d
w- c:\program files\Amazon
2009-12-07 04:27 . 2009-12-07 04:27
d
w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-07 02:59 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-07 02:59 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-07 02:40 . 2009-11-03 04:42 195456
w- c:\windows\system32\MpSigStub.exe
2009-12-07 01:43 . 2009-12-07 01:43
d
w- c:\documents and settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-14 20:15 . 2009-09-06 04:01 1 ----a-w- c:\documents and settings\Tim\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-07 01:03 . 2009-09-10 14:17 13599271
w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-07 01:00 . 2009-09-06 01:28 38408 ----a-w- c:\documents and settings\Tim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-07 00:52 . 2009-11-04 18:28 0 ----a-w- c:\documents and settings\Tim\Local Settings\Application Data\prvlcl.dat
2009-11-04 14:18 . 2009-11-04 14:18
d
w- c:\program files\AVG
2009-10-29 07:45 . 2005-07-03 02:11 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2004-08-04 13:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 13:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 13:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 13:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 13:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 13:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-26 12:29 . 2009-09-26 12:29 51712 --sha-w- c:\windows\system32\gupuvefa.dll
2009-09-26 00:28 . 2009-09-26 00:28 39424 --sha-w- c:\windows\system32\borababu.dll
2009-09-26 00:28 . 2009-09-26 00:28 94208 --sha-w- c:\windows\system32\ranuvozo.dll
2009-09-26 12:28 . 2009-09-26 12:28 61952 --sha-w- c:\windows\system32\nupejote.dll
2009-09-26 12:28 . 2009-09-26 12:28 51712 --sha-w- c:\windows\system32\fotobike.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{996a7981-4d77-4e93-8743-8e0f6248d3e6}]
2009-09-26 12:29 51712 --sha-w- c:\windows\system32\gupuvefa.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SoundMan"="SOUNDMAN.EXE" [2005-09-23 90112]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]
"nwiz"="nwiz.exe" [2005-11-11 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-11 86016]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-06 149280]
"AspireService"="c:\program files\Acer\Acer eMode Management\AspireService.exe" [2006-01-19 110592]
"MediaSync"="c:\program files\Acer\Acer eConsole\MediaSync.exe" [2005-09-21 425984]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-17 397312]
c:\documents and settings\Tim\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer eMode Management\\AspireService.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Supplementary Scan
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=G13FFodLzV7WGter.a4_CQ
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJfox000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\z9blq4ik.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=G13FFodLzV7WGter.a4_CQ
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=G13FFodLzV7WGter.a4_CQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\4.bin\m3SrchMn.exe
HKLM-Run-rotatigov - c:\windows\system32\yipiwopa.dll
HKLM-Run-rirawapola - zunadahi.dll
SharedTaskScheduler-{b9718e59-e96e-4b68-831c-caa35d6df359} - c:\windows\system32\yipiwopa.dll
SSODL-zaluyuson-{b9718e59-e96e-4b68-831c-caa35d6df359} - c:\windows\system32\yipiwopa.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 07:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(4004)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\AGRSMMSG.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Acer\Acer eConsole\MediaServerService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-26 07:09:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-26 15:09
Pre-Run: 57,624,985,600 bytes free
Post-Run: 57,573,048,320 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - DA7E817018743E6AFEC848B3633D279F
ComboFix 09-12-25.04 - Tim 12/26/2009 7:04.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1470.901 [GMT -8:00]
Running from: c:\documents and settings\Tim\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Tim\Application Data\FunWebProducts
c:\documents and settings\Tim\Application Data\FunWebProducts\Data\Tim\avatar.dat
c:\documents and settings\Tim\Application Data\FunWebProducts\Data\Tim\outfit.dat
c:\documents and settings\Tim\Application Data\FunWebProducts\Data\Tim\zbucks.dat
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\00F1603C.urr
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\3.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\3.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\3.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\3.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\4.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\4.bin\F3CJpeg.dll
c:\program files\MyWebSearch\bar\4.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\4.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\4.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\4.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\4.bin\F3HTtpct.dll
c:\program files\MyWebSearch\bar\4.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\4.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\4.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\4.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\4.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\4.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\4.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\4.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\4.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\4.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\4.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\4.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\4.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\4.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\4.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\4.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\4.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\4.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\4.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\4.bin\M3OUtlcn.dll
c:\program files\MyWebSearch\bar\4.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\4.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\4.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\4.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\4.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\4.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\4.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\4.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\common-x.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\common.css
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\include.js
c:\program files\MyWebSearch\bar\Avatar\COMMON\index.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loader.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\loading.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\logo.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
c:\program files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
c:\program files\MyWebSearch\bar\Avatar\COMMON\window.ico
c:\program files\MyWebSearch\bar\Cache\00EEE597
c:\program files\MyWebSearch\bar\Cache\00EEEC9C.bin
c:\program files\MyWebSearch\bar\Cache\00EEF382.bin
c:\program files\MyWebSearch\bar\Cache\00EEF6ED.bin
c:\program files\MyWebSearch\bar\Cache\00EEF9FA.bin
c:\program files\MyWebSearch\bar\Cache\00EEFAB6.bin
c:\program files\MyWebSearch\bar\Cache\01BC1453
c:\program files\MyWebSearch\bar\Cache\01BC397F
c:\program files\MyWebSearch\bar\Cache\01BC3B34
c:\program files\MyWebSearch\bar\Cache\01BC3CAB
c:\program files\MyWebSearch\bar\Cache\03F05D1D.bin
c:\program files\MyWebSearch\bar\Cache\03F05D9A.bin
c:\program files\MyWebSearch\bar\Cache\03F05DF7
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\firefox\CHROME.MANIFEST
c:\program files\MyWebSearch\bar\firefox\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\firefox\INSTALL.RDF
c:\program files\MyWebSearch\bar\firefox\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Message\COMMON\8_step1.gif
c:\program files\MyWebSearch\bar\Message\COMMON\ask_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.gif
c:\program files\MyWebSearch\bar\Message\COMMON\autoup.htm
c:\program files\MyWebSearch\bar\Message\COMMON\bkwebfet.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\bkzwinky.jpg
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn2d.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn2r.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn3d.png
c:\program files\MyWebSearch\bar\Message\COMMON\blubtn3r.png
c:\program files\MyWebSearch\bar\Message\COMMON\center.htm
c:\program files\MyWebSearch\bar\Message\COMMON\index.htm
c:\program files\MyWebSearch\bar\Message\COMMON\logo_ZJ.png
c:\program files\MyWebSearch\bar\Message\COMMON\logo_ZR.png
c:\program files\MyWebSearch\bar\Message\COMMON\mid_dots.gif
c:\program files\MyWebSearch\bar\Message\COMMON\mws_logo.gif
c:\program files\MyWebSearch\bar\Message\COMMON\protect.htm
c:\program files\MyWebSearch\bar\Message\COMMON\reb_bg.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtnbg.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtnn1.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtnn2.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtny1.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebbtny2.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebclose.png
c:\program files\MyWebSearch\bar\Message\COMMON\rebut.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut2.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut3.htm
c:\program files\MyWebSearch\bar\Message\COMMON\rebut3b.htm
c:\program files\MyWebSearch\bar\Message\COMMON\repmidsm.png
c:\program files\MyWebSearch\bar\Message\COMMON\shield.png
c:\program files\MyWebSearch\bar\Message\COMMON\shocked.gif
c:\program files\MyWebSearch\bar\Message\COMMON\stop.gif
c:\program files\MyWebSearch\bar\Message\COMMON\systray.htm
c:\program files\MyWebSearch\bar\Message\COMMON\systrayp.htm
c:\program files\MyWebSearch\bar\Message\COMMON\tp_grad.gif
c:\program files\MyWebSearch\bar\Message\COMMON\warn.gif
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\setups\My Web Search Installer.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\habupawe.dll.tmp
c:\windows\system32\jurunute.dll.tmp
c:\windows\system32\nuhugofe.dll
c:\windows\system32\reboyuti.dll
c:\windows\system32\yipiwopa.dll
c:\windows\system32\zudeyuwi.dll.tmp
c:\windows\system32\zunadahi.dll
c:\windows\Tasks\axxvyqyh.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_MYWEBSEARCHSERVICE
\Service_MyWebSearchService
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.
2009-12-26 03:12 . 2009-12-26 03:12
d
w- c:\program files\Angle Interactive
2009-12-19 16:24 . 2009-12-19 16:24
d
w- c:\documents and settings\Tim\Application Data\Amazon
2009-12-19 16:23 . 2009-12-19 16:23
d
w- c:\program files\Amazon
2009-12-07 04:27 . 2009-12-07 04:27
d
w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-07 02:59 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-07 02:59 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-07 02:40 . 2009-11-03 04:42 195456
w- c:\windows\system32\MpSigStub.exe
2009-12-07 01:43 . 2009-12-07 01:43
d
w- c:\documents and settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-14 20:15 . 2009-09-06 04:01 1 ----a-w- c:\documents and settings\Tim\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-07 01:03 . 2009-09-10 14:17 13599271
w- c:\windows\Internet Logs\tvDebug.Zip
2009-12-07 01:00 . 2009-09-06 01:28 38408 ----a-w- c:\documents and settings\Tim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-07 00:52 . 2009-11-04 18:28 0 ----a-w- c:\documents and settings\Tim\Local Settings\Application Data\prvlcl.dat
2009-11-04 14:18 . 2009-11-04 14:18
d
w- c:\program files\AVG
2009-10-29 07:45 . 2005-07-03 02:11 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 06:00 . 2004-08-04 13:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 13:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 13:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 13:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 13:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 13:00 112128 ----a-w- c:\windows\system32\rastls.dll
2009-09-26 12:29 . 2009-09-26 12:29 51712 --sha-w- c:\windows\system32\gupuvefa.dll
2009-09-26 00:28 . 2009-09-26 00:28 39424 --sha-w- c:\windows\system32\borababu.dll
2009-09-26 00:28 . 2009-09-26 00:28 94208 --sha-w- c:\windows\system32\ranuvozo.dll
2009-09-26 12:28 . 2009-09-26 12:28 61952 --sha-w- c:\windows\system32\nupejote.dll
2009-09-26 12:28 . 2009-09-26 12:28 51712 --sha-w- c:\windows\system32\fotobike.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{996a7981-4d77-4e93-8743-8e0f6248d3e6}]
2009-09-26 12:29 51712 --sha-w- c:\windows\system32\gupuvefa.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SoundMan"="SOUNDMAN.EXE" [2005-09-23 90112]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-11 7311360]
"nwiz"="nwiz.exe" [2005-11-11 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-11-11 86016]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-06 149280]
"AspireService"="c:\program files\Acer\Acer eMode Management\AspireService.exe" [2006-01-19 110592]
"MediaSync"="c:\program files\Acer\Acer eConsole\MediaSync.exe" [2005-09-21 425984]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-17 397312]
c:\documents and settings\Tim\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer eMode Management\\AspireService.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Supplementary Scan
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=G13FFodLzV7WGter.a4_CQ
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZJfox000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\z9blq4ik.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZJfox000&ptb=G13FFodLzV7WGter.a4_CQ
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=G13FFodLzV7WGter.a4_CQ&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\4.bin\m3SrchMn.exe
HKLM-Run-rotatigov - c:\windows\system32\yipiwopa.dll
HKLM-Run-rirawapola - zunadahi.dll
SharedTaskScheduler-{b9718e59-e96e-4b68-831c-caa35d6df359} - c:\windows\system32\yipiwopa.dll
SSODL-zaluyuson-{b9718e59-e96e-4b68-831c-caa35d6df359} - c:\windows\system32\yipiwopa.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 07:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(4004)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\SOUNDMAN.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\AGRSMMSG.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Acer\Acer eConsole\MediaServerService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-26 07:09:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-26 15:09
Pre-Run: 57,624,985,600 bytes free
Post-Run: 57,573,048,320 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - DA7E817018743E6AFEC848B3633D279F
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the red text in the quotebox below into it:
[COLOR="Red"]File:: c:\windows\system32\gupuvefa.dll c:\windows\system32\borababu.dll c:\windows\system32\ranuvozo.dll c:\windows\system32\nupejote.dll c:\windows\system32\fotobike.dll Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{996a7981-4d77-4e93-8743-8e0f6248d3e6}][/COLOR]Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
Refering to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt in your new reply.
*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*