
Nexplore, Registery Defender, Popup Problems too

I saw quite a few other posts with the same problems...I tried installing Malwarebytes but it did not run. These persistent popups are rather annoying.

Here is my HijackThis:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:51:28 AM, on 1/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\svcwinra.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\resfilter32.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TMPINI34] C:\WINDOWS\svcwinra.exe
O4 - HKLM\..\Run: [TP Win Desk] "C:\DOCUME~1\MIRAND~1\LOCALS~1\Temp\Rar$EX00.406\TP Win Desk.exe" autostarting
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [higivebep] Rundll32.exe "c:\windows\system32\hukepoge.dll",a
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
O20 - AppInit_DLLs: c:\windows\system32\zohewigu.dll gihupahi.dll c:\windows\system32\hukepoge.dll
O21 - SSODL: tipoyebif - {ca71419c-350c-4310-b3eb-cb8f996e6d59} - c:\windows\system32\zohewigu.dll (file missing)
O21 - SSODL: nufadawip - {4ea43626-9847-49b5-a894-45a71dc0651c} - c:\windows\system32\hukepoge.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: gahurihor - {ca71419c-350c-4310-b3eb-cb8f996e6d59} - c:\windows\system32\zohewigu.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {4ea43626-9847-49b5-a894-45a71dc0651c} - c:\windows\system32\hukepoge.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11664 bytes

Comments

  • edited January 2010
    Hi,

    A few things before we start....
    1. Please Read All Instructions Carefully.
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you.
    4. If you have to go away for an extended period of time, let me know.
    5. Please continue to respond until I give you the "All Clear".
    (Just because you can't see a problem doesn't mean it isn't there)


    Let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.


    Please include C:\ComboFix.txt for further review, so that we may continue cleansing the system.


    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • edited January 2010
    Should I start up my computer using the recovery console when I install/run ComboFix or just start it up normally?
  • edited January 2010
    Start up normally. The option for Recovery Console will show up for a few seconds but don't use it.
  • edited January 2010
    ComboFix 10-01-04.01 - M.Lynn 01/08/2010 16:15:37.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.348 [GMT -5:00]
    Running from: c:\documents and settings\M.Lynn\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\LOG.TXT
    c:\recycler\NPROTECT
    c:\windows\desktop
    c:\windows\EventSystem.log
    c:\windows\Fonts\crowfont.exe
    c:\windows\install.exe
    c:\windows\kb913800.exe
    c:\windows\system32\galazere.dll
    c:\windows\system32\gotadere.dll
    c:\windows\system32\jehewuzo.dll
    c:\windows\system32\miyahewe.dll
    c:\windows\system32\soyabodu.dll
    c:\windows\system32\Thumbs.db
    c:\windows\Tasks\abfntrcp.job
    c:\recycler\S-1-5-21-1788147584-4155000736-2751380625-1005 . . . . failed to delete

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
    .

    2010-01-04 21:28 . 2010-01-04 21:28 dc----w- c:\documents and settings\M.Lynn\Application Data\OpenOffice.org
    2010-01-01 09:50 . 2010-01-01 09:50 d-----w- c:\program files\TrendMicro
    2010-01-01 00:05 . 2010-01-01 00:05 dc----w- c:\documents and settings\M.Lynn\Local Settings\Application Data\McAfee
    2009-12-30 03:14 . 2009-12-30 03:14 d-----w- c:\program files\Mad Scientist Productions
    2009-12-30 02:37 . 2009-12-30 02:37 dc----w- c:\documents and settings\M.Lynn\Application Data\TSR
    2009-12-30 01:30 . 2009-12-30 01:30 dc----w- c:\documents and settings\M.Lynn\Local Settings\Application Data\Ibibi_HB
    2009-12-30 01:30 . 2009-12-30 01:30 dc----w- c:\documents and settings\M.Lynn\Application Data\TSRWorkshop
    2009-12-30 01:11 . 2009-12-30 01:11 d-----w- c:\program files\TheSimsResource
    2009-12-30 01:05 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
    2009-12-30 01:05 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
    2009-12-30 01:05 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
    2009-12-30 01:05 . 2009-03-16 19:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
    2009-12-30 01:05 . 2009-03-16 19:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
    2009-12-30 01:05 . 2009-03-16 19:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
    2009-12-30 01:03 . 2009-12-30 01:07 d-----w- c:\program files\The Sims Resource
    2009-12-29 22:26 . 2009-12-29 22:26 dc----w- c:\documents and settings\M.Lynn\Application Data\AdobeUM
    2009-12-26 17:14 . 2009-12-26 17:14 dcsh--w- c:\documents and settings\M.Lynn\PrivacIE
    2009-12-26 17:14 . 2009-12-31 03:22 dc----w- c:\documents and settings\M.Lynn\Local Settings\Application Data\Google
    2009-12-26 06:43 . 2009-12-29 22:26 dc----w- c:\documents and settings\M.Lynn\Local Settings\Application Data\Adobe
    2009-12-25 23:50 . 2009-12-25 23:50 dc----w- c:\documents and settings\M.Lynn\Application Data\Canon
    2009-12-25 22:36 . 2009-12-25 22:36 d-----w- c:\program files\JRE
    2009-12-25 22:35 . 2009-12-25 22:36 d-----w- c:\program files\OpenOffice.org 3
    2009-12-25 22:30 . 2010-01-08 01:18 dc----w- c:\documents and settings\M.Lynn\Application Data\gtk-2.0
    2009-12-25 22:06 . 2009-12-25 22:06 dc----w- c:\documents and settings\M.Lynn\.thumbnails
    2009-12-21 08:14 . 2009-12-21 08:14 dc----w- c:\documents and settings\M.Lynn\Local Settings\Application Data\IsolatedStorage
    2009-12-21 07:54 . 2001-04-12 23:00 182272 ----a-w- c:\windows\patchw32.dll
    2009-12-21 07:54 . 2009-12-21 07:54 dc----w- c:\documents and settings\M6F7A~1~LYN\LOCALS~1
    2009-12-21 07:54 . 2009-12-21 07:54 dc----w- c:\documents and settings\M6F7A~1~LYN
    2009-12-20 20:44 . 2009-12-20 20:44 d-----w- c:\program files\Lionhead Studios Ltd

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-04 21:29 . 2010-01-04 21:29 1 -c--a-w- c:\documents and settings\M.Lynn\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-01-01 09:50 . 2010-01-01 09:50 388096 -c--a-r- c:\documents and settings\M.Lynn\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2009-12-31 03:22 . 2006-01-26 02:17 d-----w- c:\program files\Google
    2009-12-27 04:50 . 2009-11-24 18:59 209080 -c--a-w- c:\documents and settings\M.Lynn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-12-25 22:34 . 2009-06-17 17:34 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-12-25 22:34 . 2005-12-01 07:31 d-----w- c:\program files\Java
    2009-12-22 07:43 . 2005-12-01 07:35 d--h--w- c:\program files\InstallShield Installation Information
    2009-12-22 07:41 . 2005-12-01 07:44 d-----w- c:\program files\McAfee
    2009-12-21 08:11 . 2009-06-17 01:57 d-----w- c:\program files\Electronic Arts
    2009-12-21 07:59 . 2009-11-10 22:31 d-----w- c:\program files\Warcraft III
    2009-11-15 15:24 . 2009-10-17 20:51 129 -c--a-w- c:\documents and settings\M.Lynn\Local Settings\Application Data\fusioncache.dat
    2009-11-14 02:02 . 2009-11-14 02:02 dc-h--r- c:\documents and settings\M.Lynn\Application Data\SecuROM
    2009-11-14 01:31 . 2009-11-14 01:31 d-----w- c:\program files\Flagship Studios
    2009-11-10 22:34 . 2009-11-10 22:34 17947 ----a-w- c:\windows\War3Unin.dat
    2009-11-10 22:34 . 2009-11-10 22:34 2829 ----a-w- c:\windows\War3Unin.pif
    2009-11-10 22:34 . 2009-11-10 22:34 126976 ----a-w- c:\windows\War3Unin.exe
    2009-11-04 21:54 . 2007-12-15 19:26 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-11-04 21:54 . 2007-12-15 19:26 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-11-04 21:54 . 2007-12-15 19:26 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-11-04 21:54 . 2007-12-15 19:26 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-11-04 21:53 . 2007-12-15 19:26 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2009-10-31 17:09 . 2009-10-31 17:09 152576 -c--a-w- c:\documents and settings\M.Lynn\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
    2009-10-29 07:45 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
    "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-01 26112]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-01 98304]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "TMPINI34"="c:\windows\svcwinra.exe" [2007-01-07 655360]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
    "nwiz"="nwiz.exe" [2007-12-05 1626112]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
    "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-25 149280]
    "McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]

    c:\documents and settings\M.Lynn\Start Menu\Programs\Startup\
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Lionhead Studios Ltd\\Black & White\\runblack.exe"=
    "c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1176335208\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
    "c:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"=
    "c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader
    "6881:TCP"= 6881:TCP:Blizzard Downloader
    "6882:TCP"= 6882:TCP:Blizzard Downloader
    "6883:TCP"= 6883:TCP:Blizzard Downloader
    "6884:TCP"= 6884:TCP:Blizzard Downloader
    "6885:TCP"= 6885:TCP:Blizzard Downloader
    "6886:TCP"= 6886:TCP:Blizzard Downloader
    "6887:TCP"= 6887:TCP:Blizzard Downloader
    "6888:TCP"= 6888:TCP:Blizzard Downloader
    "6889:TCP"= 6889:TCP:Blizzard Downloader
    "6890:TCP"= 6890:TCP:Blizzard Downloader
    "6891:TCP"= 6891:TCP:Blizzard Downloader
    "6892:TCP"= 6892:TCP:Blizzard Downloader
    "6893:TCP"= 6893:TCP:Blizzard Downloader
    "6894:TCP"= 6894:TCP:Blizzard Downloader
    "6895:TCP"= 6895:TCP:Blizzard Downloader
    "6898:TCP"= 6898:TCP:Blizzard Downloader
    "6899:TCP"= 6899:TCP:Blizzard Downloader
    "6900:TCP"= 6900:TCP:Blizzard Downloader
    "6901:TCP"= 6901:TCP:Blizzard Downloader
    "6999:TCP"= 6999:TCP:Blizzard Downloader
    "7640:TCP"= 7640:TCP:Blizzard Background Downloader
    "3724:UDP"= 3724:UDP:Blizzard Downloader
    "7640:UDP"= 7640:UDP:Blizzard Background Downloader
    "14899:TCP"= 14899:TCP:BitComet 14899 TCP
    "14899:UDP"= 14899:UDP:BitComet 14899 UDP

    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
    S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EDDC0222-1E6B-11D3-A468-00605205B0B3}]
    2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-08 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

    2009-12-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-15 17:22]

    2010-01-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-15 17:22]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.dell4me.com/myway
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\M.Lynn\Application Data\Mozilla\Firefox\Profiles\570dd9jw.default\
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-TP Win Desk - c:\docume~1\MIRAND~1\LOCALS~1\Temp\Rar$EX00.406\TP Win Desk.exe
    HKLM-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    HKLM-Run-BrMfcWnd - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
    HKLM-Run-higivebep - c:\windows\system32\gotadere.dll
    HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
    SharedTaskScheduler-{ca71419c-350c-4310-b3eb-cb8f996e6d59} - c:\windows\system32\zohewigu.dll
    SharedTaskScheduler-{309972f5-9b61-408e-ac3a-a2e42a015770} - c:\windows\system32\gotadere.dll
    SSODL-tipoyebif-{ca71419c-350c-4310-b3eb-cb8f996e6d59} - c:\windows\system32\zohewigu.dll
    SSODL-vutobutip-{309972f5-9b61-408e-ac3a-a2e42a015770} - c:\windows\system32\gotadere.dll
    AddRemove-EAX(tm) Unified (SHELL) - c:\program files\Creative Labs\EAX(tm) Unified (SHELL)\Uninst.isu
    AddRemove-ScreensaversInstaller - c:\program files\Screensavers.com\Installer\bin\siuninst.exe
    AddRemove-Vampire - c:\program files\Vampire The Masquerade - Redemption\DeIsL1.isu
    AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-08 16:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'explorer.exe'(1600)
    c:\windows\system32\WININET.dll
    c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll
    c:\windows\perfsysdeam.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\system32\msi.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\stsystra.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\windows\resfilter32.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\windows\system32\dllhost.exe
    c:\windows\eHome\ehmsas.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-08 16:34:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-08 21:34

    Pre-Run: 100,586,192,896 bytes free
    Post-Run: 102,341,795,840 bytes free

    - - End Of File - - EB7FD4098D757CB5916F56766696C006
  • edited January 2010
    Please download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    =====================

    Now let's have you go HERE to run Panda ActiveScan 2.0
    • Click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Once the scan is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop
    • Post the contents of the ActiveScan.txt in your next reply.
  • edited January 2010
    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2010-01-11 16:46:35
    PROTECTIONS: 1
    MALWARE: 17
    SUSPECTS: 7
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    McAfee VirusScan Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@casalemedia[2].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@atdmt[1].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@fastclick[2].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@ad.yieldmanager[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@apmebf[1].txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@serving-sys[2].txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@bs.serving-sys[1].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@advertising[1].txt
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@ads.pointroll[1].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@realmedia[2].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@zedo[2].txt
    00950035 Cookie/RegistryDefender TrackingCookie No 0 Yes No c:\documents and settings\m.lynn\cookies\m.lynn@registrydefender[2].txt
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp1278\a0129435.sys
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\miyahewe.dll.vir
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\jehewuzo.dll.vir
    05848138 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp1278\a0129402.dll
    05848138 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\galazere.dll.vir
    05848244 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp1272\a0128885.dll
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No c:\documents and settings\m.lynn\desktop\combofix.exe[32788r22fwjfw\pev.exe]
    No c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp1278\a0129497.exe
    No c:\windows\pev.exe
    No c:\windows\sspbpalert.exe
    No c:\windows\survservices.dll
    No c:\windows\survsplash.exe
    No c:\windows\view32utils.dll
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
  • edited January 2010
    I notice a program called System Surveillance Pro on your system. Did you install that intentionally?
  • edited January 2010
    I don't think so -- I don't recognize it.