Help removing spyware?


  • This topic is locked
2 replies to this topic

#1 momotar0


Posted 26 February 2009 - 08:42 PM

I started having problems with my Firefox browser a few days ago. As soon as I opened it, I would get flooded with pop-ups. I uninstalled Firefox, which seemed to get rid of the immediate problem. I am now using Safari, which seems to function pretty well with two exceptions that I've been able to note:
1) It crashes anytime I try to download any files.
2) For some reason it won't open gmail.com. (When I load it, I get the following error: "Safari can’t open the page “http://mail.google.com/mail/”. The error was: “unknown error” (CFURLErrorDomain:303) Please choose Report Bugs to Apple from the Help menu, note the error number, and describe what you did before you saw this message.")

I've run the dds (see the log below & attachment here) as well as HijackThis and Pocket Killbox. To no avail.

I think that's about all the information I have for now. Thanks in advance for any help offered!

DDS LOG:

DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by gsunoo at 17:31:05.59 on Thu 02/26/2009
Internet Explorer: 6.0.2900.2096 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.189 [GMT -8:00]

AV: Total Protection Service *On-access scanning enabled* (Updated)
FW: Total Protection Service *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\User\Application Data\U3\0000184F7470F637\LaunchPad.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://companyweb
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://companyweb
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Eyeball Chat] "c:\program files\eyeball\eyeball chat\EyeballChat.exe" -min
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [McAfee Managed Services Tray] "c:\program files\mcafee\managed virusscan\agent\StartMyagtTry.exe"
mRun: [SiteAdvisor] c:\program files\siteadvisor\6173\SiteAdv.exe
mRun: [CPM77b24ba1] Rundll32.exe "c:\windows\system32\gehesusu.dll",a
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [AOLRebootNeeded] regsvr32.exe /s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Office Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {E8CC4DD8-038A-49F3-958B-D5C3B96EC49F} = 192.168.1.254,68.94.156.1
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
Handler: myrm - {4D034FC3-013F-4b95-B544-44D49ABE3E76} - c:\program files\mcafee\managed virusscan\agent\MyRmProt4.7.0.538.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} -
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENetFlt.dll
AppInit_DLLs: c:\windows\system32\wuyehehe.dll ioeiqa.dll c:\windows\system32\gehesusu.dll c:\windows\system32\suhahebu.dll c:\windows\system32\hevotuza.dll c:\windows\system32\hewudado.dll c:\windows\system32\ruyezijo.dll c:\windows\system32\vokowena.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gehesusu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\gehesusu.dll
LSA: Notification Packages = scecli c:\windows\system32\wuyehehe.dll

============= SERVICES / DRIVERS ===============

S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-22 201320]
S2 EngineServer;EngineServer;c:\program files\mcafee\managed virusscan\vscan\EngineServer.exe [2008-7-22 14144]
S2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2008-7-22 540776]
S2 myAgtSvc;McAfee Virus and Spyware Protection Service;c:\program files\mcafee\managed virusscan\agent\myAgtSvc.exe [2008-7-22 169280]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-23 33752]
S3 McShield;McShield;c:\progra~1\mcafee\manage~1\vscan\McShield.exe [2008-7-22 144704]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\MfeAVFK.sys [2008-7-22 79304]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\MfeBOPK.sys [2008-7-22 35240]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\MfeRKDK.sys [2008-7-22 33832]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-9-25 280344]

=============== Created Last 30 ================

2009-02-26 14:35 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-02-26 13:54 <DIR> --d----- c:\program files\Trend Micro
2009-02-26 13:44 <DIR> --d----- C:\!KillBox
2009-02-26 12:42 <DIR> --d----- c:\windows\pss
2009-02-25 14:31 129,024 a---h--- c:\windows\system32\ioeiqa.dll
2009-02-25 02:31 129,024 a--sh--- c:\windows\system32\wzawrc.dll
2009-02-24 14:30 129,024 a--sh--- c:\windows\system32\crtwcp.dll
2009-02-23 11:25 48,120 a---h--- c:\windows\system32\mlfcache.dat
2009-02-23 02:29 86 a------- c:\windows\wininit.ini
2009-02-22 14:29 129,024 a--sh--- c:\windows\system32\mfswrp.dll
2009-02-22 02:29 129,024 a--sh--- c:\windows\system32\bxplzt.dll
2009-02-21 14:29 129,024 a--sh--- c:\windows\system32\haxzzc.dll
2009-02-21 02:29 129,024 a--sh--- c:\windows\system32\dpsvjb.dll
2009-02-20 14:28 129,024 a--sh--- c:\windows\system32\leahqf.dll
2009-02-20 14:22 47,616 a------- c:\windows\system32\~.exe

==================== Find3M ====================

2009-02-25 14:31 129,024 a--sh--- c:\windows\system32\peyuvaba.dll
2009-02-25 14:31 84,992 a--sh--- c:\windows\system32\gehesusu.dll
2009-02-25 14:31 79,872 a--sh--- c:\windows\system32\zayewegi.dll
2009-02-25 02:31 84,992 a--sh--- c:\windows\system32\tomiluvo.dll
2009-02-25 02:30 129,024 a--sh--- c:\windows\system32\yuzovelo.dll
2009-02-24 14:30 84,992 a--sh--- c:\windows\system32\yahiviti.dll
2009-02-24 14:30 129,024 a--sh--- c:\windows\system32\jatelumi.dll
2009-02-24 02:30 129,024 a--sh--- c:\windows\system32\kebipifu.dll
2009-02-24 02:30 79,872 -------- c:\windows\system32\bidiwaye.dll
2009-02-23 14:29 129,024 a--sh--- c:\windows\system32\kefufaji.dll
2009-02-23 02:29 129,024 a--sh--- c:\windows\system32\remujuki.dll
2009-02-23 02:29 79,872 -------- c:\windows\system32\yalimone.dll
2009-02-22 14:29 129,024 a--sh--- c:\windows\system32\tibikeja.dll
2009-02-22 14:29 79,872 -------- c:\windows\system32\mahonaya.dll
2009-02-22 02:29 129,024 a--sh--- c:\windows\system32\zininozo.dll
2009-02-22 02:29 79,872 -------- c:\windows\system32\jilopuhu.dll
2009-02-21 14:29 129,024 a--sh--- c:\windows\system32\rimuzoma.dll
2009-02-21 14:29 79,872 -------- c:\windows\system32\pelayufo.dll
2009-02-21 02:28 129,024 a--sh--- c:\windows\system32\rowaloko.dll
2009-02-21 02:28 79,872 -------- c:\windows\system32\norozuse.dll
2009-02-20 14:28 79,872 -------- c:\windows\system32\dutahawe.dll
2009-02-20 14:28 129,024 a--sh--- c:\windows\system32\pobopivo.dll
2009-01-22 15:49 410,984 a------- c:\windows\system32\deploytk.dll
2008-04-01 13:58 56,912 ac------ c:\documents and settings\user\g2mdlhlpx.exe

============= FINISH: 17:31:21.93 ===============



#2 Blade81


Posted 06 March 2009 - 07:29 PM

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, post a fresh DDS log, please.

Edited by Blade81, 06 March 2009 - 07:29 PM.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 Blade81


Posted 12 March 2009 - 02:01 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
