Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

tehuwuyase is it supposed to be on my computer.


  • Please log in to reply
7 replies to this topic

#1 estoon Boy

estoon Boy

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 01 March 2009 - 05:49 PM

I have a Dell computer running windows Vista. I use Microsoft one care for my antivirus program. I was online on facebook when my computer started something. The window came up saying that something was trying to access the internet. I was playing hammerfall like I had many times before so I didn't thing anything of it so I clicked cancel. (to stop the program from accessing the internet) the window popped up again, and I clicked cancel again. this happened a few times and I decided to clock "allow".

after that, every few minutes a random Internet Explorer window with some type of ad popped up. I ran AdAware Anniversary Edition, and it came up with nothing doing the quick scan. I then ran regcure it came up with over 300 things but when I tried to clean it, the program closed. I ran the One Care Virus/spyware scan and it came up with nothing. I then ran AdAware in depth scan and it came up with one thing that it cleaned.

That didn't fix the problem. I started looking for other solutions and put in the key words of windows IE keep popping up and found out about Superantispyware and ran that it came up with 61 things, then I read that I needed to do it in safe mode and so I did that and it came up with one more thing.

In the process of looking at what was going on I looked at the startup services and came accross two things that didn't make sense. both by unknown manufacturers one is "tehuwuyase" and the command is runndll32.exe "C:\programData\wibivuje\wibivuje.dll",s
the other is "CPMc5086c75" with the command being runndll32.exe "C:\programData\vazogeya\vazogeya.dll",a

I disabled both of them and restarted the computer and when I looked startup list again the tehuwuyase one is now on the startup list three times.

I haven't had any windows popping up since I ran the superAntiSpyware scans, but It doesn't look like the tehuwuyase thing is supposed to be on my computer.

The other thing is that I googled tehuwuyase and nothing came up so that leads me to belive that it doesn't belong as well.

Thanks for anyone who knows about this that wants to help.



This is the log of the first time that I ran SUPERantiSpyware.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/28/2009 at 11:26 PM

Application Version : 4.25.1014

Core Rules Database Version : 3779
Trace Rules Database Version: 1738

Scan type : Complete Scan
Total Scan Time : 00:51:23

Memory items scanned : 741
Memory threats detected : 1
Registry items scanned : 7062
Registry threats detected : 55
File items scanned : 30029
File threats detected : 8

Adware.Vundo/Variant
C:\PROGRAMDATA\VAZOGEYA\VAZOGEYA.DLL
C:\PROGRAMDATA\VAZOGEYA\VAZOGEYA.DLL

Adware.MyWebSearch
HKLM\Software\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKU\S-1-5-21-1413683916-828238843-3065234848-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKU\S-1-5-21-1413683916-828238843-3065234848-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{07B18EA9-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-1413683916-828238843-3065234848-1000\SOFTWARE\MyWebSearch
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Control
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\MiscStatus
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\MiscStatus\1
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\ProgID
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Programmable
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\TypeLib
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\Version
HKCR\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\VersionIndependentProgID
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Implemented Categories
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\InprocServer32
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\InprocServer32#ThreadingModel
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance#CLSID
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance\InitPropertyBag
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance\InitPropertyBag#Url
HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}
HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\InprocServer32
HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\InprocServer32#ThreadingModel
HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\ProgID
HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\Programmable
HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\TypeLib
HKCR\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\VersionIndependentProgID
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#Type
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#Start
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService#ObjectName
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#MyWebSearch Plugin [ rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF ]

Adware.Tracking Cookie
C:\Users\eS'toonBoy\AppData\Roaming\Microsoft\Windows\Cookies\Low\es'toonboy@ads.techguy[2].txt
C:\Users\eS'toonBoy\AppData\Roaming\Microsoft\Windows\Cookies\Low\es'toonboy@chitika[1].txt
C:\Users\eS'toonBoy\AppData\Roaming\Microsoft\Windows\Cookies\Low\es'toonboy@doubleclick[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@2o7[2].txt

Trace.Known Threat Sources
C:\Users\eS'toonBoy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XX12TKS1\l.s.bg1z[1].gif
C:\Users\eS'toonBoy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EP994T9K\l.s.bg2z[1].gif
C:\Users\eS'toonBoy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XA9JS6P1\favicon[3].ico

This is the second log when Vista was in safe mode

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/28/2009 at 11:51 PM

Application Version : 4.25.1014

Core Rules Database Version : 3779
Trace Rules Database Version: 1738

Scan type : Quick Scan
Total Scan Time : 00:07:47

Memory items scanned : 284
Memory threats detected : 0
Registry items scanned : 592
Registry threats detected : 1
File items scanned : 9169
File threats detected : 0

Adware.MyWebSearch
HKU\S-1-5-21-1413683916-828238843-3065234848-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{07B18EA9-A523-4961-B6BB-170DE4475CCA}

I also just ran "what's running on your computer" through a link by SUPERAntiSpyware and this is what it showed running on my computer that it didn't recognize. with the second one being of more concern JATUVERU.DLL C:\PROGRAMDATA\JATUVERU\JATUVERU.DLL.



ONCE Again thanks for any help




Unrecognized Applications and Files Show/Hide Info


Running Applications

Browser Extensions, Toolbars and Registry Applications

BAE.DLL C:\PROGRAM FILES\BAE\BAE.DLL More Info
File Location on your Computer
C:\PROGRAM FILES\BAE\BAE.DLL
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{CA6319C0-31B7-401E-A518-A07C3DB8F777}
File Size (bytes)
98304 MD5 Checksum/Fingerprint
1A4F60EF6DA38621F1091B0CB0FA2C09

File Version Information Show/Hide Version Information

Company Name
DELL INC.
File Description
BAE.DLL File Version
1.2.0.3
Product Name
BROWSER ADDRESS ERROR REDIRECTOR Product Version
1.2.0.3
Internal Name
BAE.DLL Original File Name
BAE.DLL
Legal Copyright
2006. DELL INC. ALL RIGHTS RESERVED. Legal Trademarks

Private Build
Special Build




JATUVERU.DLL C:\PROGRAMDATA\JATUVERU\JATUVERU.DLL More Info
File Location on your Computer
C:\PROGRAMDATA\JATUVERU\JATUVERU.DLL
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{6DF49CD5-0DC2-48FE-BE6A-F2E38630F007}
File Size (bytes)
48128 MD5 Checksum/Fingerprint
4C2AD598EB51B6F3948E641FE59EF048

File Version Information Show/Hide Version Information

Company Name

File Description
File Version

Product Name
Product Version

Internal Name
Original File Name

Legal Copyright
Legal Trademarks

Private Build
Special Build




RPBROWSERRECORDPLUGIN.DLL C:\PROGRAM FILES\REAL\REALPLAYER\RPBROWSERRECORDPLUGIN.DLL More Info
File Location on your Computer
C:\PROGRAM FILES\REAL\REALPLAYER\RPBROWSERRECORDPLUGIN.DLL
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{3049C3E9-B461-4BC5-8870-4C09146192CA}
File Size (bytes)
370296 MD5 Checksum/Fingerprint
4D630E9EF94CF8814DFD0E5938230822

File Version Information Show/Hide Version Information

Company Name
REALPLAYER
File Description
REALPLAYER DOWNLOAD AND RECORD PLUGIN FOR INTERNET EXPLORER File Version
1.0.0.522
Product Name
Product Version
1.0.0.522
Internal Name
RPBROWSERRECORDPLUGIN Original File Name
RPBROWSERRECORDPLUGIN.DLL
Legal Copyright
COPYRIGHT REALNETWORKS, INC. 1995-2007 Legal Trademarks

Private Build
Special Build





Startup Applications

AAWTRAY.EXE C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWTRAY.EXE More Info
File Location on your Computer
C:\PROGRAM FILES\LAVASOFT\AD-AWARE\AAWTRAY.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
509784 MD5 Checksum/Fingerprint
029E76069E46D0EB41BF7551D119D010

File Version Information Show/Hide Version Information

Company Name
LAVASOFT
File Description
AD-AWARE TRAY APPLICATION File Version
8, 0, 0, 0
Product Name
AD-AWARE TRAY APPLICATION Product Version
8, 0, 0, 0
Internal Name
AAWTRAY Original File Name
AAWTRAY.EXE
Legal Copyright
COPYRIGHT 2009 LAVASOFT. ALL RIGHTS RESERVED. Legal Trademarks

Private Build
Special Build




APPLESYNCNOTIFIER.EXE C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLESYNCNOTIFIER.EXE More Info
File Location on your Computer
C:\PROGRAM FILES\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLESYNCNOTIFIER.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
111936 MD5 Checksum/Fingerprint
3C59CB80D1849128C14FF2B3245419BE

File Version Information Show/Hide Version Information

Company Name
APPLE INC.
File Description
APPLESYNCNOTIFIER File Version
1, 1, 0, 0
Product Name
MOBILEME Product Version
1, 1, 0, 0
Internal Name
APPLESYNCNOTIFIER Original File Name
APPLESYNCNOTIFIER.EXE
Legal Copyright
COPYRIGHT APPLE INC. 2008 Legal Trademarks

Private Build
Special Build




DSCA.EXE C:\DELL\DSCA.EXE More Info
File Location on your Computer
C:\DELL\DSCA.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
16384 MD5 Checksum/Fingerprint
267B3A856E9F4DB1CABD4E6DB71E07D2

File Version Information Show/Hide Version Information

Company Name

File Description
File Version
1.0.2767.18581
Product Name
Product Version
1.0.2767.18581
Internal Name
WINDOWSAPPLICATION1.EXE Original File Name
WINDOWSAPPLICATION1.EXE
Legal Copyright
Legal Trademarks

Private Build
Special Build




EREG.EXE C:\PROGRAM FILES\SCANSOFT\PAPERPORT\EREG\EREG.EXE More Info
File Location on your Computer
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\EREG\EREG.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
255528 MD5 Checksum/Fingerprint
82C94CB8DF55112D06E05030A91F1C3F

File Version Information Show/Hide Version Information

Company Name
NUANCE COMMUNICATIONS, INC.
File Description
SSEREG MFC APPLICATION File Version
4, 0, 4, 0
Product Name
EREG APPLICATION Product Version
4, 0, 4, 0
Internal Name
SSEREG Original File Name
EREG.EXE
Legal Copyright
COPYRIGHT 1993-2007 NUANCE COMMUNICATIONS, INC. Legal Trademarks

Private Build
Special Build




EULALAUNCHER.EXE C:\DELL\E-CENTER\EULALAUNCHER.EXE More Info
File Location on your Computer
C:\DELL\E-CENTER\EULALAUNCHER.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
17920 MD5 Checksum/Fingerprint
BCB30677F086E0E84CFD22D1FEFF9BDB

File Version Information Show/Hide Version Information

Company Name

File Description
File Version
1.0.2489.24404
Product Name
Product Version
1.0.2489.24404
Internal Name
EULALAUNCHER.NET.EXE Original File Name
EULALAUNCHER.NET.EXE
Legal Copyright
Legal Trademarks

Private Build
Special Build




E_FATIBIA.EXE C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIBIA.EXE More Info
File Location on your Computer
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIBIA.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
143360 MD5 Checksum/Fingerprint
2D97DB96FF5E8707E72BCB1871470FC9

File Version Information Show/Hide Version Information

Company Name
SEIKO EPSON CORPORATION
File Description
EPSON STATUS MONITOR 3 File Version
4.01
Product Name
EPSON STATUS MONITOR 3 Product Version
4.01
Internal Name
E_S7I2I1 Original File Name
E_S7I2I1.EXE
Legal Copyright
COPYRIGHT SEIKO EPSON CORP. 2006 Legal Trademarks

Private Build
Special Build




E_FATIBIA.EXE C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIBIA.EXE More Info
File Location on your Computer
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_FATIBIA.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
143360 MD5 Checksum/Fingerprint
2D97DB96FF5E8707E72BCB1871470FC9

File Version Information Show/Hide Version Information

Company Name
SEIKO EPSON CORPORATION
File Description
EPSON STATUS MONITOR 3 File Version
4.01
Product Name
EPSON STATUS MONITOR 3 Product Version
4.01
Internal Name
E_S7I2I1 Original File Name
E_S7I2I1.EXE
Legal Copyright
COPYRIGHT SEIKO EPSON CORP. 2006 Legal Trademarks

Private Build
Special Build




HOMERUNNER.EXE C:\PROGRAM FILES\TOMTOM HOME 2\HOMERUNNER.EXE More Info
File Location on your Computer
C:\PROGRAM FILES\TOMTOM HOME 2\HOMERUNNER.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
234856 MD5 Checksum/Fingerprint
846F07A90C8769F154F5A92C788AC1FA

File Version Information Show/Hide Version Information

Company Name
TOMTOM
File Description
SYSTEM TRAY APPLICATION FOR TOMTOM HOME File Version
2.5.2.60
Product Name
TOMTOM HOME Product Version
2.5.2.60
Internal Name
HOMERUNNER Original File Name
HOMERUNNER.EXE
Legal Copyright
COPYRIGHT 2008 TOMTOM INTERNATIONAL B.V. Legal Trademarks
TOMTOM GO, TOMTOM RIDER, TOMTOM ONE, TOMTOM ONE XL, TOMTOM XL, TOMTOM HOME
Private Build
Special Build




ISUSPM.EXE C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE More Info
File Location on your Computer
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
213936 MD5 Checksum/Fingerprint
2BAD84B393AF47006D80BA2F03B18029

File Version Information Show/Hide Version Information

Company Name
MACROVISION CORPORATION
File Description
INSTALLSHIELD UPDATE SERVICE UPDATE MANAGER File Version
5, 01, 100, 47363
Product Name
INSTALLSHIELD UPDATE SERVICE Product Version
5, 01
Internal Name
PROGRAMMANAGER Original File Name
ISUSPM.EXE
Legal Copyright
COPYRIGHT 2005 MACROVISION CORPORATION Legal Trademarks

Private Build
Special Build




ISUSPM.EXE C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISUSPM.EXE More Info
File Location on your Computer
C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISUSPM.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
213936 MD5 Checksum/Fingerprint
2BAD84B393AF47006D80BA2F03B18029

File Version Information Show/Hide Version Information

Company Name
MACROVISION CORPORATION
File Description
INSTALLSHIELD UPDATE SERVICE UPDATE MANAGER File Version
5, 01, 100, 47363
Product Name
INSTALLSHIELD UPDATE SERVICE Product Version
5, 01
Internal Name
PROGRAMMANAGER Original File Name
ISUSPM.EXE
Legal Copyright
COPYRIGHT 2005 MACROVISION CORPORATION Legal Trademarks

Private Build
Special Build




ISUSPM.EXE C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISUSPM.EXE More Info
File Location on your Computer
C:\PROGRAM FILES\COMMON FILES\INSTALLSHIELD\UPDATESERVICE\ISUSPM.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
213936 MD5 Checksum/Fingerprint
2BAD84B393AF47006D80BA2F03B18029

File Version Information Show/Hide Version Information

Company Name
MACROVISION CORPORATION
File Description
INSTALLSHIELD UPDATE SERVICE UPDATE MANAGER File Version
5, 01, 100, 47363
Product Name
INSTALLSHIELD UPDATE SERVICE Product Version
5, 01
Internal Name
PROGRAMMANAGER Original File Name
ISUSPM.EXE
Legal Copyright
COPYRIGHT 2005 MACROVISION CORPORATION Legal Trademarks

Private Build
Special Build




MCCITRAYAPP.EXE C:\PROGRAM FILES\ATTC\MCCITRAYAPP.EXE More Info
File Location on your Computer
C:\PROGRAM FILES\ATTC\MCCITRAYAPP.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
1505280 MD5 Checksum/Fingerprint
20A2113394B07D01E8A25662B941C7E7

File Version Information Show/Hide Version Information

Company Name
MOTIVE COMMUNICATIONS, INC.
File Description
MCCI+MCCITRAYAPP File Version
6,2,1,80
Product Name
Product Version
6,2,1,80
Internal Name
MCCI+MCCITRAYAPP_6-2-1_RELEASE Original File Name
MCCITRAYAPP_SSR.EXE
Legal Copyright
COPYRIGHT 1999-2008, MOTIVE COMMUNICATIONS, INC. Legal Trademarks

Private Build
Special Build




MCCITRAYAPP.EXE C:\PROGRAM FILES\BELLSOUTHWCC\MCCITRAYAPP.EXE More Info
File Location on your Computer
C:\PROGRAM FILES\BELLSOUTHWCC\MCCITRAYAPP.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
1509888 MD5 Checksum/Fingerprint
8086B7A3F5E56D10D05317C69D378791

File Version Information Show/Hide Version Information

Company Name
MOTIVE COMMUNICATIONS, INC.
File Description
MCCI+MCCITRAYAPP File Version
6,2,1,80
Product Name
Product Version
6,2,1,80
Internal Name
MCCI+MCCITRAYAPP_6-2-1_RELEASE Original File Name
MCCITRAYAPP_SSR.EXE
Legal Copyright
COPYRIGHT 1999-2008, MOTIVE COMMUNICATIONS, INC. Legal Trademarks

Private Build
Special Build




MCCITRAYAPP.EXE C:\PROGRAM FILES\BELLSOUTHWCC\MCCITRAYAPP.EXE More Info
File Location on your Computer
C:\PROGRAM FILES\BELLSOUTHWCC\MCCITRAYAPP.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
1509888 MD5 Checksum/Fingerprint
8086B7A3F5E56D10D05317C69D378791

File Version Information Show/Hide Version Information

Company Name
MOTIVE COMMUNICATIONS, INC.
File Description
MCCI+MCCITRAYAPP File Version
6,2,1,80
Product Name
Product Version
6,2,1,80
Internal Name
MCCI+MCCITRAYAPP_6-2-1_RELEASE Original File Name
MCCITRAYAPP_SSR.EXE
Legal Copyright
COPYRIGHT 1999-2008, MOTIVE COMMUNICATIONS, INC. Legal Trademarks

Private Build
Special Build




PPTD40NT.EXE C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPTD40NT.EXE More Info
File Location on your Computer
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPTD40NT.EXE
Registry Path and CLSID where file was detected on your Computer
Software\Microsoft\Windows\CurrentVersion\Run

File Size (bytes)
30248 MD5 Checksum/Fingerprint
792D0020117F2F6D3B433193BBAC555E

File Version Information Show/Hide Version Information

Company Name
NUANCE COMMUNICATIONS, INC.
File Description
PAPERPORT PRINT TO DESKTOP FOR NT File Version
11.1
Product Name
PAPERPORT Product Version
11.1
Internal Name
PPTD40NT Original File Name
PPTD40NT.EXE
Legal Copyright
COPYRIGHT 1993-2006 NUANCE COMMUNICATIONS, INC. Legal Trademarks

Private Build
Special Build




SSBKGDUPDATE.EXE C:\PROGRAM FILES\COMMON FILES\SCANSOFT SHARED\SSBKGDUPDATE\SSBKGDUPDATE.EXE

Edited by garmanma, 01 March 2009 - 06:16 PM.


BC AdBot (Login to Remove)

 


#2 estoon Boy

estoon Boy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 02 March 2009 - 12:20 AM

Another thing of interest is that I switched to Safari because I was having so many problems with Internet explorer and while I was on facebook the window came up stating that Internet explorer was closing due to error and then another window popped up stating that Internet Explorer was restarting. nothing changed on safari- the page stayed open.

#3 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:06 PM

Posted 02 March 2009 - 12:39 AM

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#4 estoon Boy

estoon Boy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 04 March 2009 - 01:23 AM

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 6.0.6001 Service Pack 1

3/2/2009 6:01:39 PM
mbam-log-2009-03-02 (18-01-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 209028
Time elapsed: 1 hour(s), 35 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 31
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Windows\System32\momewohu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6df49cd5-0dc2-48fe-be6a-f2e38630f007} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6df49cd5-0dc2-48fe-be6a-f2e38630f007} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmc5086c75 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmc5086c75 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tehuwuyase (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tehuwuyase (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\momewohu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\momewohu.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\momewohu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\ProgramData\jatuveru\jatuveru.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Windows\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\ProgramData\wibivuje\wibivuje.dll (Trojan.Agent) -> Delete on reboot.

#5 estoon Boy

estoon Boy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 04 March 2009 - 01:24 AM

I ran this one from safe mode a little later.

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 6.0.6001 Service Pack 1

3/3/2009 8:06:44 PM
mbam-log-2009-03-03 (20-06-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 210225
Time elapsed: 1 hour(s), 44 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tehuwuyase (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tehuwuyase (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:06 PM

Posted 04 March 2009 - 07:46 AM

One last scan with MBAM, from normal mode, it can be a quick one

Your computers seems to be taking too long with full scans
Chewy

No. Try not. Do... or do not. There is no try.

#7 estoon Boy

estoon Boy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 04 March 2009 - 10:16 PM

It keeps finding them.



Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 6.0.6001 Service Pack 1

3/4/2009 7:14:49 PM
mbam-log-2009-03-04 (19-14-49).txt

Scan type: Quick Scan
Objects scanned: 61359
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tehuwuyase (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tehuwuyase (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:06 PM

Posted 05 March 2009 - 08:46 AM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Chewy

No. Try not. Do... or do not. There is no try.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users