
Various ad popups from Firefox and IE


  • This topic is locked
3 replies to this topic

#1 miketm

miketm

  • Members
  • 2 posts

Posted 06 March 2009 - 10:51 AM

EDIT - Ok Spybot says that it is Virtumonde, if that helps.

These 3 look suspicious to me:
mRun: [sabuwagupi] Rundll32.exe "c:\windows\system32\puzojowo.dll",s
mRun: [b08240ca] rundll32.exe "c:\windows\system32\forugaza.dll",b
mRun: [CPMb3b17356] Rundll32.exe "c:\windows\system32\rifubuko.dll",a

My machine is running slower than normal. Explorer.exe seems to be using more CPU than normal. When I open Task Manager it flashes (or flickers). And I am receiving random popups from Firefox and IE.

Here is the DDS log (thanks!):

DDS (Ver_09-02-01.01) - NTFSx86
Run by MichaelM at 10:39:54.57 on Fri 03/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.995 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bentley\SELECTServer\Bentley.SelectServer.Gateway.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlagent.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis.exe
\\aSaFS2\Homedir\MichaelM\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://asafs2:5270/sites/aSa/Pages/Default.aspx
uDefault_Page_URL = hxxp://asafs2:5270/sites/aSa/Pages/Default.aspx
mDefault_Page_URL = hxxp://asafs2:5270/sites/aSa/Pages/Default.aspx
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: {ae0db43b-43ac-4166-a7dc-fe789eaec1db} - c:\windows\system32\vuseyiju.dll
BHO: {decf48cf-fb36-114a-b304-06e1a82bc66c}: {c66cb28a-1e60-403b-a411-63bffc84fced} - c:\windows\system32\ooogzk.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [EPSON Stylus Photo R200 Series] c:\program files\epson\printerdrivertemp\spr200\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [EPSON Stylus Photo R200 Series (from JEFFC)] c:\program files\epson\printerdrivertemp\spr200\E_S4I2H1.EXE /P43 "EPSON Stylus Photo R200 Series (from JEFFC)" /O5 "TS001" /M "Stylus Photo R200"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [sabuwagupi] Rundll32.exe "c:\windows\system32\puzojowo.dll",s
mRun: [b08240ca] rundll32.exe "c:\windows\system32\forugaza.dll",b
mRun: [CPMb3b17356] Rundll32.exe "c:\windows\system32\rifubuko.dll",a
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\aSaEnvSwitch.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Subscribe in Desktop Sidebar - c:\program files\desktop sidebar\sbhelp.dll/menuhandler.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162577422152
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162577414030
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38058.502349537
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: wxvault.dll c:\windows\system32\puvelepu.dll ooogzk.dll c:\windows\system32\rifubuko.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rifubuko.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\rifubuko.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Authentication Packages = msv1_0 wvauth
LSA: Notification Packages = scecli c:\windows\system32\puvelepu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michaelm\applic~1\mozilla\firefox\profiles\qw3zfp73.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 Bentley SELECT Server Gateway;Bentley SELECT Server Gateway;c:\program files\bentley\selectserver\Bentley.SelectServer.Gateway.exe [2008-10-6 102400]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 MsDtsServer;SQL Server Integration Services;c:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2005-10-14 199384]
R2 msftesql$SQL2005;SQL Server FullText Search (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\msftesql.exe [2005-8-26 92880]
R2 MSSQL$SQL2005;SQL Server (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2005-10-14 28768528]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
R2 SQLAgent$SQL2005;SQL Server Agent (SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\SQLAGENT90.EXE [2005-10-14 318680]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060626.017\naveng.sys [2006-6-27 77864]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060626.017\navex15.sys [2006-6-27 799208]
S3 .CacheService;.CacheService;"c:\named pipes test 2\testservice\bin\release\cacheservice.exe" --> c:\named pipes test 2\testservice\bin\release\CacheService.exe [?]
S3 aSaProcessTrackerService;aSaProcessTrackerService;c:\dist641_release\release\program files\asa\ci\aSaProcessTrackerService.exe [2009-2-23 40960]
S3 MSOLAP$SQL2005;SQL Server Analysis Services (SQL2005);c:\program files\microsoft sql server\mssql.2\olap\bin\msmdsrv.exe [2005-10-14 14557912]
S3 MyService;MyService;"c:\myservice\bin\release\myservice.exe" --> c:\myservice\bin\release\MyService.exe [?]
S3 ReportServer$SQL2005;SQL Server Reporting Services (SQL2005);c:\program files\microsoft sql server\mssql.3\reporting services\reportserver\bin\ReportingServicesService.exe [2005-10-14 14552]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-03-06 10:27 401,720 a------- C:\HiJackThis.exe
2009-03-06 10:14 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-06 10:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-06 10:09 16,409,960 a------- C:\spybotsd162.exe
2009-03-06 08:51 1,807,280 ---sh--- c:\windows\system32\azagurof.ini
2009-03-06 08:51 129,024 a--sh--- c:\windows\system32\ooogzk.dll
2009-03-06 08:49 70,429 a------- C:\helmets-41.jpg
2009-03-06 08:49 68,827 a------- C:\helmets-31.jpg
2009-03-06 08:49 57,854 a------- C:\helmets-21.jpg
2009-03-06 08:49 86,411 a------- C:\helmets-11.jpg
2009-03-05 16:26 9,635 a------- C:\red2.png
2009-03-05 16:25 5,461 a------- C:\red1.png
2009-03-05 10:59 16,905 a------- C:\chris_brown.jpg
2009-03-05 10:58 16,609 a------- C:\24v3dro.jpg
2009-03-04 15:06 23 a------- C:\blah.php
2009-03-04 14:10 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-04 13:42 17,084 a------- C:\logo.jpg
2009-03-04 12:06 <DIR> --d----- C:\WP
2009-03-04 10:39 3,861,671 a------- C:\FileZilla_3.2.2.1_win32-setup.exe
2009-03-04 09:11 17 a------- c:\windows\system32\tmp
2009-03-04 09:11 8,704 a------- c:\windows\system32\Default.mvba
2009-03-03 17:10 35,328 a------- c:\windows\system32\comct332.oca
2009-03-03 12:57 9,752,176 a------- C:\spyhunterS.exe
2009-03-03 12:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-02-26 09:19 24,922 a------- C:\campus2k.jpg
2009-02-25 09:44 <DIR> --d----- C:\LIC
2009-02-23 14:43 <DIR> --d----- C:\Dist641_MR1_Release
2009-02-23 10:55 430,592 a------- C:\setup.exe
2009-02-23 10:55 394,752 a------- C:\aSaProcessTrackerServiceSetup.msi
2009-02-20 13:17 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-20 13:17 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-13 14:13 71,680 a------- C:\Entry Level Developer Test.doc
2009-02-10 14:36 90,690 a------- C:\beard.jpg

==================== Find3M ====================

2009-03-06 08:51 84,992 a--sh--- c:\windows\system32\rifubuko.dll
2009-03-06 08:51 129,024 a--sh--- c:\windows\system32\deriziro.dll
2009-03-06 08:51 79,872 a--sh--- c:\windows\system32\forugaza.dll
2009-01-21 15:21 8,750 a------- C:\ultrawingrid_binding_to_a_collection_vb.zip
2008-12-20 18:56 827,904 a------- c:\windows\system32\wininet.dll
2005-07-26 14:38 20,728 a------- c:\docume~1\michaelm\applic~1\GDIPFONTCACHEV1.DAT
0000-00-00 00:00 48,128 a--sh--- c:\windows\system32\puvelepu.dll
0000-00-00 00:00 48,128 a--sh--- c:\windows\system32\puzojowo.dll
0000-00-00 00:00 48,128 a--sh--- c:\windows\system32\vuseyiju.dll
2007-05-05 08:18 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-02-25 08:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008022520080226\index.dat

============= FINISH: 10:40:58.73 ===============

Edited by miketm, 06 March 2009 - 10:57 AM.

#2 miketm

miketm
  • Topic Starter

  • Members
  • 2 posts

Posted 06 March 2009 - 01:23 PM

Additionally, it looks like the popups are just coming from IE. I only browse with Firefox, but it looks like the IE popup window has the Mozilla logo in the corner.

One particular popup is for "Medical Center" with links to bestdietforme.com (if that helps any)

Also, there is a registry entry that I cannot remove:

Rundll32.exe "C:\WINDOWS\system32\puzojowo.dll",s

As soon as I delete it, it comes right back.

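The first post lists the three rundll32 Run entries, and the DDS log behind them shows the same randomly named DLLs wired into several other autostart points (nameless BHOs, AppInit_DLLs, SSODL/STS, and the LSA Notification Packages value), while the follow-up post reports a Run value that comes straight back after deletion. The script below is an added example, not code from the original post and not part of DDS or HijackThis: it scores every file referenced in a constructed excerpt of the quoted log by combining several independent signals (which autostart point loads the file, hidden+system attributes in system32, a zeroed timestamp, a random-looking name), and separately lists the components that sit in AppInit_DLLs or the LSA packages. The weights, thresholds and name heuristic are this example's own assumptions; a name-shape check alone would also flag short lowercase names such as wxvault.dll, which is why the verdict comes from the sum of signals rather than any one of them.

```python
# Added example (not code from the post or from DDS/HijackThis): score the files a DDS
# "Pseudo HJT Report" references. Weights, thresholds and name heuristic are assumptions.
import re
from collections import defaultdict

# Constructed excerpt of the DDS log quoted in the thread (lines copied verbatim).
SAMPLE_LOG = r"""
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [sabuwagupi] Rundll32.exe "c:\windows\system32\puzojowo.dll",s
mRun: [b08240ca] rundll32.exe "c:\windows\system32\forugaza.dll",b
mRun: [CPMb3b17356] Rundll32.exe "c:\windows\system32\rifubuko.dll",a
BHO: {ae0db43b-43ac-4166-a7dc-fe789eaec1db} - c:\windows\system32\vuseyiju.dll
BHO: {decf48cf-fb36-114a-b304-06e1a82bc66c}: {c66cb28a-1e60-403b-a411-63bffc84fced} - c:\windows\system32\ooogzk.dll
AppInit_DLLs: wxvault.dll c:\windows\system32\puvelepu.dll ooogzk.dll c:\windows\system32\rifubuko.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rifubuko.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\rifubuko.dll
LSA: Authentication Packages = msv1_0 wvauth
LSA: Notification Packages = scecli c:\windows\system32\puvelepu.dll
2009-03-06 08:51 129,024 a--sh--- c:\windows\system32\ooogzk.dll
2009-03-06 08:51 84,992 a--sh--- c:\windows\system32\rifubuko.dll
2009-03-06 08:51 79,872 a--sh--- c:\windows\system32\forugaza.dll
2008-12-20 18:56 827,904 a------- c:\windows\system32\wininet.dll
0000-00-00 00:00 48,128 a--sh--- c:\windows\system32\puvelepu.dll
0000-00-00 00:00 48,128 a--sh--- c:\windows\system32\puzojowo.dll
0000-00-00 00:00 48,128 a--sh--- c:\windows\system32\vuseyiju.dll
"""

HJT_LINE = re.compile(r"^(uRun|mRun|dRunOnce|BHO|Notify|AppInit_DLLs|SSODL|STS|LSA):\s*(.*)$")
DLL_TOKEN = re.compile(r'([^\\\s"]+\.dll)', re.I)          # basename of every .dll mentioned
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+[\d,]+\s+([a-z-]{8})\s+(.+)$", re.I)
RANDOM_NAME = re.compile(r"^[a-z]{6,8}\.dll$")               # lowercase letters only, no vendor hint
KNOWN_LSA = {"msv1_0", "scecli"}                              # XP defaults for the two LSA values


def triage(log):
    """Score every file referenced in the log; returns {basename.lower(): finding}."""
    findings = defaultdict(lambda: {"name": None, "score": 0, "reasons": []})

    def hit(name, points, why):
        f = findings[name.lower()]
        f["name"] = f["name"] or name           # first-seen spelling, used by the name check
        f["score"] += points
        f["reasons"].append(why)

    for line in log.splitlines():
        m = HJT_LINE.match(line)
        if m:
            kind, body = m.groups()
            if kind == "LSA":                   # anything beyond the defaults runs inside lsass.exe
                value, _, pkgs = body.partition("=")
                for pkg in pkgs.split():
                    base = pkg.rsplit("\\", 1)[-1]
                    if base.lower().removesuffix(".dll") not in KNOWN_LSA:
                        hit(base, 2, f"non-default LSA {value.strip()} entry")
                continue
            for dll in DLL_TOKEN.findall(body):
                # AppInit_DLLs is injected into every process that loads user32.dll
                hit(dll, 2 if kind == "AppInit_DLLs" else 1, f"{kind} entry")
                if kind == "BHO" and body.startswith("{"):
                    hit(dll, 1, "BHO has no display name")
                if "rundll32" in body.lower():
                    hit(dll, 1, "Run key loads the DLL through rundll32")
            continue
        m = FILE_LINE.match(line)
        if m and "\\system32\\" in m.group(3).lower():
            date, attrs, path = m.groups()
            base = path.rsplit("\\", 1)[-1]
            if "s" in attrs.lower() and "h" in attrs.lower():
                hit(base, 2, "hidden+system file in system32")
            if date == "0000-00-00":
                hit(base, 2, "zeroed file timestamp")

    for f in findings.values():
        if RANDOM_NAME.match(f["name"]):
            f["score"] += 1
            f["reasons"].append("random-looking lowercase name")
    return dict(findings)


def verdict(score):
    return "likely malicious" if score >= 4 else "review" if score >= 2 else "ok"


def report(findings):
    """[(basename, score, verdict)] sorted worst first."""
    rows = [(n, f["score"], verdict(f["score"])) for n, f in findings.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def resident_loaders(findings):
    """Files hooked via AppInit_DLLs or LSA packages: they stay loaded in lsass.exe and
    in every user32 process (Explorer included) and can rewrite a deleted Run value."""
    return sorted(n for n, f in findings.items()
                  if any(r.startswith(("AppInit_DLLs", "non-default LSA")) for r in f["reasons"]))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, score, call in report(found):
        if call != "ok":
            print(f"{score:2d} {call:16s} {name}: " + "; ".join(found[name]["reasons"]))
    print("resident components:", resident_loaders(found))
```

Run as-is, the script puts puvelepu.dll and rifubuko.dll at the top (each is hooked in at least two places besides being hidden+system in system32), ranks the other six random-named DLLs as likely malicious, and leaves NvCpl.dll and wxvault.dll at "review" because a rundll32 Run entry or an AppInit_DLLs slot alone is not proof. The resident_loaders list is the practical answer to the reappearing Run value: a component loaded through AppInit_DLLs or an LSA package is already running inside lsass.exe and every user32 process when the user deletes the key, so the loader hooks and the files themselves have to go, from outside the infected session, before removing the Run entries is worth anything.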
#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 March 2009 - 04:28 PM

Hello miketm,


Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 27 March 2009 - 02:32 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
