Computer flooded with Malware


#1 bigjeepzz
Posted 07 March 2009 - 12:00 AM

Hello, my wife was watching a video the other night and her computer crashed. When she restarted the computer she got a blue screen saying the computer was beginning a physical memory dump and had the error message Driver_IRQL_Not_Less_or_EQUAL. I was able to restore the computer to an earlier restore point but the computer is completely unusable because of the pop ups. Start up takes about 30mins and the computer continues to get pop ups even without running IE. I have not received any other errors other than the one I mentioned earlier. I have followed the instructions listed and here is the DDS log.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Ann at 22:36:55.42 on Fri 03/06/2009
Internet Explorer: 6.0.2900.2180

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0..1:8080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {11e0f62e-2868-4c9a-9fcb-f353617a952e} - c:\windows\system32\qoMeFyyV.dll
BHO: {144ea9ea-4193-487e-ba39-5f3cbd9edec5} - c:\windows\system32\dikiyoka.dll
BHO: {e2db8707-550b-6b8a-7f24-356243ae0cc1}: {1cc0ea34-2653-42f7-a8b6-b0557078bd2e} - c:\windows\system32\wjnmbz.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBssppM.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [comidle] "c:\documents and settings\ann\application data\comidle\comidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 12\pccguide.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.5\masqform.exe -RunOnce
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [gijimukodo] Rundll32.exe "c:\windows\system32\vudijema.dll",s
mRun: [Explorer] c:\windows\system32\msrstart.exe
mRun: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
mRun: [c84f6a8d] rundll32.exe "c:\windows\system32\fshqnpnc.dll",b
mRunOnce: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
dRun: [comidle] "c:\documents and settings\ann\application data\comidle\comidle.exe" 61A847B5BBF728103B9D3B466188719AB689201522886B092CBD44BD8689220221DD3257
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090131a.dll xccd16
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - c:\program files\partygaming\partybingo\RunBingo.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: geBssppM - geBssppM.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\wuyiyage.dll wjnmbz.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBssppM.dll
LSA: Notification Packages = scecli c:\windows\system32\wuyiyage.dll

============= SERVICES / DRIVERS ===============


============== File Associations ===============

txtfile="c:\windows\system32\nxtepad.exe" "%1"

=============== Created Last 30 ================

2009-03-06 22:31 406,016 a------- c:\windows\system32\tmpxccacj1.exe
2009-03-06 22:26 1,805,682 ---sh--- c:\windows\system32\cnpnqhsf.ini
2009-03-06 22:26 87,040 -------- c:\windows\system32\fshqnpnc.dll
2009-03-06 22:24 105,984 a------- c:\windows\system32\7.tmp
2009-03-06 22:23 40 a------- c:\windows\system32\6.tmp
2009-03-06 22:05 25,088 a------- c:\windows\system32\drivers\phqghume.sys
2009-03-06 22:05 2,204 a------- c:\windows\xekjjoqb
2009-03-06 21:43 105,984 a------- c:\windows\system32\5.tmp
2009-03-06 21:43 40 a------- c:\windows\system32\4.tmp
2009-03-06 21:39 31,724 a------- c:\windows\system32\3.tmp
2009-03-06 21:39 40 a------- c:\windows\system32\2.tmp
2009-03-06 21:04 121,344 a------- c:\windows\system32\drivers\seneka.sys
2009-03-04 00:36 59 a------- c:\windows\system32\senekaklatamqr.dat
2009-03-04 00:36 129,024 a--sh--- c:\windows\system32\wjnmbz.dll
2009-03-04 00:36 1,805,682 ---sh--- c:\windows\system32\epunezup.ini
2009-03-04 00:36 0 a------- c:\windows\system32\hgcheck.exe
2009-03-04 00:36 30 a------- c:\windows\system32\hgset.ini
2009-03-04 00:35 <DIR> --d----- c:\windows\system32\3361
2009-03-04 00:35 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-03-04 00:35 90,112 a------- c:\windows\system32\200933532.dll
2009-03-04 00:35 77,824 a------- c:\windows\system32\u0493320.dll
2009-03-04 00:35 676,352 a------- c:\windows\system32\rtl60.bpl
2009-03-04 00:35 8 a------- c:\windows\system32\comsa32.sys
2009-03-04 00:35 108,032 a------- c:\windows\system32\w.exe
2009-03-04 00:34 205 a------- c:\windows\system32\xcchit32.ini
2009-03-04 00:33 <DIR> --d----- c:\docume~1\ann\applic~1\comidle
2009-03-04 00:32 1,104 a------- c:\windows\skvjmzqf
2009-03-04 00:32 5,239 a--sh--- c:\windows\system32\VyyFeMoq.ini
2009-03-04 00:32 3,385 a--sh--- c:\windows\system32\VyyFeMoq.ini2
2009-03-04 00:32 25,088 a------- c:\windows\system32\drivers\lrxroyrq.sys
2009-03-04 00:31 29,794 a------- c:\windows\system32\senekassnjdfan.dll
2009-03-04 00:31 27,234 a------- c:\windows\system32\senekaxocuovad.dll
2009-03-04 00:31 11,342 a------- c:\windows\system32\senekaytiwttsv.dat
2009-03-04 00:31 90,210 a------- c:\windows\system32\senekaoldxljmo.dll
2009-03-04 00:30 121,344 a------- c:\windows\system32\drivers\senekaejkrgdkk.sys
2009-03-04 00:27 48,128 a------- c:\windows\system32\nnnkHxyX.dll
2009-03-04 00:26 48,640 a------- c:\windows\system32\geBssppM.dll
2009-03-04 00:26 79,148 a------- c:\windows\system32\prunnet.exe

==================== Find3M ====================

2009-03-06 22:27 251,392 a------- c:\windows\xccdf32_090131a.dll
2009-03-04 00:36 84,992 a--sh--- c:\windows\system32\seholima.dll
2009-03-04 00:36 129,024 a--sh--- c:\windows\system32\fegovumi.dll
2009-03-04 00:36 79,872 a--sh--- c:\windows\system32\puzenupe.dll
2009-03-04 00:33 36,352 a------- c:\windows\xccdf16_090131a.dll
2009-03-04 00:33 105,984 a------- c:\windows\system32\161.tmp
2009-03-04 00:33 124,416 a------- c:\windows\system32\pboqzx.dll
2009-03-04 00:33 124,416 a------- c:\windows\system32\deubehna.dll
2009-03-04 00:33 88,576 a------- c:\windows\system32\awkhpkui.dll
2008-12-12 12:27 3,067,392 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\dikiyoka.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\vudijema.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\wuyiyage.dll

============= FINISH: 22:41:43.59 ===============
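The log above is dense with persistence entries: Run keys pointing at look-alike system names, nameless BHOs, AppInit_DLLs and an LSA notification package in system32, and a hijacked txtfile association. As an added example (not code from the thread or from DDS itself), the Python script below runs a few triage rules over constructed DDS-style lines modelled on those entries; the KNOWN_BINARIES paths are assumed XP locations.

```python
import re

# Constructed sample in DDS "Pseudo HJT Report" style, modelled on the entries in the log above.
SAMPLE_DDS = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [gijimukodo] Rundll32.exe "c:\windows\system32\vudijema.dll",s
mRun: [svchost.exe] "c:\windows\system32\3361\svchost.exe"
mRun: [Explorer] c:\windows\system32\msrstart.exe
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: {144ea9ea-4193-487e-ba39-5f3cbd9edec5} - c:\windows\system32\dikiyoka.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\wuyiyage.dll wjnmbz.dll
LSA: Notification Packages = scecli c:\windows\system32\wuyiyage.dll
txtfile="c:\windows\system32\nxtepad.exe" "%1"
"""

# Assumed genuine XP locations; a Run entry that borrows one of these names from elsewhere is suspect.
KNOWN_BINARIES = {"svchost.exe": r"c:\windows\system32\svchost.exe",
                  "explorer": r"c:\windows\explorer.exe"}
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$", re.I)
BHO_RE = re.compile(r"^BHO: (?P<label>.*?)\{[0-9a-f-]{36}\} - (?P<path>.*)$", re.I)
PATH_RE = re.compile(r'[a-z]:\\[^"\s,]+', re.I)
SYS32 = "\\windows\\system32\\"

def triage(dds_text):
    """Return (reason, line) pairs for persistence entries that deserve a closer look."""
    hits = []
    for line in (l.strip() for l in dds_text.splitlines() if l.strip()):
        lower = line.lower()
        run = RUN_RE.match(line)
        if run:
            name, cmd = run.group("name").lower(), run.group("cmd").lower()
            paths = PATH_RE.findall(cmd)
            if name in KNOWN_BINARIES and (not paths or paths[0] != KNOWN_BINARIES[name]):
                hits.append(("Run entry uses a system binary name but launches from the wrong path", line))
            elif "rundll32" in cmd and re.search(r'\.dll",\w$', cmd):
                hits.append(("rundll32 loads a DLL by a single-letter export", line))
            continue
        bho = BHO_RE.match(line)
        if bho and not bho.group("label").strip() and SYS32 in bho.group("path").lower():
            hits.append(("nameless BHO loaded from system32", line))
        elif lower.startswith("appinit_dlls:"):
            if any(SYS32 in p or "\\" not in p for p in lower.split(":", 1)[1].split()):
                hits.append(("AppInit_DLLs entry injects a system32 DLL into every GUI process", line))
        elif lower.startswith("lsa: notification packages"):
            if [p for p in lower.split("=", 1)[1].split() if p != "scecli"]:
                hits.append(("non-default LSA notification package runs inside lsass", line))
        elif lower.startswith("txtfile=") and "notepad.exe" not in lower:
            hits.append(("txtfile association no longer points at notepad.exe", line))
    return hits

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_DDS):
        print(f"[{reason}]\n    {line}")
```

The rules are deliberately narrow: legitimate entries such as the Google Toolbar BHO and the MSMSGS Run key pass through, while each flagged line maps to one persistence mechanism visible in the log.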


#2 SifuMike
Posted 16 March 2009 - 10:59 PM

Hello bigjeepzz,

Sorry for the delay. We have over 600 logs backed up and only a few helpers.

Since it has been a few days, please post a fresh DDS log so I can see if anything has changed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 bigjeepzz

Posted 17 March 2009 - 05:09 PM

I know you guys are busy so I have no worries. Neither I nor my wife has used the computer since I posted the log, so I am assuming there are no changes. I am out of town right now but I can give my wife directions on what to do over the phone. I will try to get a new log for you tonight.

Bigjeepzz

#4 SifuMike
Posted 17 March 2009 - 06:48 PM

Hi,

No rush. :thumbup2: I want you to do another scan before you post the DDS log.


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DDS log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll


#5 bigjeepzz


Posted 22 March 2009 - 05:30 PM

Sorry for the delay, I made it back in town.

I can't get the computer to start up now. When I turn the computer on I get the following message:

STOP: c0000135 {Unable to Locate Component}
This application has failed to start because USER32.dll was not found. Reinstalling the application may fix this problem

I have tried to start the computer in safe mode as well but I get the same message. Any thoughts on this?

After doing some research on the net I noticed most people have stated a restore disk is needed to repair the problem. If this is the case I am in a bad spot because I don't have a disk. I don't ever remember getting a disk with the computer, then again, I am not 100% sure either.

I appreciate the help thus far.

Jake

Edited by bigjeepzz, 22 March 2009 - 06:10 PM.


#6 SifuMike

Posted 22 March 2009 - 06:44 PM

Hi Jake,

You may be out of luck on this one. :thumbup2:


http://support.microsoft.com/kb/q173309/

This error can occur for any of the following reasons:
1. USER32.dll is missing from the %SystemRoot%\system32 directory.
2. Your computer is loading the Sermouse.sys file.
3. If USER32.dll exists, the software hive may be corrupted and therefore, cannot load.


Try copying user32.dll back to the c:\Windows\System32 directory from the XP disk, another computer, or parallel install of XP.

If you can get to Safe Mode or even Safe Mode Command Prompt you may also be able to run "sfc /scannow" at the prompt and get Windows to check all of its system drivers and replace any that are found corrupted.

#7 bigjeepzz


Posted 22 March 2009 - 09:28 PM

I was going to ask you about the possibility of creating a repair disk or something similar from another computer I have running XP. Any thoughts? Is there a way I can make the disk I need from one computer for another?

I have found the user32.dll file on my good computer but I have no idea on how I would even try to get the file where it needs to be.

I noticed you said something about running sfc/scannow from safemode but that isn't happening. I tried to go into command prompt as well and got nothing.

What do I need as far as a disk for XP? If you can give me an idea of what to look for I can go searching. Any advice from here would be awesome as I really don't have any ideas.

Thanks Bro......

#8 bigjeepzz


Posted 22 March 2009 - 09:54 PM

Update! I talked to my wife (I had to go out of town again and brought her cpu with me) and we do have the XP disk. She is sending it to me and should be here in about four days.

Please forgive me because I am not the most savvy person with computers. I believe she had service pack 2 (sp2) on her computer. The disk we have is service pack 1 (sp1). Is this something that is updated from Microsoft? Is this going to make a difference when the disk arrives? If you can let me know what I need to do from here, I will update you after I follow your instructions.
Thanks again

Jake

#9 SifuMike


Posted 22 March 2009 - 10:52 PM

Hi Jake,

Since my expertise is malware removal and this is a Windows problem, I am going to ask you to post your problem at our Windows XP Home and Professional forum. The techs in that forum specialize in matters pertaining to Windows issues.

Also, when posting in any other forum for assistance, give as much detail as possible regarding any issues that are occurring. The more information they have, the better the techs can analyze the issue and make any recommendations for resolving it.

Edited by SifuMike, 22 March 2009 - 10:53 PM.
spelling


#10 bigjeepzz


Posted 22 March 2009 - 10:55 PM

Thanks man, I will return back to this post once I get the computer fired back up. Talk to you in a few days.

Jake

#11 SifuMike


Posted 23 March 2009 - 01:49 PM

Sounds good to me. ;)