
Some type of problem


4 replies to this topic

#1 seizer

seizer

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:52 AM

Posted 02 April 2009 - 02:40 PM

Hello,
I am at my wits' end trying to do everything I know how to correct problems, but to no avail. What is going on is that the computer runs fine for a few hours, then all of a sudden something really starts tearing into the CPU, using nearly 70-90 percent of it. From Task Manager I cannot see any process that is eating the CPU up, but man, it bogs the heck outta my system. I ran a HijackThis and tried removing the suspect entry, but lo and behold, it's back but under a different name. So here is my DDS log. I've highlighted my suspect entry in red that changed its name. Also I will include just that part of the entry from HijackThis showing what it used to be called. According to its properties it's a legacy database driver from Mozilla. So any help getting rid of my problems, or if you notice any other problems, I appreciate the help. As a side note, I ran the LSPfix and it said nothing was wrong even though I have that one LSP entry. I also forgot to mention the system bogs down heavily while running in safe mode too after a few hours. I was trying to run a full virus scan in safe mode and it couldn't even finish because of the CPU resource stealing.

HiJackThis entry
O4 - HKLM\..\Run: [Pyilomubar] rundll32.exe "C:\WINDOWS\ojoyomebufebosuy.dll",e

DDS (Ver_09-03-16.01) - NTFSx86
Run by Chris at 15:19:24.92 on Thu 04/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.582 [GMT -4:00]

AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated)
FW: NVIDIA Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Razer\Diamondback\razerhid.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Razer\Diamondback\razertra.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Razer\Diamondback\razerofa.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = LINK REMOVED BY ME THE POSTER
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
mRun: [nTrayFw] c:\program files\nvidia corporation\networkaccessmanager\bin\nTrayFw.exe
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [Diamondback] c:\program files\razer\diamondback\razerhid.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Pyilomubar] rundll32.exe "c:\windows\isayuvasaxoga.dll",e
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
Trusted Zone: turbotax.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184028420875
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219965982156
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli WURAp32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\5v4lanms.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {0A855801-77DD-4A54-AA64-11A2D166710A} - c:\documents and settings\chris\local settings\application data\{0A855801-77DD-4A54-AA64-11A2D166710A}

============= SERVICES / DRIVERS ===============

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2007-7-9 16640]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2007-7-9 15424]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2007-7-9 552064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-2-5 24652]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [2007-7-9 13225]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-7-31 42112]

=============== Created Last 30 ================

2009-04-02 14:43 <DIR> --d----- c:\program files\Trend Micro
2009-04-01 08:42 122,080 a------- C:\EConfickerRemover.exe
2009-03-29 13:39 <DIR> --d----- c:\program files\Microsoft Games
2009-03-29 13:04 <DIR> --d----- c:\program files\Freelancer Mod Manager
2009-03-20 20:31 552 a------- c:\windows\system32\d3d8caps.dat
2009-03-14 15:29 202,072 a----r-- c:\windows\system32\cpnprt2.cid
2009-03-14 15:28 <DIR> --d----- c:\program files\Coupons

==================== Find3M ====================

2009-03-29 12:46 110,592 a------- c:\windows\system32\imm32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2007-08-01 00:37 25,600 a------- c:\documents and settings\chris\usbsermptxp.sys
2007-08-01 00:37 22,768 a------- c:\documents and settings\chris\usbsermpt.sys
2007-07-31 23:12 92,064 a------- c:\documents and settings\chris\mqdmmdm.sys
2007-07-31 23:12 79,328 a------- c:\documents and settings\chris\mqdmserd.sys
2007-07-31 23:12 66,656 a------- c:\documents and settings\chris\mqdmbus.sys
2007-07-31 23:12 9,232 a------- c:\documents and settings\chris\mqdmmdfl.sys
2007-07-31 23:12 6,208 a------- c:\documents and settings\chris\mqdmcmnt.sys
2007-07-31 23:12 5,936 a------- c:\documents and settings\chris\mqdmwhnt.sys
2007-07-31 23:12 4,048 a------- c:\documents and settings\chris\mqdmcr.sys
2008-08-28 19:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 15:19:38.48 ===============

Edited by seizer, 02 April 2009 - 02:45 PM.
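The symptom the poster describes (a Run-key value whose rundll32 payload comes back under a freshly generated DLL name) is something a responder can check for mechanically by comparing two autostart snapshots. The script below is an added example, not code from the post or from DDS/HijackThis: it parses the `O4`/`mRun` lines of the two tools, flags rundll32 entries whose DLL sits directly in the Windows root with a one-letter export (as in the quoted entries), and reports Run values whose name is unchanged between snapshots but whose DLL has changed. The sample snapshots are constructed from the lines quoted in the post plus two benign entries for contrast; the regex heuristics are this example's own assumptions.

```python
import ntpath
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample input: the HijackThis O4 line quoted by the poster and the
# corresponding DDS mRun line, plus benign entries for contrast.
HJT_SNAPSHOT = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Pyilomubar] rundll32.exe "C:\WINDOWS\ojoyomebufebosuy.dll",e
"""

DDS_SNAPSHOT = r"""
mRun: [nod32kui] "c:\program files\eset\nod32kui.exe" /WAITSERVICE
mRun: [Pyilomubar] rundll32.exe "c:\windows\isayuvasaxoga.dll",e
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
"""


class RunEntry(NamedTuple):
    name: str     # value name under the Run key, e.g. "Pyilomubar"
    command: str  # command line recorded for that value


# HijackThis "O4 - HKLM\..\Run: [name] cmd" and DDS "mRun:/uRun: [name] cmd" lines.
RUN_LINE = re.compile(r"^(?:O4 - [^:]+|[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# rundll32 invocation: optional quotes around the DLL path, then ",export".
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)', re.I)
# A DLL living directly in the Windows root (not system32 or a vendor folder).
WINDIR_ROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)


def parse_run_entries(text: str) -> List[RunEntry]:
    """Extract Run-key autostart entries from a HijackThis or DDS report."""
    entries: List[RunEntry] = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append(RunEntry(m.group("name"), m.group("cmd").strip()))
    return entries


def rundll32_target(command: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export_name) if the command is a rundll32 launch, else None."""
    m = RUNDLL.match(command)
    if not m:
        return None
    return m.group("dll"), m.group("export")


def suspicion_reasons(entry: RunEntry) -> List[str]:
    """Heuristics (assumed for this example) that match the pattern in the post."""
    reasons: List[str] = []
    target = rundll32_target(entry.command)
    if target is None:
        return reasons
    dll, export = target
    if WINDIR_ROOT_DLL.match(dll):
        reasons.append("rundll32 loads a DLL placed directly in the Windows root")
    if len(export) <= 1:
        reasons.append("export name is a single character")
    return reasons


def suspicious_entries(entries: List[RunEntry]) -> Dict[str, List[str]]:
    """Map each flagged Run value name to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = suspicion_reasons(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


def renamed_payloads(before: List[RunEntry], after: List[RunEntry]) -> Dict[str, Tuple[str, str]]:
    """Run values present in both snapshots whose rundll32 DLL changed name.

    Returns {value_name: (old_dll_basename, new_dll_basename)}.
    """
    previous = {e.name.lower(): rundll32_target(e.command) for e in before}
    changed: Dict[str, Tuple[str, str]] = {}
    for entry in after:
        new = rundll32_target(entry.command)
        old = previous.get(entry.name.lower())
        if old and new and old[0].lower() != new[0].lower():
            changed[entry.name] = (ntpath.basename(old[0]).lower(),
                                   ntpath.basename(new[0]).lower())
    return changed


if __name__ == "__main__":
    current = parse_run_entries(DDS_SNAPSHOT)
    for name, reasons in suspicious_entries(current).items():
        print(f"[{name}] flagged: {'; '.join(reasons)}")
    for name, (old, new) in renamed_payloads(parse_run_entries(HJT_SNAPSHOT), current).items():
        print(f"[{name}] payload renamed: {old} -> {new}")
```

Two snapshots taken a few minutes apart are enough to see the rename; the value name staying constant while the DLL changes is what distinguishes a self-reinstalling loader from a legitimate component that was simply updated in place.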



#2 seizer

seizer
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:52 AM

Posted 02 April 2009 - 06:19 PM

No ideas?

#3 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:04:52 AM

Posted 10 April 2009 - 07:57 PM

hi,

Sorry for the delay; no shortage of posters. We will get a download to use. There is a guide to read first. Read through the guide, download ComboFix, and disable any AV/anti-malware as explained in the guide. Double-click the icon and follow the prompts. Post the ComboFix log in your reply.

Guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How Can I Reduce My Risk to Malware?


#4 seizer

seizer
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:52 AM

Posted 11 April 2009 - 06:29 PM

I am so sorry I forgot to come back and ask this thread to be closed. :thumbup2:

The computer started acting very weird. NOD32 finally picked something up as malicious and got rid of it. I rejoiced until I had to restart the computer for the cure to take effect. The computer then would not load anything, claiming that mstch.dll was missing and had to be reloaded. Of course this was the file that NOD32 decided to quarantine and remove. In my frustration I backed up the files I needed and reformatted my drive.

Thanks for the reply, and again sorry for absent-mindedly forgetting to ask that this thread be shut.

#5 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:04:52 AM

Posted 11 April 2009 - 09:21 PM

hi,

Ok no problem. Here are some tips to help reduce your risk to malware:

Reducing Your Risk To Malware:
The Short Version:

1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. This is now also true for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here. Malicious code is counting on an unpatched OS, browser or software in order to successfully install.

2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, pop-ups or random links.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop-ups or offers from websites claiming that you need to install software on your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and e-mail client. Internet Explorer and Outlook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer.

10) If your habits include warez, cracks etc., or you install files via P2P networks, then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

How Can I Reduce My Risk to Malware?
