
Infected with unwanted Yoog search engine in IE

This topic is locked
2 replies to this topic

#1 mikeforrest

  • Members
  • 1 posts
  • OFFLINE
  • Local time:05:23 PM

Posted 04 April 2009 - 05:01 AM

Hi

I'm using Internet Explorer on XP. The search bar keeps coming up with Yoog Search as the default search engine, no matter how many times I delete it!

I also had godamuwe.dll show up on a BitDefender scan, but it was not removed. I hear it is very dodgy!

I also get popups from worldadmarketplace.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Family at 22:42:26.28 on Sat 04/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.542 [GMT 13:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
FW: BitDefender Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Philips\SA33XX\Philips Device Manager\Bin\SA33XXDeviceManager.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\VnrPack\VnrPack27.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iConcepts Music Express\MEAutoDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Family\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.stuff.co.nz/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\services.exe
{027ad73a-cdfb-425b-ae87-1fb9064dd156}
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: worldadmarketplace browser enhancer: {468c5c73-ea5e-c2c5-5b9e-363e821ef929} - c:\windows\system32\mpujzoirtqljurnmx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Jcore class: {d88e1558-7c2d-407a-953a-c044f5607cea} - c:\program files\jcore\Jcore2.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [[system]] c:\windows\system32\drivers\services.exe
uRun: [winlogon] c:\documents and settings\family\svchost.exe
uRun: [nidle] "c:\documents and settings\family\application data\nidle\nidle.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
uRun: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] c:\recycler\s-1-5-21-5841939926-5076067258-837690826-2106\service.exe
uRun: [12CFG914-K641-26SF-N32P] c:\recycler\s-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
uRun: [12CFG914-K641-26SF-N31P] c:\recycler\s-1-5-21-0243336031-4052116379-881863308-0850\vsse32.exe
uRun: [Twain] c:\documents and settings\family\application data\twain\Twain.exe
uRun: [VnrPack27] "c:\program files\vnrpack\VnrPack27.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [PhilipsSA33XXDM] c:\program files\philips\sa33xx\philips device manager\bin\SA33XXDeviceManager.exe OS_STARTUP
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [[system]] c:\windows\system32\drivers\services.exe
mRun: [winlogon] c:\documents and settings\family\svchost.exe
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hvciowdjzxcyyul] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\mpujzoirtqljurnmx.dll"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [[system]] c:\windows\system32\drivers\services.exe
dRun: [winlogon] c:\documents and settings\localservice\svchost.exe
StartupFolder: c:\docume~1\family\startm~1\programs\startup\ppcb_32.lnk - c:\program files\ppcbooster\ppcb_32.exe
StartupFolder: c:\docume~1\family\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\xfire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autode~1.lnk - c:\program files\iconcepts music express\MEAutoDetect.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\office
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211701095531
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\gurelido.dll c:\windows\system32\godamuwe.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} -
STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}: STS
LSA: Notification Packages = scecli c:\windows\system32\gurelido.dll

============= SERVICES / DRIVERS ===============

R2 bdvedisk;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-2-3 104328]
S2 ajiawok;ajiawok;c:\windows\system32\svchost.exe -k netsvcs [2003-4-1 14336]
S2 cyriezgoywo;cyriezgoywo;c:\windows\system32\svchost.exe -k netsvcs [2003-4-1 14336]
S2 reogtevt;reogtevt;c:\windows\system32\svchost.exe -k netsvcs [2003-4-1 14336]
S3 arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-2-14 68922]

=============== Created Last 30 ================

2009-04-04 16:43 <DIR> --d----- c:\windows\system32\appmgmt
2009-04-04 16:43 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-25 08:30 304 a------- c:\windows\system32\BDUpdateV1.xml
2009-03-17 09:04 <DIR> --d----- c:\program files\iTunes
2009-03-17 09:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 09:03 <DIR> --d----- c:\program files\Bonjour
2009-03-17 08:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-15 18:30 850 a------- c:\windows\system32\ProductTweaks.xml
2009-03-15 18:30 385 a------- c:\windows\system32\user_gensett.xml
2009-03-15 14:48 0 a------- C:\sbndleh.exe
2009-03-15 14:44 <DIR> --d----- c:\docume~1\family\applic~1\BitDefender
2009-03-15 14:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-03-15 14:00 48,288 a------- c:\windows\system32\wiaewslfxsb.exe
2009-03-15 14:00 <DIR> --d----- c:\program files\VnrPack
2009-03-15 14:00 <DIR> --d----- c:\program files\iCheck
2009-03-15 13:54 <DIR> --d----- c:\docume~1\family\applic~1\Twain
2009-03-15 13:49 104,942 a------- c:\windows\system32\drivers\26cbdd76.sys
2009-03-15 13:49 <DIR> --d----- c:\program files\Jcore
2009-03-15 13:49 1,702,671 ---sh--- c:\windows\system32\oduveres.ini
2009-03-14 10:50 101,230 a------- c:\windows\system32\drivers\ab6b4f4c.sys
2009-03-14 10:49 <DIR> --dsh--- c:\windows\system32\twain32
2009-03-14 10:49 2 a------- C:\1894931320
2009-03-14 10:49 <DIR> --d----- c:\docume~1\family\applic~1\nidle
2009-03-14 10:49 <DIR> --d----- c:\windows\system32\h2
2009-03-14 10:49 <DIR> --d----- c:\temp\1cb
2009-03-14 10:49 <DIR> --d----- c:\windows\system32\aNI02
2009-03-14 10:49 <DIR> --d----- c:\temp\atmp8

==================== Find3M ====================

2009-04-04 08:51 81,984 a------- c:\windows\system32\bdod.bin
2009-04-02 04:20 104,328 a------- c:\windows\system32\drivers\bdfndisf.sys
2009-03-17 22:37 391,680 a------- c:\windows\system32\mpujzoirtqljurnmx.dll
2009-03-14 10:54 79,872 a--sh--- c:\windows\system32\tesifoti.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-14 15:08 38 a------- C:\drmHeader.bin
2009-02-10 00:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-05 17:35 418,480 a------- c:\windows\system32\wrap_oal.dll
2009-02-05 17:35 115,432 a------- c:\windows\system32\OpenAL32.dll

============= FINISH: 22:43:49.00 ===============
Attached File: Attach.txt (11.78KB)

#2 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:23 AM

Posted 10 April 2009 - 06:44 PM

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, post a fresh DDS log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:23 AM

Posted 17 April 2009 - 05:32 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.


