Infected Windows Explorer and random "systm" popups and internet popups


  • This topic is locked
3 replies to this topic

#1 guitarist24000

guitarist24000

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:35 PM

Posted 21 April 2009 - 10:37 PM

Let's see, so far my computer is very slow. I tried using Windows System Restore twice; both times it said unable to restore. Sometimes when I am bringing any page up on Internet Explorer a popup will come up, either one from the internet or one that is either from my system or disguised to be my system. Before, I also was getting some kind of termination error every 5 minutes saying something about terminating a program; all I remember is the code, which was 0x00000000 exactly.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Gregg at 23:27:22.67 on Tue 04/21/2009
Internet Explorer: 7.0.5730.13
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: CA Personal Firewall *enabled*

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ACEW
uWindow Title = Microsoft Internet Explorer
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=0&o=xph&d=0808&m=le1200
mWindow Title = Microsoft Internet Explorer
uInternet Settings,ProxyOverride = local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: {74fa5d99-38cd-4e3e-b765-54fad4bda166} - c:\documents and settings\gregg\application data\winrar\atpisa.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9b82e6e5-2176-4edf-9eae-5257ce481a4f} - c:\windows\system32\potedeju.dll
BHO: CA Toolbar Helper: {fbf2401b-7447-4727-be5d-c19b2075ca84} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dll
TB: CA Toolbar: {10134636-e7af-4ac5-a1dc-c7c44bb97d81} - c:\program files\ca\ca internet security suite\ca website inspector\toolbar\CallingIDIE.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [Power2GoExpress] NA
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)" -"http://www.shockwave.com/contentPlay/shockwave.jsp?id=inklink&dwin=1&memberStatus=SignedInStandard&brand="
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WIFISoftAP] "c:\program files\wireless pci-express network adapter\WIFISoftAP.exe" -nogui
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [microssofts] scvhosts.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Anti Trojan Elite] c:\program files\anti trojan elite\TJEnder.exe :NO
mRun: [CPM5bd5f796] Rundll32.exe "c:\windows\system32\benitonu.dll",a
mRun: [pitedehega] Rundll32.exe "c:\windows\system32\zugodiju.dll",s
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
StartupFolder: c:\docume~1\gregg\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\gregg\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
TCP: {CCC4CCBB-3755-490E-B170-0C8D5B4E2A95} = 167.206.245.130,167.206.245.129
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: atpisa - c:\documents and settings\gregg\application data\winrar\atpisa.dll
Notify: PFW - UmxWnp.Dll
AppInit_DLLs: c:\windows\system32\defazoye.dll c:\windows\system32\benitonu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\benitonu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\benitonu.dll
SEH: ShellHook Class: {1869181a-9f50-4fcf-8bff-1b8588ecb85c} - c:\program files\ca\ca internet security suite\ca website inspector\linkadvisor\CIDLinkAdvisor.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\windows\system32\defazoye.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gregg\applic~1\mozilla\firefox\profiles\7pp1bdjl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera\program\plugins\nporbit.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {5F207AAB-F7F7-4EF8-A4CC-B1DB31A4CD01} - c:\documents and settings\gregg\local settings\application data\{5f207aab-f7f7-4ef8-a4cc-b1db31a4cd01}\

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-21 23:07 <DIR> --d----- c:\program files\Trend Micro
2009-04-21 22:38 <DIR> --d----- c:\program files\Anti Trojan Elite
2009-04-21 21:45 1,399,323 ---sh--- c:\windows\system32\okabukeb.ini2
2009-04-21 21:45 1,399,314 ---sh--- c:\windows\system32\okabukeb.tmp
2009-04-21 21:45 121 ---sh--- c:\windows\system32\okabukeb.ini
2009-04-20 16:52 <DIR> --d----- c:\program files\Siber Systems
2009-04-17 22:36 1,562 a------- c:\windows\cdplayer.ini
2009-04-16 18:25 <DIR> --d----- c:\program files\Game_Maker7
2009-04-15 14:23 <DIR> --d----- C:\JDownloader
2009-04-13 17:43 69,632 a------- c:\windows\Alcmtr.exe
2009-04-12 10:05 90,298 ---shr-- c:\windows\scvhosts.exe
2009-04-12 09:58 <DIR> --d----- c:\program files\NewsBinGN
2009-04-10 10:51 166 a------- c:\windows\usdthank.ini
2009-04-10 10:51 31 a------- c:\windows\idc.ini
2009-04-10 10:46 1,877,464 a---h--- c:\windows\system32\2.exe
2009-04-10 10:46 16,384 a---h--- c:\windows\system32\shell.exe
2009-04-10 10:46 49 a---h--- c:\windows\system32\run.bat
2009-04-10 10:46 416,256 a------- c:\windows\system32\gen.exe
2009-04-10 10:46 151,552 a------- c:\windows\system32\Rapid.exe
2009-04-08 16:08 <DIR> --d----- c:\program files\vSoft
2009-04-08 13:15 129,536 a------- c:\windows\system32\ksproxy.ax
2009-04-08 13:15 49,408 a------- c:\windows\system32\drivers\stream.sys
2009-04-07 19:41 <DIR> --d----- c:\program files\Orbitdownloader
2009-04-07 08:00 <DIR> --d----- c:\program files\GetRight
2009-04-05 23:20 <DIR> --d----- c:\docume~1\gregg\applic~1\Avant Profiles
2009-04-05 23:20 <DIR> --d----- c:\documents and settings\gregg\Option
2009-04-05 23:05 <DIR> --d----- c:\docume~1\gregg\applic~1\DMCache
2009-04-04 21:52 <DIR> --d----- c:\program files\Illusion
2009-03-30 20:43 <DIR> --d----- c:\docume~1\gregg\applic~1\Windows Search
2009-03-30 15:03 32 a------- c:\windows\go
2009-03-30 15:03 <DIR> --d----- c:\windows\vf_hip
2009-03-30 15:03 <DIR> --d----- c:\program files\Hide IP Platinum
2009-03-30 14:21 <DIR> --d----- c:\docume~1\gregg\applic~1\CPUControl
2009-03-30 14:21 <DIR> --d----- c:\program files\CPU-Control
2009-03-29 14:39 <DIR> --d----- c:\docume~1\gregg\applic~1\Windows Desktop Search
2009-03-29 14:36 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-03-29 14:36 <DIR> --d----- c:\program files\Windows Desktop Search

==================== Find3M ====================

2009-04-21 22:30 251,830 a------- c:\windows\system32\drivers\kmxcfg.u2k0
2009-04-21 22:30 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
2009-04-21 22:30 64 a------- c:\windows\system32\drivers\kmxcfg.u2k6
2009-04-21 22:30 64 a------- c:\windows\system32\drivers\kmxcfg.u2k5
2009-04-21 22:30 64 a------- c:\windows\system32\drivers\kmxcfg.u2k4
2009-04-21 22:30 64 a------- c:\windows\system32\drivers\kmxcfg.u2k3
2009-04-21 22:30 64 a------- c:\windows\system32\drivers\kmxcfg.u2k2
2009-04-21 22:30 64 a------- c:\windows\system32\drivers\kmxcfg.u2k1
2009-04-21 21:44 354,842 a--sh--- c:\windows\system32\bahowuka.exe
2009-04-21 21:44 89,600 a--sh--- c:\windows\system32\benitonu.dll
2009-04-21 21:44 81,408 a--sh--- c:\windows\system32\bekubako.dll
2009-04-21 21:44 47,616 a--sh--- c:\windows\system32\kefeledi.exe
2009-03-31 06:50 162,546 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-03-19 15:10 17,090,309 a------- c:\windows\system32\senekawgduhhbb.dat
2009-03-14 18:10 87,608 a------- c:\docume~1\gregg\applic~1\inst.exe
2009-03-14 18:10 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-14 18:10 47,360 a------- c:\docume~1\gregg\applic~1\pcouffin.sys
2009-03-14 18:09 4,970,264 a------- c:\docume~1\gregg\applic~1\setup.exe
2009-03-02 10:14 7,351 a------- c:\windows\SCXEunin.dat
2009-03-02 10:10 72,704 a------- c:\windows\SCXEUnin.exe
2009-02-23 21:59 499,712 a------- c:\windows\system32\msvcp71.dll
2009-02-23 21:59 348,160 a------- c:\windows\system32\msvcr71.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-22 18:40 64,861 a------- c:\windows\DIIUnin.dat
2009-01-22 18:38 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-01-22 18:38 17,212 a------t c:\windows\system32\SIntf32.dll
2009-01-22 18:38 12,067 a------t c:\windows\system32\SIntf16.dll
2009-01-22 18:27 94,208 a------- c:\windows\DIIUnin.exe
2009-01-22 18:27 2,829 a------- c:\windows\DIIUnin.pif
2008-12-15 20:07 24,192 a------- c:\documents and settings\gregg\usbsermptxp.sys
2008-12-15 20:07 22,768 a------- c:\documents and settings\gregg\usbsermpt.sys
2008-08-18 17:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-10-28 22:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat
2008-10-28 22:42 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-10-28 22:42 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-10-28 22:42 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 23:32:04.95 ===============
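The DDS log above is what a helper reads by hand. As an added example (not part of the thread, and not code from the DDS tool), here is a small Python triage script that applies the checks a malware helper would make against such a log: unnamed BHOs, a populated AppInit_DLLs value, non-default LSA notification packages, hidden+system executables in the file listings, Vundo-style pseudo-random consonant/vowel file names, and executables whose names imitate system processes. The sample lines are copied from the log above; the similarity threshold and the list of imitated process names are assumptions of this example.

```python
"""Heuristic triage of DDS-style log lines (added example; constructed sample, not the DDS tool)."""
import difflib
import re

# Constructed subset of the DDS log posted above (raw string, so single backslashes).
SAMPLE_LOG = r"""
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: {9b82e6e5-2176-4edf-9eae-5257ce481a4f} - c:\windows\system32\potedeju.dll
mRun: [microssofts] scvhosts.exe
mRun: [CPM5bd5f796] Rundll32.exe "c:\windows\system32\benitonu.dll",a
AppInit_DLLs: c:\windows\system32\defazoye.dll c:\windows\system32\benitonu.dll
LSA: Notification Packages = scecli c:\windows\system32\defazoye.dll
2009-04-12 10:05 90,298 ---shr-- c:\windows\scvhosts.exe
2009-04-21 21:44 89,600 a--sh--- c:\windows\system32\benitonu.dll
"""

LEGIT_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"]  # assumed targets
VOWELS = set("aeiou")
RANDOM_NAME = re.compile(r"\b([a-z]{8})\.(dll|exe)\b")
FILE_ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(\S{8})\s+(.+)$")  # date time size attrs path
LSA_DEFAULT = {"scecli"}  # the only notification package on a clean XP box

def alternating_cv(name):
    """True for Vundo-style names where consonants and vowels strictly alternate."""
    return all((name[i] in VOWELS) != (name[i + 1] in VOWELS) for i in range(len(name) - 1))

def lookalike(name):
    """Return the legitimate process name that `name` imitates, or None."""
    low = name.lower()
    if low in LEGIT_NAMES:
        return None
    for legit in LEGIT_NAMES:
        if difflib.SequenceMatcher(None, low, legit).ratio() >= 0.75:  # assumed threshold
            return legit
    return None

def triage_line(line):
    """Return the reasons this line deserves a closer look (empty list if none)."""
    reasons = []
    m = FILE_ENTRY.match(line)
    if m:
        attrs, path = m.groups()
        if "s" in attrs and "h" in attrs and path.lower().endswith((".exe", ".dll")):
            reasons.append("hidden+system executable: " + path)
    if line.startswith("BHO: {"):
        reasons.append("BHO with no product name")
    if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs populated (loaded into every GUI process)")
    if line.startswith("LSA: Notification Packages"):
        extra = [p for p in line.split("=", 1)[1].split() if p.lower() not in LSA_DEFAULT]
        if extra:
            reasons.append("non-default LSA notification package(s): " + " ".join(extra))
    for name, ext in RANDOM_NAME.findall(line):
        if alternating_cv(name):
            reasons.append("pseudo-random consonant/vowel filename: %s.%s" % (name, ext))
    for token in re.findall(r"[\w.]+\.exe", line, re.IGNORECASE):
        legit = lookalike(token)
        if legit:
            reasons.append("%s looks like %s" % (token, legit))
    return reasons

def triage_log(text):
    """Map each flagged log line to its list of reasons."""
    return {l: r for l in text.splitlines() if (r := triage_line(l))}
```

Running `triage_log(SAMPLE_LOG)` flags the unnamed BHO, the random-name DLLs, the AppInit and LSA entries and the hidden scvhosts.exe, while the RoboForm line passes untouched.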


#2 guitarist24000

guitarist24000
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:35 PM

Posted 22 April 2009 - 02:32 PM

Bump.... Apparently the virus I have is Vundo, or at least one of them is.
=============
Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 22 April 2009 - 09:47 PM.


#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:35 PM

Posted 04 May 2009 - 04:59 PM

Hi guitarist24000,

Sorry for the delay. We have many logs backed up and only a few helpers. :thumbup2:

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.


Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh DDS log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 04 May 2009 - 05:01 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:35 PM

Posted 22 May 2009 - 05:35 PM

This thread will now be closed due to lack of feedback.



