
UiPopupHidden infection


  • This topic is locked
2 replies to this topic

#1 andrew_mc_dougall

andrew_mc_dougall

  • Members
  • 8 posts
  • OFFLINE

Posted 13 July 2009 - 03:07 AM

Have been fighting this a while now. With your help perhaps it can be killed!

Results from DDS below:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Andrew at 8:58:35.03 on Mon 07/13/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\virgin broadband\pcguard\pkR.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BitComet] "c:\program files\bitlord\BitLord.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue SpyEraser] "c:\program files\uniblue\spyeraser\SpyEraser.exe" -m
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [IndexCleaner] "c:\program files\virgin broadband\pcguard\IdxClnR.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [PCguard] "c:\program files\virgin broadband\pcguard\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\virgin broadband\pcguard\ZkRunOnceR.exe"
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SNPSTD2] c:\windows\vsnpstd2.exe
mRunOnce: [IndexCleaner] "c:\program files\virgin broadband\pcguard\IdxClnR.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246566838212
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246570592528
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\wbpzsy1s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvideoegg-loader.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npvideoegg-loader.dll
FF - plugin: c:\program files\videoegg\loader\2663\npvideoegg-loader.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-07-12 16:33 <DIR> --dsh--- c:\documents and settings\andrew\IETldCache
2009-07-12 16:03 <DIR> -cd-h--- c:\windows\ie8
2009-07-09 16:35 <DIR> --d----- c:\documents and settings\andrew\DoctorWeb
2009-07-08 22:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-08 22:53 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-08 22:53 <DIR> --d----- c:\docume~1\andrew\applic~1\SUPERAntiSpyware.com
2009-07-08 19:20 47,616 a------- c:\windows\system32\iyuv_32.dll
2009-07-08 19:12 <DIR> --d----- c:\program files\Noel Danjou
2009-07-08 19:04 <DIR> --d----- c:\documents and settings\andrew\Tracing
2009-07-08 18:01 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-07-08 17:10 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 17:10 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-08 17:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 16:44 <DIR> --d--r-- c:\program files\Skype
2009-07-08 08:50 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-07 13:13 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-07 09:18 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-07 00:44 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-07-07 00:40 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-07-07 00:39 20 a------- c:\windows\
2009-07-07 00:19 <DIR> --d----- c:\program files\Microsoft
2009-07-07 00:18 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-07 00:02 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-06 20:55 <DIR> --d----- c:\windows\system32\scripting
2009-07-06 20:55 <DIR> --d----- c:\windows\l2schemas
2009-07-06 20:55 <DIR> --d----- c:\windows\system32\en
2009-07-06 20:55 <DIR> --d----- c:\windows\system32\bits
2009-07-06 20:43 <DIR> --d----- c:\windows\ServicePackFiles
2009-07-05 12:50 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-04 22:22 276,992 -------- c:\windows\system32\wmphoto.dll
2009-07-04 22:20 20,992 -------- c:\windows\system32\spupdwxp.exe
2009-07-04 22:19 166,912 -------- c:\windows\system32\drivers\s3gnbm.sys
2009-07-04 22:18 67,866 -------- c:\windows\system32\drivers\netwlan5.img
2009-07-04 22:17 33,792 -------- c:\windows\system32\mmcperf.exe
2009-07-04 22:17 397,312 -------- c:\windows\system32\mmcex.dll
2009-07-04 22:17 184,320 -------- c:\windows\system32\microsoft.managementconsole.dll
2009-07-04 22:17 106,496 -------- c:\windows\system32\mmcfxcommon.dll
2009-07-04 22:16 11,868 -------- c:\windows\system32\drivers\mdmxsdk.sys
2009-07-04 22:16 86,016 -------- c:\windows\system32\mdmxsdk.dll
2009-07-04 22:15 37,376 -------- c:\windows\system32\l2gpstore.dll
2009-07-04 22:14 61,440 -------- c:\windows\system32\kmsvc.dll
2009-07-04 22:14 6,144 -------- c:\windows\system32\kbdpash.dll
2009-07-04 22:14 6,144 -------- c:\windows\system32\kbdnepr.dll
2009-07-04 22:14 6,144 -------- c:\windows\system32\kbdiultn.dll
2009-07-04 22:14 6,144 -------- c:\windows\system32\kbdbhc.dll
2009-07-04 22:14 24,064 -c------ c:\windows\system32\dllcache\pidgen.dll
2009-07-04 22:14 102,912 -c------ c:\windows\system32\dllcache\dpcdll.dll
2009-07-04 22:13 10,752 -------- c:\windows\system32\smtpapi.dll
2009-07-04 22:13 9,728 -------- c:\windows\system32\rwnh.dll
2009-07-04 22:13 974 -------- c:\windows\system32\pid.inf
2009-07-04 22:13 46,592 -------- c:\windows\system32\drivers\irbus.sys
2009-07-04 22:13 9,728 -------- c:\windows\system32\comsdupd.exe
2009-07-04 22:13 1,041,536 -------- c:\windows\system32\drivers\hsfdpsp2.sys
2009-07-04 22:13 685,056 -------- c:\windows\system32\drivers\hsfcxts2.sys
2009-07-04 22:13 220,032 -------- c:\windows\system32\drivers\hsfbs2s2.sys
2009-07-04 22:13 32,285 -------- c:\windows\system32\hsfcisp2.dll
2009-07-04 22:13 19,200 -------- c:\windows\system32\drivers\hidir.sys
2009-07-04 22:13 25,600 -------- c:\windows\system32\drivers\hidbth.sys
2009-07-04 22:11 129,045 -------- c:\windows\system32\drivers\cxthsfs2.cty
2009-07-04 22:11 12,800 -------- c:\windows\system32\credssp.dll
2009-07-04 22:09 3,775 -------- c:\windows\system32\drivers\adv11nt5.dll
2009-07-04 22:09 3,967 -------- c:\windows\system32\drivers\adv02nt5.dll
2009-07-04 22:09 3,711 -------- c:\windows\system32\drivers\adv09nt5.dll
2009-07-04 22:09 3,647 -------- c:\windows\system32\drivers\adv07nt5.dll
2009-07-04 22:09 3,615 -------- c:\windows\system32\drivers\adv05nt5.dll
2009-07-04 22:09 3,135 -------- c:\windows\system32\drivers\adv08nt5.dll
2009-07-04 22:09 4,255 -------- c:\windows\system32\drivers\adv01nt5.dll
2009-07-04 22:09 136,192 -------- c:\windows\system32\aaclient.dll
2009-07-02 21:27 604,416 a------- c:\windows\system32\TUProgSt.exe
2009-07-02 20:35 361,216 a------- c:\windows\system32\TuneUpDefragService.exe

==================== Find3M ====================

2009-07-06 21:16 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-05 22:09 2,068 a------- c:\windows\system32\d3d9caps.dat
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-02-25 17:03 0 a------- c:\docume~1\andrew\applic~1\Install.dat

============= FINISH: 9:03:20.09 ===============


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK

Posted 23 July 2009 - 10:27 AM

Hello and welcome to Bleeping Computer.

My name is Syler, and I will be helping you to solve your malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • MBAM log
  • log.txt
  • info.txt
Thanks



#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK

Posted 28 July 2009 - 03:35 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
