Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Popups...lots of them, some crashes


  • This topic is locked This topic is locked
2 replies to this topic

#1 Xaven

Xaven

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:53 PM

Posted 07 November 2009 - 09:32 AM

Well, whenever I go to a website, I am greeted with the website and a popup. Its a little disturbing. Also, Internet explorer managed to open itself 30+ times once and on another occasion my computer froze while continuously making that noise where you try to click out of something but can't.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Malcolm at 9:12:41.06 on Sat 11/07/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.91 [GMT -5:00]

AV: ZoneAlarm Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
svchost.exe
C:\Documents and Settings\All Users\Application Data\Zwunzi\zwunzi125.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IObit\Game Booster\gbtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Malcolm\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Documents and Settings\Malcolm\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=101676&l=dis
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [dlbxmon.exe] "c:\program files\dell photo aio printer 962\dlbxmon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [bebohojit] Rundll32.exe "c:\windows\system32\mibagoyo.dll",a
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [DLBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBXtime.dll,_RunDLLEntry@16
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - {6FAC4823-815E-4361-836E-46D65ED2550B}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: ginuwike.dll c:\windows\system32\hajiruno.dll c:\windows\system32\mibagoyo.dll
SSODL: witayosen - {4a7f8693-4341-4d61-a345-1efcfa2f0ce4} - No File
SSODL: budelurel - {3e84ec72-54d3-4a2d-b603-887cb1c610af} - No File
SSODL: zobuzetit - {87713c6b-ad89-4cd8-b5a9-909983918525} - c:\windows\system32\mibagoyo.dll
STS: jugezatag: {87713c6b-ad89-4cd8-b5a9-909983918525} - c:\windows\system32\mibagoyo.dll
LSA: Notification Packages = scecli fezogevu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\malcolm\applic~1\mozilla\firefox\profiles\rr02szig.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.teamuber.net/forum/index.php
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaDownload.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 Zwunzi Service;Zwunzi Service;c:\documents and settings\all users\application data\zwunzi\zwunzi125.exe [2009-11-5 58720]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-11-06 02:22:22 0 d-----w- C:\Fraps
2009-11-06 01:51:02 0 d-----w- c:\program files\ASIO4ALL v2
2009-11-06 01:50:15 0 d-----w- c:\program files\VstPlugins
2009-11-06 01:50:14 225280 ----a-w- c:\windows\system32\rewire.dll
2009-11-06 01:49:19 1294336 ----a-w- c:\windows\system32\vorbis.acm
2009-11-06 01:44:47 0 d-----w- c:\program files\Outsim
2009-11-06 01:40:17 0 d-----w- c:\program files\Image-Line
2009-11-05 17:00:50 0 d-----w- c:\documents and settings\malcolm\Downloads
2009-11-05 14:38:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky SDK
2009-11-05 14:20:39 0 d-----w- c:\docume~1\malcolm\applic~1\CheckPoint
2009-11-05 14:19:59 0 d-----w- c:\program files\CheckPoint
2009-11-05 14:15:04 713216 ------w- c:\windows\system32\dllcache\sxs.dll
2009-11-05 14:15:03 0 d-----w- c:\program files\Zone Labs
2009-11-05 14:14:49 0 d-----w- c:\windows\Internet Logs
2009-11-05 03:11:32 0 d-----w- c:\docume~1\malcolm\applic~1\GlarySoft
2009-11-05 03:03:27 0 d-----w- c:\program files\Glary Utilities
2009-11-04 11:04:43 1 --sh--w- c:\windows\system32\yufiweru.dll
2009-10-31 12:44:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-31 12:44:23 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-30 23:12:39 0 d-----w- C:\Downloads
2009-10-30 16:41:49 0 d-----w- c:\docume~1\malcolm\applic~1\Free Download Manager
2009-10-30 16:41:45 0 d-----w- c:\docume~1\alluse~1\applic~1\FreeDownloadManager.ORG
2009-10-30 16:41:44 0 d-----w- c:\program files\Free Download Manager
2009-10-29 18:39:15 0 d-----w- c:\docume~1\malcolm\applic~1\Free Mp3 Wma Ogg Converter
2009-10-27 20:00:59 0 d-----w- c:\program files\Zwunzi
2009-10-27 20:00:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Zwunzi
2009-10-27 20:00:51 0 d-----w- c:\program files\Free Mp3 Wma Ogg Converter
2009-10-24 20:35:55 202072 ----a-r- c:\windows\system32\cpnprt2.cid
2009-10-24 20:34:54 0 d-----w- c:\windows\Cache
2009-10-24 20:34:52 0 d-----w- c:\program files\Coupons
2009-10-23 18:53:11 36704 ----a-w- c:\windows\system32\SubtitDSuninst.exe
2009-10-22 23:31:00 0 d-----w- c:\docume~1\malcolm\applic~1\Any Video Converter Professional
2009-10-22 23:30:56 0 d-----w- c:\program files\Any Video Converter Professional
2009-10-20 21:44:33 8086 ----a-w- C:\proxy.php
2009-10-20 21:34:44 9130 ----a-w- C:\classWebPage.php
2009-10-20 21:34:44 6077 ----a-w- C:\URLproxyServer.php
2009-10-20 21:34:44 1888 ----a-w- C:\config.php
2009-10-20 21:34:44 17987 ----a-w- C:\COPYING
2009-10-20 21:34:44 1455 ----a-w- C:\ChangeLog

==================== Find3M ====================

2009-11-07 13:01:09 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-17 06:39:40 72584 ----a-w- c:\windows\zllsputility.exe
2009-10-17 06:39:32 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-10-13 01:20:28 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-10-12 23:15:26 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-09-18 09:56:10 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:33:52 133632 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-07 17:46:42 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:45:26 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-29 23:23:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-29 05:09:28 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:16:37 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-21 09:46:35 450560 ------w- c:\windows\system32\dllcache\jscript.dll
2009-08-10 15:21:02 6451712 ----a-w- c:\windows\system32\tlidetail10.dll
2009-08-02 11:03:08 90112 --sha-w- c:\windows\system32\jivavadu.dll
2009-08-01 11:02:40 90112 --sha-w- c:\windows\system32\lewiyidi.dll
2009-08-05 11:04:45 90112 --sha-w- c:\windows\system32\mibagoyo.dll
2009-08-05 11:04:45 38912 --sha-w- c:\windows\system32\mokinepa.dll
2009-08-04 23:04:38 37888 --sha-w- c:\windows\system32\yezimuya.dll
2009-08-04 11:04:11 1 --sha-w- c:\windows\system32\zahuyoru.dll

============= FINISH: 9:16:26.73 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:53 PM

Posted 11 November 2009 - 03:54 AM

Hi,

uTorrent

Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu
    select
    Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck
    Resident TeaTimer
    and OK any prompts.
  • Restart your computer
Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:53 PM

Posted 16 November 2009 - 09:07 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users