Constant pop ups, Firefox really slow.

6 replies to this topic

#1 callaghan

callaghan

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 01 March 2010 - 11:41 AM

My HP laptop has been running great for about 3 years, and it all thanks to you guys. I believe that a Malware program has infected my computer, and now I get pop ups all the time, as in I have had one just now while typing this sentence. I have found a "bohemuko.exe" file that I have not noticed before, and after searching the internet a bit, it seems this is the culprit. I do not know how to remove this particular one, so any help would be appreciated.

I am running windows xp home, SP3 on an HP pavilion laptop.
I have haxfix, hijack this, and other similar programs.
My laptop is used almost exclusively for browsing the internet, and I do not use any file sharing programs.
I do, however, frequent facebook, and other similar sites.

Thanks


#2 Sashacat

Sashacat

  • Members
  • 372 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 04 March 2010 - 10:10 PM

Hello :thumbsup:

Run ATF Cleaner:
http://www.atribune.org/index.php?option=c...5&Itemid=25
Instructions on web page.

Use Rkill immediately before scanning with Malwarebytes'.
http://www.technibble.com/rkill-repair-tool-of-the-week/
"Rkill is a small, freeware and portable tool designed to terminate active malware processes allowing you to use other removal tools. Rkill is made by a Microsoft MVP “Lawrence Abrams” and is available in 4 different extensions. An .EXE, .COM, .SCR and a .PIF file.
The reason why Rkill comes in 4 different versions is because some malware will block .EXE files in an attempt to prevent you from running other malware removal tools, so this gets around that problem."


Scan with Malwarebytes'. (Make sure you update it before scanning).
Topic below includes detailed step by step instructions, and a Troubleshoot section:
How to use Malwarebytes' Anti-Malware to scan and remove malware from your computer
Posted by Grinler on February 16, 2010

http://www.bleepingcomputer.com/virus-remo...alware-tutorial

Scan with SUPERAntiSpyware. (Make sure you update it before scanning).
How to use SUPERAntiSpyware to scan and remove malware from your computer
Posted by Grinler on November 2, 2009

http://www.bleepingcomputer.com/virus-remo...pyware-tutorial

Just to let you know (this is for YOUR protection):
"only trained members of the following groups: Malware Response Team, Malware Study Hall Senior, Moderators or Administrators are allowed to help people with logs. "
source: http://www.bleepingcomputer.com/forums/t/126946/a-reminder-to-our-members-regarding-malware-logs/

Please reply back with the scan results (SUPERAntiSpyware and Malwarebytes').
Copy/paste the ENTIRE CONTENTS of the scan results logs into your next reply.
Also include in your reply what symptoms, if any, you are still experiencing.

If we don't change the direction we are going,
We are likely to end up where we are headed.

#3 callaghan

callaghan
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 05 March 2010 - 01:08 AM

Malwarebytes' Anti-Malware 1.44
Database version: 3825
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/5/2010 12:44:22 AM
mbam-log-2010-03-05 (00-44-11).txt

Scan type: Quick Scan
Objects scanned: 155830
Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8657294d-6bab-4e2a-acfa-22fac5a1461f} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8657294d-6bab-4e2a-acfa-22fac5a1461f} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yodedafi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\loyejosu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\pegojehe.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\rezizafo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vizaratu.dll (Trojan.Vundo.H) -> No action taken.


next:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/05/2010 at 01:07 AM

Application Version : 4.34.1000

Core Rules Database Version : 4641
Trace Rules Database Version: 2453

Scan type : Quick Scan
Total Scan Time : 00:13:12

Memory items scanned : 376
Memory threats detected : 0
Registry items scanned : 446
Registry threats detected : 25
File items scanned : 7268
File threats detected : 6

Adware.Vundo/Variant-[Fixed]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8657294d-6bab-4e2a-acfa-22fac5a1461f}
HKCR\CLSID\{8657294D-6BAB-4E2A-ACFA-22FAC5A1461F}
HKCR\CLSID\{8657294D-6BAB-4E2A-ACFA-22FAC5A1461F}\InprocServer32
HKCR\CLSID\{8657294D-6BAB-4E2A-ACFA-22FAC5A1461F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\YODEDAFI.DLL
HKU\S-1-5-21-823518204-796845957-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8657294D-6BAB-4E2A-ACFA-22FAC5A1461F}
C:\WINDOWS\SYSTEM32\VIZARATU.DLL

Adware.MyWebSearch
HKU\S-1-5-21-823518204-796845957-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

Trojan.Media-Codec
HKU\S-1-5-21-823518204-796845957-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{202A961F-23AE-42B1-9505-FFE3C818D717}

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-823518204-796845957-725345543-1004\SOFTWARE\MyWebSearch
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\0\win32
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\FLAGS
HKCR\TypeLib\{D518921A-4A03-425E-9873-B9A71756821E}\1.0\HELPDIR
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version

Adware.180solutions/Seekmo/Zango
C:\DOCUMENTS AND SETTINGS\SPASTIC BUNNY\MY DOCUMENTS\SETUP.EXE

Adware.Vundo/Variant-EC
C:\WINDOWS\SYSTEM32\LOYEJOSU.DLL
C:\WINDOWS\SYSTEM32\REZIZAFO.DLL

Adware.Vundo/Variant-Rampage
C:\WINDOWS\SYSTEM32\PEGOJEHE.DLL

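The Malwarebytes' log above is easier to reason about once it is parsed rather than read line by line: every entry it lists ends in "No action taken", which means the scan found 25 items but removed none of them. The following parser is an added example for this thread, not code from BleepingComputer or from Malwarebytes; it reads the log format as it appears in the post (section headings ending in a colon, entries of the form `item (Family) -> action.`), counts detections per family, flags entries that were not cleaned, and cross-checks the parsed entries against the counts the log declares in its summary block. The embedded log text is copied from the post; the function names are my own.

```python
import re
from collections import Counter

# Excerpt of the Malwarebytes' Anti-Malware 1.44 log posted in this thread (copied from the post).
MBAM_LOG = r"""
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 19
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8657294d-6bab-4e2a-acfa-22fac5a1461f} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8657294d-6bab-4e2a-acfa-22fac5a1461f} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yodedafi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\loyejosu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\pegojehe.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\rezizafo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vizaratu.dll (Trojan.Vundo.H) -> No action taken.
"""

# "Registry Keys Infected: 19" (summary line, has a count) vs "Registry Keys Infected:" (section heading).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# One detection line: "<item> (<Family>) -> <action>."  The item may itself contain
# parentheses (e.g. "\(default)"), so the family is taken as the last "(...)" before " -> ".
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.$")


def parse_mbam_log(text):
    """Return (declared_counts, entries) for a Malwarebytes' log in the format shown above."""
    declared, entries, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                declared[m.group("section")] = int(m.group("count"))
            else:
                current = m.group("section")
            continue
        if current is None or line.startswith("(No malicious items detected)"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": current, **m.groupdict()})
    return declared, entries


def family_counts(entries):
    """Detections per malware family, e.g. Counter({'Adware.MyWebSearch': 14, ...})."""
    return Counter(e["family"] for e in entries)


def untreated(entries):
    """Entries the scan reported but did not remove (action 'No action taken')."""
    return [e for e in entries if e["action"] == "No action taken"]


def check_counts(declared, entries):
    """Sections whose declared count differs from the entries actually parsed: {section: (declared, parsed)}."""
    seen = Counter(e["section"] for e in entries)
    return {s: (n, seen.get(s, 0)) for s, n in declared.items() if n != seen.get(s, 0)}


if __name__ == "__main__":
    declared, entries = parse_mbam_log(MBAM_LOG)
    print(family_counts(entries))
    print(len(untreated(entries)), "of", len(entries), "entries were not removed")
    print("count mismatches:", check_counts(declared, entries) or "none")
```

The `check_counts` step is the useful caveat when reading posted logs: the summary block and the detailed sections come from the same scan, so if the numbers disagree the log was truncated or edited when pasted, and any advice based on it is working from incomplete data. On this log the numbers agree, and the parsed entries make the point the replies below rely on: every one of the 25 items was left in place.
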
#4 callaghan

callaghan
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 05 March 2010 - 01:11 AM

Both of these were the "quick scan" type. I can do a more thorough scan if needed. Thanks.

I also ran ComboFix yesterday because I could not get Malwarebytes to work at all, even after using Rkill.

#5 Sashacat

Sashacat

  • Members
  • 372 posts
  • OFFLINE
  • Local time:01:28 AM

Posted 08 March 2010 - 10:01 AM

Hello :thumbsup:

Please note the warning in blue text at the top of this page:
"ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer."

I am not authorized to help with logs.

I had a "Vundo" infection, and it required the help of the Malware Response Team
in the Virus, Trojan, Spyware, and Malware Removal Logs forum.

See this topic:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help, Instructions for receiving help in cleaning your computer
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

After following the instructions, post a NEW TOPIC here:
Virus, Trojan, Spyware, and Malware Removal Logs forum
http://www.bleepingcomputer.com/forums/posthjtlog.html

Once you post a new topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum,
DO NOT MAKE ANY CHANGES TO YOUR COMPUTER, and only follow instructions provided by OFFICIAL STAFF members.

If we don't change the direction we are going,
We are likely to end up where we are headed.

#6 callaghan

callaghan
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 10 March 2010 - 07:29 AM

Yeah, I have used it once before, so I am a little familiar with it. Thanks for your help, it is greatly appreciated. I will post up a new topic in the forum you mentioned.

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:28 AM

Posted 16 March 2010 - 12:39 PM

Hello callaghan,

I have deleted the new topic you made as you neglected to furnish the logs.

Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

Since you ran ComboFix, please include that log in your new topic. If you are UNABLE to create the DDS logs or the GMER logs, create the new topic anyway and post the ComboFix log. If that should happen, please explain what happened when you tried to produce the DDS and GMER logs.

Orange Blossom :thumbsup:

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript