urtbk popups

Hello,

I'm getting a series of blank IE windows with the url urtbk in them.

Running Vista 32bit

Hijack This log is attached.

RootRepeal doesn't seem to work (error: FOPS - DeviceIOcontrol Error! Error code = 0xc0000024 extended info (0x00000144))
Spybot installed, works, scanned, didn't get rid of this.

Malwarebytes doesn't work

Dr. Web stops responding and says I have a virus and directs me to their FAQ website.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:09 PM, on 12/30/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Rodney\AppData\Roaming\SystemProc\lsass.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Windows\System32\mobsync.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [vekijosar] Rundll32.exe "c:\progra~2\puwisuro\puwisuro.dll",a
O4 - HKLM\..\Run: [foyemiduhu] Rundll32.exe "C:\ProgramData\seyohale\seyohale.dll",s
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [foyemiduhu] Rundll32.exe "C:\ProgramData\seyohale\seyohale.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\Rodney\AppData\Roaming\SystemProc\lsass.exe
O4 - HKCU\..\Run: [vekijosar] Rundll32.exe "c:\progra~2\puwisuro\puwisuro.dll",a
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: c:\progra~2\puwisuro\puwisuro.dll,C:\ProgramData\falefigi\falefigi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: hovehemus - {d577f553-1515-45ee-8620-fd4a488c9816} - c:\progra~2\puwisuro\puwisuro.dll
O22 - SharedTaskScheduler: jugezatag - {d577f553-1515-45ee-8620-fd4a488c9816} - c:\progra~2\puwisuro\puwisuro.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 9628 bytes

Thanks.
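The HijackThis log above can be triaged mechanically before anyone reads it line by line. The following Python script is an added example, not something posted in this thread and not part of HijackThis: it parses the running-process list and the O4/O20/O21/O22 autostart entries, flags a few textbook red flags (a file named lsass.exe running or started outside System32, DLLs loaded through AppInit_DLLs, shell hooks that point outside Windows or Program Files, autostart DLLs under ProgramData) and, most usefully, counts how many separate persistence points reference the same file. The sample input is a cut-down copy of the log lines from the post; the mapping of the 8.3 alias c:\progra~2 to c:\ProgramData is an assumption about this 32-bit Vista system.

```python
"""Triage a HijackThis log: flag risky autostart entries and correlate files
that are hooked from several persistence points at once (added example)."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log in the post above,
# cut down to the process list and the O4/O20/O21/O22 autostart sections.
HJT_LOG = r"""
Running processes:
C:\Windows\system32\Dwm.exe
C:\Users\Rodney\AppData\Roaming\SystemProc\lsass.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [vekijosar] Rundll32.exe "c:\progra~2\puwisuro\puwisuro.dll",a
O4 - HKLM\..\Run: [foyemiduhu] Rundll32.exe "C:\ProgramData\seyohale\seyohale.dll",s
O4 - HKCU\..\Run: [foyemiduhu] Rundll32.exe "C:\ProgramData\seyohale\seyohale.dll",s
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\Rodney\AppData\Roaming\SystemProc\lsass.exe
O4 - HKCU\..\Run: [vekijosar] Rundll32.exe "c:\progra~2\puwisuro\puwisuro.dll",a
O20 - AppInit_DLLs: c:\progra~2\puwisuro\puwisuro.dll,C:\ProgramData\falefigi\falefigi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: hovehemus - {d577f553-1515-45ee-8620-fd4a488c9816} - c:\progra~2\puwisuro\puwisuro.dll
O22 - SharedTaskScheduler: jugezatag - {d577f553-1515-45ee-8620-fd4a488c9816} - c:\progra~2\puwisuro\puwisuro.dll
"""

# Names that belong in %SystemRoot%\System32; a copy anywhere else is a red flag.
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "services.exe", "smss.exe",
                   "svchost.exe", "winlogon.exe"}
PERSISTENCE_CODES = {"O4", "O20", "O21", "O22"}

# A Windows path inside a log line (quoted or not) ending in a loadable extension.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|sys|ocx|cpl)\b", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def normalize(path):
    r"""Lower-case the path and expand the 8.3 alias used in the log.
    Assumption: on this 32-bit Vista machine c:\progra~2 is c:\ProgramData."""
    return path.strip().strip('"').lower().replace("c:\\progra~2\\", "c:\\programdata\\")


def parse_log(text):
    """Split the log into running-process paths and (code, body) entry tuples."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
        elif (m := ENTRY_RE.match(line)):
            in_procs = False
            entries.append((m.group("code"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def persistence_hooks(text):
    """Map each autostarted file to the sorted list of log sections that reference it."""
    hooks = defaultdict(set)
    for code, body in parse_log(text)[1]:
        if code in PERSISTENCE_CODES:
            location = f"{code} {body.split(':', 1)[0]}"  # e.g. "O4 HKLM\..\Run"
            for m in PATH_RE.finditer(body):
                hooks[normalize(m.group(0))].add(location)
    return {path: sorted(locs) for path, locs in hooks.items()}


def triage(text):
    """Return (severity, reason, path) findings, highest severity first."""
    processes, entries = parse_log(text)
    findings = set()

    def check_masquerade(p):
        if p.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and not p.startswith("c:\\windows\\system32\\"):
            findings.add(("high", "system binary name running/started outside System32", p))

    for proc in processes:
        check_masquerade(normalize(proc))

    for code, body in entries:
        for m in PATH_RE.finditer(body):
            p = normalize(m.group(0))
            check_masquerade(p)
            if code == "O20" and body.startswith("AppInit_DLLs"):
                findings.add(("high", "AppInit_DLLs entry: loaded into every user32-linked process", p))
            elif code in {"O21", "O22"} and not p.startswith(("c:\\windows\\", "c:\\program files\\")):
                findings.add(("high", f"{code} shell hook outside Windows / Program Files", p))
            elif code == "O4" and p.startswith("c:\\programdata\\") and p.endswith(".dll"):
                findings.add(("medium", "autostart DLL under ProgramData, unusual for legitimate software", p))

    # The strongest signal: one file wired into several independent autostart points.
    for p, locs in persistence_hooks(text).items():
        if len(locs) >= 2:
            findings.add(("high", f"hooked from {len(locs)} persistence points: {'; '.join(locs)}", p))

    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f[0]], f[2], f[1]))


if __name__ == "__main__":
    for severity, reason, path in triage(HJT_LOG):
        print(f"[{severity}] {path}\n    {reason}")
```

On this sample, puwisuro.dll is referenced from five separate autostart points (two Run keys, AppInit_DLLs, SSODL and SharedTaskScheduler), which is why removing a single Run entry with HijackThis would not have stopped the popups: the remaining hooks reload the DLL and can rewrite the deleted key. The lsass.exe under AppData\Roaming is flagged purely on location, since the real one lives only in System32.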

Comments

  • edited December 2009
    Hey,

    A few things before we start....
    1. Please Read All Instructions Carefully.
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you.
    4. If you have to go away for an extended period of time, let me know.
    5. Please continue to respond until I give you the "All Clear".
    (Just because you can't see a problem doesn't mean it isn't there)



    Please download Malwarebytes' Anti-Malware by clicking the link below:
    Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at Download.com

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Full Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * You'll be required to post the contents of this log later.

    Please Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    For now, the download link is:
    http://download.bleepingcomputer.com/sUBs/Beta/KittyFix.exe

    Please also ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.


    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.


    Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.


    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • edited December 2009
    Thanks for responding Chiaz,

    I won't be able to do these steps until tomorrow, but before I begin, I should let you know that Malwarebytes does not work. It's installed but the program does not open, same with Norton Antivirus and Dr. Web. The programs are installed but do not open. I renamed the setup file but that didn't work.
  • edited December 2009
    OK, looks like you've already done a bit of research on your own. Go on with ComboFix then.
  • edited December 2009
    chiaz wrote:
    OK, looks like you've already done a bit of research on your own. Go on with ComboFix then.

    Yup, in desperation I looked through some of the forums, but when none of those solutions worked I decided to come out of hiding. :p Anyway, I will get to combofix later on today. Thanks again.
  • edited December 2009
    OK. So ComboFix won't work either. I downloaded it once. As it ran, it went through and said I had Norton and Spybot open. I closed Spybot through the Task Manager, and I can't get into Norton through the program and there isn't an icon in the task bar. I went through the dialogues anyway and ComboFix closed with an error: cannot rename ComboFix.exe as ComboFix[1].exe.

    I tried to re-download it again. This time a dialogue box came up and said my ComboFix had been compromised and sent me to the how-to website you referenced above.

    So, really, I haven't done anything. Help!
  • edited December 2009
    Ran Panda Security online virus scan. Eliminated some trojans. Could not eliminate Trj/CI.A

    Ran HijackThis after:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:55:09 PM, on 12/30/2009
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16386)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\hp\support\hpsysdrv.exe
    C:\WINDOWS\RtHDVCpl.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Users\Rodney\AppData\Roaming\SystemProc\lsass.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
    C:\Windows\System32\mobsync.exe
    C:\hp\kbd\kbd.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "c:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [vekijosar] Rundll32.exe "c:\progra~2\puwisuro\puwisuro.dll",a
    O4 - HKLM\..\Run: [foyemiduhu] Rundll32.exe "C:\ProgramData\seyohale\seyohale.dll",s
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [foyemiduhu] Rundll32.exe "C:\ProgramData\seyohale\seyohale.dll",s
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [RTHDBPL] C:\Users\Rodney\AppData\Roaming\SystemProc\lsass.exe
    O4 - HKCU\..\Run: [vekijosar] Rundll32.exe "c:\progra~2\puwisuro\puwisuro.dll",a
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: c:\progra~2\puwisuro\puwisuro.dll,C:\ProgramData\falefigi\falefigi.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: hovehemus - {d577f553-1515-45ee-8620-fd4a488c9816} - c:\progra~2\puwisuro\puwisuro.dll
    O22 - SharedTaskScheduler: jugezatag - {d577f553-1515-45ee-8620-fd4a488c9816} - c:\progra~2\puwisuro\puwisuro.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    --
    End of file - 9628 bytes


    Thanks.
  • edited December 2009
    Results of the ActiveScan here:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-12-31 16:09:47
    PROTECTIONS: 1
    MALWARE: 33
    SUSPECTS: 2
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Norton Internet Security 2007 No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@trafficmp[1].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@atdmt[2].txt
    00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@tradedoubler[2].txt
    00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@247realmedia[2].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@fastclick[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@tribalfusion[2].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@mediaplex[2].txt
    00147806 Cookie/7search TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@7search[2].txt
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@com[1].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@ad.yieldmanager[2].txt
    00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@burstnet[2].txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@serving-sys[2].txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@bs.serving-sys[2].txt
    00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@server.iad.liveperson[1].txt
    00168114 Cookie/onestat.com TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@stat.onestat[2].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@advertising[1].txt
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@ads.pointroll[2].txt
    00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@overture[1].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@realmedia[2].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@questionmarket[2].txt
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@zedo[2].txt
    00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@bluestreak[1].txt
    00194327 Cookie/Go TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@go[2].txt
    00199984 Cookie/Searchportal TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@searchportal.information[2].txt
    00207338 Cookie/Target TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@target[2].txt
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@atwola[2].txt
    00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@citi.bridgetrack[2].txt
    00950035 Cookie/RegistryDefender TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@registrydefender[2].txt
    03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes c:\users\rodney\appdata\local\microsoft\windows\temporary internet files\content.ie5\vhyxfhb1\34fc31720ce1b1ab18191a852120231f[1].exe
    03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\programdata\vufeguja\vufeguja.dll
    03074964 Trj/CI.A Virus/Trojan Yes 0 Yes No c:\progra~2\vufeguja\vufeguja.dll
    03074964 Trj/CI.A Virus/Trojan Yes 0 Yes No c:\progra~2\vufeguja\vufeguja.dll
    03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes c:\users\rodney\appdata\local\temp\ethicsor.exe
    03074964 Trj/CI.A Virus/Trojan Yes 0 Yes Yes c:\users\rodney\appdata\roaming\systemproc\lsass.exe
    03983016 Generic Malware Virus/Trojan No 0 Yes Yes c:\windows\hpcpcuninstall-6811507\interop.shdocvw.dll
    03983016 Generic Malware Virus/Trojan No 0 Yes Yes c:\program files\hp connections\6811507\program\hpbwsetup\interop.shdocvw.dll
    03983016 Generic Malware Virus/Trojan No 0 Yes Yes c:\program files\hp connections\6811507\program\interop.shdocvw.dll
    05827524 Trj/Krap.Y Virus/Trojan No 0 Yes Yes c:\programdata\visujowo\visujowo.dll
    05835816 Trj/Krap.Y Virus/Trojan No 0 Yes Yes c:\programdata\rewuguti\rewuguti.dll
    05835816 Trj/Krap.Y Virus/Trojan No 0 Yes Yes c:\programdata\ruyupuno\ruyupuno.dll_old
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No c:\users\rodney\appdata\local\microsoft\windows\temporary internet files\content.ie5\dgvzkkdh\combofix.exe[32788r22fwjfw\pev.exe]
    No c:\users\rodney\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\0esv07ro\combofix[1].exe[32788r22fwjfw\pev.exe]
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
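Most of the ActiveScan report above is tracking-cookie noise; the rows that matter are the ones whose Active column says Yes and whose Disinfected column says No. The following Python script is an added example, not something from this thread or from Panda: it parses the MALWARE rows in the report's own layout, folds the c:\progra~2 rows onto c:\ProgramData (an assumption about 8.3 names on this 32-bit Vista system, supported by the report listing the same DLL under both spellings), and separates cookie noise, items already cleaned, and what is still on disk. The sample input is a subset of the rows from the post.

```python
"""Summarize a Panda ActiveScan report: strip tracking-cookie noise, fold
8.3/long-name duplicates, and list what is still active and not disinfected
(added example)."""
import re
from collections import Counter

# Constructed sample: a subset of the rows from the ActiveScan report posted
# above, kept in the report's own layout so the parser sees real structure.
REPORT = r"""
;******
ANALYSIS: 2009-12-31 16:09:47
PROTECTIONS: 1
MALWARE: 33
SUSPECTS: 2
;******
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;======
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@trafficmp[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\rodney\appdata\roaming\microsoft\windows\cookies\low\rodney@doubleclick[1].txt
03074964 Trj/CI.A Virus/Trojan No 0 Yes Yes c:\users\rodney\appdata\local\microsoft\windows\temporary internet files\content.ie5\vhyxfhb1\34fc31720ce1b1ab18191a852120231f[1].exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\programdata\vufeguja\vufeguja.dll
03074964 Trj/CI.A Virus/Trojan Yes 0 Yes No c:\progra~2\vufeguja\vufeguja.dll
03074964 Trj/CI.A Virus/Trojan Yes 0 Yes No c:\progra~2\vufeguja\vufeguja.dll
03074964 Trj/CI.A Virus/Trojan Yes 0 Yes Yes c:\users\rodney\appdata\roaming\systemproc\lsass.exe
05827524 Trj/Krap.Y Virus/Trojan No 0 Yes Yes c:\programdata\visujowo\visujowo.dll
;======
SUSPECTS
Sent Location
;======
No c:\users\rodney\appdata\local\microsoft\windows\temporary internet files\content.ie5\dgvzkkdh\combofix.exe[32788r22fwjfw\pev.exe]
;======
"""

# One MALWARE row. Description may contain spaces, so it is matched lazily and
# anchored by the fixed-shape columns (Type, Yes/No, digits, Yes/No, Yes/No) after it.
ROW_RE = re.compile(
    r"^(?P<id>\d+) (?P<description>.+?) (?P<type>\S+) (?P<active>Yes|No) "
    r"(?P<severity>\d+) (?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) (?P<location>.+)$"
)


def normalize(path):
    r"""Assumption: on this 32-bit Vista machine c:\progra~2 is the 8.3 name of c:\ProgramData."""
    return path.strip().lower().replace("c:\\progra~2\\", "c:\\programdata\\")


def parse_report(text):
    """Return MALWARE rows as dicts; header, separator and SUSPECTS lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["location"] = normalize(row["location"])
            rows.append(row)
    return rows


def summarize(text):
    """Split the report into noise, already-cleaned items and what still needs action."""
    rows = parse_report(text)
    cookies = [r for r in rows if r["type"] == "TrackingCookie"]
    threats = [r for r in rows if r["type"] != "TrackingCookie"]
    return {
        "total": len(rows),
        "tracking_cookies": len(cookies),
        "by_family": Counter(r["description"] for r in threats),
        "cleaned": sum(1 for r in threats if r["disinfected"] == "Yes"),
        # Still loaded and not removed: the first thing to deal with.
        "still_active": sorted({r["location"] for r in threats
                                if r["active"] == "Yes" and r["disinfected"] == "No"}),
        # Present on disk and not removed, whether active or not.
        "needs_attention": sorted({r["location"] for r in threats if r["disinfected"] == "No"}),
    }


if __name__ == "__main__":
    s = summarize(REPORT)
    print(f"{s['total']} rows, {s['tracking_cookies']} tracking cookies (noise), "
          f"{s['cleaned']} real detections already disinfected")
    print("by family:", dict(s["by_family"]))
    print("still active, not disinfected:", s["still_active"])
    print("on disk, not disinfected:", s["needs_attention"])
```

Run against the sample, the three vufeguja rows collapse to one file that is both still active and not disinfected, which matches the poster's observation that the scanner "could not eliminate Trj/CI.A": a DLL that is loaded into running processes cannot be deleted in place, so it is the item a helper would target first.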
  • edited January 2010
    Download and run Win32kDiag:
    1. Download Win32kDiag from any of the following locations and save it to your Desktop.
    Download Win32kDiag - #1 http://ad13.geekstogo.com/Win32kDiag.exe
    Download Win32kDiag - #2 http://download.bleepingcomputer.com...Win32kDiag.exe
    Download Win32kDiag - #3 http://rootrepeal.psikotick.com/Win32kDiag.exe
    Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

    "%userprofile%\desktop\win32kdiag.exe" -f -r