
Thread: Pop Up Messages

  1. #11
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi Tiffany,

    When you didn't post back I was wondering what happened to you. If there is no reply in about 5 days the thread is closed, and I did not want that to happen.

    A couple of things to do.

    You need to enable Windows to show all files and folders, instructions Here


    Go to VirusTotal and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

    c:\windows\ocbdfi.dll <--This file





    Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::


    Code:
    File::
    c:\windows\Ewelexexi.dat
    c:\windows\Ysuzozi.bin
    c:\windows\temp\Perflib_Perfdata_528.dat
    c:\windows\acubayavejog.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Inuwi"=-

    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #12
    Member
    Join Date
    Jan 2009
    Posts
    32

    Default update information

    I just came back from spring break vacation. Sorry did not reply. I will be back shortly. Thanks.

  3. #13
    Member
    Join Date
    Jan 2009
    Posts
    32

    Default

    Hi Ken, are you still here?

  4. #14
    Member
    Join Date
    Jan 2009
    Posts
    32

    Default

    Ahh.. sorry.. I didn't know that it went to page 2. I've been waiting for your response all week!

    ComboFix 09-04-14.01 - Kim 04/13/2009 20:23.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1691 [GMT -7:00]
    Running from: c:\documents and settings\Kim\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Kim\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\acubayavejog.dll
    c:\windows\Ewelexexi.dat
    c:\windows\temp\Perflib_Perfdata_528.dat
    c:\windows\Ysuzozi.bin
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\acubayavejog.dll
    c:\windows\Ewelexexi.dat
    c:\windows\ocbdfi.dll
    c:\windows\Ysuzozi.bin

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
    .

    2009-04-08 20:19 . 2009-04-08 20:19 -------- d-----w c:\documents and settings\Kim\Local Settings\Application Data\{39A73A16-435C-4231-8ABC-970491C1EE80}
    2009-04-05 04:29 . 2009-04-05 04:29 -------- d-----w c:\documents and settings\Kim\Application Data\Malwarebytes
    2009-04-05 04:29 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-04-05 04:29 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-05 04:29 . 2009-04-05 04:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-27 17:01 . 2009-03-27 17:18 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-03-22 07:27 . 2009-03-22 07:27 -------- d-----w c:\windows\system32\LogFiles
    2009-03-17 13:11 . 2009-03-17 13:11 -------- d-----w c:\documents and settings\Kim\Local Settings\Application Data\Yahoo
    2009-03-17 13:10 . 2009-03-17 13:10 -------- d-----w c:\documents and settings\Kim\Application Data\Yahoo!
    2009-03-17 13:10 . 2009-03-17 13:10 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2009-03-17 13:09 . 2009-03-17 13:11 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-05 04:29 . 2009-04-05 04:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-04-05 04:21 . 2008-09-15 21:42 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
    2009-03-30 03:06 . 2009-03-30 03:06 -------- d-----w c:\program files\Trend Micro
    2009-03-27 20:08 . 2009-03-27 20:08 422 ----a-w C:\aaw7boot.log
    2009-03-27 17:01 . 2009-03-27 17:01 -------- d-----w c:\program files\Lavasoft
    2009-03-27 16:59 . 2009-03-27 16:59 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-03-24 05:48 . 2008-09-15 17:31 -------- d-----w c:\documents and settings\Kim\Application Data\LimeWire
    2009-03-17 13:10 . 2009-03-17 13:09 -------- d-----w c:\program files\Yahoo!
    2009-03-12 01:20 . 2008-09-12 06:16 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-09 11:13 . 2004-08-04 06:17 1846784 ----a-w c:\windows\system32\win32k.sys
    2008-09-12 06:38 . 2008-09-11 22:27 69232 ----a-w c:\documents and settings\Kim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
    "vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli ocbdfi.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "d:\\Lime Wire\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\snrmdj1v.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-13 20:26
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(644)
    c:\windows\system32\NavLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\NavNT\defwatch.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
    ComboFix-quarantined-files.txt 2009-04-14 03:27
    ComboFix2.txt 2009-04-10 23:07
    ComboFix3.txt 2009-04-06 04:09

    Pre-Run: 57,577,058,304 bytes free
    Post-Run: 57,608,679,424 bytes free

    128 --- E O F --- 2009-03-12 01:21


    File ilmfitl.dll received on 04.14.2009 00:33:17 (CET)
    Current status: finished

    Result: 8/40 (20.00%)
    Compact Print results
    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.04.13 -
    AhnLab-V3 5.0.0.2 2009.04.13 -
    AntiVir 7.9.0.138 2009.04.13 -
    Antiy-AVL 2.0.3.1 2009.04.13 -
    Authentium 5.1.2.4 2009.04.13 -
    Avast 4.8.1335.0 2009.04.13 Win32:Vupa
    AVG 8.5.0.285 2009.04.13 -
    BitDefender 7.2 2009.04.14 -
    CAT-QuickHeal 10.00 2009.04.13 -
    ClamAV 0.94.1 2009.04.13 -
    Comodo 1112 2009.04.13 -
    DrWeb 4.44.0.09170 2009.04.14 -
    eSafe 7.0.17.0 2009.04.13 Suspicious File
    eTrust-Vet 31.6.6454 2009.04.13 -
    F-Prot 4.4.4.56 2009.04.13 -
    F-Secure 8.0.14470.0 2009.04.13 -
    Fortinet 3.117.0.0 2009.04.13 -
    GData 19 2009.04.14 Win32:Vupa
    Ikarus T3.1.1.49.0 2009.04.13 -
    K7AntiVirus 7.10.700 2009.04.11 Trojan.Win32.Malware.1
    Kaspersky 7.0.0.125 2009.04.14 -
    McAfee 5583 2009.04.13 -
    McAfee+Artemis 5583 2009.04.13 -
    McAfee-GW-Edition 6.7.6 2009.04.13 -
    Microsoft 1.4502 2009.04.13 Trojan:Win32/Hiloti.gen!A
    NOD32 4005 2009.04.14 -
    Norman 6.00.06 2009.04.13 -
    nProtect 2009.1.8.0 2009.04.13 -
    Panda 10.0.0.14 2009.04.13 Suspicious file
    PCTools 4.4.2.0 2009.04.08 -
    Prevx1 V2 2009.04.14 Low Risk Adware
    Rising 21.25.04.00 2009.04.13 -
    Sophos 4.40.0 2009.04.13 Mal/Behav-172
    Sunbelt 3.2.1858.2 2009.04.13 -
    Symantec 1.4.4.12 2009.04.14 -
    TheHacker 6.3.4.0.306 2009.04.12 -
    TrendMicro 8.700.0.1004 2009.04.13 -
    VBA32 3.12.10.2 2009.04.12 -
    ViRobot 2009.4.13.1690 2009.04.13 -
    VirusBuster 4.6.5.0 2009.04.13 -
    Additional information
    File size: 27136 bytes
    MD5...: 46b69e2ea4c5334c076b3c2887dedb79
    SHA1..: b6975968e52c1f143d72159d63618c03ba017fda
    SHA256: 32c661305f192c5cd2931ac8a527c405fc57793f70e4b5560b15aef9c138ef73
    SHA512: c85a1b43ed1936edcc4d30dd4bab456ff996c559ba733c8fc5b26abc1815c3f1
    23afa6091678b3008b54936db3a1835ea05083c297644a6e43758d56e3f971de
    ssdeep: 384:fCqROGtHNeJ5U77mntOUbNmWJsBH6qWceqUBdWaDnsX/9Bh9jnNfz0C:VOwc
    XDN4BH6qPmeVNjaC

    PEiD..: -
    TrID..: File type identification
    Win64 Executable Generic (80.9%)
    Win32 Executable Generic (8.0%)
    Win32 Dynamic Link Library (generic) (7.1%)
    Generic Win/DOS Executable (1.8%)
    DOS Executable Generic (1.8%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1f0c
    timedatestamp.....: 0x490b1a28 (Fri Oct 31 14:46:00 2008)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x3000 0x3000 7.77 1d5d60429edcfbaef8a7e06b4dc65466
    .data 0x4000 0x3000 0x2400 6.23 e76a0bacc7f3d396c89b47b61b733eab
    .rsrc 0x7000 0x1000 0x400 2.80 518e24c9ce6e2d5be82d5124dff1097d
    .reloc 0x8000 0x1000 0x200 2.79 8aee511088b6890c6e902a2fff03e2f3

    ( 5 imports )
    > KERNEL32.dll: ExitProcess, GetACP, GetModuleHandleA, GetOEMCP, GetStartupInfoA, GetSystemInfo, GlobalUnlock, HeapAlloc, HeapCreate
    > msvcrt.dll: srand, __p__commode, __p__fmode, vswprintf, strpbrk, sscanf, wcscpy, setlocale, malloc, exit
    > user32.dll: EmptyClipboard, CreateDialogParamA
    > OLEAUT32.dll: -, -, -, -, -
    > SHLWAPI.dll: PathCombineA, PathAppendA, PathFileExistsA, PathGetDriveNumberA, SHDeleteValueA, StrRStrIA, StrSpnA, SHEnumKeyExA

    ( 0 exports )

    RDS...: NSRL Reference Data Set
    -
    Prevx info: http://info.prevx.com/aboutprogramte...8FCB00BBCB533F


    ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

  5. #15
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hi Tiffany,

    Yep, still here. Hope you had fun at spring break.


    Please download the OTMoveIt3 by OldTimer.

    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    Code:
    :Files
    c:\windows\ocbdfi.dll

    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt3


    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



    Post a new HJT log also and let's take another look. How is your computer running now??

  6. #16
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    We crossed wires. That file is gone, no need for OTMoveIt.

    How are things running now?

  7. #17
    Member
    Join Date
    Jan 2009
    Posts
    32

    Default

    My computer is running great now. Better than before. However, sometimes it still pops up one or 2 random msgs depending on the website I go to, but not as bad as before. Should I keep you updated still? Thanks for all your help! You saved my computer! =)

  8. #18
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning Tiffany,

    Are you talking about one or two random pages popping up or messages? What are the pages about or what do the messages say?


    We can dig deeper and make sure everything bad is gone.

    First, make sure your Java is up to date.

    Download the latest version Here and save it; do not install it yet.

    JRE 6 Update 13 <--This is what you need

    • Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
    • Reboot your computer
    • Install the latest version

    You can verify the installation Here





    Please run this free online virus scanner from ESET
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
    • Click Scan
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic

  9. #19
    Member
    Join Date
    Jan 2009
    Posts
    32

    Default

    Hi Ken,

    I'm not able to scan my computer from that website using Internet Explorer. The msg to install came up but it doesn't do anything. What else can I do?

  10. #20
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Make sure your Java is up to date.

    Run this free online scan using Internet Explorer:
    Kaspersky Online Virus Scanner

    Next, click on Launch Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan: Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
    • Save the file to your desktop.
    Post the log along with a New HJT Log into your next reply.
