Jump to content

Recommended Posts

Hi,

A few days back, I noticed that my system has slowed down significantly. My BlackIce application has done a wonderful job of detecting "weird stuff" and I notice that it keeps prompting to allow certain application through eg SearchProtocolHost.exe, svchost.exe but upon closer look, it seems that it was all prompted by either zusudupe.dll or pikekise.dll. See below for the screenshots.

error.gif

I followed in the instructions in http://forums.malwarebytes.org/index.php?showtopic=9573

- Install Malwarebytes' Anti-Malware. After installation, I got the error message "

Unable to execute file: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.

CreateProcess failed; code 2.

The system cannot file the file specified

- CD Emulation Software disabled successfully

- Run DDS successfully (See file below)

- Run GMER unsuccessfully twice. It finished running the scan in both situation but I am unable to save the log nor copy the results to a text file. It hung my computer to the point that I had to cold boot.

Now my computer has slowed down to the point that opening a word documents takes 14.5 secs.

If I terminate all the BlackIce prompts by either zusudupe.dll and pikekise.dll, my computer crawl to a standstill.

Please help because anything I do seem to make matter worse!!!!

DDS.txt file below from running DDS

@@@@@@@@@@@@

DDS (Ver_09-12-01.01) - NTFSx86

Run by Woei Yu Choo at 12:44:04.07 on Fri 02/12/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1156 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Belkin\F5D8053\v6\WifiSvc.exe

C:\Program Files\ISS\BlackICE\blackd.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Microsoft SQL Server 2005\90\DTS\Binn\MsDtsSrvr.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe

c:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\Program Files\ISS\BlackICE\rapapp.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\DOCUME~1\WOEIYU~1\LOCALS~1\Temp\clclean.0001

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\ZoneAlarmBackup\ZABackupWebM.exe

C:\Program Files\Belkin\F5D8053\v6\BelkinWCUI.exe

C:\Program Files\ZoneAlarmBackup\ZABackup Service.exe

C:\Program Files\ISS\BlackICE\blackice.exe

C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe

C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\ISS\BlackICE\rapapp.exe

C:\Documents and Settings\Woei Yu Choo\Desktop\SecTools\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

mDefault_Page_URL = hxxp://www.dell.com

mStart Page = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

uRun: [setDefaultMIDI] MIDIDef.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [PestPatrol Control Center] c:\progra~1\pestpa~1\PPControl.exe

mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe

mRun: [CookiePatrol] c:\progra~1\pestpa~1\CookiePatrol.exe

mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"

mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r

mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe

mRun: [indexSearch] c:\program files\scansoft\paperport\IndexSearch.exe

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe

mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [tubedokut] Rundll32.exe "c:\windows\system32\pikekise.dll",a

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\woeiyu~1\startm~1\programs\startup\zoneal~1.lnk - c:\program files\zonealarmbackup\ZABackupReg2ini.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053\v6\BelkinWCUI.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blacki~1.lnk - c:\program files\iss\blackice\blackice.exe

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - {8C85E2EE-9FD6-11D5-B770-504D54C10000} - c:\program files\visualroute\vrie.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: aol.com

Trusted Zone: microsoft.com

Trusted Zone: turbotax.com

Trusted Zone: musicmatch.com\online

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261160137437

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258991308046

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\windows\system32\pikekise.dll,miliyepa.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: zujahivuk - {3cc7e42d-9735-4de1-a140-a4b266e0842b} - c:\windows\system32\pikekise.dll

STS: kupuhivus: {3cc7e42d-9735-4de1-a140-a4b266e0842b} - c:\windows\system32\pikekise.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Notification Packages = scecli wunipilo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\woeiyu~1\applic~1\mozilla\firefox\profiles\ym4753pa.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

==================== Find3M ====================

1601-01-01 00:03:28 93184 --sha-w- c:\windows\system32\finegefo.dll

1601-01-01 00:03:28 93184 --sha-w- c:\windows\system32\godobovo.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\marokeru.dll

1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\miliyepa.dll

1601-01-01 00:03:28 51720 --sha-w- c:\windows\system32\nanehutu.exe

1601-01-01 00:03:28 93184 --sha-w- c:\windows\system32\pikekise.dll

1601-01-01 00:03:28 53760 --sha-w- c:\windows\system32\tebudati.dll

1601-01-01 00:03:28 51200 --sha-w- c:\windows\system32\tukideka.exe

1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\wunipilo.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\yeyozoda.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\yizimife.dll

1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\yuhisona.dll

1601-01-01 00:03:28 62464 --sha-w- c:\windows\system32\zozefebe.dll

1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\zusudupe.dll

============= FINISH: 13:07:57.14 ===============

Attach.zip

Link to post
Share on other sites

Hi, eivac :D

;)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combofix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\ComboFix.txt" .

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.