Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Weird Random Pop Ups?


  • This topic is locked This topic is locked
2 replies to this topic

#1 dlmartin2008

dlmartin2008

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:10 AM

Posted 29 May 2008 - 01:24 PM

Hi there, Can someone help me with this computer... we had a atfxqogp toolbar deal on it and well I think I got that removed, but still getting crazy pop ups... some are not so nice sites and others are like spyware protection type sites...
Here is my Deckard log:
Deckard's System Scanner v20071014.68
Run by ASB on 2008-05-29 18:21:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as ASB.exe) -------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-29 18:21:30
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\Lotus\Notes\nslsvice.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\WINDOWS\SYSTEM32\igfxpers.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Documents and Settings\ASB\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {120E8FEA-8BC8-456E-A5AF-36CA89BCF6C5} - C:\WINDOWS\SYSTEM32\xxyayYqQ.dll
O2 - BHO: (no name) - {27796771-8D05-4EE6-B478-43CE759F2106} - C:\WINDOWS\SYSTEM32\iifefFxu.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C3DD1421-4C39-45DB-AB45-1282D8506E00} - C:\WINDOWS\system32\wvUkJyww.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [Client Access PC5250 Sound] "C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe"
O4 - HKLM\..\Run: [44811e40] rundll32.exe "C:\WINDOWS\system32\ayeopukl.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Shortcut to icvmlt32.exe.lnk = C:\ICWin310\icvmlt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/0/A...01F/wmvadvd.cab
O16 - DPF: {3D03AEAF-38CC-4DB5-9FA1-1C3538B1CA85} (Crystal Reports Print Control 11.0) - http://200.202.77.16/crystalreportviewers1...rintControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...38145.561412037
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://abfmail02.americanbus.com/dwa7W.cab
O16 - DPF: {E9CF1117-B55B-4AE2-B77D-045B4EEC1FAA} (Wells Fargo Scanner Control) - https://wellsoffice.wellsfargo.com/dsktpdp/...inet/WFSCAN.cab
O17 - HKLM\Software\..\Telephony: DomainName = americanbus.com
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = americanbus.com
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = americanbus.com
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = americanbus.com
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: iifefFxu - C:\WINDOWS\system32\iifefFxu.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\cwbrxd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Lotus\Notes\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Lotus\Notes\ntmulti.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Ranger Log - Silver Bullet Technologies, Inc. - C:\Program Files\Silver Bullet Technology\Ranger\Tools\Log Service\Rangerlogservice.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


--
End of file - 7929 bytes

-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-29 18:20:32 95232 --a------ C:\WINDOWS\system32\ayeopukl.dll
2008-05-29 18:08:31 584618 --ahs---- C:\WINDOWS\system32\QqYyayxx.ini2
2008-05-29 18:08:15 322816 --a------ C:\WINDOWS\system32\xxyayYqQ.dll
2008-05-29 10:44:00 95232 -----n--- C:\WINDOWS\system32\fgxvvbph.dll
2008-05-28 16:21:26 0 d-------- C:\Documents and Settings\ASB\Application Data\Macromedia
2008-05-28 13:15:30 96256 --a------ C:\WINDOWS\system32\yqcufand.dll
2008-05-27 14:21:14 3466 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-27 12:16:39 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-27 12:15:52 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-27 10:46:30 94208 --a------ C:\WINDOWS\system32\kqdyrurk.dll
2008-05-27 10:43:45 585869 --ahs---- C:\WINDOWS\system32\wwyJkUvw.ini2
2008-05-27 10:37:49 34432 --a------ C:\WINDOWS\system32\iifefFxu.dll
2008-05-27 10:37:37 81920 --a------ C:\WINDOWS\xmpstean.exe
2008-05-27 10:37:37 94208 --a------ C:\WINDOWS\efpn.exe
2008-05-22 15:56:19 32318 --a------ C:\WINDOWS\system32\dsgrab_01c8bc4e490e863e.dll <Not Verified; Oracle Corp.; Desktop Sharing Run-Time>
2008-05-22 15:56:19 10910 --a------ C:\WINDOWS\system32\drivers\dsload.sys <Not Verified; Oracle Corp.; Desktop Sharing Run-Time>
2008-05-22 15:56:16 0 d-------- C:\Program Files\Common Files\Oracle
2008-05-15 16:16:40 0 d-------- C:\Documents and Settings\ardept\Contacts
2008-05-01 10:55:27 0 d-------- C:\Program Files\User Productivity Kit


-- Find3M Report ---------------------------------------------------------------

2008-05-29 18:03:27 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-27 12:15:52 0 d-------- C:\Program Files\Common Files
2008-05-27 12:06:10 0 d-------- C:\Program Files\AWS


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{120E8FEA-8BC8-456E-A5AF-36CA89BCF6C5}]
05/29/2008 06:08 PM 322816 --a------ C:\WINDOWS\system32\xxyayYqQ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27796771-8D05-4EE6-B478-43CE759F2106}]
05/27/2008 10:37 AM 34432 --a------ C:\WINDOWS\system32\iifefFxu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3DD1421-4C39-45DB-AB45-1282D8506E00}]
C:\WINDOWS\system32\wvUkJyww.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [08/14/2002 06:22 PM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [12/17/2002 12:28 PM]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [06/06/2005 05:30 AM]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [06/06/2005 05:30 AM]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [06/06/2005 05:30 AM]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [06/06/2005 05:30 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 04:52 PM]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [04/17/2005 01:30 PM]
"igfxtray"="C:\WINDOWS\System32\igfxtray.exe" [09/20/2005 09:35 AM]
"igfxhkcmd"="C:\WINDOWS\System32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\System32\igfxpers.exe" [09/20/2005 09:36 AM]
"Client Access PC5250 Sound"="C:\Program Files\IBM\Client Access\Emulator\pcssnd.exe" [06/06/2005 05:30 AM]
"44811e40"="C:\WINDOWS\system32\ayeopukl.dll" [05/29/2008 06:20 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

C:\Documents and Settings\ASB\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 1:36:04 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [5/15/2003 1:19:50 AM]
DESKTOP.INI [9/3/2002 1:36:04 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
Shortcut to icvmlt32.exe.lnk - C:\ICWin310\icvmlt32.exe [10/31/2005 1:33:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{27796771-8D05-4EE6-B478-43CE759F2106}"= C:\WINDOWS\system32\iifefFxu.dll [05/27/2008 10:37 AM 34432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifefFxu]
iifefFxu.dll 05/27/2008 10:37 AM 34432 C:\WINDOWS\SYSTEM32\iifefFxu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\xxyayYqQ
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\Asb1\NETLOGON\KIX32.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-412998335-402979365-3620187474-1196\Scripts\Logon\0\0]
"Script"=\\americanbus.com\sysvol\americanbus.com\scripts\KIX32.EXE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-05-29 18:22:47 ------------

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:10 AM

Posted 30 May 2008 - 12:05 AM

Hello dlmartin2008,

Welcome to Bleeping Computer :thumbsup:

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:10 AM

Posted 15 June 2008 - 02:51 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users