
Many persistent popups


1 reply to this topic

#1 THE RD

  • Members
  • 1 posts

Posted 28 December 2008 - 12:56 AM

I'm visiting home for the holidays and the computer in the living room has been giving me constant pop-ups since I got here. But in the last few days it has been increasingly bad. I use Mozilla Firefox as the default browser, yet pop-ups appear in Internet Explorer. I also get pop-ups in Mozilla, but they come up as blank pages that still have the URL. The one in Mozilla is usually sagipsul.com. I've tried Ad-Aware and CounterSpy and they found a lot of things, but it still has not helped.

Here is the DDS.txt; attach.txt is attached as instructed.


DDS (Version 1.1.0) - NTFSx86
Run by Compaq_Owner at 23:46:13.18 on Sat 12/27/2008
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.383.55 [GMT -6:00]

AV: PC Tools AntiVirus 4.0.0.26 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\prunnet.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Seekeen\seekeen.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Seekeen\seekeen.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! uC: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: {02a703d7-1230-4c0f-9485-334025d9b81d} - c:\windows\system32\opnmKBqP.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SmartShopper: {2ba1c226-ec1b-4471-a65f-d0688ac6ee3a} - c:\program files\smartshopper\bin\2.5.0\SmrtShpr.dll
BHO: {3efd638c-ce1b-e46a-3e34-eefc15520395}: {59302551-cfee-43e3-a64e-b1ecc836dfe3} - c:\windows\system32\lknooz.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: XBTBPos00 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\my.freeze.com toolbar with netassistant\freeze_us.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Yahoo! uC: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: My.Freeze.com Toolbar: {d0523bb4-21e7-11dd-9ab7-415b56d89593} - c:\program files\my.freeze.com toolbar with netassistant\freeze_us.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [<NO NAME>]
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Monitor] c:\windows\pixart\pac207\Monitor.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [0caca9f2] rundll32.exe "c:\windows\system32\gsfqaxbs.dll",b
mRun: [SBAMTray] c:\program files\sunbelt software\counterspy\SBAMTray.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\imvu.lnk - c:\program files\imvu\IMVUClient.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paltalk.lnk - c:\program files\paltalk messenger\paltalk.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...l?p=ZKfox000(2)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\compaq_owner\start menu\programs\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - {2260D608-C844-435d-90FD-DC16CFA577F2} - c:\program files\smartshopper\bin\2.5.0\SmrtShpr.dll
IE: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {BCEB373D-A35A-4200-BD43-8586CD9DFAE7} - c:\program files\smartshopper\bin\2.5.0\SmrtShpr.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: wvUlihEV - wvUlihEV.dll
AppInit_DLLs: lknooz.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnmKBqP

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\toxzysv9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkimi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");

============= SERVICES / DRIVERS ===============

R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2008-3-19 607576]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2008-4-21 21904]
R2 PCTAVSvc;PC Tools AntiVirus Engine;"c:\program files\pc tools antivirus\PCTAVSvc.exe" [2008-4-21 767888]
R2 SBAMSvc;Sunbelt VIPRE Antivirus Service;"c:\program files\sunbelt software\counterspy\SBAMSvc.exe" [2008-8-26 869672]
R2 Seekeen Service;Seekeen Service;"c:\program files\seekeen\seekeen.exe" "c:\program files\seekeen\seekeen.dll" Service []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-1-20 24652]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2008-4-21 28568]
R3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys [2007-11-6 87848]
S3 PAC207;Webcam 1200;c:\windows\system32\drivers\PFC027.SYS [2008-6-8 611584]

=============== Created Last 30 ================

2008-12-27 17:58 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Sunbelt
2008-12-27 17:46 123,904 a------- c:\windows\system32\lknooz.dll
2008-12-27 17:46 123,904 a------- c:\windows\system32\cdjfjyse.dll
2008-12-27 17:43 1,306,974 ---sh--- c:\windows\system32\sbxaqfsg.ini
2008-12-27 17:43 73,216 a------- c:\windows\system32\gsfqaxbs.dll
2008-12-27 17:32 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-27 12:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2008-12-27 11:43 <DIR> --d----- c:\program files\Norton Security Scan
2008-12-26 23:09 733,265 a--sh--- c:\windows\system32\PqBKmnpo.ini2
2008-12-26 23:09 733,265 a--sh--- c:\windows\system32\PqBKmnpo.ini
2008-12-26 23:09 303,104 a------- c:\windows\system32\opnmKBqP.dll
2008-12-26 23:04 <DIR> --d----- c:\docume~1\compaq~1\applic~1\gadcom
2008-12-26 23:04 45,056 a------- c:\windows\system32\geBtUkji.dll
2008-12-26 23:04 63,488 a------- c:\windows\system32\prunnet.exe
2008-12-15 00:38 <DIR> --d----- c:\windows\system32\townandcountrychristmas_3116234 dir
2008-12-15 00:37 520,192 a------- c:\windows\system32\townandcountrychristmas_3116234.scr
2008-12-14 23:19 337,320 a------- c:\windows\difxapi.dll

==================== Find3M ====================

2008-12-23 23:55 31 a------- c:\documents and settings\compaq_owner\jagex_runescape_preferences.dat
2008-12-12 11:33 3,060,224 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 05:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:01 283,648 a------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 10:57 332,800 a------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 03:45 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2008-10-03 04:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 04:15 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-06-10 09:44 81,920 a------- c:\docume~1\compaq~1\applic~1\ezpinst.exe
2008-06-10 09:44 47,360 a------- c:\docume~1\compaq~1\applic~1\pcouffin.sys
2007-08-06 13:14 11,118 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2005-05-13 16:12 217,073 a--shr-- c:\windows\meta4.exe

============= FINISH: 23:47:26.93 ===============

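The log above is what a malware-response helper reads by hand: autostart lines (Run keys, BHOs, Winlogon Notify, AppInit_DLLs, LSA authentication packages) cross-checked against the "Created Last 30" section. The script below is an added example, written for this page and not part of the thread or of the DDS tool, that automates that first pass. It parses a DDS-style log, collects files created under system32 in the last seven days, and reports every autostart entry that either loads one of those fresh files or uses a load point that is normally empty or normally carries a product name. The sample input is constructed from lines of the posted log; the seven-day window, the "eight hex characters" Run-name rule and the `find_suspicious` name are my own choices. It only ranks entries for a closer look; confirming what the files are still takes the HijackThis log and file analysis the helper asks for.

```python
"""Triage a DDS-style log for persistence entries worth a second look.

Added example (not from the BleepingComputer thread or the DDS tool).
Correlates autostart entries with recently created files in system32
and with load points that are normally empty on a healthy XP install.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: lines copied from the DDS log posted in the thread.
SAMPLE_DDS = r"""
DDS (Version 1.1.0) - NTFSx86
Run by Compaq_Owner at 23:46:13.18 on Sat 12/27/2008
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {02a703d7-1230-4c0f-9485-334025d9b81d} - c:\windows\system32\opnmKBqP.dll
BHO: {3efd638c-ce1b-e46a-3e34-eefc15520395}: {59302551-cfee-43e3-a64e-b1ecc836dfe3} - c:\windows\system32\lknooz.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [0caca9f2] rundll32.exe "c:\windows\system32\gsfqaxbs.dll",b
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
Notify: wvUlihEV - wvUlihEV.dll
AppInit_DLLs: lknooz.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnmKBqP
2008-12-27 17:58 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Sunbelt
2008-12-27 17:46 123,904 a------- c:\windows\system32\lknooz.dll
2008-12-27 17:43 73,216 a------- c:\windows\system32\gsfqaxbs.dll
2008-12-26 23:09 303,104 a------- c:\windows\system32\opnmKBqP.dll
2008-12-26 23:04 63,488 a------- c:\windows\system32\prunnet.exe
2008-12-15 00:37 520,192 a------- c:\windows\system32\townandcountrychristmas_3116234.scr
2008-10-23 07:01 283,648 a------- c:\windows\system32\gdi32.dll
"""

AUTOSTART_PREFIXES = ("uRun:", "mRun:", "dRun:", "BHO:", "Notify:",
                      "AppInit_DLLs:", "LSA:")
# "2008-12-27 17:46 123,904 a------- c:\...": <DIR> rows fail the size field.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(.+)$")
SCAN_DATE_RE = re.compile(r"^Run by .* on \w{3} (\d{1,2})/(\d{1,2})/(\d{4})")
# A BHO line that starts with a bare CLSID instead of a product name.
NAMELESS_BHO_RE = re.compile(r"^BHO: \{[0-9a-f-]{36}\}(?:: \{[0-9a-f-]{36}\})? - ", re.I)
# Heuristic (my choice): a Run value named with exactly eight hex characters.
HEX_RUN_NAME_RE = re.compile(r"^[umd]Run: \[[0-9a-f]{8}\]", re.I)
SYSTEM32 = "c:\\windows\\system32\\"


def _stem(name):
    """Lower-case file name without extension, so 'opnmKBqP' matches 'opnmKBqP.dll'."""
    return name.rsplit(".", 1)[0].lower()


def recent_system32_files(lines, scan_date, recent_days):
    """Map stem -> (file name, created date) for fresh files under system32."""
    cutoff = scan_date - timedelta(days=recent_days)
    recent = {}
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d")
        path = m.group(2).strip()
        if created >= cutoff and path.lower().startswith(SYSTEM32):
            name = path.rsplit("\\", 1)[-1]
            recent.setdefault(_stem(name), (name, m.group(1)))
    return recent


def find_suspicious(log_text, recent_days=7):
    """Return [(autostart line, [reasons])] for entries worth a closer look."""
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]
    scan_date = None
    for line in lines:
        m = SCAN_DATE_RE.match(line)
        if m:
            month, day, year = (int(g) for g in m.groups())
            scan_date = datetime(year, month, day)
            break
    if scan_date is None:
        raise ValueError("no 'Run by ... on <date>' header in log")
    recent = recent_system32_files(lines, scan_date, recent_days)

    findings = []
    for line in lines:
        if not line.startswith(AUTOSTART_PREFIXES):
            continue
        reasons = []
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is populated (loaded into every process that maps user32.dll)")
        if line.startswith("LSA: Authentication Packages"):
            packages = line.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() != "msv1_0"]  # msv1_0 is the stock package
            if extra:
                reasons.append("extra LSA authentication package(s): " + ", ".join(extra))
        if line.startswith("Notify:"):
            target = line.split(" - ", 1)[-1].strip()
            if "\\" not in target:
                reasons.append("Winlogon Notify DLL given without a path")
        if NAMELESS_BHO_RE.match(line):
            reasons.append("BHO registered with no product name")
        if HEX_RUN_NAME_RE.match(line):
            reasons.append("Run value named with random-looking hex")
        seen = set()
        for token in re.findall(r"[^\\\s\"',\[\]]+", line):  # path components and bare names
            stem = _stem(token)
            if stem in recent and stem not in seen:
                seen.add(stem)
                name, created = recent[stem]
                reasons.append(f"loads {name}, created {created} in system32")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in find_suspicious(SAMPLE_DDS):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run on the sample it reports seven of the ten autostart lines and leaves the Yahoo toolbar, ctfmon and iTunesHelper entries alone; on a full log, feed the whole DDS.txt to `find_suspicious` and widen or narrow `recent_days` to match the date the symptoms started.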


#2 Rosty

    Skydive junkie

  • Malware Response Team
  • 1,220 posts

Posted 08 January 2009 - 05:47 AM

Hi,

The forums are really busy, which explains why logs get behind. If you still need some help, please start by posting a new HijackThis log in this thread. Don't start a new thread.
Then we'll take a look.


Regards,

Rosty.
Proud member of ASAP since 2007
