Browser hijacked? IE popup windows

Status
Not open for further replies.

tezza22

Hi,

When I'm surfing the net, these IE popups keep appearing. The windows are of various sites.

I switched to using firefox, but the windows still keep popping up, even when I'm not using IE.

I have done the 8step thing and have attached the logs.
 
Hi tezza22

Fantastic job, this happened because you did the 8 Steps and did them correctly.

Run HJT Scan only select and delete the below

O2 - BHO: (no name) - {225D025F-2BDD-472C-9A78-32E3306A9BCC} - C:\WINDOWS\system32\iifcYOHW.dll (file missing)
O2 - BHO: (no name) - {72E1688E-F15D-4358-A283-70E6AEC93E15} - C:\WINDOWS\system32\yaywwXoP.dll (file missing)
O2 - BHO: {f184ac69-a8be-9039-25f4-5f2d7527ee0c} - {c0ee7257-d2f5-4f52-9309-eb8a96ca481f} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c008255C.dat
O23 - Service: DvpApi (dvpapi) - Unknown owner - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)

Now as you see from the logs both mbam and sas found and cleaned issues. Sometimes this exposes more that could not be seen the first time.

So you need to REBOOT

Then run both programs again posting logs each run, and even again until they both come up clean or find something they cannot clean.

Make sure to reboot once before these runs.

No HJT needed yet until I request it.

Mike
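The five HijackThis lines Mike lists above share the traits a helper looks for when triaging an HJT log: O2 BHO entries whose DLL is missing or that have no name, an O20 AppInit_DLLs entry pointing at a non-DLL file, and an O23 service with an unknown owner and a missing binary. The following script is an added example, not part of the thread and not HijackThis's own code; it parses those lines (embedded as a constructed sample, with one ordinary ctfmon.exe Run entry added so a benign item is present) and explains why each flagged one stands out. The heuristics are assumptions made for this example, not a definitive rule set.

```python
import re

# Constructed sample: the HijackThis lines quoted in the thread, plus one
# ordinary O4 Run entry (ctfmon.exe) added here so a benign line is present.
HJT_LINES = r"""O2 - BHO: (no name) - {225D025F-2BDD-472C-9A78-32E3306A9BCC} - C:\WINDOWS\system32\iifcYOHW.dll (file missing)
O2 - BHO: (no name) - {72E1688E-F15D-4358-A283-70E6AEC93E15} - C:\WINDOWS\system32\yaywwXoP.dll (file missing)
O2 - BHO: {f184ac69-a8be-9039-25f4-5f2d7527ee0c} - {c0ee7257-d2f5-4f52-9309-eb8a96ca481f} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c008255C.dat
O23 - Service: DvpApi (dvpapi) - Unknown owner - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O<n> - <body>" is the shape of every HijackThis item line.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def triage_line(line):
    """Classify one HijackThis line; returns None for lines that are not HJT items."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []

    # Orphaned entries: the registry still points at something that is gone.
    if "(file missing)" in body or body.endswith("(no file)"):
        reasons.append("orphaned entry: the referenced file no longer exists")

    # O2 = Browser Helper Objects loaded into every IE process.
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO registered without a name")

    # O20 = AppInit_DLLs, loaded into every process that loads user32.dll.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        reasons.append("AppInit_DLLs loads this module into every process that loads user32.dll")
        target = body.split(":", 1)[1].strip()
        if not target.lower().endswith(".dll"):
            reasons.append("AppInit_DLLs target does not use a .dll extension")

    # O23 = services; HJT prints 'Unknown owner' when it cannot attribute the binary.
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary has no known publisher")

    clsids = CLSID_RE.findall(body)
    return {
        "section": section,
        "body": body,
        # For O2 lines the last GUID on the line is the BHO's CLSID.
        "clsid": clsids[-1] if clsids else None,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def triage(log_text):
    """Triage every item line in an HJT log, in order."""
    return [r for r in (triage_line(l) for l in log_text.splitlines()) if r]


def suspicious_items(log_text):
    """Only the items that earned at least one reason."""
    return [r for r in triage(log_text) if r["suspicious"]]


if __name__ == "__main__":
    for item in suspicious_items(HJT_LINES):
        print(f"{item['section']}: {item['body']}")
        for why in item["reasons"]:
            print("   -", why)
```

Run it as-is to see the five items Mike selected reported with their reasons and the ctfmon.exe line left alone; feed it a full HJT log (one item per line) to get a first-pass shortlist for a helper to review.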
 
Hi Mike,

I did as you suggested and also ran both mbam and sas until they both come up clean or found something they couldn't clean.

mbam kept finding something and said that it cleaned it, but when I repeated the process, the same problem would come up again.

sas said that there was nothing found.

The IE popups are still appearing.

Here are all of the logs.

Sorry, I didn't realise that I should have posted the logs after each clean. I have cleaned about four to five times each.

I thought I needed to rerun them until they came up clean or found something they could not clean, not run it once then post it and keep going that way.

Here are all of the mbam logs and I will post the sas logs on a new reply, as I can only upload a max of 5 at a time.

Thanks
 
Ok fantastic job.

SAS is clear good!

mbam found one in System Restore we can handle that.

But combofix is just like the others; we need to run it at least once more to see it clean. So go getum!
Post logs.


Mike
 
Hi,

I ran combofix twice, but I'm not quite sure if that is enough times.

I've posted the logs.

Thanks
 
Yes it cleared all from the first run.

Let's do another cleaner to be sure!

Download SD Fix to Desktop; it includes, among other things, Catchme to look for RootKits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Copy and paste the Report.txt file to your next post.

After this get me a new HJT log also.

Mike
 
Hi,

I have copied and pasted the report from SD FIX and have posted the HJT log.

Thanks

Also, I'm still getting the popups.

SDFix: Version 1.240
Run by Jules on Wed 11/19/2008 at 06:39 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\xp34\cPH.log - Deleted



Folder C:\Temp\xp34 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 19:12:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"OfflineDetectionPending"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Documents and Settings\\Joel & Otti\\My Documents\\Limewire\\LimeWire.exe"="C:\\Documents and Settings\\Joel & Otti\\My Documents\\Limewire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Joel's Stuff\\iTunes\\iTunes.exe"="C:\\Joel's Stuff\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 8 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 26 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 25 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\410ff09308a833491dba7686f0aee2eb\BIT8.tmp"
Thu 23 Oct 2008 17,222,672 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b0bbf9bad2a96231d750c48395570f92\BITB0.tmp"
Fri 25 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d1c98689cdcd0ea9312780ffc77a2cbe\BIT2.tmp"
Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\Jules\Application Data\U3\temp\Launchpad Removal.exe"

Finished!
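The "Authorized Application Key Export" in the SDFix report above is the list of programs the XP firewall lets through, and it is worth reading on its own: anything enabled from a user-profile or ad-hoc folder deserves a second look. The script below is an added example, not part of the thread and not SDFix's own code. It parses those two registry keys (embedded as a constructed sample taken from the report, with the forum-mangled `@xpsp2res.dll` style resource names restored) into per-profile entries and flags enabled exceptions whose executable lives outside C:\WINDOWS or C:\Program Files. The "expected roots" list is an assumption for this example, not a rule SDFix applies.

```python
import re

# Constructed sample: the two authorizedapplications keys from the SDFix report,
# in .reg export form (doubled backslashes, "@dll,-id" resource-string names).
FIREWALL_EXPORT = r"""[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Documents and Settings\\Joel & Otti\\My Documents\\Limewire\\LimeWire.exe"="C:\\Documents and Settings\\Joel & Otti\\My Documents\\Limewire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Joel's Stuff\\iTunes\\iTunes.exe"="C:\\Joel's Stuff\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.*)"="(.*)"$')

# Install roots where an XP firewall exception is normally expected (assumption).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_authorized_apps(export_text):
    """Return one dict per authorized application, tagged with its firewall profile."""
    entries, profile = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            # The profile (standardprofile / domainprofile) is the key component
            # immediately before 'authorizedapplications'.
            parts = km.group(1).lower().split("\\")
            profile = (parts[parts.index("authorizedapplications") - 1]
                       if "authorizedapplications" in parts else None)
            continue
        vm = VALUE_RE.match(line)
        if not vm or profile is None:
            continue
        value = vm.group(2).replace("\\\\", "\\")  # undo .reg backslash escaping
        # Value layout: <path>:<scope>:<Enabled|Disabled>:<display name>.
        # Split from the right so the drive-letter colon in the path survives.
        path, scope, state, name = value.rsplit(":", 3)
        entries.append({"profile": profile, "path": path, "scope": scope,
                        "state": state, "name": name})
    return entries


def normalize(path):
    """Lower-case the path and expand %windir% so prefixes compare cleanly."""
    return path.lower().replace("%windir%", "c:\\windows")


def audit(entries):
    """Flag enabled exceptions whose executable sits outside the expected roots."""
    findings = []
    for e in entries:
        if e["state"].lower() != "enabled":
            continue
        if not normalize(e["path"]).startswith(EXPECTED_ROOTS):
            findings.append({**e, "why": f"executable outside expected roots: {e['path']}"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_authorized_apps(FIREWALL_EXPORT)):
        print(f"[{f['profile']}] {f['name']}: {f['why']}")
```

On the sample this reports the LimeWire exception under My Documents and the iTunes copy under C:\Joel's Stuff; both may be legitimate, but each is an application with an open firewall path that a cleanup should confirm rather than assume.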
 
Hi Tez

Run HJT Scan only Select the below and remove

O23 - Service: DvpApi (dvpapi) - Unknown owner - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)

You are clean of malware YAY, so now we will go after the pop ups.

First apply the Immunize function in Spybot.

Get http://www.javacoolsoftware.com/spywareblaster.html Install update and run!

Hostsman http://www.abelhadigital.com/2008/07/hostsman-3157-released.html select all 4 hosts let it disable DNS Client.

With IE closed go to Internet Options in Control panel. Click delete then delete all. Then Privacy then settings then in filter level choose Medium or high.

If all above fails do the below
https://www.techspot.com/vb/post680361-2.html

Mike
 
Hi Mike,

I have no idea what to do with these two new programs. I downloaded them, but I don't understand what I should do with them. Also, I don't have spybot. It did not say in the 8 step thing that I should download it.

If you could tell me whether I should download it and what I am supposed to be using these other two for, that would be great.

Thank you
 
Both programs block and filter known bad sites, some of which will cause pop ups!

They are simple to install and run, have help, and the download site tells all about what they do and how to use them.

SpyBot is good to have these days especially.

Your choice!

Mike
 
Hi Mike,

Thanks for all of the advice. The popups aren't occurring anymore, so I think it is fixed.

Thank you
 