Hi,

When I'm surfing the net, these IE popups keep appearing. The windows are of various sites.

I switched to using firefox, but the windows still keep popping up, even when I'm not using IE.

I have done the 8step thing and have attached the logs.

Hi tezza22

Fantastic job, this happened because you did the 8 Steps and did them correctly.

Run HJT Scan only select and delete the below

O2 - BHO: (no name) - {225D025F-2BDD-472C-9A78-32E3306A9BCC} - C:\WINDOWS\system32\iifcYOHW.dll (file missing)
O2 - BHO: (no name) - {72E1688E-F15D-4358-A283-70E6AEC93E15} - C:\WINDOWS\system32\yaywwXoP.dll (file missing)
O2 - BHO: {f184ac69-a8be-9039-25f4-5f2d7527ee0c} - {c0ee7257-d2f5-4f52-9309-eb8a96ca481f} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c008255C.dat
O23 - Service: DvpApi (dvpapi) - Unknown owner - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)

Now as you see from the logs both mbam and sas found an cleaned issues. Some times this exposes more that could not see the first time.

So you need to REBOOT

Then run both programs again posting logs each run, and even again until they both come up clean or find something they cannot clean.

Make sure to reboot once before these runs.

No HJT needed yet until I request it.

Mike

Hi Mike,

I did as you suggested and also ran both mbam and sas until they both come up clean or found something they couldn't clean.

mbam kept finding something and said that it cleaned it, but when I repeated the process, the same problem would come up again.

sas said that there was nothing found.

The IE popups are still appearing.

Here are all of the logs.

Sorry, I didn't realise that I should have posted the logs after each clean. I have cleaned about four to five times each.

I thought I needed to rerun them until they came up clean or found something they could not clean, not run it once then post it and keep going that way.

Here are all of the mbam logs and I will post the sas logs on a new reply, as I can only upload a max of 5 at a time.

Thanks

Here are all of the sas logs.

Thanks

OK while waiting for the other logs....

ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

When finished, it will open a log. Attach the log.

Note: Do not click combofix's window while its running. That may cause it to stall

Mike

Hi Mike,

Here is the combofix log

Ok fantastic job.

SAS is clear good!

mbam found one in System Restore we can handle that.

But combofix is just like the others we need run it at least once more to see it clean. So go getum!
Post logs.


Mike

Hi,

I ran combofix twice, but I'm not quite sure if that is enough times.

I've posted the logs.

Thanks

Yes it cleared all from the first run.

Lets do another cleaner to be sure!

Download SD Fix to Desktop among other things Catchme to look for RootKits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-clickto RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Copy and paste the Report.txt file to your next post.

After this get me a new HJT log also.

Mike

Hi,

I have copied and pasted the report from SD FIX and have posted the HJT log.

Thanks

Also, I'm still getting the popups.

SDFix: Version 1.240
Run by Jules on Wed 11/19/2008 at 06:39 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Temp\xp34\cPH.log - Deleted



Folder C:\Temp\xp34 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 19:12:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"OfflineDetectionPending"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Documents and Settings\\Joel & Otti\\My Documents\\Limewire\\LimeWire.exe"="C:\\Documents and Settings\\Joel & Otti\\My Documents\\Limewire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Joel's Stuff\\iTunes\\iTunes.exe"="C:\\Joel's Stuff\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 8 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 26 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 25 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\410ff09308a833491dba7686f0aee2eb\BIT8.tmp"
Thu 23 Oct 2008 17,222,672 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b0bbf9bad2a96231d750c48395570f92\BITB0.tmp"
Fri 25 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d1c98689cdcd0ea9312780ffc77a2cbe\BIT2.tmp"
Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\Jules\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

Hi Tez

Run HJT Scan only Select the below and remove

O23 - Service: DvpApi (dvpapi) - Unknown owner - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)

You are clean of malware YAY, so now we will go after the pop ups.

First apply the Immunize function in Spybot.

Get http://www.javacoolsoftware.com/spywareblaster.html Install update and run!

Hostsman http://www.abelhadigital.com/2008/07/hostsman-3157-released.html select all 4 hosts let it disable DNS Client.

With IE closed go to Internet Options in Control panel. Click delete then delete all. Then Privacy then settings then in filter level chose Medium or high.

If all above fails do the below
http://www.techspot.com/vb/post680361-2.html

Mike

Hi Mike,

I have no idea what to do with these two new programs. I downloaded them, but I don't understand what I should do with them. Also, I don't have spybot. It did not say in the 8 step thing that I should download it.

If you could tell me whether I should download it and what I am supposed to be using these other two for, that would be great.

Thank you

Both programs block an filter known bad sites some of which will cause pop ups!

They are simple to install and run have help and the download site tell all about what they do and how to use them

SpyBot is good to have these days especially.

Your choice!

Mike

Hi Mike,

Thanks for all of the advice. The popups aren't occuring anymore, so I think it is fixed.

Thank you