TechSpot

Browser hijacked? IE popup windows

By tezza22
Nov 16, 2008
  1. Hi,

    When I'm surfing the net, these IE popups keep appearing. The windows are of various sites.

    I switched to using firefox, but the windows still keep popping up, even when I'm not using IE.

    I have done the 8-step thing and have attached the logs.
     
  2. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi tezza22

    Fantastic job, this happened because you did the 8 Steps and did them correctly.

    Run HJT Scan only select and delete the below

    O2 - BHO: (no name) - {225D025F-2BDD-472C-9A78-32E3306A9BCC} - C:\WINDOWS\system32\iifcYOHW.dll (file missing)
    O2 - BHO: (no name) - {72E1688E-F15D-4358-A283-70E6AEC93E15} - C:\WINDOWS\system32\yaywwXoP.dll (file missing)
    O2 - BHO: {f184ac69-a8be-9039-25f4-5f2d7527ee0c} - {c0ee7257-d2f5-4f52-9309-eb8a96ca481f} - (no file)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c008255C.dat
    O23 - Service: DvpApi (dvpapi) - Unknown owner - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)

    Now as you see from the logs both mbam and sas found and cleaned issues. Sometimes this exposes more that could not be seen the first time.

    So you need to REBOOT

    Then run both programs again posting logs each run, and even again until they both come up clean or find something they cannot clean.

    Make sure to reboot once before these runs.

    No HJT needed yet until I request it.

    Mike
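Added example, not code from the thread or from HijackThis itself: a small Python triage pass over HJT-style log lines that flags the O2 (BHO), O20 (AppInit_DLLs) and O23 (Service) patterns Mike picks out above, so the review logic is explicit and repeatable. The sample log is constructed from the lines quoted in the post plus one placeholder benign BHO (zero CLSID, made-up path) that should not be flagged; the flagging rules are a reading of this thread, not HJT's own scoring.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four entries quoted in the thread plus one
# constructed benign BHO (placeholder CLSID and path) that must NOT be flagged.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {225D025F-2BDD-472C-9A78-32E3306A9BCC} - C:\\WINDOWS\\system32\\iifcYOHW.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll
O2 - BHO: {f184ac69-a8be-9039-25f4-5f2d7527ee0c} - {c0ee7257-d2f5-4f52-9309-eb8a96ca481f} - (no file)
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\__c008255C.dat
O23 - Service: DvpApi (dvpapi) - Unknown owner - c:\\Program Files\\Common Files\\Authentium\\AntiVirus\\dvpapi.exe (file missing)
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                    r"(?P<path>.*?)\s*(?:\((?P<note>file missing|no file)\))?$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - "
                        r"(?P<path>.*?)\s*(?:\((?P<note>file missing)\))?$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


@dataclass
class Finding:
    section: str   # HJT section: O2, O20 or O23
    item: str      # CLSID, DLL path or service name
    reason: str    # why a helper would select it for removal


def triage_line(line: str):
    """Return a Finding for a suspicious O2/O20/O23 entry, or None if it looks normal."""
    m = BHO_RE.match(line)
    if m:
        if m["note"]:  # registration left behind after the module was removed
            return Finding("O2", m["clsid"], f"BHO registered but {m['note']}")
        if m["name"] == "(no name)" or GUID_RE.match(m["name"]):
            return Finding("O2", m["clsid"], "BHO without a readable name")
        return None
    m = APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs loads the listed module into every process that maps user32.dll,
        # so any entry deserves review; a random-looking .dat in system32 is the
        # pattern seen in this thread.
        return Finding("O20", m["path"], "AppInit_DLLs entry present")
    m = SERVICE_RE.match(line)
    if m and (m["note"] or m["owner"] == "Unknown owner"):
        return Finding("O23", m["name"], f"service {m['owner']}, {m['note'] or 'binary present'}")
    return None


def triage_log(text: str):
    """Run triage_line over every line of an HJT log and keep the hits, in order."""
    return [f for f in (triage_line(l.strip()) for l in text.splitlines()) if f]
```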
     
  3. tezza22

    tezza22 TS Rookie Topic Starter

    Hi Mike,

    I did as you suggested and also ran both mbam and sas until they both come up clean or found something they couldn't clean.

    mbam kept finding something and said that it cleaned it, but when I repeated the process, the same problem would come up again.

    sas said that there was nothing found.

    The IE popups are still appearing.

    Here are all of the logs.

    Sorry, I didn't realise that I should have posted the logs after each clean. I have cleaned about four to five times each.

    I thought I needed to rerun them until they came up clean or found something they could not clean, not run it once then post it and keep going that way.

    Here are all of the mbam logs and I will post the sas logs on a new reply, as I can only upload a max of 5 at a time.

    Thanks
     
  4. tezza22

    tezza22 TS Rookie Topic Starter

    Here are all of the sas logs.

    Thanks
     
  5. mflynn

    mflynn TS Rookie Posts: 2,793

  6. tezza22

    tezza22 TS Rookie Topic Starter

    Hi Mike,

    Here is the combofix log
     
  7. mflynn

    mflynn TS Rookie Posts: 2,793

    Ok fantastic job.

    SAS is clear good!

    mbam found one in System Restore we can handle that.

    But combofix is just like the others; we need to run it at least once more to see it clean. So go getum!
    Post logs.


    Mike
     
  8. tezza22

    tezza22 TS Rookie Topic Starter

    Hi,

    I ran combofix twice, but I'm not quite sure if that is enough times.

    I've posted the logs.

    Thanks
     
  9. mflynn

    mflynn TS Rookie Posts: 2,793

    Yes it cleared all from the first run.

    Lets do another cleaner to be sure!

    Download SD Fix to Desktop. Among other things it includes Catchme to look for RootKits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Copy and paste the Report.txt file to your next post.

    After this get me a new HJT log also.

    Mike
     
  10. tezza22

    tezza22 TS Rookie Topic Starter

    Hi,

    I have copied and pasted the report from SD FIX and have posted the HJT log.

    Thanks

    Also, I'm still getting the popups.

    SDFix: Version 1.240
    Run by Jules on Wed 11/19/2008 at 06:39 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\Temp\xp34\cPH.log - Deleted



    Folder C:\Temp\xp34 - Removed


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-19 19:12:47
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
    "OfflineDetectionPending"=dword:00000001

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Documents and Settings\\Joel & Otti\\My Documents\\Limewire\\LimeWire.exe"="C:\\Documents and Settings\\Joel & Otti\\My Documents\\Limewire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Joel's Stuff\\iTunes\\iTunes.exe"="C:\\Joel's Stuff\\iTunes\\iTunes.exe:*:Enabled:iTunes"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Sat 8 Mar 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Sat 26 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Fri 25 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\410ff09308a833491dba7686f0aee2eb\BIT8.tmp"
    Thu 23 Oct 2008 17,222,672 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b0bbf9bad2a96231d750c48395570f92\BITB0.tmp"
    Fri 25 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d1c98689cdcd0ea9312780ffc77a2cbe\BIT2.tmp"
    Wed 4 Oct 2006 3,072,000 A..H. --- "C:\Documents and Settings\Jules\Application Data\U3\temp\Launchpad Removal.exe"

    Finished!
     
  11. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi Tez

    Run HJT Scan only Select the below and remove

    O23 - Service: DvpApi (dvpapi) - Unknown owner - c:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe (file missing)

    You are clean of malware YAY, so now we will go after the pop ups.

    First apply the Immunize function in Spybot.

    Get http://www.javacoolsoftware.com/spywareblaster.html Install update and run!

    Hostsman http://www.abelhadigital.com/2008/07/hostsman-3157-released.html select all 4 hosts let it disable DNS Client.

    With IE closed go to Internet Options in Control Panel. Click Delete, then Delete All. Then Privacy, then Settings, and in filter level choose Medium or High.

    If all above fails do the below
    http://www.techspot.com/vb/post680361-2.html

    Mike
     
     
  12. tezza22

    tezza22 TS Rookie Topic Starter

    Hi Mike,

    I have no idea what to do with these two new programs. I downloaded them, but I don't understand what I should do with them. Also, I don't have spybot. It did not say in the 8 step thing that I should download it.

    If you could tell me whether I should download it and what I am supposed to be using these other two for, that would be great.

    Thank you
     
  13. mflynn

    mflynn TS Rookie Posts: 2,793

    Both programs block and filter known bad sites, some of which will cause pop ups!

    They are simple to install and run, have help, and the download sites tell all about what they do and how to use them.

    SpyBot is good to have these days especially.

    Your choice!

    Mike
     
  14. tezza22

    tezza22 TS Rookie Topic Starter

    Hi Mike,

    Thanks for all of the advice. The popups aren't occurring anymore, so I think it is fixed.

    Thank you
     