TechSpot

Can't get rid of those pop ups

By marko
Dec 29, 2004
  1. Hi
    I am trying to get rid of pop-ups. I have run Spybot and Ad-Aware and have cleaned my machine. I am still getting them. Log attached.

    Any help would be greatly appreciated!
    Mark
     

  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Repeat HJT and post it as hijackthis.txt please.
    For anti-virus reasons I will not open any .doc files.
     
  3. marko

    marko TS Rookie Topic Starter

    doc file is gone and txt file added

    4th pint coming your way
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Reboot in Safe Mode.

    C:\Program Files\Speed Disk\nopdb.exe
    That Norton program can eat up to 80% system resources for absolutely nothing.
    Open Speed disk and go to View>Schedule Options and uncheck Enable Schedule.
    Also go to Start, Control Panel, Administrative Tools, Settings, and scroll down to Speed Disk. Right-click on it and select Manual, then Stop and Apply.

    Now run HJT on its own and let it "fix" (if still there):

    C:\WINDOWS\system32\voyqvk.exe
    C:\Program Files\Speed Disk\nopdb.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://Yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = torproxy1:80
    O4 - Global Startup: VPN Client.lnk = ?
    O14 - IERESET.INF: START_PAGE_URL=http://Yahoo.com
    O14 - IERESET.INF: MS_START_PAGE_URL=http://Yahoo.com
    O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwgb.ops.placeware.com/etc/place/GOLF/SCGpws-b2/5.1.3.199/lib/quicksilver.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093013450024
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://filenet.webex.com/client/latest/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = docscience.com
    O17 - HKLM\Software\..\Telephony: DomainName = docscience.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = docscience.com
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe

    Wish I could still believe in faeries. Did you Fedex it? (the pint I mean)
     
  5. marko

    marko TS Rookie Topic Starter

    I did most of what you asked.

    I did not delete these as I was not sure if they would cause future difficulties with accessing the company I work for's corporate services?

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = docscience.com
    O17 - HKLM\Software\..\Telephony: DomainName = docscience.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = docscience.com

    New log attached
     
  6. marko

    marko TS Rookie Topic Starter

    Could I have found the problem?

    I have been playing with this damn thing all day and I think I have found the problem. I was getting infected by CoolWebSearch and VX2. There were 4 files that appeared to be causing the problem:
    kpyfkn.exe
    voyqvk.exe
    tps108.dll
    vx2.dll

    They were all located in:
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\SEARCH ASSISTANT\ACMru\5603

    And they were each associated with a Value (1,2,etc)

    Anybody care to guess what is going on?

    marko (aka newbie)
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    voyqvk.exe showed up in your first log, and I told you to fix it.
    kpyfkn.exe shows up now, is probably a copy of the above.
    Have HJT "fix" these, then delete them, including those 2 .dll files.

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpyfkn.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = docscience.com
    O17 - HKLM\Software\..\Telephony: DomainName = docscience.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = docscience.com

    These O17 are considered hijackers. It should not upset your work-connection.

    You still have this speed-disk service running. Your problem, not mine.

    Now do a FULL Antivirus-scan with updated definitions.
     
Topic Status:
Not open for further replies.
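
The HijackThis entries quoted in the thread all follow a `CODE - detail` layout. As an added example (not part of the original thread and not HijackThis's own code), this sketch groups such lines by section code and lists the proxy and O17 domain entries for review; the `expected_domains` parameter and the triage rules are assumptions for illustration, and the sample lines are copied from the posts above.

```python
import re
from collections import defaultdict

# Usual meaning of the HijackThis section codes used in the sample below.
SECTIONS = {
    "R0": "IE start/search page",
    "R1": "IE default page, search or proxy setting",
    "O4": "autostart entry (registry or Startup folder)",
    "O17": "domain / DNS setting",
    "O23": "Windows service",
}
ENTRY = re.compile(r"^\s*([RO]\d{1,2})\s+-\s+(.*\S)\s*$")

# Sample input: lines copied from the posts in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\voyqvk.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = torproxy1:80
O4 - Global Startup: VPN Client.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = docscience.com
O17 - HKLM\Software\..\Telephony: DomainName = docscience.com
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
"""

def parse(log):
    """Group 'CODE - detail' lines by section code; other lines are ignored."""
    grouped = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            grouped[m.group(1)].append(m.group(2))
    return dict(grouped)

def summarize(grouped):
    """Map each code to (meaning, number of entries)."""
    return {c: (SECTIONS.get(c, "other"), len(v)) for c, v in grouped.items()}

def triage(grouped, expected_domains=()):
    """Return (code, detail, note) for entries to review first (assumed rules)."""
    expected = {d.lower() for d in expected_domains}
    findings = []
    for detail in grouped.get("R1", []):
        if "ProxyServer" in detail:
            findings.append(("R1", detail, "proxy configured: confirm it is yours"))
    for detail in grouped.get("O17", []):
        domain = detail.rsplit("=", 1)[-1].strip().lower()
        known = domain in expected
        note = "matches expected domain" if known else "unknown domain: verify first"
        findings.append(("O17", detail, note))
    return findings
```

Passing the domains an administrator has confirmed as `expected_domains` separates O17 entries that belong to a known network from ones that still need checking.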
