AYB.DNS-Look-up.dns.com

Status
Not open for further replies.

villan881

Every time I boot my puter I get Spysweeper telling me that it is blocking an attempt to connect to the above site. And then I get adverts each time I click Yahoo home page. It has the title: CiD:????? whatever - casinos, dating agencies, cancer research donations, betting etc. And every few minutes I get a new window of adverts just popping up.

So I followed your instructions implicitly on the viruses/spyware/Malware, preliminary removal instructions and this is what I got (please see attachments).

Since running all the tests, I still get the CiD attempting to open a new window except that now, it is blank. But still annoying.

Thanks!

Paul
 

Attachments

  • hijackthis 03030701.log
  • Report-Scan-20070303-192405.txt

Hello and welcome to Techspot.

In your next reply, can you please explain why a lot of your entries have this filepath.

C:\C\WINDOWS\System32\svchost.exe

Normally the filepath would be C:\WINDOWS\System32\svchost.exe.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Delete all files in AVG Antispyware quarantine.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

UPnPDevService
InCD Helper (InCDsrv) < Disable the service name and/or the name in brackets.
avagnt

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

upnpmngr.exe
avagnt.exe
meta inside.exe
Loudmeal.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - (no file)

O2 - BHO: (no name) - {BD27FF48-D0D0-439D-AE8E-33C6375F4572} - (no file)

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [ReadmeDentOnceCoal] "C:\Documents and Settings\All Users\Application Data\Bolt Software Readme Dent\Loudmeal.exe"

O4 - HKCU\..\Run: [about support] "C:\DOCUME~1\admin\APPLIC~1\exitwave\meta inside.exe"

O15 - Trusted Zone: *.line6.net

Fix all O18 Protocol: entries.

O23 - Service: avagnt - Unknown owner - C:\C\WINDOWS\system32\avagnt.exe (file missing)

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - (no file)

O23 - Service: UPnPDevService - Unknown owner - C:\Program Files\Common Files\PnpManager\upnpmngr.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\Common Files\PnpManager < Delete the entire folder.
C:\C\WINDOWS\system32\avagnt.exe
C:\DOCUME~1\admin\APPLIC~1\exitwave < Delete the entire folder.
C:\Documents and Settings\All Users\Application Data\Bolt Software Readme Dent < Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know if you're still having problems.

Regards Howard :wave: :wave:

This thread is for the use of villan881 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
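
Added example (not part of the original thread, and not HijackThis's own code): a short Python triage over the log entries quoted in the post above, flagging the patterns that fix list relies on, namely entries whose file is gone, autoruns launched from an Application Data folder, services with an unknown owner, and Trusted Zone additions. The `triage` function and the rule names are assumptions made for illustration; a flag means "look at this entry", not "this is malware".

```python
import re

# HijackThis entries copied from the fix list in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - (no file)
O2 - BHO: (no name) - {BD27FF48-D0D0-439D-AE8E-33C6375F4572} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ReadmeDentOnceCoal] "C:\Documents and Settings\All Users\Application Data\Bolt Software Readme Dent\Loudmeal.exe"
O4 - HKCU\..\Run: [about support] "C:\DOCUME~1\admin\APPLIC~1\exitwave\meta inside.exe"
O15 - Trusted Zone: *.line6.net
O23 - Service: avagnt - Unknown owner - C:\C\WINDOWS\system32\avagnt.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - (no file)
O23 - Service: UPnPDevService - Unknown owner - C:\Program Files\Common Files\PnpManager\upnpmngr.exe (file missing)
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")                      # "O4 - ..." style lines
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")    # target no longer on disk
USER_DATA = re.compile(r"\\(?:Application Data|APPLIC~1)\\", re.IGNORECASE)


def triage(log_text):
    """Return (section, reasons, entry) for every entry worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue  # header lines, running-process list, blank lines
        section, body = match.groups()
        reasons = []
        if ORPHAN.search(body):
            reasons.append("orphaned")                # leftover registry entry
        if section == "O4" and USER_DATA.search(body):
            reasons.append("autorun-from-app-data")   # Run key pointing at a data folder
        if section == "O23" and "Unknown owner" in body:
            reasons.append("unknown-owner")           # service binary with no vendor info
        if section == "O15":
            reasons.append("trusted-zone-entry")      # site added to IE Trusted Zone
        if reasons:
            findings.append((section, reasons, body))
    return findings


if __name__ == "__main__":
    for section, reasons, body in triage(SAMPLE_LOG):
        print(f"{section:4} {','.join(reasons):32} {body}")
```

The InCD Helper line is flagged only as orphaned, which matches how the post treats it: a leftover entry from a legitimate vendor rather than part of the infection.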
 
Howard,

I followed your instructions implicitly and I have attached the log.
And the good news is that for the first time in over a week I did not get the dreaded "Internet Shield has blocked access to AYB.DNS-look-up.com".

And when I opened IE to post this....no other annoying pop-up window!!!!!!

But I did get a scary window open up when I rebooted into normal mode that listed a whole bunch of entries like:

/CAS
/CBS
etc.

So I clicked on "okay" and the window went away. I have not yet tried rebooting to see if the window comes up again.

So I can assume that one of the programs that was deleted was causing the auto-launch of the AYB.DNS connection? And the pop-ups? Any idea which one was doing it?

I was also amazed at the number of Logitech lines that were listed - is that normal? I also believe that the puter booted up much quicker too - maybe my imagination?

And the reason that the Directory has C:\C\ is back in the mists of time in 2002/2003 when I built this PC as a dual o/s machine and installed Win XP, the XP O/S failed to load twice before being successful a third time. This has left me with three win XP entries in the opening sequence - but only one works. I haven't had the courage to try and delete the other two. So I made another directory called C\ to put my o/s that works into using Boot magic/partition magic. I hope this makes sense?

Howard, you are amazing, it's people like you that the Internet community should provide awards to; many thanks for your help and I am so pleased that I found this site.
 
Your HJT log is now clean.

upnpmngr.exe is added by the Trojan/Small-DMW and may well have been responsible for the "Internet Shield has blocked access to AYB.DNS-look-up.com" message.

meta inside.exe and Loudmeal.exe are both associated with the lop infection. This causes popups to be displayed.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Howard, okay, will do, many thanks.

I believe that the opening window that I mention when I reboot is something to do with McAfee. Is it because I have AVG Anti-spyware enabled that is interfering with McAfee? Is it okay to disable AVG now? What is your take on AVG or McAfee? Which is the better program? I also have SpySweeper too.

But I noticed that AVG caught 16 threats after SS and McAfee had recorded no problems. Is it because in their own way, each has a different threat list and that to be sure, we should have multi-programs for malware and Virus protection?

Many thanks for all your help :wave:
 
Yes, you can disable AVG Antispyware.

AVG Antispyware must not be confused with any antivirus programme. It is an antispyware programme like SpySweeper.

Personally, I don't rate McAfee very highly and much prefer the free AVG antivirus program.

Here's a list of programmes I recommend, some of which you already have. However, it's completely up to you if you want to keep McAfee.

AVG free or Avast antivirus programmes.

Zonealarm or Kerio free firewall programmes.

Spybot Search & Destroy.

Ad-Aware se personal.

Spyware Blaster.

AVG Antispyware.

Ccleaner.

Regards Howard :)

 
Howard, again, thanks for the reply.

So I pay for McAfee annually; in your opinion, the free AVG AntiVirus program is better than McAfee? And if I upgraded AVG to the Pro version, would that be an even better thing to do?
 
In my opinion, AVG free is better than McAfee. I wouldn't bother upgrading to the pro version, as I don't think it's necessary for a home user.

The secret to a safe computer, apart from having a good AV and Firewall, is sensible surfing etc. You might want to take a look at this thread HERE. It'll show you how you can make your system more secure.

There are plenty of guys around here who use free antivirus and firewall software and never have any virus problems and I include myself in that.

Regards Howard :)

 
Hmmm....interesting! How do you use AVG after the trial period with no automatic updates and when the resident shield becomes disabled?
 
That's the AVG Antispyware programme. After the trial period has expired, the programme will carry on working and can still be used and updated. You just lose the resident shield and automatic updates. You can still update manually.

Regards Howard :)
