Can't get rid of those pop ups

Status
Not open for further replies.
Hi
I am trying to get rid of pop-ups. I have run Spybot and Ad-Aware and have cleaned my machine. I am still getting them. Log attached.

Any help would be greatly appreciated!
Mark
 

Attachments

  • Logfile of HijackThis v1.txt
Reboot in Safe Mode.

C:\Program Files\Speed Disk\nopdb.exe
That Norton program can eat up to 80% system resources for absolutely nothing.
Open Speed disk and go to View>Schedule Options and uncheck Enable Schedule.
Also go to Start, Control Panel, Administrative Tools, settings, and scroll down to Speed Disk. Right-click on it and select Manual, then Stop and Apply.

Now run HJT on its own and let it "fix" (if still there):

C:\WINDOWS\system32\voyqvk.exe
C:\Program Files\Speed Disk\nopdb.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://Yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://Yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = torproxy1:80
O4 - Global Startup: VPN Client.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://Yahoo.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://Yahoo.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwgb.ops.placeware.com/etc/place/GOLF/SCGpws-b2/5.1.3.199/lib/quicksilver.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093013450024
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/expressviewer/installer/ExpressViewerSetup.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://filenet.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = docscience.com
O17 - HKLM\Software\..\Telephony: DomainName = docscience.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = docscience.com
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe

Wish I could still believe in faeries. Did you Fedex it? (the pint I mean)
 
I did most of what you asked.

I did not delete these as I was not sure if they would cause future difficulties with accessing the company I work for's corporate services?

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = docscience.com
O17 - HKLM\Software\..\Telephony: DomainName = docscience.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = docscience.com

New log attached
 
Could I have found the problem?

I have been playing with this damn thing all day and I think I have found the problem. I was getting infected by CoolWebSearch and VX2. There were 4 files that appeared to be causing the problem:
kpyfkn.exe
voyqvk.exe
tps108.dll
vx2.dll

They were all located in:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\SEARCH ASSISTANT\ACMru\5603

And they were each associated with a Value (1,2,etc)

Anybody care to guess what is going on?

marko (aka newbie)
 
voyqvk.exe showed up in your first log, and I told you to fix it.
kpyfkn.exe shows up now, is probably a copy of the above.
Have HJT "fix" these, then delete them, including those 2 .dll files.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpyfkn.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = docscience.com
O17 - HKLM\Software\..\Telephony: DomainName = docscience.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = docscience.com

These O17 are considered hijackers. It should not upset your work-connection.

You still have this speed-disk service running. Your problem, not mine.

Now do a FULL Antivirus-scan with updated definitions.
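
Added example (not part of the thread and not HijackThis's own code): the helper's last reply amounts to checking a follow-up log against the earlier fix list, and this sketch does that comparison mechanically. The function names are hypothetical, and both sample texts are constructed from lines quoted in the thread, since the attached logs themselves are not on the page.

```python
import re

# "R1 - ...", "O17 - ..." style entries, as quoted in the thread.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Bare running-process / file paths such as C:\WINDOWS\system32\x.exe
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(exe|dll)$", re.IGNORECASE)

def parse_hjt(text):
    """Return a set of (kind, value) items from HijackThis-style log text."""
    items = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            items.add((m.group("code"), m.group("body")))
        elif PATH_RE.match(line):
            # Windows paths are case-insensitive, so normalise before comparing.
            items.add(("PROC", line.lower()))
    return items

def triage(fix_list, followup_log):
    """Compare the entries a helper asked to fix with a later log."""
    wanted, seen = parse_hjt(fix_list), parse_hjt(followup_log)
    return {
        "cleared": sorted(wanted - seen),      # fixed and gone
        "persisting": sorted(wanted & seen),   # asked to fix, still present
        "unreviewed": sorted(seen - wanted),   # in the new log, never on the list
    }

# Constructed sample: a subset of the fix list posted in the thread.
FIX_LIST = r"""
C:\WINDOWS\system32\voyqvk.exe
C:\Program Files\Speed Disk\nopdb.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = torproxy1:80
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = docscience.com
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
"""

# Constructed sample: a follow-up log consistent with the final reply.
FOLLOWUP = r"""
C:\Program Files\Speed Disk\nopdb.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpyfkn.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = docscience.com
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
"""

if __name__ == "__main__":
    for status, items in triage(FIX_LIST, FOLLOWUP).items():
        for kind, value in items:
            print(f"{status:11} {kind:4} {value}")
```

An item under "unreviewed" is only a prompt to look at it; a new executable in the Startup folder, as here, is the kind of entry that deserves the look.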
 