Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Another case of annoying popups


  • Please log in to reply

#1
techeagle3

techeagle3

    New Member

  • Member
  • Pip
  • 2 posts
Win 2000 notebook with all Win Updates loaded.
Spybot 1.3 installed, updated and run. Errors found and removed.
Ad-Aware SE Personal installed, updated, and run. Errors found and removed.
Running Norton AntiVirus 2003; updated, scans find nothing.

Annoying popups begin after boot-up without starting IE (6.00.2800.1106IS)

Usually starts at http://yourmortgageshop.us

Does not occur after every boot-up; intermittent problem...

Thanks in advance for the assistance.

Here is the LOG:

Logfile of HijackThis v1.98.2
Scan saved at 7:39:22 PM, on 12/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\zstatus.exe
C:\WINNT\system32\YfqamdX.exe
C:\WINNT\system32\YfqamdX.exe
C:\Internet Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12EE7A5E-0674-42f9-A76A-000000004D00} - (no file)
O2 - BHO: (no name) - {3EAB150E-9610-4B98-8756-64550DF1214A} - C:\WINNT\system32\gbvdbqyv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lrWy] c:\winnt\temp\lrWy.exe
O4 - HKLM\..\Run: [lrWy.exe] C:\winnt\temp\lrWy.exe
O4 - HKLM\..\Run: [Ca02Yz.exe] C:\documents and settings\harold\local settings\temp\Ca02Yz.exe
O4 - HKLM\..\Run: [3AXQCNN5ZJ9FMH] C:\WINNT\system32\Zqzh0g6.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Justin"
O4 - HKCU\..\Run: [Yo39RSZmO] dbmcda.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
  • 0

Advertisements


#2
Yarnouth

Yarnouth

    Visiting Staff

  • Member
  • PipPipPip
  • 508 posts
Hi techeagle3 , you have many files we would like you to submit. Please await further instruction.
  • 0

#3
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Download and run: http://www.memorywat....com/uninst.exe
The program needs internet access to finish.

Could you please mail me a (preferably zipped) copy of:
E6F1873B.DLL and C:\UNMT.EXE
Use this address pieterATwilderssecurity.org please (replace AT with @)

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {12EE7A5E-0674-42f9-A76A-000000004D00} - (no file)
O2 - BHO: (no name) - {3EAB150E-9610-4B98-8756-64550DF1214A} - C:\WINNT\system32\gbvdbqyv.dll (file missing)

O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)

O4 - HKLM\..\Run: [lrWy] c:\winnt\temp\lrWy.exe
O4 - HKLM\..\Run: [lrWy.exe] C:\winnt\temp\lrWy.exe
O4 - HKLM\..\Run: [Ca02Yz.exe] C:\documents and settings\harold\local settings\temp\Ca02Yz.exe
O4 - HKLM\..\Run: [3AXQCNN5ZJ9FMH] C:\WINNT\system32\Zqzh0g6.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain

O4 - HKCU\..\Run: [Yo39RSZmO] dbmcda.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <= Unless you are using that to prevent other users from changing your settings

Reboot after doing so, preferably Reboot into safe mode
and delete:
C:\Program Files\AutoUpdate\AutoUpdate.exe

Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folders.

Post a new log when you are done, so we can see if everything worked out as planned.

Regards,

Pieter
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP