Another case of annoying popups

Win 2000 notebook with all Win Updates loaded.
Spybot 1.3 installed, updated and run. Errors found and removed.
Ad-Aware SE Personal installed, updated, and run. Errors found and removed.
Running Norton AntiVirus 2003; updated, scans find nothing.

Annoying popups begin after boot-up without starting IE (6.00.2800.1106IS)

Usually starts at http://yourmortgageshop.us

Does not occur after every boot-up; intermittent problem...

Thanks in advance for the assistance.

Here is the LOG:

Logfile of HijackThis v1.98.2
Scan saved at 7:39:22 PM, on 12/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\zstatus.exe
C:\WINNT\system32\YfqamdX.exe
C:\WINNT\system32\YfqamdX.exe
C:\Internet Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12EE7A5E-0674-42f9-A76A-000000004D00} - (no file)
O2 - BHO: (no name) - {3EAB150E-9610-4B98-8756-64550DF1214A} - C:\WINNT\system32\gbvdbqyv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lrWy] c:\winnt\temp\lrWy.exe
O4 - HKLM\..\Run: [lrWy.exe] C:\winnt\temp\lrWy.exe
O4 - HKLM\..\Run: [Ca02Yz.exe] C:\documents and settings\harold\local settings\temp\Ca02Yz.exe
O4 - HKLM\..\Run: [3AXQCNN5ZJ9FMH] C:\WINNT\system32\Zqzh0g6.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Justin"
O4 - HKCU\..\Run: [Yo39RSZmO] dbmcda.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

Download and run: http://www.memorywat....com/uninst.exe
The program needs internet access to finish.

Could you please mail me a (preferably zipped) copy of:
E6F1873B.DLL and C:\UNMT.EXE
Use this address pieterATwilderssecurity.org please (replace AT with @)

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {12EE7A5E-0674-42f9-A76A-000000004D00} - (no file)
O2 - BHO: (no name) - {3EAB150E-9610-4B98-8756-64550DF1214A} - C:\WINNT\system32\gbvdbqyv.dll (file missing)

O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)

O4 - HKLM\..\Run: [lrWy] c:\winnt\temp\lrWy.exe
O4 - HKLM\..\Run: [lrWy.exe] C:\winnt\temp\lrWy.exe
O4 - HKLM\..\Run: [Ca02Yz.exe] C:\documents and settings\harold\local settings\temp\Ca02Yz.exe
O4 - HKLM\..\Run: [3AXQCNN5ZJ9FMH] C:\WINNT\system32\Zqzh0g6.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [SYSTRAY] C:\UNMT.EXE
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain

O4 - HKCU\..\Run: [Yo39RSZmO] dbmcda.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <= Unless you are using that to prevent other users from changing your settings

Reboot after doing so, preferably Reboot into safe mode
and delete:
C:\Program Files\AutoUpdate\AutoUpdate.exe

Then (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folders.

Post a new log when you are done, so we can see if everything worked out as planned.

Regards,

Pieter

#1
techeagle3

Posted 13 December 2004 - 08:23 PM

Advertisements

#2
Yarnouth

Posted 13 December 2004 - 10:07 PM

#3
Metallica

Posted 14 December 2004 - 02:10 AM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us