Thread: Help with constant pop ups
View Single Post
Old 07-02-2008, 09:33 AM   #8 (permalink)
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,196
OS: 2000 Pro; XP Pro; XP Home


Re: Help with constant pop ups
Good job...still quite a bit of work to do. There are several user accounts on this machine. Before we're done, I'll need to review Hijackthis logs from each. Most of our scans are global in nature (entire machine), but some registry items are user account specific.

I'll let you know when it's time for that.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

P2P - I see you have P2P software (LimeWire 4.18.2 ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/259849-help-constant-pop-ups.html

    File::
    H:\WINDOWS\BM1736e4a6.xml
    H:\WINDOWS\Tasks\AdwareBot Scheduled Scan.job

    Folder::
    H:\Documents and Settings\Kyle-Family Computer\Application Data\AdwareBot
    H:\Documents and Settings\All Users\Application Data\LiveItchDoesFind
    H:\Program Files\AdwareBot
    H:\Documents and Settings\All Users\Application Data\Software rule flag owns

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34daeb15-b09a-4028-aa23-33288a68be84}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Flag Owns Live Grim"=-

    Collect::
    H:\WINDOWS\system32\uvjnbkgx.dll
    H:\WINDOWS\system32\rrvljw.dll
    H:\WINDOWS\system32\zzxxyk.dll
    H:\WINDOWS\system32\swsygrew.dll
    H:\WINDOWS\system32\rlapeppx.dll
    H:\WINDOWS\system32\fsluqm.dll
    H:\WINDOWS\system32\ztlufu.dll
    H:\WINDOWS\system32\ynvuqcde.dll
    H:\WINDOWS\system32\jzbqgh.dll
    H:\WINDOWS\system32\aeohxjac.dll
    H:\WINDOWS\system32\ecxespli.ini
    H:\WINDOWS\system32\ecxespli.tmp
    H:\WINDOWS\system32\dwrvojcr.dll
    H:\WINDOWS\system32\nrxbqkwu.dll
    H:\WINDOWS\system32\vjbokgtu.dll
    H:\WINDOWS\system32\biuslttf.dll
    H:\WINDOWS\system32\dqomrclo.dll
    H:\WINDOWS\system32\mlJAsSJa.dll
    H:\WINDOWS\system32\qoMcbcBq.dll

    Suspect::
    H:\Documents and Settings\All Users\Application Data\ypinfo.bin
    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  4. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------

  6. Download fl.zip
    Extract the contents to a new folder on your Desktop.
    Within the folder, locate & double-click fl.bat.
    It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply

    ---------------------------------------------------------------------------------------------
  7. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------

Please return with logs from:

ComboFix (C:\ComboFix.txt)
C:\findlop.txt
HijackThis
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline