Solve : Pop ups please help?

1.	Solve : Pop ups please help?
Answer» I did a AVG scan and Symanatc. Attached is my hijack this. Thanks for the help. [recovering space - attachment deleted by admin]You're running two antivirus. This is never advised and just leads to problems. Uninstall one of them before continuing. Open Hijackthis and select Do a system scan only. Place a check mark next to the following entries: (if there) O4 - HKLM\..\Run: [7069579c] rundll32.exe "C:\WINDOWS\system32\ybsehhnh.dll",b Important: Close all windows except for Hijackthis and then click Fix checked. Exit Hijackthis. ---------- Download OTMoveIt2 by OldTimer Save it to your desktop. Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Code: [Select]C:\WINDOWS\system32\ybsehhnh.dll Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the Yellow bar) and choose Paste. Click the red Moveit! button. Copy everything in the Results window (under the Green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Close OTMoveIt2 Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter .log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. Next post please add the OTMoveIt log. I copy and pasted the under the green. Is that what you meant by my log? DllUnregisterServer procedure not found in C:\WINDOWS\system32\ybsehhnh.dll C:\WINDOWS\system32\ybsehhnh.dll NOT unregistered. C:\WINDOWS\system32\ybsehhnh.dll moved successfully. OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05232008_182632 Download Malwarebytes' Anti-Malware from here or here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be PRESENTED with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. How is everything now?It appears that the pop ups have stopped. Thanks for your help. Which virus scan should i get rid of? Symantac or AVG? Here is my Malaware log: Malwarebytes' Anti-Malware 1.12 Database version: 783 Scan type: Quick Scan Objects scanned: 37453 Time elapsed: 9 minute(s), 23 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 13 Registry Values Infected: 3 Registry Data Items Infected: 0 Folders Infected: 1 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\oiiotefd.dll (Trojan.Vundo) -> Unloaded module successfully. Registry Keys Infected: HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7069579c (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM735a6400 (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\WINDOWS\system32\logXv01 (Trojan.Agent) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\oiiotefd.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\dfetoiio.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\kewdecsi.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully. Quote Which virus scan should i get rid of? Symantac or AVG? Avast or AVG Free...use the Norton Removal Tooll to get rid of Symantec. EF will let you know when you are finished even though the popups have stopped...follow thru to the end of the process. But you can take care of your AV situation in the meantime...Following patios advice... Download ATF Cleaner by Atribune. Note: Vista users must use Run As Administrator Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. ---------- 1. Double click OTMoveIt2.exe to launch it. Vista users right click and choose Run As Administrator 2. Click on the CleanUp! button. 3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access. 4. Click YES at the next prompt (list DOWNLOADED, Do you want to begin cleanup process?) 5. Once complete exit out of OTMoveIt2 Set a New Restore Point to prevent possible reinfection from an old one Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed. Go to Start > Programs > Accessories > System Tools and click System Restore Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create. The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore. Next go to Start > Run and type Cleanmgr Click OK Click the More Options Tab. Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one. . Use the Secunia Software Inspector to check for out of date software. Click Start Now Check the box next to Enable THOROUGH system inspection. Click Start Allow the scan to finish and scroll down to see if any updates are needed. Update anything listed. . Check out Keeping Yourself Safe On The Web for tips and free tools to keep you safe in the future. Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Answer»

I did a AVG scan and Symanatc.

Attached is my hijack this. Thanks for the help.

[recovering space - attachment deleted by admin]You're running two antivirus. This is never advised and just leads to problems. Uninstall one of them before continuing.

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O4 - HKLM\..\Run: [7069579c] rundll32.exe "C:\WINDOWS\system32\ybsehhnh.dll",b

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Download OTMoveIt2 by OldTimer

Save it to your desktop.
Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Code: [Select]C:\WINDOWS\system32\ybsehhnh.dll

Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the Yellow bar) and choose Paste.
Click the red Moveit! button.

Copy everything in the Results window (under the Green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next post please add the OTMoveIt log.

I copy and pasted the under the green. Is that what you meant by my log?

DllUnregisterServer procedure not found in C:\WINDOWS\system32\ybsehhnh.dll
C:\WINDOWS\system32\ybsehhnh.dll NOT unregistered.
C:\WINDOWS\system32\ybsehhnh.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05232008_182632
Download Malwarebytes' Anti-Malware from here or here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be PRESENTED with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

How is everything now?It appears that the pop ups have stopped. Thanks for your help.

Which virus scan should i get rid of? Symantac or AVG?

Here is my Malaware log:

Malwarebytes' Anti-Malware 1.12
Database version: 783

Scan type: Quick Scan
Objects scanned: 37453
Time elapsed: 9 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\oiiotefd.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7069579c (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM735a6400 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\logXv01 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\oiiotefd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dfetoiio.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kewdecsi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
Quote

Which virus scan should i get rid of? Symantac or AVG?

Avast or AVG Free...use the Norton Removal Tooll to get rid of Symantec.

EF will let you know when you are finished even though the popups have stopped...follow thru to the end of the process.
But you can take care of your AV situation in the meantime...Following patios advice...

Download ATF Cleaner by Atribune.
Note: Vista users must use Run As Administrator

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

----------

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list DOWNLOADED, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

Go to Start > Programs > Accessories > System Tools and click System Restore
Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Next go to Start > Run and type Cleanmgr
Click OK
Click the More Options Tab.
Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

.
Use the Secunia Software Inspector to check for out of date software.

Click Start Now
Check the box next to Enable THOROUGH system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

.

Check out Keeping Yourself Safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Solve : Pop ups please help?

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment