Thread ID: 66473 2006-02-24 06:28:00 Registry Popups/Virus?? JonWesley (9859) Press F1
Post ID Timestamp Content User
433333 2006-02-24 06:28:00 New member to the forum and was after some help with getting rid of some popups.
Current setup is Windows 2000 and I have used the following software to scan for popups/virus??
AVG, Spybot, and Ad-Aware (all current definitions). Also tried the ewido malware scan, which picked up some, but whatever I tried I can't get rid of the following types of popups.


"Message from System to Administrator on 2/24/2006 6:55:59 PM
Critical Windows System Error! The Windows registry appears to have become corrupted. Please proceed to
"www.winregfix.net" and download the registry repair tool to scan and repair all corrupted records before possible data
loss occurs."

"Message from SYSTEM to ALERT on 2/24/2006 7:03:02 PM
STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
Windows has found CRITICAL SYSTEM ERRORS.
Run Registry Repair from: "http://www.fixwin32.com"
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!"

Any suggestions to get rid of these popups/virus?? would be appreciated.

Thanks


Jon
JonWesley (9859)
433334 2006-02-24 06:34:00 My guess is the Messenger service is not turned off.

Click start / Run / services.msc / OK

look for "Messenger" and if it is not set to disabled, then right click it, select properties, click Stop if it is not already stopped and change startup type to disabled.
bob_doe_nz (92)
433335 2006-02-24 06:40:00 Post a hijackthis log (www.merijn.org)

Which is from here (www.spywareinfo.com)

Unzip this file, then run it, click on scan and save a log, and copy and paste the log here.

It could be spyware/adware.
Speedy Gonzales (78)
433336 2006-02-24 06:54:00 Thanks for quick reply and help.
Turning off the Messenger service seems to have worked.

Logfile of HijackThis v1.99.1
Scan saved at 7:41:30 PM, on 2/24/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\IPWireless Inc\IPWireless PC Software\UEStatus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\arthur\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = www.woosh.co.nz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - download.ewido.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{157FA28B-BB7C-40A2-B3C1-EF04D2A9FD70}: NameServer = 202.74.207.10 202.74.207.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{157FA28B-BB7C-40A2-B3C1-EF04D2A9FD70}: NameServer = 202.74.207.10 202.74.207.100
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



Cheers


Jon
JonWesley (9859)
433337 2006-02-24 07:05:00 Must have been Messenger. The HJT looks clean. Speedy Gonzales (78)
433338 2006-02-24 07:24:00 Ok, I have the same problem, scanned with Spybot, Ad-Aware, AVG7 all with the latest installed update, but still suffer from Casino, Christian Dating Service, and a few other occasionally occurring popups.

Here's the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:19:42 p.m., on 24/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\windowsautomaticupdates.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\TotalRecorder\TotRecSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\PRINTS~1\PrintScreen.exe
C:\Program Files\WLAN\802.11 Wireless LAN\WWlanMonitor.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TUGZip\TUGZip.exe
C:\DOCUME~1\JOHN&H~1\LOCALS~1\Temp\tz_exec.tmp130\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.bom.gov.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.bom.gov.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\TotalRecorder\TotRecSched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\PROGRA~1\PRINTS~1\PrintScreen.exe /nosplash
O4 - Global Startup: WLAN Monitor Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - www.makeoversolutions.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - messenger.zone.msn.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - a1540.g.akamai.net
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - sib1.od2.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - spaces.msn.com
O16 - DPF: {5C8D0494-02F2-40E9-8EBF-07FED5919629} - www.goodcontacts.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - www.nick.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com
O16 - DPF: {F44CA80E-E7A7-4849-8630-EF56D763C255} (MicrosoftMediasEx Class) - microsoftactivex.com
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - chat.msn.com
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - messenger.zone.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0943224E-FA39-4366-B89F-AE7D7561B178}: NameServer = 202.27.158.40 202.27.156.72
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PRTG 4 Service - Paessler Router Traffic Grapher (PRTG4Service) - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
O23 - Service: Windows Automatic Updates - Stanford University - C:\WINDOWS\system32\windowsautomaticupdates.exe
John W (523)
433339 2006-02-24 07:40:00 Start by removing these:

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Windows Automatic Updates - Stanford University - C:\WINDOWS\system32\windowsautomaticupdates.exe

Restart the PC and run HijackThis again to see if they are still gone.
CYaBro (73)
433340 2006-02-24 07:46:00 Also run rootkitrevealer (www.sysinternals.com)
and post results.

I found an ad popup program with its own hidden folder the other day - it was able to start up by means of a fake driver file. No scanners were detecting it at all, and it was sneaky in that it would pop up an ad only every few hours.
The ads were Christian Dating, Free Slots and a Registry Cleaner etc.
gibler (49)
433341 2006-02-24 07:55:00 I'd be careful removing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
userinit or userinit.exe is an application used to run a program before a shell starts. The service runs logon scripts, reestablishes network connections and starts the shell.

The bad one is
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
Note the , at the end
It is possible to add further programs that will launch from this key by separating the programs with this comma.
e.g. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit =C:\windows\system32\userinit.exe,c:\windows\badprogram.exe. This will make both programs launch when you log in and is a common place for trojans, hijackers, and spyware to launch from.

Yours doesn't have a comma after it so I'd try the others before you delete it

Also
O23 - Service: Windows Automatic Updates - Stanford University - C:\WINDOWS\system32\windowsautomaticupdates.exe
It's a process which belongs to the Folding@Home client, which uses your computer's resources on behalf of Stanford University. This program is a non-essential process to the running of the system, but should not be terminated unless suspected to be causing problems.

I guess you've allowed Stanford to share your PC's resources??

You might also want to download ewido from www.ewido.net; it's pretty good at hunting out hard-to-find nasties.
Install, update online, then do a full system scan.
Might pay to run Crap Cleaner first so ewido doesn't spend time scanning junk files.
bartsdadhomer (80)
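As an added example (not code from this thread, from HijackThis, or from any of the posters), the following Python script automates the log triage the replies above do by eye. It covers two passages: the Userinit comma-chaining that bartsdadhomer explains, and the kind of entries CYaBro and Speedy Gonzales picked out of John W's log (a "(file missing)" protocol handler, a "(no file)" BHO, an unnamed O16 control, and a service whose display name reads like a Windows component but whose vendor is not Microsoft). The sample log lines are constructed from the logs posted above, except the `badprogram.exe` Userinit value, which is a hypothetical taken from bartsdadhomer's illustration. The severity labels are my own assumption: a flagged line is a candidate for review, not a confirmed infection, and a bare trailing separator with nothing after it is reported separately (as INFO) from an actually appended program (HIGH) so the reader can tell the two apart.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code).

Checks:
  * F2 Userinit: split on ',' (the separator Windows uses to chain programs
    from the Winlogon\\Userinit value) and flag anything after userinit.exe.
  * Orphaned entries: '(no file)' / '(file missing)'.
  * O23 services named like a Windows/Microsoft component whose vendor is
    not Microsoft (heuristic; Folding@Home above is a benign hit).
  * O16 DPF ActiveX controls with no registered friendly name.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, log line, reason)

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
EXPECTED_USERINIT = "\\system32\\userinit.exe"

# Constructed sample: lines from the logs posted in this thread, plus one
# hypothetical malicious Userinit value (badprogram.exe is illustrative only).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\windows\badprogram.exe
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Windows Automatic Updates - Stanford University - C:\WINDOWS\system32\windowsautomaticupdates.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - a1540.g.akamai.net
"""


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit value on the comma separator. Empty entries are kept
    so 'userinit.exe,' can be told apart from 'userinit.exe,evil.exe'."""
    return [part.strip() for part in value.split(",")]


def check_userinit(value: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) pairs for one Userinit value."""
    entries = parse_userinit(value)
    findings: List[Tuple[str, str]] = []
    first = entries[0].lower().replace("/", "\\")
    if not first.endswith(EXPECTED_USERINIT):
        findings.append(("HIGH", f"first Userinit entry is not system32\\userinit.exe: {entries[0]!r}"))
    for extra in (e for e in entries[1:] if e):
        findings.append(("HIGH", f"program chained after userinit.exe: {extra}"))
    if len(entries) > 1 and entries[-1] == "":
        findings.append(("INFO", "trailing separator present, nothing appended after it"))
    return findings


def check_line(line: str) -> List[Finding]:
    """Apply every check to a single log line."""
    line = line.strip()
    out: List[Finding] = []
    m = F2_RE.match(line)
    if m:
        out.extend((sev, line, why) for sev, why in check_userinit(m.group("value")))
    if "(no file)" in line or "(file missing)" in line:
        out.append(("LOW", line, "orphaned entry: target file is absent, safe to fix"))
    if line.startswith("O23 - Service: "):
        # Display name may itself contain ' - ', so split from the right:
        # the last field is the binary path, the one before it the vendor.
        parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            name, vendor, path = parts
            looks_like_windows = any(w in name.lower() for w in ("windows", "microsoft"))
            if looks_like_windows and "microsoft" not in vendor.lower():
                out.append(("HIGH", line, f"service {name!r} is named like a Windows component "
                                           f"but the vendor is {vendor!r} ({path})"))
    if line.startswith("O16 - DPF: ") and "(" not in line:
        out.append(("LOW", line, "ActiveX control with no registered name"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every non-blank line of a log."""
    return [f for ln in log_text.splitlines() if ln.strip() for f in check_line(ln)]


def by_severity(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, ln, why in triage(SAMPLE_LOG):
        print(f"[{sev}] {why}\n        {ln}")
    print(by_severity(triage(SAMPLE_LOG)))
```

Running it over the constructed sample reports two HIGH findings (the chained `badprogram.exe` and the Stanford-vendored "Windows Automatic Updates" service), three LOW (the two orphaned entries and the unnamed O16 control) and one INFO (the bare trailing comma). The Windows-lookalike service check is deliberately a heuristic for human review; as bartsdadhomer notes, that particular service is the Folding@Home client.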
433342 2006-02-24 07:59:00 I would also tick these after you run HijackThis in safe mode, and then click "Fix checked".

O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - a1540.g.akamai.net
Speedy Gonzales (78)