
HELP! POPUPS!

  • Thread starter Clint
  • #21
Quote: Holy cow I've only got like 6 running processes. You need to be more careful, in some cases it's a lot easier to just reformat the hard drive and reinstall windows.

Betcha you've got more.


"Running processes" is more than what you think you've got going. If you're using XP, hit CTRL+ALT+DEL and go to the processes tab. If you're using 9x or anything later, go to start -> progs -> accessories -> system tools -> system information and go to the "running processes" tab. Alternatively, run adaware and look at the log, it'll show you some of the processes running.

That's one of the reasons that problems like these are such a pain for people: you can't always find them the way you find other things.
 
  • #22
Like ozzy said, firefox is the solution to this. IE is horrible
 
  • #23
Quote: Like ozzy said, firefox is the solution to this. IE is horrible

Firefox is not the solution because the problem isn't the popups, the problem is what's spawning the popups. The effect is unrelated to browser. HOWEVER I'd advise that people use firefox because it can help to prevent situations like this where malware is secretly installed on to your computer.
 
  • #24
Quote (droseradude @ July 23 2006,1:52): Like ozzy said, firefox is the solution to this. IE is horrible.

I agree with you dude, IE is horrible. But that is not the problem here. Like est said this is something totally different.
 
  • #25
ok. i downloaded lspfix from cexx.com. that got rid of the 010 ones. here's my new log.


Logfile of HijackThis v1.99.1
Scan saved at 7:10:17 AM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\MSAgentXP.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ted\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wxyeb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,hsgimfe.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\dnr2019oe.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\



if i restart my computer it'll probably show that it got rid of more of them. i'll restart later and repost my log. you guys have been a huge help and i already notice a decrease in number and frequency of popups.
 
  • #26
oh yeah. almost half my popups say "powered by Zedo" and then more come up.
 
  • #27
Things overlooked or to add:

C:\WINDOWS\system32\MSAgentXP.exe (you may need to use killbox for this'n.)

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wxyeb.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,hsgimfe.exe

(the above two are unknowns, as far as I'm concerned, unknowns have no place in your sys32 folder or your registry.)

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe

O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
(yet another trojan horse...)

OOOOH! Something just hit me: kill all traces of Windows Messenger, that'll help.

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
(part of windows messenger)


Alright give that a shot. MAN oh MAN does norton antivirus add a LOT of crap to that list. It does the same with your hard drive, just makes random folders and files all over the freaking place. If you don't format you'll be finding vestiges of that program for all eternity. You don't have to get rid of it, but I prefer AVG free. Let us know how things look after you kill these things; the problem may be rooted in a Windows Messenger exploit (that is, its existence.)
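
An added example, not part of the original thread and not any poster's code: a small Python triage of the HijackThis entry types called out in the post above. It assumes the Windows XP defaults (Shell=Explorer.exe, Userinit=userinit.exe); the function names and the system32 heuristic for Run entries are illustrative assumptions, and a flagged line is a prompt for manual review, not a verdict.

```python
import re

# Windows XP defaults for the two Winlogon values HijackThis reports as F2.
DEFAULTS = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wxyeb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,hsgimfe.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\dnr2019oe.dll
"""

def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()

def extra_winlogon_entries(line):
    """Return programs an F2 line launches beyond the Windows default."""
    m = re.match(r"F2 - REG:system\.ini: (\w+)=(.*)$", line.strip(), re.I)
    if not m:
        return []
    allowed = DEFAULTS.get(m.group(1).lower(), set())
    items = [v.strip() for v in m.group(2).split(",") if v.strip()]
    return [v for v in items if basename(v) not in allowed]

def triage(log_text):
    """Return (section, target) pairs that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        # F2: anything chained after the default shell / userinit runs at logon.
        findings += [("F2", extra) for extra in extra_winlogon_entries(line)]
        # O20: DLLs loaded by winlogon.exe itself; always worth identifying.
        m = re.match(r"O20 - Winlogon Notify: (.+?) - (.+)$", line)
        if m:
            findings.append(("O20", m.group(2)))
        # O4 heuristic (assumption): Run entries pointing into system32.
        m = re.match(r"O4 - HK(?:LM|CU)\\\.\.\\Run: \[(.+?)\] (.+)$", line)
        if m and "\\system32\\" in m.group(2).lower():
            findings.append(("O4", m.group(2)))
    return findings

if __name__ == "__main__":
    for section, target in triage(SAMPLE_LOG):
        print(section, target)
```
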
 
  • #28
how do i delete C:\WINDOWS\system32\MSAgentXP.exe? it's not on the list of things to delete. it starts at f2
 
  • #29
i downloaded killbox. here's a list of processes. they all end in .exe and i'm lazy so i won't type that part


smss
services
lsass
CCPROXY
CCSETMGR
ISSVC
SNDSrvc
SPBBCS
CCEVTMGR
spoolsv
AluSchedulerSvc
NAVAPSVC
svchost
symlcsvc
wdfmgr
alg
csrss
winlogon
goiaba
explorer
wxyeb
apdproxy
qttasik
CCAPP
rundll32
firefox
msmgs
OPSCAN
killBox
 
  • #30
You can kill just about anything with killbox. If it isn't listed as a running process, you do the following, we'll use MSagentXP.exe as an example.

C:\WINDOWS\system32\MSAgentXP.exe
Tells us that the executable "MSAgentXP" is located in the system32 folder of your windows folder on your C drive.
Open up kill box and cut and paste the location (C:\WINDOWS\system32\) and the item you wish to kill (MSAgentXP.exe) into the box labeled "full path of file to delete."

From the things you listed, you want to do a google search on the items you don't recognize (just type in the name of the file and the extension "EG smss.exe") From here you should easily be able to determine if the process is legit or not. I'd suggest killing the things that I suggested from Hijackthis before doing so. If there's something hijackthis can't delete, keep its name in mind so you can delete it with killbox.
 
  • #31
Cheers for your help Est. You sound like you know a lot more than me, so carry on
 
  • #32
I can't really take much credit. A lot of it is checking on google and knowing the tools. And thank you for getting the ball rolling on this one.
 
  • #33
okay.. weird.

i typed in C:\WINDOWS\system32\rundll31.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msmsgs.exe

and tried to delete it. it wouldn't let me. i then clicked the boxes and tried to end the processes, it could not end task on any.

i also didn't find any info on goiaba.exe or
wxywb.exe on google.
 
  • #34
Quote: and tried to delete it. it wouldn't let me. i then clicked the boxes and tried to end the processes, it could not end task on any.

Chances are you need to tell killbox to delete them on startup.

Be sure to only delete things that shouldn't be there. It should be fine to get rid of msmsgs (which is part of MS messenger) but I don't know off the top of my head if getting rid of spoolsv is a good idea or if rundll31 is a real windows file or not, be sure to read up on whatever you want to delete before doing anything else. If you can't find information on something, then the chances are that it's safe to delete.

You may wish to do a virus scan on all 5 of those exes before doing anything else. By the way, still getting popups? If so, do you have windows messenger open?
 
  • #35
i am getting popups, and i don't have WM. thanks to you guys's help i'm getting few enough to live with
 
  • #36
Quote: i am getting popups, and i don't have WM. thanks to you guys's help i'm getting few enough to live with

Well, we should be able to eliminate it down to the popups that everyone has to deal with (that is, the ones you get from visiting websites.) At the very least we've already closed some major security breaches (including trojan horses which allow others pretty much unlimited access to your computer.) So so far so good. You shouldn't get any more popups when not browsing the internet, and your homepage should now be whatever you set it to be.

Let us know what problems persist.
 
  • #37
Man you guys have patience... I would have recommended (and still do recommend) reformatting your hard drive. When you're dealing with really nefarious programs and such egregious security breaches, you probably will never be able to clean your system until it's spotless. I would never feel safe entering a credit-card number, banking information or even a password into a computer that had been compromised the way you've described. You never know if rootkits (extremely well-hidden programs) are still running without your knowledge. A fresh reinstall would solve all of your problems and once you're set up properly again, immunize you from any in the future. I haven't seen a pop-up in years. Let us know what you decide to do.

~ Brett
 
  • #38
i'm gonna have to ask my rents on that one
 
  • #39
Quote: Man you guys have patience... I would have recommended (and still do recommend) reformatting your hard drive. When you're dealing with really nefarious programs and such egregious security breaches, you probably will never be able to clean your system until it's spotless. I would never feel safe entering a credit-card number, banking information or even a password into a computer that had been compromised the way you've described. You never know if rootkits (extremely well-hidden programs) are still running without your knowledge. A fresh reinstall would solve all of your problems and once you're set up properly again, immunize you from any in the future. I haven't seen a pop-up in years. Let us know what you decide to do.

That's a fine way to go if you plan for it, but if not it sucks to have to install all of your stuff again. I don't intend on running in to any problems, but I've got my system files on a different partition than my data files. I could easily swipe the partition with XP on it and reinstall XP at any given point. Well... I feel dishonest using "easy" and "reinstall XP" in the same sentence... but you get the idea!

The biggest problem in terms of security was the trojan horses. Most of the time when somebody gets a trojan horse it amounts to nothing because there's no one "looking" anyway. But leaving a door open is a good way to get in to trouble! The popups thing isn't such a big deal; it happens. Half of the battle is STOPPING XP from the start. You need to tell it you don't want windows firewall, you don't want windows messenger, you want to undo all of the UPnP (universal plug and play,) etc, etc.

But let me just make a point about security: All these big nasties were present and we didn't hear a PEEP from Norton. Nothing is too great at preventing things from getting on to your computer (besides knowledge,) but Norton should have alerted you that there are viruses present.
 
  • #40
Quote (JustLikeAPill @ July 22 2006,3:40): please help me guys. i have yahoo,google, norton, and IE popup blockers. i have spybot search and destroy and ad-aware.

JLAP, do you use a firewall??

If not I would suggest finding one real quick. There are several free ones out there. I use Zone Alarm, but there are several others. Spybot S&D and Ad-Aware are great programs, but they only treat the problems your computer already has. A firewall can prevent you from getting them and if you do get one it can prevent it from accessing the internet to download crap onto your computer. Like pop-up ads.
 