PDA

View Full Version : Popups keep appearing


ovatsus
2006-09-10, 23:29
Hi

My computer has popups appearing all the time to all sorts of sites. Can you help me please?

Normally the popups open in Internet Explorer, but if I'm using Opera or Firefox at the time, they open inside that browser.

In process explorer, sometimes I can see a suspicious rundll32 executing a file in c:\windows\system32, but if I kill it the popups will continue to appear and some time after I'll get another suspiciuos rundll32 executing another file.
I've tried to delete all those files in safe mode, but they just come back

A spybot scan doesn't detect anything and neither does Trend Micro antivirus.

Here's the hijackthis log: At the time there was a rundll32 running c:\windows\system32\npevtmsg.dll

Logfile of HijackThis v1.99.1
Scan saved at 21:20:04, on 10-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\CVSNT\cvslock.exe
C:\Program Files\CVSNT\cvsservice.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\TEMP\ZYA969.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\FolderShare\FolderShare.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\trayit!.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\logon.scr
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
c:\program files\outsystems\hub server\compilerservice.exe
c:\program files\outsystems\hub server\deployservice.exe
c:\program files\outsystems\hub server\logserver.exe
c:\program files\outsystems\hub server\scheduler.exe
c:\program files\outsystems\hub server\smsconnector.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\Documents and Settings\gmg\Desktop\HJT\HijackThis.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\CVSNT\cvs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Omea - {35402C01-1777-4159-9ABA-3480BA70D90A} - C:\Program Files\JetBrains\Omea\IexploreOmeaW.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TrayIt!.lnk = C:\Program Files\trayit!.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Clip and Edit - res://C:\Program Files\JetBrains\Omea\IexploreOmeaW.dll/1000
O8 - Extra context menu item: Clip and Save - res://C:\Program Files\JetBrains\Omea\IexploreOmeaW.dll/1001
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe to Feed - res://C:\Program Files\JetBrains\Omea\IexploreOmeaW.dll/1002
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: (no name) - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O9 - Extra 'Tools' menuitem: Omea Add-on Options… - {35402C01-1777-4159-9ABA-3480BA70D901} - C:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Subscribe to Feed - {35402C01-1777-4159-9ABA-3480BA70D903} - C:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Edit - {35402C01-1777-4159-9ABA-3480BA70D905} - C:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Clip and Save - {35402C01-1777-4159-9ABA-3480BA70D907} - C:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O9 - Extra button: Annotate - {35402C01-1777-4159-9ABA-3480BA70D909} - C:\Program Files\JetBrains\Omea\IexploreOmeaW.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://srvexc001.domain.outsystems.com:4343/SMB/console/html/root/AtxEnc.cab
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.3dlisboadakar.com/resources/TEInstall/TE.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148771596887
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.outsystems.com
O17 - HKLM\Software\..\Telephony: DomainName = domain.outsystems.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.outsystems.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = domain.outsystems.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\irpql5751.dll
O20 - Winlogon Notify: RunServices - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - c:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - c:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OutSystems Deployment Controller Service - - c:\program files\outsystems\hub server\compilerservice.exe
O23 - Service: OutSystems Deployment Service - - c:\program files\outsystems\hub server\deployservice.exe
O23 - Service: OutSystems Log Service - - c:\program files\outsystems\hub server\logserver.exe
O23 - Service: OutSystems Scheduler Service - - c:\program files\outsystems\hub server\scheduler.exe
O23 - Service: OutSystems SMS Connector Service - - c:\program files\outsystems\hub server\smsconnector.exe
O23 - Service: Desktop (Service_Desktop) - Unknown owner - C:\Program Files\Free-Soft\Virtual Desktop\Desktop.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
pskelley
2006-09-13, 12:57
Welcome to the forum, if you still need help and are not receiving it elsewhere, please follow these instructions.

1) Tell me if this is a safe program running from this service:
O23 - Service: Desktop (Service_Desktop) - Unknown owner - C:\Program Files\Free-Soft\Virtual Desktop\Desktop.exe

2) Use these free online scanners to tell me what this is: C:\WINDOWS\system32\logon.scr
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Thanks to Atribune and any others who helped with this fix.

3) Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isnt you can use sc.exe to start it

start>run sc start schedule press enter.

Make sure the computer is restarted and post the two logs bolded above. Let me know of any problems now, and the information I requested.

Thanks
tashi
2006-09-19, 17:37
This topic is closed due to lack of a response to helper, if you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.