Getting some 'popup error' every 15 minutes



#1 Lexxi (Member, 10 posts)
I've recently had a new hard drive installed. As soon as I received my computer back I was getting popups that say the following:

Message from SECURITY MONITOR to USER on [DATE] [TIME]
WINDOWS REQUIRES IMMEDIATE ATTENTION
=======================
Buffer Overflow in Messenger Service Causes Unexpected Computer Shutdown
Virus Infection and Remote Code Execution

Affected Software:
Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win89
Microsoft Windows Server 2003

Non Affected Software:
Microsoft Windows Millennium Edition

Your system IS affected, download the patch from the address below !
FIRST TYPE THE URL BELOW INTO YOUR INTERNET BROWSER, THEN CLICK 'OK'

WWW.DOWNLOADPATCH.NET



Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 15:57:14, on 23/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Kayley\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\Kayley\Desktop\gam\LimeWire\LimeWire.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks for any help.
#2 Cookiegal (Malware Expert, MVP, 885 posts)
Hi and welcome to Geeks to Go!

You do have the Alcan worm and we will take care of that.

First though, you can disable Windows Messenger so you don't get those messages:

Go to Start > Run – type Services.msc

Right click on Messenger - select stop and then change startup type to disabled.


Please move the HijackThis program into a permanent folder of its own. It can remain on the desktop but it needs to be in its own folder. Please do that before posting your next log.


Download Cleanup from Here
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • DO NOT RUN IT YET


Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update; click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.
Click here for info on how to boot to safe mode if you don't already know how.


Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


Restart your computer into safe mode now. Perform the following steps in safe mode:


Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop


Run Cleanup:
  • Click on the "Cleanup" button and let it run.
  • Once it's done, close the program.

Go to Control Panel - Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Restart back into Windows normally now.


Do a Panda Active Scan. Be sure to save the log it creates.


Come back here and post a new HijackThis log, as well as the logs from the Ewido and Panda scans.

#3 Lexxi (Topic Starter, Member, 10 posts)
Hi thanks for the help.
I did as you said.
All except the Panda scan, as that wouldn't work for some reason.
When I reset the web settings my computer went into Windows Classic mode, and when I went to change it the XP tab had gone, leaving only Classic. Is there a way to get that back?

Here is the Ewido log and HJT log.

Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 16:21:30, 28/11/2005
+ Report-Checksum: 597C3CBF

+ Scan result:

:mozilla.20:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Kayley\Application Data\Mozilla\Firefox\Profiles\wqcyayis.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup


::Report End



HJT

Logfile of HijackThis v1.99.1
Scan saved at 16:39:35, on 28/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Kayley\Desktop\gam\LimeWire\LimeWire.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Kayley\Desktop\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\Kayley\Desktop\gam\LimeWire\LimeWire.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks again

#4 Cookiegal (Malware Expert, MVP, 885 posts)
I recommend that you uninstall LimeWire as it is the source of many infections. You can remove it via the Control Panel - Add/Remove Programs utility.


Click Here and download Killbox and save it to your desktop but don’t run it yet.


Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto


Then boot to safe mode:


How to restart to safe mode


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.


C:\Program Files\winupdates\winupdates.exe

C:\Program Files\MsConfigs\MsConfigs.exe

C:\WINDOWS\system32\p2pnetwork.exe

C:\WINDOWS\system32\CMD.COM

C:\WINDOWS\system32\netstat.com

C:\WINDOWS\system32\ping.com

C:\WINDOWS\system32\regedit.com

C:\WINDOWS\system32\tasklist.com

C:\WINDOWS\system32\taskkill.com

C:\WINDOWS\system32\taskmgr.com

C:\WINDOWS\system32\tracert.com



Exit the Killbox.


Locate and delete these folders:

C:\Program Files\winupdates

C:\Program Files\MsConfigs


Boot back to Windows normally and post another HijackThis please.
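The file list in post #4 shows a pattern worth being able to spot on any machine: `.com` files in System32 named after standard `.exe` tools. cmd.exe tries the PATHEXT extensions in order and `.COM` comes before `.EXE`, so a rogue `ping.com` runs whenever someone types `ping`. The following is an added detection example, not code from the thread or from any tool mentioned in it; the directory listing is constructed, and the tool-name set is taken from Cookiegal's list.

```python
"""Detect .com files that shadow standard Windows .exe command-line tools.

Added example (not from the thread). Because .COM precedes .EXE in the default
PATHEXT, a .com file with the same stem as a tool is what a bare command name
resolves to. The names below are the .com files Cookiegal listed for deletion.
"""
from pathlib import Path
from typing import Iterable

# Stems of the .com files named in post #4 (all are names of legitimate .exe tools).
SHADOWED_TOOLS = {"cmd", "netstat", "ping", "regedit", "tasklist",
                  "taskkill", "taskmgr", "tracert"}


def find_shadowing_com(filenames: Iterable[str]) -> list[tuple[str, str]]:
    """Return sorted (com_name, shadowed_exe) pairs from a directory listing.

    A .com is reported when a .exe with the same stem is in the listing, or when
    its stem is a known tool name (the .exe may live elsewhere on PATH).
    Matching is case-insensitive, as NTFS name lookups are. Legitimate .com
    files such as more.com or win.com have no .exe twin and are not reported.
    """
    names = list(filenames)
    exe_stems = {Path(n).stem.lower() for n in names if n.lower().endswith(".exe")}
    hits = []
    for name in names:
        if not name.lower().endswith(".com"):
            continue
        stem = Path(name).stem.lower()
        if stem in exe_stems or stem in SHADOWED_TOOLS:
            hits.append((name, stem + ".exe"))
    return sorted(hits)


def scan_directory(directory: str) -> list[tuple[str, str]]:
    """Run the same check against a real directory, e.g. C:\\WINDOWS\\system32."""
    return find_shadowing_com(p.name for p in Path(directory).iterdir() if p.is_file())


# Constructed sample listing: genuine System32 files plus .com names from the thread.
SAMPLE_SYSTEM32 = [
    "cmd.exe", "CMD.COM", "ping.exe", "ping.com", "netstat.exe", "netstat.com",
    "tracert.com", "taskmgr.exe", "notepad.exe", "more.com", "win.com",
]

if __name__ == "__main__":
    for com, exe in find_shadowing_com(SAMPLE_SYSTEM32):
        print(f"{com} would run instead of {exe}")
```

On the sample listing the check reports CMD.COM, netstat.com, ping.com and tracert.com, and leaves more.com and win.com alone; taskmgr.exe is untouched because no taskmgr.com is present.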

#5 Cookiegal (Malware Expert, MVP, 885 posts)
To restore the XP style theme:

Click here to download Luna.zip. Download it and unzip it to extract the luna.msstyles file it contains. Copy the luna.msstyles file to the C:\WINDOWS\Resources\Themes\Luna folder.

Restart your machine and go to Display Properties and you should be able to choose the XP theme again.