pls help me kill this annoying popup

Discussion in 'adware, spyware & hijack cleaning' started by www.belgiandip.com?, Feb 28, 2004.

Thread Status:
Not open for further replies.
  1. the problem I have is that sometimes after I open IE (but no surfing) or sometimes after I close IE, a popup, ad or whatever it is appears - www.belgiandip.com and after that it goes to 'fastrewards' or something... tried a lot of antispyware but no luck... pls help, thanks.


    Logfile of HijackThis v1.97.7
    Scan saved at 12:16:34 AM, on 2/29/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\MMTray.exe
    C:\WINDOWS\System32\MMTray2k.exe
    C:\WINDOWS\System32\MMTrayLSI.exe
    C:\WINDOWS\System32\omsvcsc.exe
    C:\WINDOWS\System32\cardsvrs.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\cosmin\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [MMTray] MMTray.exe
    O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
    O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [omsvcsc] C:\WINDOWS\System32\omsvcsc.exe
    O4 - HKLM\..\Run: [cardsvrs] C:\WINDOWS\System32\cardsvrs.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{63155C11-EBFF-4499-BAA6-6D53D2B4DD8B}: NameServer = 193.231.236.17,193.231.236.10
    O17 - HKLM\System\CS1\Services\Tcpip\..\{63155C11-EBFF-4499-BAA6-6D53D2B4DD8B}: NameServer = 193.231.236.17,193.231.236.10
    O17 - HKLM\System\CS2\Services\Tcpip\..\{63155C11-EBFF-4499-BAA6-6D53D2B4DD8B}: NameServer = 193.231.236.17,193.231.236.10
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Any idea what these are or do?
    O4 - HKLM\..\Run: [omsvcsc] C:\WINDOWS\System32\omsvcsc.exe
    O4 - HKLM\..\Run: [cardsvrs] C:\WINDOWS\System32\cardsvrs.exe

    If you don't could you send those two files to the address in my profile?
    They look suspicious.

    Regards,

    Pieter
     
  3. cos

    cos Guest

    can't find those files on my computer, they don't seem to exist
     
  4. cos

    cos Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 10:31:17 AM, on 2/29/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\MMTray.exe
    C:\WINDOWS\System32\MMTray2k.exe
    C:\WINDOWS\System32\MMTrayLSI.exe
    C:\WINDOWS\System32\mpstubw.exe
    C:\WINDOWS\System32\sctrlsa.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\cosmin\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [MMTray] MMTray.exe
    O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
    O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\System32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mpstubw] C:\WINDOWS\System32\mpstubw.exe
    O4 - HKLM\..\Run: [sctrlsa] C:\WINDOWS\System32\sctrlsa.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{63155C11-EBFF-4499-BAA6-6D53D2B4DD8B}: NameServer = 193.231.236.17,193.231.236.10
    O17 - HKLM\System\CS1\Services\Tcpip\..\{63155C11-EBFF-4499-BAA6-6D53D2B4DD8B}: NameServer = 193.231.236.17,193.231.236.10
    O17 - HKLM\System\CS2\Services\Tcpip\..\{63155C11-EBFF-4499-BAA6-6D53D2B4DD8B}: NameServer = 193.231.236.17,193.231.236.10

    the new log
     
  5. cos

    cos Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 11:19:51 AM, on 2/29/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\MMTray.exe
    C:\WINDOWS\System32\MMTray2k.exe
    C:\WINDOWS\System32\MMTrayLSI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\lecnv32o.exe
    C:\WINDOWS\System32\ysinvs.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Documents and Settings\cosmin\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [MMTray] MMTray.exe
    O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
    O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
    O4 - HKLM\..\Run: [lecnv32o] C:\WINDOWS\System32\lecnv32o.exe
    O4 - HKLM\..\Run: [ysinvs] C:\WINDOWS\System32\ysinvs.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4329/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{63155C11-EBFF-4499-BAA6-6D53D2B4DD8B}: NameServer = 193.231.236.17,193.231.236.10
    O17 - HKLM\System\CS1\Services\Tcpip\..\{63155C11-EBFF-4499-BAA6-6D53D2B4DD8B}: NameServer = 193.231.236.17,193.231.236.10
    O17 - HKLM\System\CS2\Services\Tcpip\..\{63155C11-EBFF-4499-BAA6-6D53D2B4DD8B}: NameServer = 193.231.236.17,193.231.236.10

    the newer log even... notice the 2 files:

    C:\WINDOWS\System32\lecnv32o.exe
    C:\WINDOWS\System32\ysinvs.exe

    both files' properties show that they are made by totempole and that the original file name is "pup.exe" ... both size 64 KB
     
  6. Pieter_Arntz

    Ah good, you identified the culprit.

    Please download and install Regprot from: http://www.diamondcs.com.au/index.php?page=regprot

    At first allow all the keys it asks permission for.
    Then run HijackThis and fix:
    O4 - HKLM\..\Run: [lecnv32o] C:\WINDOWS\System32\lecnv32o.exe
    O4 - HKLM\..\Run: [ysinvs] C:\WINDOWS\System32\ysinvs.exe

    Then you will be warned about new Run keys being added. Deny permission by clicking no and reboot.

    Then run HijackThis again and post the log so we can see if we were successful.

    Regards,

    Pieter
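The respawn pattern visible across the three logs (the deleted Run-key pair coming back under fresh names in System32) can be spotted mechanically by diffing the O4 entries of consecutive HijackThis logs. This is an added example, not code from the thread or from HijackThis; the log excerpts are constructed from the O4 lines posted above, and the "lives directly in System32" rule is a heuristic chosen for this case.

```python
import re

# Constructed excerpts modelled on the O4 lines of the three logs in this thread
# (legitimate entries trimmed to a few so the example stays short).
LOG_1 = r"""
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [omsvcsc] C:\WINDOWS\System32\omsvcsc.exe
O4 - HKLM\..\Run: [cardsvrs] C:\WINDOWS\System32\cardsvrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
LOG_2 = LOG_1.replace("omsvcsc", "mpstubw").replace("cardsvrs", "sctrlsa")
LOG_3 = LOG_1.replace("omsvcsc", "lecnv32o").replace("cardsvrs", "ysinvs")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
SYSTEM32 = "c:\\windows\\system32\\"

def exe_path(value):
    """Strip surrounding quotes and command-line arguments from a Run value."""
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    m = re.match(r"(.+?\.exe)", value, re.IGNORECASE)
    return m.group(1) if m else value

def parse_o4(log):
    """Map (hive, value name) -> executable path for every O4 Run entry."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, name, value = m.groups()
            entries[(hive, name)] = exe_path(value)
    return entries

def diff_o4(old_log, new_log):
    """Run entries that appeared or vanished between two consecutive logs."""
    old, new = parse_o4(old_log), parse_o4(new_log)
    added = {k: v for k, v in new.items() if k not in old}
    removed = {k: v for k, v in old.items() if k not in new}
    return added, removed

def respawned_in_system32(old_log, new_log):
    """Newly added entries whose executable sits directly in System32 (heuristic):
    the pattern in this thread, where each deleted pair returns under new names."""
    added, _ = diff_o4(old_log, new_log)
    return sorted(v for v in added.values()
                  if v.lower().startswith(SYSTEM32)
                  and "\\" not in v[len(SYSTEM32):])

if __name__ == "__main__":
    for old, new in ((LOG_1, LOG_2), (LOG_2, LOG_3)):
        print("respawned:", respawned_in_system32(old, new))
```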
     
  7. cos

    cos Guest

    ouch... I did something before you posted your reply.
    what I did is end the 2 processes, deleted the 2 files, removed the 2 registry keys associated with these 2 files, disabled XP System Restore, rebooted and... until now no more popups... I will come back and apply your solution if it starts appearing again (I have to mention that I deleted pup.exe a day ago but it seems it replicates under different names like those 2 files we're talking about)
    thanks for your time and I'll come back if this happens again
     
  8. Pieter_Arntz

    No problem. Good job. :cool:
    Install Regprot anyway. It will warn you, so they can't sneak in without you knowing.

    Regards,

    Pieter
     