
Thread: windows pop up msg

  1. #1
    Senior Member
    Join Date
    Mar 2002
    Posts
    153

    windows pop up msg

    Hello All,
    I'm using Windows XP SP1, dual-booting with Windows 2000. Yesterday I reinstalled Windows (I chose the repair option). Then suddenly, when I went online, a pop-up message came out saying something about the security of my computer. I had done a spyware scan. I'm using an adware program; when I ran a scan, the adware program detected some spyware. After I deleted the spyware the problem still persisted: I still get the pop-up message. My computer has Norton AntiVirus, and its virus pattern is up to date.

    Here I attach some of the pop-up messages and the HijackThis.log. I'd appreciate any help. Thank you.

    Here is my HijackThis.log.
    Logfile of HijackThis v1.97.7
    Scan saved at 1:13:27 PM, on 6/15/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A47AFE4E-D56D-412C-9A22-36582B29A3AA}: NameServer = 202.188.0.132 202.188.0.133

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    messenger

    You get the pop-ups because
    - your Messenger service (Windows) is running and listening
    - you have no firewall blocking some specific incoming requests. We
    had an example of this a few days ago[0]. Actually, one of your
    pop-ups has been brought up there as an example.

    Solution:
    1. Start->Run: services.msc
    2. Messenger->Properties->Startup type: Disabled.


    hijackthis

    My goal is to provide you with information, so that you can also check
    these logs yourself. First: there is an excellent page, which analyses
    the log files automatically[1]. Learn about the tool itself[2].

    Running processes

    There are sites which explain running processes[3-5]. I did not know
    pctspk.exe, so I checked for it: if you have a PCTEL (HSP) modem,
    this is fine (also check the registry in the links I have provided).

    The directory %WINDIR%=c:\winnt (in your case) is the correct place
    to find explorer.exe for Windows XP SP1.

    O's

    Usually, you know best what you have installed. The automated analyser
    had problems with
    Code:
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    but, assuming you have done Trend Micro's HouseCall, this is all fine?

    Finally, the explicit nameservers, O17. Are these the numbers provided
    by your ISP (check the documentation or their homepage)? If so, this
    is fine as well.

    From this quick glance, your system is clean. Learn to keep it clean also here[6-7].

    Cheers

    [0] http://www.antionline.com/showthread...hreadid=268609
    [1] http://www.hijackthis.de
    [2] http://www.antionline.com/showthread...ht=hijack+this
    [3] http://www.neuber.com/taskmanager/pr...ctspk.exe.html
    [4] http://www.liutilities.com/products/...ibrary/pctspk/
    [5] http://www.processlibrary.com/directory/files/pctspk/
    [6] http://www.antionline.com/showthread...hreadid=265440
    [7] http://www.antionline.com/showthread...hreadid=267907
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  3. #3
    Senior Member
    Join Date
    Mar 2002
    Posts
    153
    Thank you bro for your response. When I look at the HijackThis log I cannot find anything suspicious. But yes, after I disabled Messenger there is no pop-up message anymore. But what is the purpose of Messenger anyway if it displays that kind of message? Any comment?

    But one more thing, I don't really understand the explicit nameservers, O17. What do you mean by that? Looking at the HijackThis log I cannot find such a thing.

    Well, lastly, thanks a lot for all your help.

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by y2k
    {..} but what is the purpose of Messenger anyway if it displays that kind of message? Any comment?
    It's meant to be used, for example, by system administrators to send messages to their users to warn them a system will be shut down. Or for printer servers to give the user a message that the printer is out of paper. Lots of legitimate reasons, but most (if not all) home users don't need it.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Feb 2004
    Posts
    270
    Scaring classmates with a spoofed message from the teacher telling them to stop ****ing around was fun while it lasted too.
    Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by MoonWolf
    Scaring classmates with a spoofed message from the teacher telling them to stop ****ing around was fun while it lasted too.
    Hehehe... During courses too
    A small batch script will make 'm go nuts.. Ahhh... the good ol' days...

  7. #7
    Senior Member
    Join Date
    Mar 2002
    Posts
    153
    But where did all the messages come from? (Refer to my attachment.) There must be some source. Can it be considered that Messenger was exploited and someone sent me all those kinds of messages? Does that mean my box is vulnerable? Can we say someone attacked my computer? Any comment?

  8. #8
    nihil (Senior Member)
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    But where did all the messages come from? (Refer to my attachment.) There must be some source. Can it be considered that Messenger was exploited and someone sent me all those kinds of messages? Does that mean my box is vulnerable? Can we say someone attacked my computer? Any comment?
    You were SPAMMED with advertisements for rubbish, alleged security software. If you had visited the site they would have offered to "scan" your machine and then charged you 50 bucks to "clean" it of things it didn't even have.

    You left MS Messenger enabled (a known vulnerability) and hence you got the spam. It was not "exploited" as such, you just had it turned on. Not really different from your telephone or your mailbox... apart from that they have better legal protection?


  9. #9
    What is meant by the explicit nameservers:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{A47AFE4E-D56D-412C-9A22-36582B29A3AA}: NameServer = 202.188.0.132 202.188.0.133

    You most likely connect to your ISP using DHCP and the nameservers are provided by the DHCP server. You can check on the ISP's homepage and if these are the authorized nameservers for the ISP then everything is ok.
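The check described in this post and in #2 (compare the O17 NameServer entries against the resolvers your ISP publishes) can be scripted. The following is an added example, not code from the thread or from HijackThis: it parses O17 lines from a HijackThis log and flags any resolver that is not on the ISP's list. The ISP list and the second O17 line are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the O17 line from the thread plus a made-up second
# interface entry pointing at an unexpected resolver (203.0.113.53 is a
# documentation address), so the mismatch path is exercised.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A47AFE4E-D56D-412C-9A22-36582B29A3AA}: NameServer = 202.188.0.132 202.188.0.133
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.53
"""

# Assumption: the resolvers the ISP lists in its own documentation.
ISP_NAMESERVERS = {"202.188.0.132", "202.188.0.133"}

# O17 lines have the form: "O17 - <registry key>: NameServer = <ip> [<ip> ...]"
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return a list of (registry_key, [nameserver, ...]) for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis separates multiple servers with spaces; tolerate commas too.
        servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
        entries.append((m.group("key"), servers))
    return entries


def check_nameservers(log_text, allowed):
    """Flag each configured resolver that is malformed or not on the ISP's list."""
    findings = []
    for key, servers in parse_o17(log_text):
        for s in servers:
            try:
                ipaddress.ip_address(s)
            except ValueError:
                findings.append((key, s, "not an IP address"))
                continue
            if s not in allowed:
                findings.append((key, s, "not an ISP nameserver"))
    return findings


if __name__ == "__main__":
    for key, server, reason in check_nameservers(SAMPLE_LOG, ISP_NAMESERVERS):
        print(f"{key}: {server} -> {reason}")
```

An empty result means every configured resolver is one the ISP publishes, which is the "fine as well" case from post #2.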

  10. #10
    Banned
    Join Date
    Aug 2004
    Posts
    534
    just curious ... how do you spoof "net send"
