-
Annoying Messages
Hi, I'm new here and have a really annoying problem. I keep getting these two messages:
http://www.sentex.net/~jgsahota/message.JPG
They pop up at random points during the day and often kick me out of games and minimize other programs. It asks me to download some spyware remover (hah :p). I think it may also be related to a process that takes me to palsol.com at random points. It hasn't done any damage (yet) but it's still aggravating. These are processes I thought might be related to it:
nmevtmsg.exe (no clue)
msses.exe (another user posted about this)
svvhost.exe (fake svchost according to Sophos)
The messages ask me to download XoftSpySetup_3.2.exe from paretologic.com and the other message takes me to search page from likesurfing.com
I'd really appreciate it if someone can help me figure all this out. Oh, and if you need it, here's my HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 5:31:40 PM, on 24/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\windows\winlogon.exe
C:\WINDOWS\System32\msses.exe
C:\WINDOWS\System32\svvhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\4LE3SXQJ\HijackThis[1].exe
C:\WINDOWS\System32\nmevtmsg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ckco.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msmk.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DSL Monitor] C:\Program Files\Efficient Networks\SpeedStream DSL\SPDSTRM.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [nmevtmsg] C:\WINDOWS\System32\nmevtmsg.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downlo...?1082153427416
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7...ll/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...093.5194444444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/...x/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7313EDD-315E-46B6-AC86-D7E11C0FC274}: NameServer = 64.7.128.99 199.212.134.1
-
Since it asks you to download a spyware scanner...Have you tried doing a spyware scan yet?
-
Ok... this is easy to remedy:
Open Administrative Tools (in the Control Panel or the Start menu) and select "Services". Scroll down until you find "Messenger". Double-click that service. First, press the "Stop" button and wait for the service to end. Then under "Startup type" select "Disabled". You should also do this with the "Alerter" service.
FYI: this is not the same as the MSN Messenger chat program.
To test whether you left the Messenger service running, open a command prompt and type:
net send 127.0.0.1 HI
If you get a pop-up message saying HI, then you still need to turn the Messenger service off.
More information on Windows services can be found at Black Viper's website: http://www.blackviper.com
Is this really the best way to try and get people to buy your programs? Scare tactics suck.
Welcome to AO
-
Don't install what the program is telling you to yet. It's probably spyware installed from the "spyware scanner". Just run Spybot S&D and Ad-Aware.
-
If you're lazy, you can also use "Shoot the Messenger" at www.grc.com.
-
I disabled the messenger and alerter services. Seems to be working for now. I did do a spyware search but Ad Aware only found some cookies. I did a scan on housecall and found 2 viruses that AVG didn't pick up. Cleaning them right now. And yes, that program probably is spyware. I'll post again if it comes back.
Thanks,
Komodo
-
Damn... the messages are still coming. I checked, and Messenger/Alerter are still disabled. Any ideas?
-
Have you tried Spybot and/or Adaware yet? That should weed out the rest.
-
"Windows has been detected spyware module on this computer"
Oh wow, you would think that a real program for file/system auditing and policies, which also magically has the ability to detect whether these changes are really the work of malware, would at least be able to form sentences a bit better. Hey, and it even tells you to go out and download more spyware *cough*... tools.
(Edited) Well there you have it. Windows is clearly a spyware module. Go get yourself a pet rock.
-
Yeah, it really sucks. I tried Ad-Aware but it isn't finding much. Is there a way to check what program executed the message? Maybe I can just delete that file. Oh, and does anyone know where I can get a clean copy of winlogon.exe?
Thanks,
Komodo
-
Make sure you try both Ad-Aware and Spybot. One often catches what the other misses. Also make sure they both have the latest updates.
If that doesn't work, have a baseball bat ready.
-
Ummm, yes, you'll find a backup in C:\WINDOWS\system32\winlogon.exe. Hehehe...
There should not be two. The one in C:\WINDOWS\winlogon.exe is most likely part of your problems.
AngelicKnight, it's your kind of attitude that not only helps spin the hype around a lot of malware but also puts food on the table for people like me. Not to mention it makes *******s like me look smart over nothing, and that's just plain sick 'n sad.
-
Re: Annoying Messages
Quote:
Originally posted here by komodo_00
Hi I'm new here and have a really annoying problem. I keep getting these 2 messages:
C:\WINDOWS\System32\svvhost.exe
From the looks of your log file it looks like ya got the AGOBOT or GAOBOT worm!!! It drops SVVHOST.EXE onto your system. Pretty tricky, since SVCHOST.EXE is fine and a Windows system file.
This SVVHOST.EXE is a backdoor...
Check out this link for description and cleaning information.
http://www.sophos.com/virusinfo/anal...2agobothl.html
I would recommend booting into SAFE MODE first and try scanning your system with your antivirus.
Good luck!
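The two tricks the replies above point out (a second winlogon.exe living in C:\WINDOWS instead of C:\WINDOWS\system32, started from an HKCU Run key, and svvhost.exe sitting one letter away from the real svchost.exe) can be checked mechanically rather than by eye. The following is an added example written for this thread, not code from HijackThis or from anyone in the discussion. The table of where XP system binaries legitimately live and the rule that boot-chain processes are never launched from a Run key are this example's assumptions; the sample log is an abridged excerpt of the log posted above.

```python
"""Mechanical triage of a HijackThis log for the tricks called out in this
thread: a system binary name running from the wrong directory, a lookalike
name one character away from a real one, a Run-key autostart for a file
Windows never starts that way, and BHO entries whose DLL is already gone.
"""
import ntpath
import re

# Where core Windows XP binaries legitimately live. This table is an
# assumption of the example, not something stated in the thread.
SYSTEM_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "spoolsv.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
}
# Started by the boot chain (smss -> winlogon -> services/lsass), never by a Run key.
BOOT_CHAIN = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: .* - \{[^}]+\} - (.*)$")

# Constructed sample: an abridged excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\windows\winlogon.exe
C:\WINDOWS\System32\msses.exe
C:\WINDOWS\System32\svvhost.exe
C:\WINDOWS\System32\nmevtmsg.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ckco.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [nmevtmsg] C:\WINDOWS\System32\nmevtmsg.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
"""


def edit_distance(a, b):
    """Levenshtein distance; used to spot typosquatted process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_path(cmdline):
    """Executable path from a Run-key command line, quoted or not."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(" ", 1)[0]


def check_path(path):
    """Findings for one executable: wrong directory, or lookalike of a system name."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    findings = []
    if name in SYSTEM_DIRS:
        if directory != SYSTEM_DIRS[name]:
            findings.append(("wrong_dir", f"{name} from {directory}, expected {SYSTEM_DIRS[name]}"))
    else:
        for real in SYSTEM_DIRS:
            if edit_distance(name, real) == 1:
                findings.append(("lookalike", f"{name} resembles {real}"))
    return findings


def triage(log_text):
    """Walk the log once and return (code, detail) findings in log order."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and re.match(r"^[A-Z]\d+ - ", line):  # first R/O entry ends the list
            in_processes = False
        if in_processes and line:
            findings += check_path(line)
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            path = first_path(cmd)
            findings += check_path(path)
            base = ntpath.basename(path).lower()
            if base in BOOT_CHAIN:
                findings.append(("run_key", f"{hive}\\..\\{key} [{name}] starts {path}; the real {base} is never launched from a Run key"))
            continue
        m = O2_RE.match(line)
        if m and m.group(1).endswith("(file missing)"):
            findings.append(("dangling_bho", m.group(1)))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(code, detail)
```

Run against the excerpt it reports the wrong-directory winlogon.exe twice (once as a running process, once as the HKCU Run target), the Run-key entry itself, svvhost.exe as a lookalike of svchost.exe, and the dangling msopt.dll BHO. It does not flag msses.exe or nmevtmsg.exe, which is the point: a name-based check only catches impersonation, and unknown names in system32 still need a scanner or a file lookup.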
-
If it's Agobot then clearly the box is worm and backdoor heaven. If that's the case you may also want to check out C:\WINDOWS\System32\RunDll32.exe.
Agobot, adware, welchia/MSblaster? Ahhh man :cool:
-
There we go. First, I removed all instances of c:\windows\winlogon.exe in my registry. Then I was able to delete the file in safe mode because it was no longer in use. For the other files, I just deleted them. Cleaned up some spyware Ad Aware didn't find and everything seems to be running fine. Oh, I installed PC-Cillin, did a scan and everything looks fine.
Thanks,
Komodo
-
Just curious, how did you get rid of your Peper trojan? PC-cillin won't touch it, nor will any other scanner that I am aware of. :confused:
-
I deleted the decoy winlogon.exe. Since it was in use, I disabled it by removing it from the registry. If you're talking about the svvhost.exe one, I simply cancelled the process and deleted the file.