Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Constant Popups

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Constant Popups

Unread postby thedom » November 19th, 2005, 3:56 pm

Hi Ppl, just wondered if anyone here could help me out. I have been getting loads of popups and cant get rid of them. I ran Norton and it told me it was "look2me" and claimed it had removed it. No :( I discovered that everytime i got a popup that it was winlogon.exe that initiated it. So i killed that process and guess what happened, Critical system process and me pc rebooted. I have ran probably every software solution there is to remove this with no success.

My Hijack this report is as follows :

Logfile of HijackThis v1.99.1
Scan saved at 19:44:37, on 19/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
L:\steam\steam.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Documents and Settings\Dom\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "l:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\p26s0cj7efo.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


I have tried removing reg entries that other sites have provided but when in the registry, havent been able to find the ones they suggest.

Please if anyone can help It would be most appreciated as i think I am starting to go bald with all the hair I have pulled out today

Thx
thedom
Active Member
 
Posts: 5
Joined: November 19th, 2005, 3:41 pm
Advertisement
Register to Remove

Unread postby amateur » November 19th, 2005, 4:32 pm

Hi thedom,

Welcome to MRU. :D
I would like to help you. I'll be researching the items in your log. It will take some time, so please be patient. I'll be back as soon as possible.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby thedom » November 19th, 2005, 10:24 pm

ok fella, thanks for looking into it for me although i have finally managed to get rid of it :D

I spent 12 hours solid at this thing trying every known software for removing this and nothing worked, Then finally i came across a program i hadnt tried and slap me with a big stick, It worked !!! Webroot Spy Sweeper found it and got rid of it completely. I think i found a post mentioning this software in this forum and i'm most grateful to you guys who know about these things helping us little guys out !

And Bonus ! I didnt have to format :)

Thanks again fella
thedom
Active Member
 
Posts: 5
Joined: November 19th, 2005, 3:41 pm

Unread postby amateur » November 20th, 2005, 8:07 am

Hi Dedom,

I am glad you were able to solve your problem. Good job. :) However, it would be a good idea to post a new HijackThis log to make sure that the infeaction is totally cleared and that you have no other malware.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby thedom » November 20th, 2005, 9:29 am

Ok fella , here is the new hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 13:25:54, on 20/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
L:\steam\steam.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
D:\BitLord\BitLord.exe
C:\Program Files\winKeyLock\winKeyLock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Documents and Settings\Dom\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "l:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: winKeyLock.lnk = C:\Program Files\winKeyLock\winKeyLock.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Also it may be worth noting that this malware also removed an entry somewhere that prevents the playing of Punkbuster enabled games.

This was cured by hitting "restore policy" in vx2finder
thedom
Active Member
 
Posts: 5
Joined: November 19th, 2005, 3:41 pm

Unread postby thedom » November 20th, 2005, 9:32 am

Also to note, I now have webroot spy sweeper, spybot, Xoftspy, kaspersky installed along with the packet firewall now enabled on my NAT router, Hopefully this will prevent this kind of thing happening again.
thedom
Active Member
 
Posts: 5
Joined: November 19th, 2005, 3:41 pm

Unread postby amateur » November 20th, 2005, 12:27 pm

Hi Dedom,

The HijackThis log is clean. However, I don't see any sign of an antivirus software. I would recommend that you install an antivirus software. See this link for a listing of some on line & their stand-alone anti virus programs:

Computer Safety On line - Anti-Virus

When you have removed malware, and now clean which you seem to be, it's recommended to remove old restorepoints and let Windows make a new, clean one.
Because Windows regularly sets restorepoints, it's very possible that the malware, you have removed, is still present in the System Restore. If you have to put Windows back to such a restorepoint, this malware will be put back, as well.
You can find instructions on how to disable and re enable system restore here:

Windows XP System Restore Guide

Update your Anti Virus Software -
It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Enjoy safe surfing :)
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby thedom » November 21st, 2005, 8:33 pm

Yeah, all noted.

There was antivirus installed but it wasnt runnning when i did the log, plus i dont have system restore running at all. This is the first problem i have ever had that i have struggled to get rid of therfore have never relied on system restore to bail me out.

Your assistance has been greatly appreciated

Thanx again
thedom
Active Member
 
Posts: 5
Joined: November 19th, 2005, 3:41 pm

Unread postby amateur » November 21st, 2005, 8:44 pm

You're welcome. :thumbright:
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby NonSuch » November 30th, 2005, 8:19 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 267 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware