Messenger Service Pop Ups

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

lehmo7

Thread Starter
Joined
May 31, 2004
Messages
53
Every few minutes, I get these Messenger Service pop ups saying that my computer is infested with spyware, etc. How can I stop these?


Dell Dimension 2350
Windows XP <2002, version 2/service pack 1>
Pentium 4
256 MB RAM
 
Joined
Sep 7, 2004
Messages
49,014
SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
AdAware SE http://www.majorgeeks.com/download506.html
SpyBot S&D 1.3 http://www.safer-networking.org/en/download/

DL them (they are free), install them, check each for their definition updates and then run AdAware and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
SpyBot - After an update run immunize

Do these and reboot before the next step.

Then get HiJack This http://www.majorgeeks.com/download3155.html, put it in a permanent folder (C:\HJT), run it, DO NOT fix anything, post the log here.
 
Joined
Sep 7, 2004
Messages
49,014
Run those others first but

Open the log in notepad

EDIT - SELECT ALL
EDIT - COPY

Then come to this message, and in the quick reply box click in the white space and then EDIT - PASTE
 
Joined
Dec 9, 2004
Messages
296
Start => control panel => performance and maintenance => administrative tools => services => Stop the messenger service, then disable it.

Note: this does not affect Windows or MSN Messenger.
 

lehmo7

Thread Starter
Joined
May 31, 2004
Messages
53
Logfile of HijackThis v1.99.0
Scan saved at 7:23:42 PM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\worvwpxu\LB8HAR0R.exe
C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe
C:\documents and settings\julie heimbach\local settings\temp\1HJ3A.exe
C:\documents and settings\julie heimbach\local settings\temp\WSKM.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\UraV12X0.exe
C:\WINDOWS\System32\Nyx42g.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\Temporary Directory 11 for hijackthis.zip\HijackThis.exe
C:\hijackthis\HijackThis.exe
C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\Temporary Directory 12 for hijackthis.zip\HijackThis.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\Temporary Directory 1 for HJT.zip\HijackThis.exe

O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Joined
Sep 7, 2004
Messages
49,014
You didn't get the full log - you have some serious problems - follow what I said earlier
 

lehmo7

Thread Starter
Joined
May 31, 2004
Messages
53
Logfile of HijackThis v1.99.0
Scan saved at 7:52:45 PM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\worvwpxu\LB8HAR0R.exe
C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe
C:\documents and settings\julie heimbach\local settings\temp\1HJ3A.exe
C:\documents and settings\julie heimbach\local settings\temp\WSKM.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\UraV12X0.exe
C:\WINDOWS\System32\Nyx42g.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\TLuhBi.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Oywf2.exe
O4 - HKLM\..\Run: [RQpHZsEx] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [[email protected]@#W58AF62E] C:\WINDOWS\System32\Preu0YNR.exe
O4 - HKLM\..\Run: [bAVJY5Uw] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [Zk0HZ9Ex] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [ZYpGSwow] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [qsmV3qR] con_qic.exe
O4 - HKLM\..\Run: [d4iJh6Da] C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe
O4 - HKLM\..\Run: [1HJ3A] C:\documents and settings\julie heimbach\local settings\temp\1HJ3A.exe
O4 - HKLM\..\Run: [WSKM] C:\documents and settings\julie heimbach\local settings\temp\WSKM.exe
O4 - HKLM\..\Run: [ntao.exe] C:\WINDOWS\system32\ntao.exe
O4 - HKLM\..\Run: [QwVGSw1x] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [Yw0HUA1w] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [ewVGSAow] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [bB59Rkd6i] cmuadhlp.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Julie Heimbach\Application Data\eetu.exe
O4 - HKCU\..\Run: [Laas] C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC169A70-A072-4C13-AE81-043A42C0904E}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Joined
Apr 2, 2004
Messages
318
Start -> Run -> "services.msc" -> Scroll down until you find "Messenger". -> Right-click and select "Stop" -> Restart Computer

Then they are all gone!
 
Joined
Sep 7, 2004
Messages
49,014
Move HiJackThis.exe to a permanent folder like C:\HJT


CWShredder http://www.intermute.com/spysubtract/cwshredder_download.html
Close all browser windows, open cwshredder.exe, then click "Fix" and let it run.

Download the Hoster from here:
http://members.aol.com/toadbee/hoster.zip
Run Hoster and press Restore Original Hosts, OK, and Exit Program.

PEPER Go here http://www.thespykiller.co.uk/ and click on Downloads to get the peper trojan uninstaller.

Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.

Print this out – boot to safe mode – fix using HJT

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

R3 - Default URLSearchHook is missing

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\TLuhBi.dll

O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Oywf2.exe

O4 - HKLM\..\Run: [RQpHZsEx] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe

O4 - HKLM\..\Run: [[email protected]@#W58AF62E] C:\WINDOWS\System32\Preu0YNR.exe

O4 - HKLM\..\Run: [bAVJY5Uw] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [Zk0HZ9Ex] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [ZYpGSwow] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe

O4 - HKLM\..\Run: [qsmV3qR] con_qic.exe

O4 - HKLM\..\Run: [d4iJh6Da] C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe

O4 - HKLM\..\Run: [1HJ3A] C:\documents and settings\julie heimbach\local settings\temp\1HJ3A.exe
O4 - HKLM\..\Run: [WSKM] C:\documents and settings\julie heimbach\local settings\temp\WSKM.exe

O4 - HKLM\..\Run: [ntao.exe] C:\WINDOWS\system32\ntao.exe

O4 - HKLM\..\Run: [QwVGSw1x] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [Yw0HUA1w] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [ewVGSAow] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe

O4 - HKCU\..\Run: [bB59Rkd6i] cmuadhlp.exe

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Julie Heimbach\Application Data\eetu.exe

O4 - HKCU\..\Run: [Laas] C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)

O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files
C:\WINDOWS\system32\ntao.exe
C:\WINDOWS\System32\Preu0YNR.exe
C:\WINDOWS\System32\Oywf2.exe

Delete these folders
C:\PROGRAM FILES\worvwpxu



Temp

START – RUN – key in %temp% - Edit – Select all – File – Delete
Empty the recycle bin
Boot and post a new log
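
Added example, not part of the original thread: a triage pass over the O4 autorun lines of a HijackThis log, flagging three patterns visible in the entries listed for fixing above (Run targets under a Temp directory, executables sitting directly in Application Data, one binary registered under several Run value names). The function names and the heuristics are assumptions chosen for illustration; a hit means "review this entry", not a verdict.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RQpHZsEx] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [bAVJY5Uw] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [d4iJh6Da] C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Laas] C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
# Executable path: either quoted, or everything up to the first known extension.
TARGET = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|scr|dll))(?=\s|$)', re.I)


def parse_autoruns(log_text):
    """Return (hive, value_name, target_path) for every O4 Run line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # not a registry Run entry (other O-sections, process list)
        t = TARGET.match(m.group(3))
        target = (t.group(1) or t.group(2)) if t else m.group(3)
        entries.append((m.group(1), m.group(2), target))
    return entries


def triage(entries):
    """Map lower-cased target path -> list of reasons to review it (heuristics are assumptions)."""
    names = defaultdict(set)
    for _hive, name, target in entries:
        names[target.lower()].add(name)
    findings = {}
    for target, value_names in names.items():
        reasons = []
        if "\\temp\\" in target:
            reasons.append("runs from a Temp directory")
        if re.search(r"\\application data\\[^\\]+$", target):
            reasons.append("executable directly under Application Data")
        if len(value_names) > 1:
            reasons.append(f"registered under {len(value_names)} Run value names")
        if reasons:
            findings[target] = reasons
    return findings
```
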
 
Joined
Sep 7, 2004
Messages
49,014
Solid_Froggy said:
Start -> Run -> "services.msc" -> Scroll down until you find "Messenger". -> Right-click and select "Stop" -> Restart Computer

Then they are all gone!

Solid, you are treating the symptom, not the cause!
 

lehmo7

Thread Starter
Joined
May 31, 2004
Messages
53
I tried to run Peper Trojan uninstaller, but it would not run all the way through.

When I try to delete C:\Program Files\worvwpxu, I get a message saying Cannot delete cnml.exe....access denied.



Logfile of HijackThis v1.99.0
Scan saved at 9:32:32 PM, on 1/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\worvwpxu\LB8HAR0R.exe
C:\documents and settings\julie heimbach\local settings\temp\d4iJh6Da.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Julie Heimbach\Application Data\ettu.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Julie Heimbach\Local Settings\Temp\Mc.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RQpHZsEx] C:\PROGRA~1\worvwpxu\R0RAH8BL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC169A70-A072-4C13-AE81-043A42C0904E}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 