Windows XP Pro - Consistent pop ups 2

Xaqte

IS-IT--Management
Oct 4, 2002
971
US
After logging in, an internal web page is brought up (normal) and the PC is left alone; after 10-15 mins pop-ups start appearing, as well as prompts to install software.
I've run Panda Software's antivirus twice with nothing found, and I've run the "Sasser (A-F) Worm Removal Tool (KB841720)" from MS with no result. Spybot S&D finds nothing. Here is a list of my processes from HijackThis:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\mec6954\Application Data\lanr.exe
C:\Program Files\AnyTime Deluxe\AnyTime Earth Clock\WorldTime.exe
C:\Program Files\AnyTime Deluxe\Atw.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\Msoffice.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\l?ass.exe
C:\hijack this\HijackThis.exe

Any of these look like the culprit? Any help/thoughts would be appreciated!

X
 
C:\WINDOWS\SYSTEM32\l?ass.exe

Very suspicious... should be deleted...

BTW, what do your Autostarts say?



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
Thanks for the response Ben! I thought I should delete that line as well. Here is the remainder of the report (slightly modified to keep users privacy):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", " (C:\Program Files\Netscape\Users\michael1\prefs.js)
O2 - BHO: (no name) - {4AFF4459-E132-79C1-8224-66550D852A1B} - C:\WINDOWS\System32\vgyipgtw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Udte] C:\Documents and Settings\Joe\Application Data\lanr.exe
O4 - HKCU\..\Run: [WorldTime.exe] C:\Program Files\AnyTime Deluxe\AnyTime Earth Clock\WorldTime.exe nosplash
O4 - Global Startup: AnyTime Organizer.lnk = C:\Program Files\AnyTime Deluxe\Atw.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: MySoftware NewsFlash.lnk.disabled
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - file://c:\x.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E98EEF1-752A-4D7E-8741-2B5BC4D612B9}: Domain = user.carolina.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E98EEF1-752A-4D7E-8741-2B5BC4D612B9}: NameServer = 42.32.86.56,42.32.86.46
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4B8CF88-907F-48CA-9337-DEC7C0AD8F08}: Domain = user.carolina.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4B8CF88-907F-48CA-9337-DEC7C0AD8F08}: NameServer = 84.93.65.64,84.93.65.67
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = user.carolina.rr.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = user.carolina.rr.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = user.carolina.rr.com
 
Remove these entries, after disabling system restore on an XP machine:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {4AFF4459-E132-79C1-8224-66550D852A1B} - C:\WINDOWS\System32\vgyipgtw.dll

Reboot.


Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
This is sketchy as well:
O4 - HKCU\..\Run: [Udte] C:\Documents and Settings\Joe\Application Data\lanr.exe


Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - file://c:\x.cab

These two look a tad iffy as well.

----------------------------
"Security is like an onion" - Unknown
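Several of the hints given in this thread (a process whose name is one character off a real system binary, an executable launched from a user's Application Data folder, an ActiveX control loaded from a local file:// .cab, an unnamed BHO) can be checked mechanically. The script below is an added example, not part of the thread or of HijackThis; the sample entries are constructed from the log quoted above.

```python
import re
# Well-known system binaries; a near-match that is not an exact match is the
# lookalike trick (compare 'l?ass.exe' with 'lsass.exe' in the log above).
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_lookalike(name):
    # One character substitution away from a real system binary ('?' is what HijackThis shows for an undisplayable character).
    if name in SYSTEM_BINARIES:
        return False
    return any(len(ref) == len(name) and sum(a != b for a, b in zip(ref, name)) == 1
               for ref in SYSTEM_BINARIES)

def flag_process(path):
    """Reasons a running-process path deserves a closer look (empty if none)."""
    name, reasons = basename(path), []
    if is_lookalike(name) or any(ord(c) > 127 or c == "?" for c in name):
        reasons.append("system-binary lookalike")
    if re.search(r"\\application data\\", path, re.I):
        reasons.append("executable under user Application Data")
    return reasons

def flag_hjt_entry(line):
    """Reasons a HijackThis O-line deserves a closer look (empty if none)."""
    reasons = []
    if line.startswith("O16") and "file://" in line.lower():
        reasons.append("ActiveX download from local file://")
    if line.startswith("O2") and "(no name)" in line:
        reasons.append("unnamed BHO")
    return reasons

def triage(lines):
    """Map each suspicious line to its reasons; clean lines are left out."""
    out = {}
    for line in (l.strip() for l in lines):
        hits = flag_hjt_entry(line) if re.match(r"[A-Z]\d+ - ", line) else flag_process(line)
        if hits:
            out[line] = hits
    return out

# Constructed sample made of entries quoted in the thread.
SAMPLE = [
    r"C:\WINDOWS\SYSTEM32\l?ass.exe",
    r"C:\Documents and Settings\mec6954\Application Data\lanr.exe",
    r"O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - file://c:\x.cab",
]
```

Flags are triage hints, not verdicts: Spybot's own SDHelper.dll also shows up as an unnamed BHO in the log above, so confirm each hit against the file's location and publisher before removing anything.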
 
Lots that look iffy to me :) Have you run the usual? Spybot etc. And what antivirus are you using?
 
@Xaqte - follow what Carr and TechieMichael suggest to remove, except the LANR.EXE (this seems to be a LAN driver for a game? but I'm not sure, keep a watchful eye on it)...

@Kesser - I don't wanna sound like an A-Hole, but have you read the original posting? There he states what he did, Spybot and Panda AV, and posting the HijackThis log should also tell you that he is using HijackThis!!!



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
Ok, here is what I've done:
Removed:
C:\WINDOWS\SYSTEM32\l?ass.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - file://c:\x.cab
O4 - HKCU\..\Run: [Udte] C:\Documents and Settings\Joe\Application Data\lanr.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {4AFF4459-E132-79C1-8224-66550D852A1B} - C:\WINDOWS\System32\vgyipgtw.dll

After a reboot, the following reappeared:
O4 - HKCU\..\Run: [Udte] C:\Documents and Settings\Joe\Application Data\lanr.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm

I'm just waiting to see if this fixed the pop-ups. I'll post back later.
Thanks again,
X
 
Hi there,

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm

this line is OK, as it points towards the SYSTEM Blank Page....

like I said, LANR.EXE should be watched... as I'm not sure that it is either a baddy or a goody (haven't found anything on the NET about it...)

Yes, keep us updated...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
The funny thing is that "lanr.exe" doesn't even exist in that file path (yes, I've checked for hidden files). No pop-ups after yesterday's changes. If they come back, I'll let ya know.

Thanks again!
X
 
Xaqte: You are welcome and I am glad you've stopped the pop-ups. :) One thing you might want to try is this:

Start->Run->cmd.exe->Enter->cd C:\Documents and Settings\Joe\Application Data\->Enter->notepad lanr.exe->Enter

If that finds the file and opens it in notepad, it is there. If it is there, is there some place where you can upload the file so I can look at it? If it complains, obviously the file is no longer there. Though I'd be curious as to why the entry reappeared, but anywho.

----------------------------
"Security is like an onion" - Unknown
 