Random popups, even when not online

OS: XP
Location: English Room

The computer will be just sitting there, on the network (We share a LAN for I-Net) and the computer will just randomly popup with something. I have looked at the running processes and I found MWSUM.EXE (aka STLOADER.EXE) and SLMSS.EXE. I know that these programs are in relation to spyware and this might be the cause of the problem. I have also looked in the registry to see if the file was there that it makes for itself, and it is not.
How do I get rid of this little problem?

bluedos82

Posting Pro

588 posts since Oct 2003

Reputation Points: 56

Solved Threads: 0

8 Years Ago

Download HijackThis from http://209.133.47.200/~merijn/files/HijackThis.exe & unzip it into it's own, permanent folder, not a temporary one. Start HJT & press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file & paste it into the body of your post. DO NOT FIX ANYTHING YET.

crunchie

Most Valuable Poster

Moderator

20,095 posts since Feb 2004

Reputation Points: 1,142

Solved Threads: 985

8 Years Ago

what exactly is Hijack This?

bluedos82

Posting Pro

588 posts since Oct 2003

Reputation Points: 56

Solved Threads: 0

8 Years Ago

Here is the Log

Logfile of HijackThis v1.97.7
Scan saved at 3:53:52 PM, on 4/13/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\SYSTEM\SISAUDUT.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\UPDATER\WUPDATER.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
\\ATHENA SERVER\ALSDATA03\STAR UPDATE 2.3\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\SYSTEM\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O10 - Broken Internet access because of LSP provider 'c:\windows\system\inetadpt.dll' missing
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37902.3134259259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

bluedos82

Posting Pro

588 posts since Oct 2003

Reputation Points: 56

Solved Threads: 0

8 Years Ago

Here is the Log -- 041304

You have multiple problems. After you fix these, you may have a problem connecting because one of your bits of malware has replaced part of yourWinsock chain with its own stuff. Here is the link to LSPFix , which should help.

musemaker then responded with: It worked! And here's the process order:

* Run LSPfix.
* Delete all Dial-up adapters and network protcols.
* Delete all Winsock and Winsock2 registry keys.
* Under Add/Remove programs uncheck all of the listings under Communications.
* Reboot and then add back ALL the Communications items (although netmeeting and chat weren't necessary). It didn't work for me the first time as I have no need for a dial-up adapter, but it is the only way to get Windows to add back winsock2.
* Reinstall network protocol settings.

Also, there are some free prevention measures you can take as well, including SpywareBlaster and SpywareGuard . Considering the number of machines you deal with, they might lighten your load.

Now on to what your HjT log shows, and what should be removed:

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O10 - Broken Internet access because of LSP provider 'c:\windows\system\inetadpt.dll' missing
This indicates a possible problem. It's why I mentioned LSPFix earlier.

Reboot into safe mode and remove the following directories:

C:\Program Files\Common Files\slmss
C:\Program Files\Common files\updater

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's a couple that are resource wasters:

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

This one should only show up if you have just installed something new and not rebooted yet. What's it doing here?

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe

TallCool1

Practically a Posting Shark

Team Colleague

865 posts since May 2003