Q: lmao.zapto.org: an annoying Network Connection popup ( Answered 5 out of 5 stars,   1 Comment )
Question  
Subject: lmao.zapto.org: an annoying Network Connection popup
Category: Computers > Internet
Asked by: bill99-ga
List Price: $20.00
Posted: 19 Jun 2004 12:24 PDT
Expires: 19 Jul 2004 12:24 PDT
Question ID: 363412
Any information about lmao.zapto.org.
I keep getting an annoying Network Connection popup requesting
connection to that site. I have used all the facilities of Norton
Internet Security Pro 2004 and found nothing. Norton tech support says
it's not a virus, just some kind of nuisance joke, and they can't help
me with it.
Help?

Request for Question Clarification by hummer-ga on 19 Jun 2004 12:59 PDT
Hi bill99,

1) Please run HouseCall, a very thorough online virus scan, just to be sure.

HouseCall:
http://housecall.trendmicro.com/

2) Next, run Ad-aware - the chances are you've picked up some spyware
along the way.

Adaware ("check for updates" before running):
http://www.spychecker.com/program/adaware.html

3) If that didn't solve it, try SpyBot.

Spybot Search and Destroy (check for updates before running):
http://www.safer-networking.org/

Please let us know how that goes so we'll know whether to continue to
look for a solution for you, or to post this as an answer.

Thank you,
hummer

Clarification of Question by bill99-ga on 20 Jun 2004 01:04 PDT
I've run the three suggested apps. They claimed to find and clean up
some things, but the problem still persists. Any other ideas?

Bill

Request for Question Clarification by hummer-ga on 20 Jun 2004 02:51 PDT
Hi Bill,

Hmm, that's too bad. Ok, try HijackThis. 

HijackThis (check for updates before running):
http://www.spychecker.com/program/hijackthis.html

Post your HijackThis log on the following forum:
Spyware and Hijackware Removal Support:
http://www.spywareinfo.com/forums/

Good luck,
hummer

Clarification of Question by bill99-ga on 25 Jun 2004 12:04 PDT
Hi-

I submitted the following log to the Spyware forum on 6/22, and have
no reply yet. Do you see anything useful in it?

I'll be away a few days, and probably won't respond to anything before July 1.

Bill

Logfile of HijackThis v1.97.7
Scan saved at 1:12:55 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\wkssvrs.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\OCENS\OCENS Mail\xgate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\$Downloads\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.intergate.com/startpage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
www.intergate.com/startpage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
www.intergate.com/startpage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Intergate
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
F2 - REG:system.ini:
UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O1 - Hosts: 64.192.180.49 findawireless.com
O1 - Hosts: 64.192.180.49 mailmarinenet.net
O1 - Hosts: 216.157.143.52 mail.marinenet.net
O1 - Hosts: 216.157.143.52 mail.ocens.net
O1 - Hosts: 216.157.143.52 gateway.ocens.net
O1 - Hosts: 216.157.143.52 gateway.marinenet.net
O1 - Hosts: 195.244.224.102 radio.kieldradio.net kielradio.net
O1 - Hosts: 195.244.224.102 www.kielmail.net
O1 - Hosts: 192.67.198.35 www.kielradio.de kielradio.de
O1 - Hosts: 216.157.143.52 email.ocens.net
O1 - Hosts: 64.246.60.78 ocens.net
O1 - Hosts: 216.168.47.100 ocens.com
O1 - Hosts: 198.31.176.178 wlc.marinenet.net wlc.mn.net
O1 - Hosts: 216.157.143.52 fastweb.marinenet.net fastweb
O1 - Hosts: 216.157.143.52 proxy.marinenet.net proxy
O1 - Hosts: 64.246.60.78 weathernet.ocens.net weathernet
O1 - Hosts: 64.246.60.78 weather.ocens.net weather
O1 - Hosts: 64.246.60.78 wxnet.ocens.net wxnet
O1 - Hosts: 216.157.143.61 xgate.gmn-usa.com xgate
O1 - Hosts: 216.157.143.61 proxy.gmn-usa.com proxy
O1 - Hosts: 216.157.143.61 xweb.gmn-usa.com xweb
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} -
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} -
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet
Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS
Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common
Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Advanced Tools Check]
C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [99937DEB] C:\WINDOWS\System32\mvgeioh.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD
Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - Startup: restart_vs.lnk = D:\Viewsonic.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: OCENS Mail.lnk = C:\Program Files\OCENS\OCENS Mail\xgate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: symsupportutil -
https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web
Collaboration Class) -
http://ec112.ecicorp.com/netagent/objects/emagic.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) -
http://office.microsoft.com/productupdates/content/opuc/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
- http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class)
- https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo
Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj
Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj
Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CE68B98-D6D9-4F43-8BB6-E1976584BF53}:
NameServer = 216.139.64.16 216.139.64.17
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F09481B-BACB-4A52-85C2-D38A7059F439}:
Domain = intergate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F09481B-BACB-4A52-85C2-D38A7059F439}:
NameServer = 216.139.64.16,216.139.64.17
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF8269A1-6ADA-4594-BC72-0A5B595C70F4}:
Domain = intergate.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CE68B98-D6D9-4F43-8BB6-E1976584BF53}:
NameServer = 216.139.64.16 216.139.64.17

Request for Question Clarification by hummer-ga on 26 Jun 2004 18:26 PDT
I think we've found it, Bill - here you go -

C:\WINDOWS\System32\wkssvrs.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [Microsoft Updates] wkssvrs.exe

WORM_SPYBOT.AP
This malware may arrive via network shares. Upon execution, this
memory-resident worm drops a copy of itself as WKSSVRS.EXE in the
Windows system folder.
It creates the following registry entries to ensure its automatic
execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices 
Microsoft Updates = "wkssvrs.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates = "wkssvrs.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates = "wkssvrs.exe"
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.AP&VSect=T

You can either tell HijackThis to "fix this" (all entries with
wkssvrs.exe) or you'll find directions for manual removal here:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.AP

When you are finished, run HouseCall and Ad-aware again (run ad-aware
several times until it comes back clean, make sure to update it
first).

Will look forward to your next report!
hummer
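As an added example that is not part of this thread, the small Python parser below reads HijackThis O4 lines and flags the persistence pattern hummer spotted: one value name registered in HKLM\Run, HKLM\RunServices and HKCU\Run, pointing at a bare filename that resolves from the system folder. The sample lines are constructed to match the shape of the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample of HijackThis "O4" autorun lines, modelled on the log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Registry-backed O4 entries: "O4 - <hive>\..\<Run key>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

def parse_o4(log_text):
    """Return one dict (hive, key, name, cmd) per registry autorun line in the log."""
    return [m.groupdict() for m in map(O4_RE.match, log_text.splitlines()) if m]

def executable_name(cmd):
    """Lower-cased basename of the program in a command, handling quoted paths and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        path = cmd[1:cmd.index('"', 1)]          # quoted path, drop trailing arguments
    else:
        path = cmd.split(" ")[0]                  # unquoted: first token is the program
    return path.rsplit("\\", 1)[-1].lower()

def find_suspicious(entries):
    """Group autorun entries by executable and report the worm-style persistence indicators."""
    by_exe = defaultdict(list)
    for e in entries:
        by_exe[executable_name(e["cmd"])].append(e)
    findings = {}
    for exe, hits in by_exe.items():
        reasons = []
        locations = sorted({f"{h['hive']}\\{h['key']}" for h in hits})
        if len(locations) >= 2:                   # same program wired into several autorun keys
            reasons.append(f"registered in {len(locations)} autorun locations: " + ", ".join(locations))
        if any("\\" not in h["cmd"].strip().strip('"') for h in hits):
            reasons.append("bare filename with no path (resolved from the system folder)")
        if reasons:
            findings[exe] = reasons
    return findings

if __name__ == "__main__":
    for exe, reasons in find_suspicious(parse_o4(SAMPLE_LOG)).items():
        print(exe, "->", "; ".join(reasons))
```

Flagged items still need a human look: legitimate drivers such as pctspk.exe are also registered by bare filename, so the combination of several autorun locations and a bare path is the stronger signal.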

Clarification of Question by bill99-ga on 03 Jul 2004 11:09 PDT
Hi-

I followed your last set of suggestions, and they seem to work. The
problem is no longer occurring.

I consider the question to be answered successfully. Thanks for your help.

Bill
Answer  
Subject: Re: lmao.zapto.org: an annoying Network Connection popup
Answered By: hummer-ga on 03 Jul 2004 12:12 PDT
Rated:5 out of 5 stars
 
Dear Bill,

Thank you for the good news - that's terrific! I was sorry to hear
that the Spyware forum didn't respond to your post, I wonder why not.
Reading those logs is not my expertise and I thought posting the log
over there would be more appropriate. When you posted it here, I
buckled down and slowly researched every line, one by one, and was so
excited when I finally hit on wkssvrs.exe - one of those "eureka"
moments! I wondered, though, why your Norton hadn't picked it up for
you to begin with (?).

Thanks again, Bill - wishing you trouble-free computing for the
remainder of the year.
hummer

>>>>>>>>>>

Here it is again, to make it official:

C:\WINDOWS\System32\wkssvrs.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [Microsoft Updates] wkssvrs.exe

WORM_SPYBOT.AP
This malware may arrive via network shares. Upon execution, this
memory-resident worm drops a copy of itself as WKSSVRS.EXE in the
Windows system folder.
It creates the following registry entries to ensure its automatic
execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices 
Microsoft Updates = "wkssvrs.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates = "wkssvrs.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates = "wkssvrs.exe"
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.AP&VSect=T

You can either tell HijackThis to "fix this" (all entries with
wkssvrs.exe) or you'll find directions for manual removal here:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.AP

When you are finished, run HouseCall and Ad-aware again (run ad-aware
several times until it comes back clean, make sure to update it
first).
bill99-ga rated this answer:5 out of 5 stars and gave an additional tip of: $15.00
Researcher was persistent, thorough, knowledgeable, and prompt. Excellent help.

Comments  
Subject: Re: lmao.zapto.org: an annoying Network Connection popup
From: hummer-ga on 04 Jul 2004 10:52 PDT
 
Dear Bill,

Thank you for the nice rating, generous tip and especially for the
nice note - I'm so glad we (you and me) were finally able to solve it,
and in the process I forced myself to learn about those logs!

Take care, hummer
