Topic: "Repair Registry Pro" - malicious spyware?

Offline radiostar1

"Repair Registry Pro" - malicious spyware?
« on: October 17, 2005, 07:06:01 PM »
Hello guys,

You have been very helpful to other users, so I'll just try my luck.

This is my problem. For about a week I have been observing weird pop-ups that come up about every 5 minutes, which I have to acknowledge for them to go away - very annoying! And I have a feeling this might be dangerous as well...
The pop-ups always start as a notification, saying "to" and "from". Most of the time the message comes from "microsoft" and tells me that my system is infected or corrupt or something and that I have to go to a website (regfixup.com and many others) to save my system... yeah, right! Then the pop-up gives me directions to download a software called "Repair Registry Pro".

As you will see in the HJT log, I have installed every kind of anti-spyware I can think of but it did not help. Most of them did not even find anything (e.g. ad aware, spybot, avast, ewido...).

My questions:
1. What is it? Just adware, a trojan, or what?
2. How dangerous is it, how can it harm my computer?
3. Where is an infection like this coming from?
4. How can I get rid of this?
5. How can I prevent this from coming back?

I am using a subnotebook without any drives installed in the BIOS, so it's a real pain to install a new operating system! I would be really grateful if I could do without.

This is what HJT says:

Logfile of HijackThis v1.99.1
Scan saved at 01:45:13, on 18.10.2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\MSI\Bluetooth Software\bin\btwdins.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\LTSMMSG.exe
C:\Programme\Gemeinsame Dateien\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programme\FIDMOU\WIN2K\FTMSFLT.EXE
C:\Programme\Gemeinsame Dateien\Nokia\Services\ServiceLayer.exe
C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclTray.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\FIDMOU\WIN2K\Fidvrpad.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\System32\internat.exe
C:\Programme\MSI\Bluetooth Software\BTTray.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\Silverjuke\Silverjuke.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Programme\Gemeinsame Dateien\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [FTMSFLT] C:\Programme\FIDMOU\WIN2K\FTMSFLT.EXE
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ServiceLayer] C:\Programme\Gemeinsame Dateien\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Programme\Gemeinsame Dateien\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BTTray.lnk = C:\Programme\MSI\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Programme\MSI\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\MSI\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\MSI\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\MSI\Bluetooth Software\bin\btwdins.exe
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

Hope you can help me!

All the best,
Radiostar

Offline guestolo

"Repair Registry Pro" - malicious spyware?
« Reply #1 on: October 17, 2005, 07:18:02 PM »
Can you do the following?
See if this is what it's related to.

# Click Start->   Settings->  Control Panel->  Administrative Tools->Services
# Scroll down and highlight "Messenger"
# Right-click the highlighted line and choose Properties.
# Click the STOP button.
# Select "Disabled" in the Startup Type scroll bar
# Click OK

See if you still get the popups

I see you're running 2 anti-virus programs on your computer.
This is not recommended as it can cause conflicts and decrease system performance

You should uninstall one or the other
Myself, I'm partial to Avast

Restart the computer

Post back a fresh hijackthis log

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Eric (Guest)
"Repair Registry Pro" - malicious spyware?
« Reply #2 on: October 28, 2005, 11:36:19 PM »
This is a UDP broadcast message. It comes in on UDP ports 1026 and 1027. You might want to look into a firewall, as it will stop these messages.

Here's a dump of what I normally capture on those ports:

FROM IP:221.5.251.222_1027 10/28/2005 9:34:47 PM
04 00 28 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ..(.................
00 00 00 00 F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 E6 FC    ......{Z........O...
0E 95 C8 59 30 9E D6 42 75 9F 96 48 B8 1A D6 0A 00 00 00 00    ...Y0..Bu..H........
01 00 00 00 00 00 00 00 00 00 FF FF FF FF 83 01 00 00 00 00    ....................
10 00 00 00 00 00 00 00 10 00 00 00 46 52 4F 4D 00 00 00 00    ............FROM....
00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 10 00 00 00    ....................
54 4F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3F 01 00 00    TO..............?...
00 00 00 00 3F 01 00 00 53 54 4F 50 21 20 57 49 4E 44 4F 57    ....?...STOP!.WINDOW
53 20 52 45 51 55 49 52 45 53 20 49 4D 4D 45 44 49 41 54 45    S.REQUIRES.IMMEDIATE
20 41 54 54 45 4E 54 49 4F 4E 2E 0A 0A 57 69 6E 64 6F 77 73    .ATTENTION...Windows
20 68 61 73 20 66 6F 75 6E 64 20 35 35 20 43 72 69 74 69 63    .has.found.55.Critic
61 6C 20 53 79 73 74 65 6D 20 45 72 72 6F 72 73 2E 0A 0A 54    al.System.Errors...T
6F 20 66 69 78 20 74 68 65 20 65 72 72 6F 72 73 20 70 6C 65    o.fix.the.errors.ple
61 73 65 20 64 6F 20 74 68 65 20 66 6F 6C 6C 6F 77 69 6E 67    ase.do.the.following
3A 0A 0A 31 2E 20 44 6F 77 6E 6C 6F 61 64 20 52 65 70 61 69    :..1..Download.Repai
72 20 52 65 67 69 73 74 72 79 20 50 72 6F 20 66 72 6F 6D 3A    r.Registry.Pro.from:
20 77 77 77 2E 66 69 78 2D 6D 73 2E 63 6F 6D 0A 32 2E 20 49    .www.fix-ms.com.2..I
6E 73 74 61 6C 6C 20 52 65 70 61 69 72 20 52 65 67 69 73 74    nstall.Repair.Regist
72 79 20 50 72 6F 0A 33 2E 20 52 75 6E 20 52 65 70 61 69 72    ry.Pro.3..Run.Repair
20 52 65 67 69 73 74 72 79 20 50 72 6F 0A 34 2E 20 52 65 62    .Registry.Pro.4..Reb
6F 6F 74 20 79 6F 75 72 20 63 6F 6D 70 75 74 65 72 0A 0A 46    oot.your.computer..F
41 49 4C 55 52 45 20 54 4F 20 41 43 54 20 4E 4F 57 20 4D 41    AILURE.TO.ACT.NOW.MA
59 20 4C 45 41 44 20 54 4F 20 53 59 53 54 45 4D 20 46 41 49    Y.LEAD.TO.SYSTEM.FAI
4C 55 52 45 21 0A 00                                           LURE!..

Guest
"Repair Registry Pro" - malicious spyware?
« Reply #3 on: October 28, 2005, 11:55:47 PM »
BTW,

My questions:
1. What is it? Just adware, a trojan, or what?
it's just a UDP message. No biggie.

2. How dangerous is it, how can it harm my computer?
The message is not dangerous at all. That you have open ports to the internet could be dangerous.

3. Where is an infection like this coming from?
Some computers simply send out these messages in hope that you'll download the software. If you were to do that bad things could happen.

4. How can I get rid of this?
Use a firewall: ZoneAlarm (free) or, if you have Windows XP, use the firewall it has built in (search Help for instructions), or buy a hardware firewall router (Netgear, D-Link).

5. How can I prevent this from coming back?
Do #4
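
The packet Eric captured in Reply #2 and the "open ports / use a firewall" point in Reply #3, in one added example that is not from any poster in this thread: it rebuilds the raw datagram from the posted hex dump, decodes the 80-byte connectionless DCE/RPC header and the three NDR strings that follow it (sender, recipient, message text), and then applies the check a firewall or IDS analyst would use to confirm that a UDP datagram on 1026/1027 really is a Messenger-service pop-up. The interface UUID in `MSGSVC_UUID` is decoded straight from bytes 24..39 of the dump and is the well-known Windows Messenger service (msgsvc) RPC interface; the port set comes from Eric's reply; the function names and the verdict labels are mine.

```python
import re
import struct
import uuid

# Hex dump quoted in Eric's reply above, re-typed here as a string. The ASCII gutter on
# the right (and any capture-header or blank line) is skipped by the parser.
MESSENGER_DUMP = """\
04 00 28 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ..(.................
00 00 00 00 F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 E6 FC    ......{Z........O...
0E 95 C8 59 30 9E D6 42 75 9F 96 48 B8 1A D6 0A 00 00 00 00    ...Y0..Bu..H........
01 00 00 00 00 00 00 00 00 00 FF FF FF FF 83 01 00 00 00 00    ....................
10 00 00 00 00 00 00 00 10 00 00 00 46 52 4F 4D 00 00 00 00    ............FROM....
00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 10 00 00 00    ....................
54 4F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3F 01 00 00    TO..............?...
00 00 00 00 3F 01 00 00 53 54 4F 50 21 20 57 49 4E 44 4F 57    ....?...STOP!.WINDOW
53 20 52 45 51 55 49 52 45 53 20 49 4D 4D 45 44 49 41 54 45    S.REQUIRES.IMMEDIATE
20 41 54 54 45 4E 54 49 4F 4E 2E 0A 0A 57 69 6E 64 6F 77 73    .ATTENTION...Windows
20 68 61 73 20 66 6F 75 6E 64 20 35 35 20 43 72 69 74 69 63    .has.found.55.Critic
61 6C 20 53 79 73 74 65 6D 20 45 72 72 6F 72 73 2E 0A 0A 54    al.System.Errors...T
6F 20 66 69 78 20 74 68 65 20 65 72 72 6F 72 73 20 70 6C 65    o.fix.the.errors.ple
61 73 65 20 64 6F 20 74 68 65 20 66 6F 6C 6C 6F 77 69 6E 67    ase.do.the.following
3A 0A 0A 31 2E 20 44 6F 77 6E 6C 6F 61 64 20 52 65 70 61 69    :..1..Download.Repai
72 20 52 65 67 69 73 74 72 79 20 50 72 6F 20 66 72 6F 6D 3A    r.Registry.Pro.from:
20 77 77 77 2E 66 69 78 2D 6D 73 2E 63 6F 6D 0A 32 2E 20 49    .www.fix-ms.com.2..I
6E 73 74 61 6C 6C 20 52 65 70 61 69 72 20 52 65 67 69 73 74    nstall.Repair.Regist
72 79 20 50 72 6F 0A 33 2E 20 52 75 6E 20 52 65 70 61 69 72    ry.Pro.3..Run.Repair
20 52 65 67 69 73 74 72 79 20 50 72 6F 0A 34 2E 20 52 65 62    .Registry.Pro.4..Reb
6F 6F 74 20 79 6F 75 72 20 63 6F 6D 70 75 74 65 72 0A 0A 46    oot.your.computer..F
41 49 4C 55 52 45 20 54 4F 20 41 43 54 20 4E 4F 57 20 4D 41    AILURE.TO.ACT.NOW.MA
59 20 4C 45 41 44 20 54 4F 20 53 59 53 54 45 4D 20 46 41 49    Y.LEAD.TO.SYSTEM.FAI
4C 55 52 45 21 0A 00                                           LURE!..
"""

# Windows Messenger service (msgsvc) RPC interface UUID; bytes 24..39 of the dump decode to it.
MSGSVC_UUID = "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc"

# UDP ports Eric reports these broadcasts arriving on (from the reply, not a protocol constant).
MESSENGER_SPAM_PORTS = {1026, 1027}

# Connectionless DCE/RPC (version 4) header: 80 bytes, little-endian fields.
CL_HEADER = struct.Struct("<BBBB3sB16s16s16sIIIHHHHHBB")

HEX_LINE = re.compile(r"^(?:[0-9A-Fa-f]{2} ?)+$")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw datagram from 'XX XX ...    ascii' dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        hex_part = line.strip().split("   ", 1)[0]   # pairs are single-spaced; the gutter starts at 3+ spaces
        if not HEX_LINE.match(hex_part):
            continue                                  # skips blank lines and any capture-header line
        out += bytes.fromhex(hex_part)
    return bytes(out)


def read_ndr_string(buf: bytes, off: int):
    """Read one NDR conformant/varying char string: max count, offset, actual count, then the bytes."""
    max_count, start, actual = struct.unpack_from("<III", buf, off)
    off += 12
    raw = buf[off + start: off + start + actual]
    text = raw.split(b"\x00", 1)[0].decode("latin-1")  # NUL-terminated; latin-1 decodes any byte
    off += actual
    off = (off + 3) & ~3                                 # NDR aligns the next field to 4 bytes
    return text, off


def parse_messenger_datagram(data: bytes) -> dict:
    """Decode the DCE/RPC CL header and the (from, to, text) strings of a Messenger request."""
    (rpc_vers, ptype, _flags1, _flags2, _drep, _serial_hi, _obj_uuid, if_uuid, _act_uuid,
     _server_boot, if_vers, _seqnum, opnum, _ihint, _ahint, frag_len, _fragnum,
     _auth_proto, _serial_lo) = CL_HEADER.unpack_from(data, 0)
    if rpc_vers != 4:
        raise ValueError(f"not a connectionless DCE/RPC packet (version {rpc_vers})")
    body = data[CL_HEADER.size: CL_HEADER.size + frag_len]
    sender, off = read_ndr_string(body, 0)
    recipient, off = read_ndr_string(body, off)
    text, _ = read_ndr_string(body, off)
    return {
        "rpc_version": rpc_vers,
        "packet_type": ptype,                            # 0 = request
        "interface_uuid": str(uuid.UUID(bytes_le=if_uuid)),
        "interface_version": if_vers,
        "opnum": opnum,
        "body_length": frag_len,
        "from": sender,
        "to": recipient,
        "text": text,
    }


def classify_datagram(dst_port: int, payload: bytes) -> str:
    """Defender's check: port filter first, then the interface UUID identifies the Messenger pop-up."""
    if dst_port not in MESSENGER_SPAM_PORTS or len(payload) < CL_HEADER.size:
        return "not-messenger"
    try:
        info = parse_messenger_datagram(payload)
    except (ValueError, struct.error):
        return "not-messenger"
    if info["interface_uuid"] != MSGSVC_UUID:
        return "other-rpc"
    return "messenger-popup"


if __name__ == "__main__":
    packet = dump_to_bytes(MESSENGER_DUMP)
    details = parse_messenger_datagram(packet)
    print(classify_datagram(1027, packet), details["interface_uuid"], details["from"], details["to"])
    print(details["text"])
```

Running it on the dump prints the verdict `messenger-popup` together with the msgsvc interface UUID, the literal strings `FROM` and `TO` that the spammer used as sender and recipient names, and the full pop-up text, which matches what the original poster described. Because the check keys on the RPC interface UUID rather than on the words in the message, it keeps working when the spammer changes the product name or the web address.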

Offline guestolo

"Repair Registry Pro" - malicious spyware?
« Reply #4 on: October 29, 2005, 03:14:56 AM »
The very first thing you can do is get all your windows updates

Without the latest service pack you are vulnerable.

Click Here
