HolidayBuyer's Guide

Windows Legacy OS forum

General discussion

Network Connections pop-up boxes

by Gary Sutton / July 22, 2005 3:27 AM PDT

Is there a way to stop the grey network connections pop-up boxes from appearing when I start up my browser? They are becomming annoying. Should I allow them to access the information they request? Thanking you in advance.
G

Discussion is locked
You are posting a reply to: Network Connections pop-up boxes
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: Network Connections pop-up boxes
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
More information
by MarkFlax Forum moderator / July 22, 2005 4:42 AM PDT

Gary,

Please supply the information in red above the subject title.

Also, what grey boxes are these? Do they have a heading, if so what does it say?

What information are they requesting?

Do you have a firewall installed, if so which one?

What protection do you use against viruses, spyware, adware, etc?

Mark

Collapse -
Network Connections Popups
by Gary Sutton / July 22, 2005 5:06 AM PDT
In reply to: More information

I am using Windows XP Home SP2. On a Compaq Presario model 5400us. It runs at 1.2G

what grey boxes are these? Do they have a heading, if so what does it say?
The heading is '' Network Connections''

What information are they requesting?
It says: ''You (or a program is requesting information from [example: acs.download.aol.com] which program do you want to use?
In a box below is highlighted ''America Online''. I usually check a box saying ''Do not ask me again until the next time I log on'' thin click ''cancel'' as opposed to ''connect''

Do you have a firewall installed, if so which one?
Windows Firewall

What protection do you use against viruses, spyware, adware, etc?
I am running Spyware Doctor, Microsoft Antispyware beta, Aol users have McAfee Viruscan. In addition I use AdAware SE and Spybot S&D (both updated and run earlier today.

Collapse -
Very strange
by MarkFlax Forum moderator / July 22, 2005 7:25 PM PDT

Hi again Gary, and thanks for the further information.

I have to say I am still confused about this. Do you have a broadband connection or a dial up?

If it is broadband, then all I can assume at the moment is that Internet Explorer, (your browser), is asking how you want to connect to the internet whenever you open it, but being on broadband, you have an ''always open'' connection.

Try this;

For broadband

Open up Internet Explorer and click Tools > Intrernet Options, then in the Internet Options dialogue, click the Connections tab.

Find the option ''Never dial a connection'' and select that. Click Apply, then OK. Close down the browser, and then open it again, and see if the popup still appears.

For dial-up

If you have a dial-up connection, in the same dialogue window, make sure your main ISP is set as default under ''Dial-up and Virtual Private Network Settings'', (eg highlight it and then click the ''Set as default'' button).

Then your next step is up to you. Either set ''Dial whenever a network connection is not present'', or ''Always dial my default connection''.

However, when I had dial-up I did neither. I set it to ''Never dial a connection'', then in My Network Places on the desktop I right clicked my main ISP and chose ''Create a shortcut'', which placed a shortcut of the DUN, (DIal up Network connection), on my desktop. Then whenever I wanted to connect to the ISP, I opened this and clicked ''Connect'', rather than have my browser do it for me.

See if any of that helps.

By the way, although the WIndows Firewall is better than none, you may want to consider getting a better firewall, iinstalling it and then turning the WIndows Firewall off. There are many good free ones around and they offer inbound and outbound protection whereas the WF only offers inbound protection.

I use ZoneAlarm from http://www.zonelabs.com

Good luck

Mark

Collapse -
Very Strange (further info)
by Gary Sutton / July 25, 2005 7:44 AM PDT
In reply to: Very strange

Do you have a broadband connection or a dial up?
I guess it would be called broadband (a wireless 2.4 G connection like a phone that has a download speed of 256k.

Find the option ''Never dial a connection'' and select that. Click Apply, then OK. Close down the browser, and then open it again, and see if the popup still appears.
Checked it out and the "Never dial a connection box is already checked.

By the way, although the WIndows Firewall is better than none, you may want to consider getting a better firewall
AOL offers McAfee firewall free to subscribers... I can't say that the windows firewall has given me problems or has had any security breaches.

Collapse -
Does that mean
by MarkFlax Forum moderator / July 25, 2005 8:49 AM PDT

you have two firewalls running, Windows Firewall and McAfee's firewall?

If so, they could conflict with each other.

If you have got your McAfee working well, then it's firewall is very good and is all you need. You might want to turn off the Windows Firewall from the Control Panel > Windows Firewall.

It may be a source of the popup network window. Other than that I don't know what else the popup could be.

Mark

Collapse -
more on Network Connections pop-up boxes
by wilsond212 / August 1, 2005 11:21 PM PDT
In reply to: Does that mean

I've been running into the same problem.

I'm running a Compaq Presario SR1256CL with Windows XP; I bought it about 6 months ago. I've got a wireless network -- Belkin 54g router, Netgear WG311v2 wireless interface card, Internet access through Adelphia fiber optic cable. My usual Internet access is through AOL. My Norton personal firewall is enabled, the Windows firewall is off, and so is AOL's McAfee firewall. The wireless signal strength is good. My virus (Norton Antivirus 2004) and spyware (Spybot S&D)scans are current with the latest updates to the definitions.

I only recently installed the wireless card, and that's when the pop-up's started. Oddly enough, in addition to the pop-ups requesting access to acs.download.aol.com, I also get occasional requests to connect to the IP adddress for my router!

So, are there any further suggestions?

Collapse -
Firewalls
by Gary Sutton / August 6, 2005 11:40 AM PDT
In reply to: Does that mean

Does that mean you have two firewalls running, Windows Firewall and McAfee's firewall?

No McAfee is turned off.

Collapse -
Very strange
by muthus / August 18, 2005 10:39 PM PDT
In reply to: Very strange

I had the same problem, but my browser is firefox.

It turns out that when I had a network drive sharing problem, I had used the Network Wizard and that had turned the

''Dial whenever a network connection is not present'' option in the connections tab of Control Panel ->Connections.

I have a ''slow'' broadband and my connection drops packets and that would force these popups.

Changing the option to ''Never dial a connection'' fixed the problem.


Muthu

Collapse -
NETWORK PROBLEMS
by father time / July 26, 2005 3:40 AM PDT

GET RID OF AOL .ITS SPYWARE AND TRACKING WARE.I CUSTOM BUILD COMPUTERS AND I WONT HAVE AOL IN ANY OF MY MACHINES.THERE ALLSO SOFTWARE INTENSIVE.


FATHER TIME

Collapse -
What has that got to do
by MarkFlax Forum moderator / July 26, 2005 4:00 AM PDT
In reply to: NETWORK PROBLEMS

with the problem in hand?

Mark

Collapse -
I also have this annoying popup
by wattene / August 17, 2006 7:41 AM PDT

I believe that this popup is virus related, although at the moment I don't have the answer. The reason for my assumption is the fact that the popup invites you to connect to different sites. The 3 I have noted so far are new.reptar.info - go.microsoft.com - and webroot.com. The last 2 make some sense as I use Spyware, and obviously microsoft. At the moment I have found that the best option is to leave the popup open ie do not cancel, close, and certainly do not connect to any of your connections. I do not use AOL and therefore whilst it can be annoying, it is not the cause.

Collapse -
Maybe a solution
by wattene / August 18, 2006 7:42 AM PDT

I haven't yet checked this out myself, but I found this on the web and it looks promising: credit goes to those concerned and I hope this helps.

Request for Question Clarification by hummer-ga on 19 Jun 2004 12:59 PDT

Hi bill99,

1) Please run HouseCall, a very thorough online virus scan, just to be sure.

HouseCall:
http://housecall.trendmicro.com/

2) Next, run Ad-aware - the chances are you've picked up some spyware
along the way.

Adaware ("check for updates" before running):
http://www.spychecker.com/program/adaware.html

3) If that didn't solve it, try SpyBot.

Sybot Search and Destroy (check for updates before running):
http://www.safer-networking.org/

Please let us know how that goes so we'll know whether to continue to
look for a solution for you, or to post this as an answer.

Thank you,
hummer

Clarification of Question by bill99-ga on 20 Jun 2004 01:04 PDT

I've run the three suggested apps. They claimed to find and clean up
some things, but the problem still persists. Any other ideas?

Bill

Request for Question Clarification by hummer-ga on 20 Jun 2004 02:51 PDT

Hi Bill,

Hmm, that's too bad. Ok, try HijackThis.

HijackThis (check for updates before running):
http://www.spychecker.com/program/hijackthis.html

Post your HijackThis log on the following forum:
Spyware and Hijackware Removal Support:
http://www.spywareinfo.com/forums/

Good luck,
hummer

Clarification of Question by bill99-ga on 25 Jun 2004 12:04 PDT

Hi-

I submitted the following log to the Spyware forum on 6/22, and have
no reply yet. Do you see anything useful in it?

I'll be away a few days, and probably won't respond to anything before July 1.

Bill

Logfile of HijackThis v1.97.7
Scan saved at 1:12:55 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\wkssvrs.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\OCENS\OCENS Mail\xgate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\$Downloads\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.intergate.com/startpage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
www.intergate.com/startpage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
www.intergate.com/startpage
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Intergate
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext =
http://go.microsoft.com/fwlink/?LinkId=3448&clcid=0x0409
F2 - REG:system.ini:
UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O1 - Hosts: 64.192.180.49 findawireless.com
O1 - Hosts: 64.192.180.49 mailmarinenet.net
O1 - Hosts: 216.157.143.52 mail.marinenet.net
O1 - Hosts: 216.157.143.52 mail.ocens.net
O1 - Hosts: 216.157.143.52 gateway.ocens.net
O1 - Hosts: 216.157.143.52 gateway.marinenet.net
O1 - Hosts: 195.244.224.102 radio.kieldradio.net kielradio.net
O1 - Hosts: 195.244.224.102 www.kielmail.net
O1 - Hosts: 192.67.198.35 www.kielradio.de kielradio.de
O1 - Hosts: 216.157.143.52 email.ocens.net
O1 - Hosts: 64.246.60.78 ocens.net
O1 - Hosts: 216.168.47.100 ocens.com
O1 - Hosts: 198.31.176.178 wlc.marinenet.net wlc.mn.net
O1 - Hosts: 216.157.143.52 fastweb.marinenet.net fastweb
O1 - Hosts: 216.157.143.52 proxy.marinenet.net proxy
O1 - Hosts: 64.246.60.78 weathernet.ocens.net weathernet
O1 - Hosts: 64.246.60.78 weather.ocens.net weather
O1 - Hosts: 64.246.60.78 wxnet.ocens.net wxnet
O1 - Hosts: 216.157.143.61 xgate.gmn-usa.com xgate
O1 - Hosts: 216.157.143.61 proxy.gmn-usa.com proxy
O1 - Hosts: 216.157.143.61 xweb.gmn-usa.com xweb
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} -
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton Internet Security Professional\Norton
AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} -
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet
Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS
Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common
Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Advanced Tools Check]
C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [99937DEB] C:\WINDOWS\System32\mvgeioh.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD
Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - Startup: restart_vs.lnk = D:\Viewsonic.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: OCENS Mail.lnk = C:\Program Files\OCENS\OCENS Mail\xgate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: symsupportutil -
https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web
Collaboration Class) -
http://ec112.ecicorp.com/netagent/objects/emagic.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) -
http://office.microsoft.com/productupdates/content/opuc/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
- http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class)
- https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo
Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj
Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj
Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CE68B98-D6D9-4F43-8BB6-E1976584BF53}:
NameServer = 216.139.64.16 216.139.64.17
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F09481B-BACB-4A52-85C2-D38A7059F439}:
Domain = intergate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F09481B-BACB-4A52-85C2-D38A7059F439}:
NameServer = 216.139.64.16,216.139.64.17
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF8269A1-6ADA-4594-BC72-0A5B595C70F4}:
Domain = intergate.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CE68B98-D6D9-4F43-8BB6-E1976584BF53}:
NameServer = 216.139.64.16 216.139.64.17

Request for Question Clarification by hummer-ga on 26 Jun 2004 18:26 PDT

I think we've found it, Bill - here you go -

C:\WINDOWS\System32\wkssvrs.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [Microsoft Updates] wkssvrs.exe

WORM_SPYBOT.AP
This malware may arrive via network shares. Upon execution, this
memory-resident worm drops a copy of itself as WKSSVRS.EXE in the
Windows system folder.
It creates the following registry entries to ensure its automatic
execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices
Microsoft Updates = "wkssvrs.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates = "wkssvrs.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates = "wkssvrs.exe"
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.AP&VSect=T

You can either tell HijackThis to "fix this" (all entries with
wkssvrs.exe) or you'll find directions for manual removal here:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.AP

When you are finished, run HouseCall and Ad-aware again (run ad-aware
several times until it comes back clean, make sure to update it
first).

Will look forward to your next report!
hummer

Clarification of Question by bill99-ga on 03 Jul 2004 11:09 PDT

Hi-

I followed your last set of suggestions, and they seem to work. The
problem is no longer occurring.

I consider the question to be answered successfully. Thanks for your help.

Bill

Answer
Subject: Re: lmao.zapto.org: an annoying Network Connection popup
Answered By: hummer-ga on 03 Jul 2004 12:12 PDT
Rated:5 out of 5 stars

Dear Bill,

Thank you for the good news - that's terrific! I'm was sorry to hear
that the Spyware forum didn't respond to your post, I wonder why not.
Reading those logs is not my expertise and I thought posting the log
over there would be more appropriate. When you posted it here, I
buckled down and slowly researched every line, one by one, and was so
excited when I finally hit on wkssvrs.exe - one of those "eureka"
moments! I wondered, though, why your Norton hadn't picked it up for
you to begin with (?).

Thanks again, Bill - wishing you trouble-free computing for the
remainder of the year.
hummer

>>>>>>>>>>

Here it is again, to make it official:

C:\WINDOWS\System32\wkssvrs.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [Microsoft Updates] wkssvrs.exe

WORM_SPYBOT.AP
This malware may arrive via network shares. Upon execution, this
memory-resident worm drops a copy of itself as WKSSVRS.EXE in the
Windows system folder.
It creates the following registry entries to ensure its automatic
execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices
Microsoft Updates = "wkssvrs.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates = "wkssvrs.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Updates = "wkssvrs.exe"
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.AP&VSect=T

You can either tell HijackThis to "fix this" (all entries with
wkssvrs.exe) or you'll find directions for manual removal here:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SPYBOT.AP

When you are finished, run HouseCall and Ad-aware again (run ad-aware
several times until it comes back clean, make sure to update it
first).

bill99-ga rated this answer:5 out of 5 stars and gave an additional tip of: $15.00

Researcher was persistent, thorough, knowledgeable, and prompt. Excellent help.


Comments Log in to add a comment
Subject: Re: lmao.zapto.org: an annoying Network Connection popup
From: hummer-ga on 04 Jul 2004 10:52 PDT

Dear Bill,

Thank you for the nice rating, generous tip and especially for the
nice note - I'm so glad we (you and me) were finally able to solve it,
and in the process I forced myself to learn about those logs!

Take care, hummer

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

HOLIDAY GIFT GUIDE 2017

Cameras that make great holiday gifts

Let them start the new year with a step up in photo and video quality from a phone.