
mess.exe Popup


  • This topic is locked
28 replies to this topic

#1 Johnfavata

Johnfavata

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 22 October 2016 - 07:16 PM

I have been having some problems lately but this popup mess.exe has just started today and it happens every couple minutes.

 

mess.exe
 
Windows cannot find 'mess.exe'. Make sure you typed name correctly, and try again.

 

I also am being told I cannot delete files from the computer. Any help is greatly appreciated.

 

Thank you

 

John

Attached Files





#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:48 PM

Posted 23 October 2016 - 10:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove the following programs via the Control Panel > Programs > Programs and Features.
Ask Shopping Toolbar (HKLM-x32\...\{4F524A00-6A76-A76A-76A7-A758B70C2806}) (Version: 12.40.6.29 - APN, LLC) <==== ATTENTION
Ask Toolbar (HKLM-x32\...\{4F524A2D-5637-4300-76A7-A758B70C2300}) (Version: 12.35.0.287 - APN, LLC) <==== ATTENTION
Coupon Printer for Windows (HKLM-x32\...\Coupon Printer for Windows5.0.0.0) (Version: 5.0.0.0 - Coupons.com Incorporated)
Download Updater (AOL Inc.) (HKLM-x32\...\SoftwareUpdUtility) (Version: - AOL Inc.) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(APN LLC.) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe
(APN) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1758280 2016-06-17] (APN)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-4029047770-444312503-943451505-1000 - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll No File
SearchScopes: HKU\S-1-5-21-4029047770-444312503-943451505-1000 -> {043C5167-00BB-4324-AF7E-62013FAEDACF} URL = hxxp://vshare.toolbarhome.com/search.aspx?q={searchTerms}&srch=dsp
SearchScopes: HKU\S-1-5-21-4029047770-444312503-943451505-1000 -> {B71956F1-86EB-48AF-9523-B6F2772C0A6E} URL = hxxp://www.search.ask.com/web?tpid=ORJ&o=100000031&pf=V7&p2=^TV^YYYYYY^YY^US&gct=&itbv=12.29.0.222&apn_uid=5B022751-FE69-4008-8172-01838E798FBA&apn_ptnrs=^TV&apn_dtid=^YYYYYY^YY^US&apn_dbr=cr_24.0.1312.57&doi=2013-02-13&trgb=IE,FF&q={searchTerms}&psv=&pt=tb
BHO: Ask Toolbar -> {4F524A2D-5637-4300-76A7-7A786E7484D7} -> C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Passport_x64.dll [2015-09-22] (APN LLC.)
BHO: Ask Shopping Toolbar -> {D4027C7F-154A-4066-A1AD-4243D8127440} -> C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ\Passport_x64.dll [2016-06-17] (APN LLC.)
BHO-x32: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15] (Yahoo! Inc.)
BHO-x32: vShare Plugin -> {043C5167-00BB-4324-AF7E-62013FAEDACF} -> C:\Program Files (x86)\vShare\vshare_toolbar.dll [2010-10-20] ()
BHO-x32: Ask Toolbar -> {4F524A2D-5637-4300-76A7-7A786E7484D7} -> C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Passport.dll [2015-09-22] (APN LLC.)
BHO-x32: No Name -> {7E853D72-626A-48EC-A868-BA8D5E23E045} -> No File
BHO-x32: Ask Shopping Toolbar -> {D4027C7F-154A-4066-A1AD-4243D8127440} -> C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ\Passport.dll [2016-06-17] (APN LLC.)
Toolbar: HKLM - Ask Toolbar - {4F524A2D-5637-4300-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Passport_x64.dll [2015-09-22] (APN LLC.)
Toolbar: HKLM - Ask Shopping Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ\Passport_x64.dll [2016-06-17] (APN LLC.)
Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15] (Yahoo! Inc.)
Toolbar: HKLM-x32 - vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll [2010-10-20] ()
Toolbar: HKLM-x32 - Ask Shopping Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ\Passport.dll [2016-06-17] (APN LLC.)
Toolbar: HKLM-x32 - Ask Toolbar - {4F524A2D-5637-4300-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\ORJ-V7C\Passport.dll [2015-09-22] (APN LLC.)
Toolbar: HKU\S-1-5-21-4029047770-444312503-943451505-1000 -> No Name - {043C5167-00BB-4324-AF7E-62013FAEDACF} -  No File
Handler-x32: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files (x86)\vShare\vshare_toolbar.dll [2010-10-20] ()
FF user.js: detected! => C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6qznswps.default\user.js [2014-10-17]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\6qznswps.default -> Ask.com
FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\6qznswps.default -> Ask.com
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\6qznswps.default -> Ask Search
FF Extension: (My Web Search) - C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6qznswps.default\Extensions\m3ffxtbr@mywebsearch.com [2011-12-28] [not signed]
FF SearchPlugin: C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6qznswps.default\searchplugins\ask-search.xml [2015-06-13]
FF SearchPlugin: C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6qznswps.default\searchplugins\askcom.xml [2015-06-13]
FF SearchPlugin: C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6qznswps.default\searchplugins\mywebsearch.xml [2012-05-25]
FF HKLM-x32\...\Firefox\Extensions: [m3ffxtbr@mywebsearch.com] - C:\Program Files (x86)\MyWebSearch\bar\1.bin => not found
FF Plugin-x32: @mywebsearch.com/Plugin -> C:\Program Files (x86)\MyWebSearch\bar\1.bin\NPMyWebS.dll [No File]
FF Plugin-x32: @viewpoint.com/VMP -> C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll [2004-02-20] ()
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll [2011-01-28] (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol500.dll [2011-01-28] (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll [2010-10-06] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll [2010-10-06] (Coupons, Inc.)
CHR DefaultSearchURL: Default -> hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=ORJ&o=&locale=&apn_uid=5B022751-FE69-4008-8172-01838E798FBA&apn_ptnrs=TV&apn_sauid=272E69E4-863A-496D-A006-37E332DEA0D3&apn_dtid=OSJ000YYUS&q={searchTerms}
CHR DefaultSearchKeyword: Default -> ask.com
CHR DefaultSuggestURL: Default -> hxxp://ss.websearch.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTerms}
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\gcswf32.dll => No File
CHR Plugin: (CouponNetwork Coupon Activator Netscape Plugin v. 5.0.0.0) - C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll (Catalina Marketing Corporation)
CHR Plugin: (CouponNetwork Coupon Activator Netscape Plugin v. 5.0.0.0) - C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol500.dll (Catalina Marketing Corporation)
CHR Plugin: (Java Deployment Toolkit 6.0.310.5) - C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll => No File
CHR Plugin: (Java(TM) Platform SE 6 U31) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (My Web Search Plugin Stub) - C:\Program Files (x86)\MyWebSearch\bar\1.bin\NPMyWebS.dll => No File
CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-16]
R2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [198216 2016-06-17] (APN LLC.)
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:CB0AACC9 [132]
HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\shell32.dll,-153 <===== ATTENTION
C:\Program Files (x86)\AskPartnerNetwork\Toolbar
C:\Program Files (x86)\vShare
C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6qznswps.default\Extensions\m3ffxtbr@mywebsearch.com
C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6qznswps.default\searchplugins\ask-search.xml
C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6qznswps.default\searchplugins\askcom.xml
C:\Users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\6qznswps.default\searchplugins\mywebsearch.xml
C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology
C:\Users\owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please post the logs and let me know what problem persists.

Edited by nasdaq, 23 October 2016 - 12:09 PM.
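
An added example, not part of nasdaq's post and not FRST's own code: a small triage script for fixlist lines like those above. It classifies each entry, flags those whose target is reported missing (`No File`, `[X]`, `=> not found`) or marked ATTENTION, and groups entries by CLSID to show one component registered at several browser hook points. The category labels and the reading of the markers are assumptions made for this example.

```python
import re
from collections import defaultdict

# Lines copied from the fixlist in the post above (a subset for the demo).
SAMPLE = r"""
SearchScopes: HKU\S-1-5-21-4029047770-444312503-943451505-1000 -> {043C5167-00BB-4324-AF7E-62013FAEDACF} URL = hxxp://vshare.toolbarhome.com/search.aspx?q={searchTerms}&srch=dsp
BHO-x32: vShare Plugin -> {043C5167-00BB-4324-AF7E-62013FAEDACF} -> C:\Program Files (x86)\vShare\vshare_toolbar.dll [2010-10-20] ()
Toolbar: HKU\S-1-5-21-4029047770-444312503-943451505-1000 -> No Name - {043C5167-00BB-4324-AF7E-62013FAEDACF} -  No File
BHO-x32: No Name -> {7E853D72-626A-48EC-A868-BA8D5E23E045} -> No File
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1758280 2016-06-17] (APN)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
FF HKLM-x32\...\Firefox\Extensions: [m3ffxtbr@mywebsearch.com] - C:\Program Files (x86)\MyWebSearch\bar\1.bin => not found
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
R2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [198216 2016-06-17] (APN LLC.)
"""

CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers exactly as they appear in the fixlist; read here as "target missing".
ORPHAN = re.compile(r"(?:No File\]?|\[X\]|=> not found)\s*$")
ATTENTION = re.compile(r"<=+ ATTENTION")
# (pattern, label); a label of None means "use the matched prefix itself".
KINDS = [
    (re.compile(r"^[RSU]\d \S+;"), "service/driver"),
    (re.compile(r"^HK[^:]*\\Run(?:Once)?: "), "run key"),
    (re.compile(r"^(BHO|Toolbar|URLSearchHook|SearchScopes|Handler)"), None),
    (re.compile(r"^FF "), "Firefox"),
    (re.compile(r"^CHR "), "Chrome"),
    (re.compile(r"^[A-Za-z]:\\"), "path"),
]

def classify(line):
    """Return the category label for one fixlist line."""
    for rx, label in KINDS:
        m = rx.match(line)
        if m:
            return label or m.group(1)
    return "other"

def parse(text):
    """Return one dict per non-empty fixlist line."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line:
            entries.append({"kind": classify(line),
                            "clsids": CLSID.findall(line),
                            "orphaned": bool(ORPHAN.search(line)),
                            "attention": bool(ATTENTION.search(line)),
                            "line": line})
    return entries

def hooks_by_clsid(entries):
    """Map each CLSID to the sorted list of hook points that reference it."""
    seen = defaultdict(set)
    for e in entries:
        for c in e["clsids"]:
            seen[c.upper()].add(e["kind"])
    return {c: sorted(k) for c, k in seen.items()}

if __name__ == "__main__":
    found = parse(SAMPLE)
    for e in found:
        flags = ",".join(f for f in ("orphaned", "attention") if e[f]) or "-"
        print(f'{e["kind"]:<15}{flags:<11}{e["line"][:60]}')
    for clsid, hooks in hooks_by_clsid(found).items():
        print(clsid, "->", ", ".join(hooks))
```
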


#3 Johnfavata

Johnfavata
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 23 October 2016 - 01:16 PM

Hi Nasdaq,
 
I can't get Adware program to run. I am attaching a screenshot of the error I keep getting trying to run the program. It just knocks me out every time. Attaching other logs. Thank you for your help!!!

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:48 PM

Posted 24 October 2016 - 08:50 AM



Run the sfc /scannow command as an Administrator.

How To here.
http://answers.microsoft.com/en-us/windows/wiki/windows_10-update/system-file-check-sfc-scan-and-repair-system-files/bc609315-da1f-4775-812c-695b60477a93

When completed restart the computer normally.

Remove the AdwCleaner tool (You will find the Removal function on the File Menu)

Reinstall the application and post the results if possible.

Let me know what problem persists.

#5 Johnfavata

Johnfavata
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 25 October 2016 - 06:48 PM

To run a system file check (SFC)
Go to start>Type CMD
Right click and run as Administrator
(called an elevated command prompt)
If you want to verify and repair the OS type sfc /scannow (note the space between sfc and "/")
If you just want to check (verify only) the OS type sfc /verifyonly (no changes will be made using verify only)


When I right click there is nothing that says "run as Administrator"

#6 Johnfavata

Johnfavata
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 25 October 2016 - 06:54 PM

Sorry. I was able to find it through accessories. I will let you know the finding once done.

#7 Johnfavata

Johnfavata
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 25 October 2016 - 07:42 PM

Well could not complete that either. It got to 86% complete twice and stopped and said:

"Windows Resource Protection could not perform the requested operation"

I had to force restart the computer and so I did not remove the AdwCleaner tool.

#8 Johnfavata

Johnfavata
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 25 October 2016 - 08:53 PM

I wanted to add that the computer continues to run normal except the constant mess.exe popups. Will await further instructions.

Thank you,
John

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:48 PM

Posted 26 October 2016 - 08:52 AM


Let's see what we can find in the Registry.

Please run the Farbar Recovery Scan Tool. Enter mess.exe in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

#10 Johnfavata

Johnfavata
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 26 October 2016 - 06:49 PM

Here is the search file:

Attached Files


Edited by Johnfavata, 26 October 2016 - 06:50 PM.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:48 PM

Posted 27 October 2016 - 09:24 AM



The search reported testmess.exe and no mess.exe. Not exactly what we are looking for.

Run this cleaning tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#12 Johnfavata

Johnfavata
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 27 October 2016 - 07:52 PM

Results are attached. As far as the computer, it is continuing to run normal but the constant mess.exe popup is continuing. I will await further instruction.

Thank you

Attached Files



#13 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:48 PM

Posted 28 October 2016 - 09:56 AM


Have you ever installed some sort of emulator?

Can this give you some clues?

https://www.reasoncoresecurity.com/mess.exe-283af2dfd56c63aab951f8a03b4a3f38fd7e8b21.aspx

#14 Johnfavata

Johnfavata
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 28 October 2016 - 11:36 AM

I am not sure what an emulator is or if I installed one??? I am sort of confused. Do you want me to download that?

#15 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:48 PM

Posted 28 October 2016 - 12:43 PM

No!

Let's check further. The files and the registry settings.

Please run the Farbar Recovery Scan Tool. Enter *mess* in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>


Let's see what we can find in the Registry.

Please run the Farbar Recovery Scan Tool. Enter mess in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.



