> HTL - pcnovice, empty pop ups and poker pop ups
pcnovice
post Nov 2 2004, 08:14 PM
Post #1


Group: Members

Been trying to get rid of these pop ups for months. Norton has been blocking the content of 95% of them but I still get the empty windows continually. Thanks for looking at this.

pcnovice

Logfile of HijackThis v1.98.2
Scan saved at 4:47:27 PM, on 11/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSEC.EXE
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\winnt\temp\Dc.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\documents and settings\jack dortignac\local settings\temp\9eRh8A.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINNT\DHUpdt.exe
C:\WINNT\QuickBrowser.exe
C:\Program Files\Windows AdTools\WinAdTools.exe
C:\Program Files\Windows AdTools\WinRatchet.exe
C:\Documents and Settings\Jack Dortignac\Application Data\oeet.exe
C:\WINNT\system32\fc42um.exe
C:\HPDESK\hppddir.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Program Files\Navnt\navapw32.exe
C:\Palm\AlarmApp.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\arratorn.exe
C:\WINNT\system32\VrvQa.exe
C:\WINNT\system32\LvcCN67i.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\Jack Dortignac\Desktop\Applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\MP60\ezgrp.exe
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINNT\system32\mskceo.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINNT\system32\mskhhe.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINNT\system32\mseggo.gif
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteBar\ELITEB~1.DLL
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\msjfbl.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINNT\system32\msfaol.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jack Dortignac\Local Settings\Temp\68s7dr.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINNT\system32\msnkmi.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteBar\ELITEB~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\LaunchRA.exe -boot
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Dc] C:\winnt\temp\Dc.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\HotEkc.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [9eRh8A] C:\documents and settings\jack dortignac\local settings\temp\9eRh8A.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINNT\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINNT\dhbrwsr.exe
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winxij32.exe
O4 - HKLM\..\Run: [izczif] C:\WINNT\izczif.exe
O4 - HKLM\..\Run: [QBRSR] C:\WINNT\QuickBrowser.exe
O4 - HKLM\..\Run: [apicomc] C:\WINNT\system32\apicomc.exe
O4 - HKLM\..\Run: [vsgih] C:\WINNT\irwuftj.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [fc42um] C:\WINNT\system32\fc42um.exe
O4 - HKLM\..\Run: [arratorn] C:\WINNT\system32\arratorn.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msedpb.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\Jack Dortignac\Application Data\oeet.exe
O4 - HKCU\..\Run: [Rletvsxp] C:\WINNT\system32\?ttrib.exe
O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: CCAPP.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/118e4119eb9834...ip/RdxIE601.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msehek.dll
~Ayeka~
post Nov 2 2004, 09:26 PM
Post #2


Group: HJT Team

Hi pcnovice,
Welcome to BC!

I'm looking over your log and will be back shortly.


~Ayeka~
post Nov 2 2004, 09:46 PM
Post #3


Group: HJT Team

Hi again,

You are infected with the Peper Trojan. Download PeperFix from here: http://www.bleepingcomputer.com/files/virus/PeperFix.exe

Then go into Safe Mode, and run the program twice.

You may want to print out these instructions so that they are easier to follow.

Be sure your system is configured to show hidden files.

Run HijackThis and put a check in the boxes next to the following:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINNT\system32\mskceo.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINNT\system32\mskhhe.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINNT\system32\mseggo.gif
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteBar\ELITEB~1.DLL
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\msjfbl.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINNT\system32\msfaol.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jack Dortignac\Local Settings\Temp\68s7dr.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINNT\system32\msnkmi.dll

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteBar\ELITEB~1.DLL

O4 - HKLM\..\Run: [Dc] C:\winnt\temp\Dc.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\HotEkc.exe
O4 - HKLM\..\Run: [9eRh8A] C:\documents and settings\jack dortignac\local settings\temp\9eRh8A.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINNT\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINNT\dhbrwsr.exe
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winxij32.exe
O4 - HKLM\..\Run: [izczif] C:\WINNT\izczif.exe
O4 - HKLM\..\Run: [QBRSR] C:\WINNT\QuickBrowser.exe
O4 - HKLM\..\Run: [apicomc] C:\WINNT\system32\apicomc.exe
O4 - HKLM\..\Run: [vsgih] C:\WINNT\irwuftj.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [fc42um] C:\WINNT\system32\fc42um.exe
O4 - HKLM\..\Run: [arratorn] C:\WINNT\system32\arratorn.exe
O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msedpb.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\Jack Dortignac\Application Data\oeet.exe
O4 - HKCU\..\Run: [Rletvsxp] C:\WINNT\system32\?ttrib.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/118e4119eb9834...ip/RdxIE601.cab

O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msehek.dll


Close all browsers and windows (except for HijackThis) and click Fix checked

Reboot into Safe Mode.

Go to Add/Remove programs, find and remove the following:
BullsEye Network
Web_Rebates
Windows AdTools


Find and delete the following files and folders (some may not be present):
C:\WINNT\system32\?ttrib.exe
C:\WINNT\system32\apicomc.exe
C:\WINNT\system32\arratorn.exe
C:\WINNT\system32\fc42um.exe
C:\WINNT\system32\HotEkc.exe
C:\WINNT\system32\msedpb.exe
C:\WINNT\system32\msfaol.dll
C:\WINNT\system32\msjfbl.dll
C:\WINNT\system32\mskceo.dll
C:\WINNT\system32\mskhhe.dll
C:\WINNT\system32\msnkmi.dll
C:\WINNT\system32\window.exe
C:\winnt\system32\winxij32.exe

C:\WINNT\system32\mseggo.gif

C:\WINNT\dhbrwsr.exe
C:\WINNT\DHUpdt.exe
C:\WINNT\EliteBar
C:\WINNT\irwuftj.exe
C:\WINNT\izczif.exe
C:\WINNT\QuickBrowser.exe

C:\Documents and Settings\All Users\Application Data\IEService
C:\Documents and Settings\Jack Dortignac\Application Data\oeet.exe

C:\Program Files\BullsEye Network
C:\Program Files\Web_Rebates
C:\Program Files\Windows AdTools

Then, clean out your Temp folders:
Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Reboot normally and post a new log here.

This post has been edited by ~Ayeka~: Nov 2 2004, 09:49 PM


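The log review in the post above turns on a handful of recurring tells: executables launched from temp directories, Run value names that look machine-generated (36F4SAZ3QJAFKE, 9eRh8A), a BHO "DLL" that is actually a .gif, every IE search setting pointing at one third-party host, and a `?` in a file name, which is how HijackThis prints a character it cannot display and which here makes the file read like attrib.exe. The Python below is an added example, not code from the thread or from HijackThis itself; it encodes those tells as checks over lines copied from the first log (the user's profile path replaced with `user`). The allow-list of search hosts and the one-entry name deny-list are assumptions for illustration; every other rule derives from the log lines themselves.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not code from the thread or from HijackThis: it turns the
reasoning the HJT Team applied above into checks a reader can run. The rules,
the search-host allow-list and the small name deny-list are assumptions for
illustration, not a signature database.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample: lines copied from the first log in this thread, with the
# user's profile directory replaced by "user".
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINNT\system32\mseggo.gif
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteBar\ELITEB~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\LaunchRA.exe -boot
O4 - HKLM\..\Run: [Dc] C:\winnt\temp\Dc.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\HotEkc.exe
O4 - HKLM\..\Run: [9eRh8A] C:\Documents and Settings\user\Local Settings\Temp\9eRh8A.exe
O4 - HKCU\..\Run: [Rletvsxp] C:\WINNT\system32\?ttrib.exe
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msehek.dll
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.+)$')
COM_RE = re.compile(r'^(?P<kind>O2 - BHO|O3 - Toolbar|O18 - Filter): (?P<name>.*?) - '
                    r'\{(?P<clsid>[^}]+)\} - (?P<path>.+)$')
R1_RE = re.compile(r'^R[01] - (?P<key>.+?) = (?P<url>\S+)$')
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|com|scr|pif|bat))(?:\s.*)?$', re.I)

SEARCH_HOSTS_OK = {'www.microsoft.com', 'search.msn.com'}  # assumed allow-list
KNOWN_BAD_NAMES = {'elitebar'}                              # taken from this thread only
TEMP_MARKERS = ('\\temp\\', '\\tmp\\')
VOWELS = set('aeiou')


@dataclass
class Finding:
    line: str
    reasons: List[str]


def command_path(cmd: str) -> str:
    """Extract the executable path from an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group('path') if m else cmd


def looks_random(name: str) -> bool:
    """Run value names such as 36F4SAZ3QJAFKE or 9eRh8A: letters mixed with
    several digits, or almost no vowels. A heuristic, so expect misses."""
    if len(name) < 5:
        return False
    letters = [c for c in name if c.isalpha()]
    digits = sum(c.isdigit() for c in name)
    if letters and digits >= 2:
        return True
    return bool(letters) and sum(c.lower() in VOWELS for c in letters) / len(letters) < 0.2


def check_path(path: str, kind: str) -> List[str]:
    """Structural checks on the file an entry points at."""
    reasons = []
    low = path.lower()
    name = low.rsplit('\\', 1)[-1]
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append('runs from a temp directory')
    if '?' in name:
        reasons.append('file name has a character HijackThis could not display (lookalike of a system tool)')
    if kind != 'O4' and not name.endswith('.dll'):
        reasons.append('COM component loaded from a non-.dll file')
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that deserve a second look, with the rule that fired."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        reasons: List[str] = []
        if m := RUN_RE.match(line):
            reasons += check_path(command_path(m.group('cmd')), 'O4')
            if looks_random(m.group('value')):
                reasons.append('random-looking Run value name')
        elif m := COM_RE.match(line):
            reasons += check_path(m.group('path'), m.group('kind'))
            if m.group('name').lstrip('&').lower() in KNOWN_BAD_NAMES:
                reasons.append('known adware component name')
            if m.group('kind') == 'O18 - Filter':
                reasons.append(f'MIME filter hooks all {m.group("name")} content; review manually')
        elif m := R1_RE.match(line):
            host = urlparse(m.group('url')).hostname or ''
            if 'search' in m.group('key').lower() and host not in SEARCH_HOSTS_OK:
                reasons.append(f'IE search setting redirected to {host}')
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print('    ->', r)
```

Run as a script it prints each flagged line with the rule that fired. Two of the entries the HJT Team removed show the limit of structural heuristics: ELITEB~1.DLL is a normally named DLL in its own folder and is caught here only because the name is on the deny-list, and the O18 text/html filter msehek.dll is flagged only because any filter on text/html sits in front of every page the browser renders and deserves a manual look. Both would pass a check that relied on paths and extensions alone, which is why the log still goes to a human.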
pcnovice
post Nov 3 2004, 08:05 PM
Post #4


Group: Members

Thanks for the help.

Logfile of HijackThis v1.98.2
Scan saved at 5:07:48 PM, on 11/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSEC.EXE
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\temp\msbb.exe
C:\HPDESK\hppddir.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\system32\atsrvutc.exe
C:\WINNT\system32\PDAEM35I.exe
C:\Palm\AlarmApp.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Documents and Settings\Jack Dortignac\Desktop\Applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
F1 - win.ini: run=C:\MP60\ezgrp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\LaunchRA.exe -boot
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [atsrvutc] C:\WINNT\system32\atsrvutc.exe
O4 - HKLM\..\Run: [PDAEM35I] C:\WINNT\system32\PDAEM35I.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: CCAPP.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
~Ayeka~
post Nov 3 2004, 08:25 PM
Post #5


Group: HJT Team

Hi again pcnovice,

Run HijackThis and put a check in the boxes next to the following:
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [atsrvutc] C:\WINNT\system32\atsrvutc.exe
O4 - HKLM\..\Run: [PDAEM35I] C:\WINNT\system32\PDAEM35I.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm


Close all browsers and windows (except for HijackThis) and click Fix checked

Reboot into Safe Mode.

Go to Add/Remove programs, find and remove the following:
Web_Rebates

Find and delete the following files and folder:
C:\WINNT\system32\atsrvutc.exe
C:\WINNT\system32\PDAEM35I.exe
C:\Program Files\Web_Rebates

Navigate to c:\temp and delete the contents of that folder. (Note: Do not delete the 'temp' folder.)

Reboot normally and post a new log here.

This post has been edited by ~Ayeka~: Nov 3 2004, 08:28 PM


pcnovice
post Nov 4 2004, 02:18 AM
Post #6


Group: Members

Hi Ayeka,

I've done my best to do all you've said; however, I couldn't find all the files that I was to remove. Sometimes I found the files minus the .exe. In each case they were applications and I deleted them anyway. Everything seems to be working and I haven't seen a pop-up since the last time I posted. Here is my scan.

Thanks again,

pcnovice

Logfile of HijackThis v1.98.2
Scan saved at 11:13:30 PM, on 11/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSEC.EXE
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\HPDESK\hppddir.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Program Files\Navnt\navapw32.exe
C:\Palm\AlarmApp.exe
C:\WINNT\system32\OLDERF.exe
C:\WINNT\system32\ERFNETP.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Documents and Settings\Jack Dortignac\Desktop\Applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
F1 - win.ini: run=C:\MP60\ezgrp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\LaunchRA.exe -boot
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ERFNETP] C:\WINNT\system32\ERFNETP.exe
O4 - HKLM\..\Run: [OLDERF] C:\WINNT\system32\OLDERF.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: CCAPP.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
~Ayeka~
post Nov 4 2004, 06:08 PM
Post #7


Group: HJT Team

Almost clean, just a few more to fix.

Run HijackThis and put a check in the boxes next to the following:
O4 - HKLM\..\Run: [ERFNETP] C:\WINNT\system32\ERFNETP.exe
O4 - HKLM\..\Run: [OLDERF] C:\WINNT\system32\OLDERF.exe


Close all browsers and windows (except for HijackThis) and click Fix checked

Reboot into Safe Mode.

Find and delete the following files (some may not be present):
C:\WINNT\system32\ERFNETP.exe
C:\WINNT\system32\OLDERF.exe

Reboot normally and post a new log here.


pcnovice
post Nov 4 2004, 08:57 PM
Post #8


Group: Members

I ran the scan, but I couldn't find either of the files that you said to check. I also couldn't find them following the file addresses in safe mode. I hope I'm not doing something wrong.

I haven't had a single pop-up ad all day! You did good! Thanks so much ~Ayeka~.

pcnovice
~Ayeka~
post Nov 5 2004, 06:00 PM
Post #9


Group: HJT Team

No problem, glad we could help you out. :D

Follow these steps to ensure that your system is protected from future attacks:
Download & install these programs:
IE-SPYAD: adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer.
Spyware Blaster: prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests; blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox; restricts the actions of potentially dangerous sites in Internet Explorer.

These recommendations are based on veteran spyware fighter Tony Klein's now classic article, So how did I get infected in the first place? Check it out for even more information and other helpful programs to prevent future attacks.

I also highly recommend the information in Bleepingcomputer's own Simple steps to keep your computer secure!, which includes helpful hints and programs.

Visit Windows Update regularly. Make sure that you always have all the Critical Updates recommended for your Operating System and Internet Explorer. The first defense against infection is a properly patched OS.
http://www.microsoft.com/windowsxp/sp2/topten.mspx


~Ayeka~
post Nov 17 2004, 10:44 PM
Post #10


Group: HJT Team

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

