
HTL - pcnovice


  • This topic is locked
9 replies to this topic

#1 pcnovice

Posted 02 November 2004 - 08:14 PM

I've been trying to get rid of these pop-ups for months. Norton has been blocking the content of 95% of them, but I still get the empty windows continually. Thanks for looking at this.

pcnovice

Logfile of HijackThis v1.98.2
Scan saved at 4:47:27 PM, on 11/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSEC.EXE
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\winnt\temp\Dc.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\documents and settings\jack dortignac\local settings\temp\9eRh8A.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINNT\DHUpdt.exe
C:\WINNT\QuickBrowser.exe
C:\Program Files\Windows AdTools\WinAdTools.exe
C:\Program Files\Windows AdTools\WinRatchet.exe
C:\Documents and Settings\Jack Dortignac\Application Data\oeet.exe
C:\WINNT\system32\fc42um.exe
C:\HPDESK\hppddir.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Program Files\Navnt\navapw32.exe
C:\Palm\AlarmApp.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\arratorn.exe
C:\WINNT\system32\VrvQa.exe
C:\WINNT\system32\LvcCN67i.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\Jack Dortignac\Desktop\Applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\MP60\ezgrp.exe
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINNT\system32\mskceo.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINNT\system32\mskhhe.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINNT\system32\mseggo.gif
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteBar\ELITEB~1.DLL
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\msjfbl.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINNT\system32\msfaol.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jack Dortignac\Local Settings\Temp\68s7dr.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINNT\system32\msnkmi.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteBar\ELITEB~1.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\LaunchRA.exe -boot
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Dc] C:\winnt\temp\Dc.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\HotEkc.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [9eRh8A] C:\documents and settings\jack dortignac\local settings\temp\9eRh8A.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINNT\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINNT\dhbrwsr.exe
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winxij32.exe
O4 - HKLM\..\Run: [izczif] C:\WINNT\izczif.exe
O4 - HKLM\..\Run: [QBRSR] C:\WINNT\QuickBrowser.exe
O4 - HKLM\..\Run: [apicomc] C:\WINNT\system32\apicomc.exe
O4 - HKLM\..\Run: [vsgih] C:\WINNT\irwuftj.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [fc42um] C:\WINNT\system32\fc42um.exe
O4 - HKLM\..\Run: [arratorn] C:\WINNT\system32\arratorn.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msedpb.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\Jack Dortignac\Application Data\oeet.exe
O4 - HKCU\..\Run: [Rletvsxp] C:\WINNT\system32\?ttrib.exe
O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: CCAPP.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/118e4119eb9834...ip/RdxIE601.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msehek.dll

#2 ~Ayeka~

Posted 02 November 2004 - 09:26 PM

Hi pcnovice,
Welcome to BC! :flowers:


I'm looking over your log and will be back shortly. :thumbsup:

#3 ~Ayeka~

Posted 02 November 2004 - 09:46 PM

Hi again :thumbsup:,

You are infected with the Peper Trojan. Download PeperFix from here: http://www.bleepingcomputer.com/files/virus/PeperFix.exe

Then go into Safe Mode, and run the program twice.

You may want to print out these instructions so that they are easier to follow.

Be sure your system is configured to show hidden files.

Run HijackThis and put a check in the boxes next to the following:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINNT\system32\mskceo.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINNT\system32\mskhhe.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINNT\system32\mseggo.gif
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteBar\ELITEB~1.DLL
O2 - BHO: CUrlCliObj Object - {94927A13-4AAA-476A-989D-392456427688} - C:\WINNT\system32\msjfbl.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINNT\system32\msfaol.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jack Dortignac\Local Settings\Temp\68s7dr.dll
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINNT\system32\msnkmi.dll

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteBar\ELITEB~1.DLL

O4 - HKLM\..\Run: [Dc] C:\winnt\temp\Dc.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\system32\HotEkc.exe
O4 - HKLM\..\Run: [9eRh8A] C:\documents and settings\jack dortignac\local settings\temp\9eRh8A.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINNT\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINNT\dhbrwsr.exe
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winxij32.exe
O4 - HKLM\..\Run: [izczif] C:\WINNT\izczif.exe
O4 - HKLM\..\Run: [QBRSR] C:\WINNT\QuickBrowser.exe
O4 - HKLM\..\Run: [apicomc] C:\WINNT\system32\apicomc.exe
O4 - HKLM\..\Run: [vsgih] C:\WINNT\irwuftj.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [fc42um] C:\WINNT\system32\fc42um.exe
O4 - HKLM\..\Run: [arratorn] C:\WINNT\system32\arratorn.exe
O4 - HKCU\..\Run: [window.exe] C:\WINNT\system32\window.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msedpb.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\Jack Dortignac\Application Data\oeet.exe
O4 - HKCU\..\Run: [Rletvsxp] C:\WINNT\system32\?ttrib.exe

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/118e4119eb9834...ip/RdxIE601.cab

O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msehek.dll


Close all browsers and windows (except for HijackThis) and click Fix checked

Reboot into Safe Mode.

Go to Add/Remove programs, find and remove the following:
BullsEye Network
Web_Rebates
Windows AdTools


Find and delete the following files and folders in red (some may not be present):
C:\WINNT\system32\?ttrib.exe
C:\WINNT\system32\apicomc.exe
C:\WINNT\system32\arratorn.exe
C:\WINNT\system32\fc42um.exe
C:\WINNT\system32\HotEkc.exe
C:\WINNT\system32\msedpb.exe
C:\WINNT\system32\msfaol.dll
C:\WINNT\system32\msjfbl.dll
C:\WINNT\system32\mskceo.dll
C:\WINNT\system32\mskhhe.dll
C:\WINNT\system32\msnkmi.dll
C:\WINNT\system32\window.exe
C:\winnt\system32\winxij32.exe

C:\WINNT\system32\mseggo.gif

C:\WINNT\dhbrwsr.exe
C:\WINNT\DHUpdt.exe
C:\WINNT\EliteBar
C:\WINNT\irwuftj.exe
C:\WINNT\izczif.exe
C:\WINNT\QuickBrowser.exe

C:\Documents and Settings\All Users\Application Data\IEService
C:\Documents and Settings\Jack Dortignac\Application Data\oeet.exe

C:\Program Files\BullsEye Network
C:\Program Files\Web_Rebates
C:\Program Files\Windows AdTools

Then, clean out your Temp folders:
Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Reboot normally and post a new log here.

Edited by ~Ayeka~, 02 November 2004 - 09:49 PM.
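What the helper did by eye in the post above, as an added example that is not part of this thread and not HijackThis code: a small Python triage pass over the HJT line format. The ten sample lines are copied from the first log in the thread; the trusted-domain set and the list of family names are assumptions made for the example, not a reference list. The heuristics mirror what stands out in that log: IE search settings pointing at an unexpected domain, BHOs with no name or a non-DLL target, Run entries launched from a Temp directory or carrying random-looking or unprintable file names, O16 objects that are not a remote .cab, and any O18 filter on text/html. The EliteBar line shows why heuristics alone are not enough: that BHO has a name and a real DLL, and only the name list catches it.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt: ten lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINNT\system32\mseggo.gif
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteBar\ELITEB~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9eRh8A] C:\documents and settings\jack dortignac\local settings\temp\9eRh8A.exe
O4 - HKCU\..\Run: [Rletvsxp] C:\WINNT\system32\?ttrib.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - C:\WINNT\system32\msehek.dll
"""

# Assumptions for this example: domains this machine's owner expects in IE's
# search/start settings, and name fragments of the families removed in this thread.
TRUSTED_SEARCH_DOMAINS = {"dellnet.com", "microsoft.com", "google.com"}
KNOWN_BAD_TOKENS = ("elitebar", "dealhelper", "adtools", "web_rebates", "bullseye")

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|gif|ocx))"?', re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse(log_text):
    """Yield (section, body) for each entry line; header lines do not match."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def domain_of(url):
    """Last two labels of a URL host, e.g. smbusiness.dellnet.com -> dellnet.com."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower()).split("/")[0]
    return ".".join(host.split(".")[-2:])


def looks_random(filename):
    """Heuristic: a short stem mixing letters and digits (9eRh8A, fc42um), unlike qttask."""
    stem = filename.rsplit(".", 1)[0]
    return len(stem) <= 8 and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def triage(log_text):
    """Return (section, reason, body) for every entry that trips a heuristic."""
    findings = []
    for section, body in parse(log_text):
        m = PATH_RE.search(body)
        name = PureWindowsPath(m.group(1)).name if m else ""
        lowered = body.lower()
        for token in KNOWN_BAD_TOKENS:
            if token in lowered:
                findings.append((section, "matches family removed in this thread: " + token, body))
        if section.startswith("R") and "=" in body:
            dom = domain_of(body.split("=", 1)[1])
            if dom not in TRUSTED_SEARCH_DOMAINS:
                findings.append((section, "IE search/start setting points at " + dom, body))
        elif section == "O2":
            if "(no name)" in body:
                findings.append((section, "BHO registered without a name", body))
            if name and not name.lower().endswith(".dll"):
                findings.append((section, "BHO target is not a DLL: " + name, body))
        elif section == "O4":
            if TEMP_RE.search(body):
                findings.append((section, "autorun launched from a Temp directory", body))
            if "?" in name:
                findings.append((section, "unprintable character in file name (look-alike of a system tool)", body))
            if looks_random(name):
                findings.append((section, "random-looking file name: " + name, body))
        elif section == "O16":
            src = body.rsplit(" - ", 1)[-1].strip().lower()
            if src.startswith("file://") or not src.endswith(".cab"):
                findings.append((section, "ActiveX object not fetched as a remote .cab: " + src, body))
        elif section == "O18" and "text/html" in lowered:
            findings.append((section, "MIME filter on text/html can rewrite every page IE renders", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print("%-4s %-60s %s" % (section, reason, body))
```

Run as a script it prints the nine flagged entries from the sample. None of the reasons is a verdict: they are triage hints that an analyst still confirms by looking at the file on disk, its version information and its signer, which is what the manual delete list in the post above amounts to.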


#4 pcnovice

Posted 03 November 2004 - 08:05 PM

Thanks for the help.

Logfile of HijackThis v1.98.2
Scan saved at 5:07:48 PM, on 11/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSEC.EXE
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\temp\msbb.exe
C:\HPDESK\hppddir.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\system32\atsrvutc.exe
C:\WINNT\system32\PDAEM35I.exe
C:\Palm\AlarmApp.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Documents and Settings\Jack Dortignac\Desktop\Applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
F1 - win.ini: run=C:\MP60\ezgrp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\LaunchRA.exe -boot
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [atsrvutc] C:\WINNT\system32\atsrvutc.exe
O4 - HKLM\..\Run: [PDAEM35I] C:\WINNT\system32\PDAEM35I.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: CCAPP.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

#5 ~Ayeka~

Posted 03 November 2004 - 08:25 PM

Hi again pcnovice,

Run HijackThis and put a check in the boxes next to the following:
O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
O4 - HKLM\..\Run: [atsrvutc] C:\WINNT\system32\atsrvutc.exe
O4 - HKLM\..\Run: [PDAEM35I] C:\WINNT\system32\PDAEM35I.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm


Close all browsers and windows (except for HijackThis) and click Fix checked

Reboot into Safe Mode.

Go to Add/Remove programs, find and remove the following:
Web_Rebates

Find and delete the following files and folder in red:
C:\WINNT\system32\atsrvutc.exe
C:\WINNT\system32\PDAEM35I.exe
C:\Program Files\Web_Rebates

Navigate to c:\temp and delete the contents of that folder. (Note: Do not delete the 'temp' folder.)

Reboot normally and post a new log here.

Edited by ~Ayeka~, 03 November 2004 - 08:28 PM.


#6 pcnovice

Posted 04 November 2004 - 02:18 AM

Hi Ayeka,

I've done my best to do all you've said; however, I couldn't find all the files that I was to remove. Sometimes I found the files minus the .exe. In each case they were applications and I deleted them anyway. Everything seems to be working and I haven't seen a pop-up since the last time I posted. Here is my scan.

Thanks again,

pcnovice

Logfile of HijackThis v1.98.2
Scan saved at 11:13:30 PM, on 11/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSEC.EXE
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\HPDESK\hppddir.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Program Files\Navnt\navapw32.exe
C:\Palm\AlarmApp.exe
C:\WINNT\system32\OLDERF.exe
C:\WINNT\system32\ERFNETP.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Documents and Settings\Jack Dortignac\Desktop\Applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
F1 - win.ini: run=C:\MP60\ezgrp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\LaunchRA.exe -boot
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ERFNETP] C:\WINNT\system32\ERFNETP.exe
O4 - HKLM\..\Run: [OLDERF] C:\WINNT\system32\OLDERF.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: CCAPP.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

#7 ~Ayeka~

Posted 04 November 2004 - 06:08 PM

Almost clean, just a few more to fix.

Run HijackThis and put a check in the boxes next to the following:
O4 - HKLM\..\Run: [ERFNETP] C:\WINNT\system32\ERFNETP.exe
O4 - HKLM\..\Run: [OLDERF] C:\WINNT\system32\OLDERF.exe


Close all browsers and windows (except for HijackThis) and click Fix checked

Reboot into Safe Mode.

Find and delete the following files in red (some may not be present):
C:\WINNT\system32\ERFNETP.exe
C:\WINNT\system32\OLDERF.exe

Reboot normally and post a new log here.

#8 pcnovice

Posted 04 November 2004 - 08:57 PM

I ran the scan, but I couldn't find either of the files that you said to check. I also couldn't find them following the file addresses in safe mode. I hope I'm not doing something wrong.

I haven't had a single pop-up ad all day! You did good! Thanks so much ~Ayeka~.

pcnovice

#9 ~Ayeka~

Posted 05 November 2004 - 06:00 PM

No problem, glad we could help you out. :D

Follow these steps to ensure that your system is protected from future attacks:
Download & install these programs:
IE-SPYAD <--adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer
Spyware Blaster <--Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests; blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox; restricts the actions of potentially dangerous sites in Internet Explorer.

These recommendations are based on veteran spyware fighter Tony Klein's now classic article, So how did I get infected in the first place? Check it out for even more information and other helpful programs to prevent future attacks.

I also highly recommend the information in Bleepingcomputer's own Simple steps to keep your computer secure!, which includes helpful hints and programs.

Visit Windows Update regularly. Make sure that you always have all the Critical Updates recommended for your Operating System and Internet Explorer. The first defense against infection is a properly patched OS.
http://www.microsoft.com/windowsxp/sp2/topten.mspx
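What the two tools recommended above do at scale, as an added example in Python that is neither IE-SPYAD's nor SpywareBlaster's code and is not part of this thread: IE-SPYAD assigns domains to the Restricted sites zone through the ZoneMap\Domains key under HKCU, and SpywareBlaster sets the ActiveX kill bit (0x400 in the Compatibility Flags value under the ActiveX Compatibility key in HKLM). The script only generates a .reg file and parses it back as a check; it never touches the registry. The one domain and one CLSID are taken from the first log in this thread; which entries to add is the operator's decision and is assumed here.

```python
import re

# Registry locations IE consults: per-domain zone assignments (HKCU) and
# ActiveX kill bits (HKLM). Both existed on the IE6 / Windows 2000 build in this thread.
ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
RESTRICTED_SITES_ZONE = 4   # zone id of "Restricted sites"
KILL_BIT = 0x400            # the kill bit within "Compatibility Flags"

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?:\.[a-z0-9-]{1,63})+$", re.IGNORECASE)

# Constructed inputs taken from the first log in this thread (assumed selection).
HOSTILE_DOMAINS = ["searchmiracle.com"]
KILL_CLSIDS = [
    "{11111111-1111-1111-1111-111111111123}",  # O16 DPF that loaded mp3codec543.exe via file://
]


def restricted_sites_entries(domains):
    """One key per domain; the "*" value assigns every scheme for that domain
    and its subdomains to zone 4, Restricted sites."""
    out = []
    for d in domains:
        if not DOMAIN_RE.match(d):
            raise ValueError("expected a bare domain name, got %r" % d)
        out += ["[%s\\%s]" % (ZONEMAP_KEY, d.lower()),
                '"*"=dword:%08x' % RESTRICTED_SITES_ZONE, ""]
    return out


def kill_bit_entries(clsids):
    """Bit 0x400 in Compatibility Flags stops IE's HTML engine from instantiating
    the control even if its DLL is still installed. It does not cover BHOs or
    MIME filters, which IE loads through other registry paths."""
    out = []
    for c in clsids:
        if not CLSID_RE.match(c):
            raise ValueError("not a CLSID: %r" % c)
        out += ["[%s\\%s]" % (ACTIVEX_COMPAT_KEY, c.upper()),
                '"Compatibility Flags"=dword:%08x' % KILL_BIT, ""]
    return out


def build_reg(domains, clsids):
    """Assemble a .reg file: header line, blank line, then one block per key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    lines += restricted_sites_entries(domains) + kill_bit_entries(clsids)
    return "\r\n".join(lines)


def parse_reg(text):
    """Read the keys and values back out of a .reg body, to review before importing."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            keys[current][name.strip('"')] = value
    return keys


if __name__ == "__main__":
    print(build_reg(HOSTILE_DOMAINS, KILL_CLSIDS))
```

Import the generated file with regedit on the affected machine. Two caveats: a zone assignment affects only Internet Explorer and programs that use its zone policy, and the kill bit prevents re-infection through an `<object>` download of that CLSID rather than removing anything already installed; the HijackThis fixes and file deletions in the posts above are still needed for that.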

#10 ~Ayeka~

Posted 17 November 2004 - 10:44 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



