download.abetterinternet.com Log file: Logfile of HijackThis v1.96.0 Scan saved at 9:22:53 PM, on 8/13/2003 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\logonui.exe C:\WINNT\Explorer.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\igfxtray.exe C:\WINNT\System32\hkcmd.exe C:\WINNT\System32\SK9910DM.exe C:\WINNT\GWMDMMSG.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Iomega\DriveIcons\ImgIcon.exe C:\Program Files\Canon\MultiPASS\monitr32.exe C:\Program Files\Canon\MultiPASS\MPTBox.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Optimum Online\Netsurf.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe C:\WINNT\MSMGT.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Iomega\AutoDisk\AD2KClient.exe C:\Program Files\AIM95\aim.exe C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.exe C:\WINNT\System32\FxRedir.exe C:\PROGRA~1\Iomega\System32\ActivityDisk.exe C:\Program Files\Canon\MultiPASS\mpservic.exe C:\Program Files\D-Link AirPlus\AIRPLUS.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINNT\System32\svchost.exe C:\WINNT\wanmpsvc.exe C:\WINNT\System32\RUNDLL32.exe C:\Program Files\Internet Explorer\IEXPLORE.exe C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe C:\Program Files\Internet Explorer\IEXPLORE.exe C:\Program Files\Microsoft Money\System\urlmap.exe C:\Documents and Settings\catherine cropper\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optonline.net R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O1 - Hosts: 12.33.155.51 mbimail O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.exe O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check" O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe" O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe" O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.exe" O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - Startup: PowerReg Scheduler.exe O4 - Global Startup: D-Link AirPlus Utility.lnk = ? O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe O9 - Extra button: AIM (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: MoneySide (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37643.4557638889 O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I will suggest a few programs(all free) that will help keep your machine ad/spyware free, and a free popup stopper as well. One of the methods to quickly shut off the popup is by hitting the Alt F4 key that will back them off but the software helps stop them in their tracks. See sites below. http://www.panicware.com/popupstopperisp.html http://security.kolla.de/ http://www.wilderssecurity.net/mrublaster.html http://lavasoft.element5.com/support/download/

Hi catherine cropper, No your HijackThis logfile is CLEAN!!! I don’t see any sign of the popup problem. Do yourself a favor and update WinXP and IE immediately BEFORE you get the MSBlast worm. Platform: Windows XP is currently at SP1 MSIE: Internet Explorer v6.00 is currently at SP1 At a minimum make sure the Microsoft Q823980 patch from http://support.microsoft.com/?kbid=823980 is insatlled. --------------- Run an updated Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again. O1 - Hosts: 12.33.155.51 mbimail If this host was of your doing then don’t fix it. -------------- For the future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware. Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings. Good Luck!

Hi catherine cropper, Um, Sorry fix this one also using HijackThis. O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

HI, POP-UP STOPPER IS EXCELLENT... go to www.panicware.com and download the free edition of pop up stopper, stu.