popups just wont quit

Computing.Net > Forums > Security and Virus > popups just wont quit

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

popups just wont quit

Name: rcm907
Date: November 11, 2003 at 13:56:15 Pacific
OS: win 2k
CPU/Ram: p3/64MB

Comment:

Ran adaware and spybot w/latest definitions yet popups persist. here is a hijack this file. Help please.Logfile of HijackThis v1.97.5
Scan saved at 1:43:53 PM, on 11/11/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HPConfig.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\system32\hotkey.exe
C:\WINNT\system32\S3trayhp.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\ESSD.exe
C:\Program Files\Common Files\slmss\slmss.exe
C:\Program Files\POP\PopSrv205.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Ypygzf5.exe
C:\WINNT\System32\Jirq39Q.exe
C:\Program Files\POP\sysmono.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Predictive Networks\ATTRefSvc\ATTRefSvc.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://download.att.net/finish
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = AT&T Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.we1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hotkey] hotkey.exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINNT\ESSD.exe
O4 - HKLM\..\Run: [ATTRefSvc] "C:\Program Files\Predictive Networks\ATTRefSvc\ATTRefSvc.exe"
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [SetupType] Portable
O4 - HKLM\..\Run: [print sharing] C:\winnt\web\printers\images\start.bat
O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe
O4 - HKLM\..\Run: [messnger] C:\WINNT\system32\Dvldr32.exe
O4 - HKLM\..\Run: [WinApp32] msapp.exe
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [Explkw] C:\WINNT\system32\expup.exe
O4 - HKLM\..\Run: [4AAT8EM425DZH3] C:\WINNT\System32\Tep1.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.exe -k
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.exe /Startup
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [DelDirTree] C:\WINNT\UnInst32.exe C:\WINNT\DelDir.BEN
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://download.att.net/finish
O16 - DPF: {02607DF4-D40B-4FFB-B054-1CAC03468E28} (DNLCertificate Control) - http://www.fmn-media.com/campaigns/winpl/sites/pops/A001/DNLCertificate.ocx
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003011601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37930.560625
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw11fd.law11.hotmail.msn.com/activex/HMAtchmt.ocx
Thanks in advance.

Sponsored Link

Ads by Google

Response Number 1

Name: Kevin The Tech Dude
Date: November 11, 2003 at 14:47:11 Pacific

Reply:

Remove this junk.....

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.we1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.attbb.net
This stuff looks like viruses
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [Explkw] C:\WINNT\system32\expup.exe
O4 - HKLM\..\Run: [4AAT8EM425DZH3] C:\WINNT\System32\Tep1.exe
I would remove them as well but if you want someone to confirm they are viruses you may. They look very suspect though but I could be wrong :)
KTTD

Response Number 2

Name: smithdk
Date: November 11, 2003 at 15:25:55 Pacific

Reply:

O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.dvldr.html

Response Number 3

Name: Kevin The Tech Dude
Date: November 11, 2003 at 15:41:34 Pacific

Reply:

Thanks for the assist smithdk :)
KTTD
P.S Time for another beer :)

Response Number 4

Name: smithdk
Date: November 11, 2003 at 15:57:32 Pacific

Reply:

Kevin,
Glad to assist.
rcm907:
Perhaps its best to run an online virus scan:
http://housecall.trendmicro.com/
http://www.trojanscan.com/

Response Number 5

Name: Tom41
Date: November 11, 2003 at 16:35:34 Pacific

Reply:

This entry is Trojan.Peper.A...Removal is a pain...
O4 - HKLM\..\Run: [4AAT8EM425DZH3] C:\WINNT\System32\Tep1.exe
Copy and follow the instructions below to remove it..

1. Download the following drpepertobackup.exe file and double click on it to extract. (It will extract to C:\drpeper)
drpepertobackup.exe
2. Go offline and terminate all net activity.
3. Click Start > Run > type
regedit and click OK.
Click the + next to the following keys.
HKEY_LOCAL_MACHINE
Software
Under Software there will be a list of sub keys, Up at the top will be 1 or 2 that are 14 %random% characters long starting with a number. (Like 4AAT8EM425DZH3) Right click on those folders and choose delete.
Close regedit.
4. Open the task manager and end process on
C:\WINNT\System32\Ypygzf5.exe
C:\WINNT\System32\Jirq39Q.exe
5. Run HT and check this entry and click 'fix checked'.
O4 - HKLM\..\Run: [4AAT8EM425DZH3] C:\WINNT\System32\Tep1.exe
6. Double click on the Find backup and Delete Peper files.vbs that was extracted in step 1.
At the first prompt copy and paste in Ypygzf5.exe and click OK.
At the second prompt copy and paste Jirq39Q.exe and click OK.
When it is finished running, reboot.
7. Run Hijack again and post a new log in a reply.

messnger application popup just-in-time debugging an exception 'runtime error' has o if my computer has power but just wont turn on what do i do	myweb just wont go winxp ftp server just wont work how to get rid of popups which wont go away
See More

Response Number 6

Name: Kevin The Tech Dude
Date: November 11, 2003 at 17:52:39 Pacific

Reply:

Tom41,
Thank you very much. I could not find any information on that file but it just did not look right to me.
Again, thanks for the information.
KTTD

Response Number 7

Name: sxshep
Date: November 11, 2003 at 18:07:18 Pacific

Reply:

For those in need of a more visual representation, it is offered here:
http://www.mjc1.com/files/peperpage/
Same stuff as Tom's post above, but with cool pictures.
Late as Always
shep

Response Number 8

Name: DRD1
Date: November 24, 2003 at 12:49:23 Pacific

Reply:

You may want to remove the file & directory
C:\Program Files\Common Files\slmss\slmss.exe.
This is a Trojan downloader that Trend Micro identifies as ADW_SCANPORTAL.A
Use this procedure to terminate the running malware process from memory:
1. Open Windows Task Manager (press CTRL+SHIFT+ESC) and click the Processes tab.
2. In the list of running programs, locate the process SLMSS.EXE.
3. Select the process, then press the End Process button.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
Removing autostart entries from the registry prevents the malware from executing during startup:
1. Open Registry Editor. To do this, click Start>Run, type regedit, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
"slmss" = "C:\Program Files\Common Files\slmss.exe"
4.Close Registry Editor.
Information obtained from:
http://fr.trendmicro-europe.com/consumer/security_info/ve_detail.php?VName=ADW_SCANPORTAL.A
This is only a small link in the popup chain but worth eliminating.
Best of Luck!
DRD

Sponsored Link

Ads by Google

What is going on with my ...

Connectivity problems aft...

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: popups just wont quit

bridge.dll error

Summary

www.computing.net/answers/security/bridgedll-error/10227.html

porn popups wont go away!

Summary

www.computing.net/answers/security/porn-popups-wont-go-away/6481.html

random Web sites on startup popup

Summary

www.computing.net/answers/security/random-web-sites-on-startup-popup/11506.html

From the Geek Dictionary
l337 - A word used by physically mature but mentally adolescent gamer boys to lord...

Ask a Question!

Weekly Poll
What do you think of the new preview of Chrome OS?

Poll Finishes In 4 Days.
Discuss in The Lounge
Poll History

Recent Posts
Switch to router connection!?

Need to bind windows users in linux ldap

Certificate Server Revocation

enuff juice?

passwords mixes

All Awaiting Reply

Tom's News
Microsoft Fires Back at Xbox Live Lawsuit

Xbox 360 is Now Four Years Old

Star Trek Online Goes Open Beta in January

AOL Getting New Logos Made From Random Stuff

AT&T Sets the Coverage Map Record Straight

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE