Author Topic: Pop-Up help  (Read 777 times)

Brad Flee

  • Guest
Pop-Up help
« on: November 30, 2004, 02:02:33 PM »
Total NewB here.....
Just found this forum after doing a google search on Satmat.exe.
Yes, I too am having a problem with pop-ups that nothing seems to fix....
Adaware, SpyBot, and the likes....

Please help me.
Background on this computer.
Work Computer that I received as a back up.
This PC has had many different users and I want to think that I have cleaned it fairly well but, can't seem to clean this problem with the Pop-Ups off.

I have downloaded HJT.
This is the log that it produced:


Logfile of HijackThis v1.98.2
Scan saved at 11:04:43 AM, on 11/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINNT\system32\irnkjy.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\MsiExec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [snmltnvzfxn] C:\WINNT\system32\irnkjy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clie...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clie...nts/y/ot0_x.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...5271ab95b94951b
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = netserv.sequoyah.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E570E883-FC9C-43DF-965C-2BE7494CA382}: Domain = netserv.sequoyah.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = netserv.sequoyah.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = entp.attws.com,wireless.attws.com,attws.com,netserv.sequoyah.com,sequoyah.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sequoyah.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = entp.attws.com,wireless.attws.com,attws.com,netserv.sequoyah.com,sequoyah.com

I would really love it if anybody could help me with this.


Thanks,
Brad

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Pop-Up help
« Reply #1 on: November 30, 2004, 08:30:52 PM »
Hi Brad, let's do some cleanup on your computer then get you some tools to keep it that way

But first:
Access your Add/Remove Programs via Control Panel

Look for and Remove if found
WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer


* Do not reboot until they have all been removed even if prompted.

* When you are uninstalling the last program you can then reboot when prompted

After you're back in Windows
Go Back to Add/Remove Programs and Remove if found
Wind Updates
Again restart your computer if it was removed

Ad-Aware and Spybot should have taken care of a couple entries

Can you please open your version of Ad-Aware
The latest version of Ad-Aware is SE Personal 1.05
Click DETAILS
Latest reference number and Internal build as of now should be
Reference Number : SE1R20 25.11.2004
Internal build : 25

If you're not using Ad-Aware SE Personal 1.05 please uninstall your version from Add/Remove programs
Download and Install the free version of Ad-Aware SE Personal 1.05
After Installation
CHECK FOR UPDATES
Allow to download updates
Do a Full system scan----Remove All Critical objects
RESTART your computer to finish the cleaning process

When back in Windows
Can you open up Spybot>>>Click on HELP>>ABOUT
The latest version is Spybot 1.3
with the latest Detection update being 2004-11-18

If you're using 1.3 and not up to date, Search for updates and Check For problems
Fix everything in RED
Restart your computer to finish the cleaning
If you're not using 1.3 uninstall your version in Add/Remove Programs
Download and Install Spybot S&D 1.3
After installation--SEARCH FOR UPDATES
Check for Problems---FIX everything in RED
Remember to restart your computer to finish the cleaning process

Post back with a fresh hijackthis log afterwards and we'll take care of the leftovers
« Last Edit: November 30, 2004, 08:57:07 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Brad Flee

  • Guest
Pop-Up help
« Reply #2 on: December 01, 2004, 12:00:50 PM »
Thanks for the reply guestolo.
I have the latest update for spybot and I have Adaware 6.0 which I check for updates before every use.

I have not found anything that you have told me to look for.
I do have a recurring form of some type of rebate program. I can delete it from the program list and it will be there later.

Does someone have any other help for me.....

Thanks,
Brad

Offline guestolo

Pop-Up help
« Reply #3 on: December 01, 2004, 08:04:00 PM »
Okay Brad, we can try it this way if you want :D

You may want to print this out

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>>Save as
Name the file as search.reg
Change the Save as Type to All Files.
Save this file on the desktop, we'll need this later, don't run it yet
This will restore your default search settings
Hijackthis has indicated they are missing

Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Open Hijackthis>>>Config>>Misc Tools>>Open Process Manager
Kill this process if running
C:\WINNT\system32\irnkjy.exe

Do another scan with Hijackthis and put a check next to these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [snmltnvzfxn] C:\WINNT\system32\irnkjy.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...5271ab95b94951b


After you have ticked the above entries, close down All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
Yes to the prompt and exit hijackthis

Restart your computer preferably into safe mode by tapping the F8 key on
Windows startup

Set window to Show Hidden Files and Folders
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

Find and delete these files or folders if they exist
C:\WINNT\multimpp.dll <--file
C:\WINNT\wupdt.exe <--file
C:\WINNT\system32\irnkjy.exe <--file

===Do a DiskCleanup>>START----Run---type in cleanmgr
Ensure that Temp and Temporary Internet Files are checked

Double click on search.reg and allow it to merge to the registry

Restart back into Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

I would suggest that you do an online Virus scan, this is up to you
Go to this link
http://www.ravantivirus.com/scan/
When you access that link with Internet Explorer
click on the "To Continue without subsribing click here" link
It will load the activex and definition files

Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan
Then click the 'Scan my PC button'
Let it completely finish scanning
When it's complete, copy and paste the results back here

Also Post back a Fresh hijackthis log

Before you post back the hijackthis log, I know that the newer version of Ad-Aware should have taken care of a couple entries for you
Ad-Aware 6 is no longer being supported
I very much recommend that you install the newer version
Check for updates---Run a Full system scan
Remove all Critical objects
Restart your computer to finish the cleaning process
This is up to you, but you may find no more updates with Ad-aware 6 now or shortly
Here's more info
http://www.lavasoftusa.com/
Click on    
Important notice for users of Ad-Aware 6 all versions!
« Last Edit: December 01, 2004, 09:16:42 PM by guestolo »
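
The kill, fix, delete ordering in the reply above, worked through as an added example (not part of the original post and not HijackThis's own code): it parses a subset of the posted log and, for the ticked entries, reports which files are live processes to stop first and which files remain to delete afterwards. The function names and the file-extension pattern are assumptions of this sketch.

```python
import re

# Subset of the HijackThis log posted in this thread, copied verbatim.
LOG = r"""Running processes:
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\WINNT\system32\irnkjy.exe

O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [snmltnvzfxn] C:\WINNT\system32\irnkjy.exe
"""
# Entries ticked for "Fix checked" in the reply: all of the subset's
# entries except the McAfee autorun, which was left alone.
TO_FIX = [l for l in LOG.splitlines() if l[:2] in ("O2", "O3", "O4") and "McAfee" not in l]

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
FILE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))', re.I)  # assumed extension list

def parse_log(text):
    """Return (lower-cased running process paths, list of entry lines)."""
    procs, entries, in_procs = set(), [], False
    for line in map(str.strip, text.splitlines()):
        if ENTRY.match(line):
            in_procs = False
            entries.append(line)
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.add(line.lower())
    return procs, entries

def file_of(entry):
    """File an O2 (BHO) or O4 (autorun) entry points to, else None."""
    code, body = ENTRY.match(entry).groups()
    if code not in ("O2", "O4"):
        return None
    tail = body.rsplit(" - ", 1)[-1] if code == "O2" else body.split("] ", 1)[-1]
    m = FILE.search(tail)
    return m.group(1) if m else None

def cleanup_plan(log_text, to_fix):
    """Order the work: stop live processes, fix entries, then delete files."""
    procs, entries = parse_log(log_text)
    known = [e for e in to_fix if e in entries]
    files = [f for f in map(file_of, known) if f]
    return {"kill_first": [f for f in files if f.lower() in procs],
            "delete_after_fix": files,
            "not_in_log": [e for e in to_fix if e not in entries]}
```

Calling `cleanup_plan(LOG, TO_FIX)` puts only irnkjy.exe in the kill step, because wupdt.exe has an autorun entry but no running process in the posted log; any ticked line that does not appear in the log is returned under `not_in_log` rather than acted on.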



Brad Flee

  • Guest
Pop-Up help
« Reply #4 on: December 02, 2004, 12:17:36 PM »
Thank you very much guestolo!
I did everything that you said and I am clean.
I really appreciate this very much!

Thanks again!
Brad


:D

Offline guestolo

Pop-Up help
« Reply #5 on: December 02, 2004, 07:10:09 PM »
I'll trust your log looks good Brad, good work

To put some preventive tools on your computer
You should install these 2 apps., they add extra security while
silently protecting you, without running in the background

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free!

With both,
 Check for updates every couple of weeks

Stay safe :)
