Hey everyone.
I've been spyware free for a while now but just a few days ago I started getting all sorts of pop-ups. I ran just about every spyware scanner and got rid of most of the popups. However, I still get some every once in a while. The ones I get always seem to relate to what I'm looking at on the internet. For example, as I was searching for help on my spyware issue, I would get pop-ups about anti-spyware programs.
Anyways, the only suspicious program running I see is rpen.exe. The file is located at C:\Windows\Program Files\etea\rpen.exe. I can't delete it as it always comes back and I can't end the process in the task manager as it's a System process.
Here's my Hijack This Analyzer log if it helps:
Code:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs
***Security Programs Detected***
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Spy Sweeper\SpySweeper.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 10:02:38 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\ATIPTAXX.EXE
C:\Program Files\etea\rpen.exe
C:\Program Files\Aim\Aim 2\aim.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = *
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [ATIPTA] C:\WINDOWS\ATIPTAXX.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim\Aim 2\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6FDB0065-2787-11D6-B1D8-0001023916FC} (CLOActiveXInstaller Control) - http://www.igl.net/clo/install/CLOAc...allerProj1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{35F91578-BDC6-41A0-8579-ABAEAB23C935}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{70F15DCE-E3B3-44C6-8422-379F565289C8}: NameServer = 63.240.76.4,204.127.198.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{02A7B09D-F4BA-4473-AEF6-4CDDBB9090E9}: NameServer = 192.168.10.1
O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\dmiman32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
End of KRC HijackThis Analyzer Log.
====================================================================