Unable to remove browser pop-ups

Posted on 2005-04-29
Last Modified: 2013-12-04
Hi All

I have a laptop running Windows XP SP2 which is plagued by spyware. Every time you open IE6 I get pop-ups offering everything from sex contacts to screensavers. As this box is used for business I worry that one of these pop-ups will appear whilst I'm doing a presentation.

I've run hijackthis and the log file is contained below:

Logfile of HijackThis v1.99.1
Scan saved at 14:17:10, on 29/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\powerpanel\Program\PcfMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [inetcpl] inetcpl.exe
O4 - HKLM\..\Run: [F5Um] C:\documents and settings\fredmcdonald\local settings\temp\F5Um.exe
O4 - HKLM\..\Run: [NV] C:\documents and settings\fredmcdonald\local settings\temp\NV.exe
O4 - HKLM\..\Run: [4#T9EKK5J6T66M] C:\WINDOWS\System32\Hyh5.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [a2a34fa27d22] C:\WINDOWS\System32\browsewm.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [7982491b1e62] C:\WINDOWS\system32\cdmodem1.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fw27Rje9P] defadu.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: *
O15 - Trusted Zone: *
O15 - Trusted Zone: *
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://eye2detailmain/connectcomputer/nshelp.dll
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://eye2detailmain/tsweb/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eye2detaillimited.local
O17 - HKLM\Software\..\Telephony: DomainName = eye2detaillimited.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{F42ACCE0-9FBE-4ED9-98CC-AC66F4E3A6BB}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eye2detaillimited.local
O21 - SSODL: replr - {92FDFE60-0EF0-4933-8950-64C0533A5208} - C:\WINDOWS\System32\inetapi.dll
O23 - Service: hpdj - HP - C:\DOCUME~1\fredMC~1\LOCALS~1\Temp\hpdj.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Question by:kwalker25
    LVL 29

    Assisted Solution


    Next time, please don't post the log. Get an analysis here:

    Just paste the log, click "Analyze" and then scroll down to the "Save analysis" link, click it and you will see a website with your saved analysis. Post the LINK to that site.

    Meanwhile, please note my comments:

    We have detected that you MAY have the Peper Trojan (more information).
    Before you do ANYTHING else, download and run this program:

    to remove the trojan from your system.

    1) You probably have the Peper Trojan. In HijackThis, place a check mark next to this line:
    O4 - HKLM\..\Run: [4#T9EKK5J6T66M] C:\WINDOWS\System32\Hyh5.exe

    These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.

    O4 - HKLM\..\Run: [F5Um] C:\documents and settings\fredmcdonald\local settings\temp\F5Um.exe
    (Description: Registry key running programs on start-up from user's temporary folder.)

    O4 - HKLM\..\Run: [NV] C:\documents and settings\fredmcdonald\local settings\temp\NV.exe
    (Description: Registry key running programs on start-up from user's temporary folder.)

    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
    (Description: BrowserAid/Startium parasite related)

    O4 - HKLM\..\Run: [a2a34fa27d22] C:\WINDOWS\System32\browsewm.exe
    (Description: Unknown trojan/virus.)

    O4 - HKLM\..\Run: [7982491b1e62] C:\WINDOWS\system32\cdmodem1.exe
    (Description: Unknown trojan/virus.)

    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    (Description: Microsoft Works portfolio tool. If you're not using this, remove it. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    (Description: Checks for updates to MS Works. Unnecessary. Removing this entry will free up some system resources.)

    Now, follow these instructions:

    1) Press the "Fix checked" button. Then close HijackThis.

    2) Then reboot your computer into safe mode. (instructions)

    3) Remove all files from your C:\WINDOWS\TEMP folder and your C:\DOCUMENTS AND SETTINGS\(your username)\LOCAL SETTINGS\Temp\ folder. (Do NOT delete the folders themselves). PLEASE NOTE: The local settings folder is a hidden folder.

    4) Delete the file C:\WINDOWS\System32\browsewm.exe

    5) Delete the file C:\WINDOWS\system32\cdmodem1.exe

    6) Empty your recycle bin.

    7) Run Windows Update and install all critical updates.

    8) Make sure your anti-virus program is up to date with the latest patches. If you do not have an anti-virus program, download and install AVG Personal Edition Anti-Virus, which is free.

    9) Reboot one last time.

    10) Some suspicious entries have been found in your log. The next step is to run HijackThis again and create another log file.

    Good luck,

    LVL 29

    Accepted Solution


    Include this one to fix with HJT:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm

    And delete this file:


    Just as an example, your HJT log saved analysis is here:

    After the above cleanup, post a LINK to the analysis of your new HJT log (after fixes).
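The rules the experts applied above (autoruns launched from a Temp folder, random-looking Run value names, rundll32 loading a bare module name, a service binary in Temp, and an IE start/search page pointing at a local file) can be turned into a small triage script. This is an added example, not code from the thread, Experts Exchange or the HijackThis project; the sample lines are constructed from the log posted here and the regex heuristics and reason strings are my own assumptions.

```python
import re

# Constructed sample lines, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [F5Um] C:\documents and settings\fredmcdonald\local settings\temp\F5Um.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [a2a34fa27d22] C:\WINDOWS\System32\browsewm.exe
O4 - HKCU\..\Run: [fw27Rje9P] defadu.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\fredMC~1\LOCALS~1\Temp\hpdj.exe
"""
O4_RE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: .* - (?P<cmd>[A-Za-z]:\\.*)$")
R_RE = re.compile(r"^R[01] - .*?=\s*(?P<url>\S+)$")
TEMP_RE = re.compile(r"\\temp\\", re.I)             # ...\local settings\temp\, ...\LOCALS~1\Temp\
HEX_NAME_RE = re.compile(r"^[0-9a-f]{10,}$", re.I)  # value names like 98D0CE0C16B1 (heuristic)

def check_entry(line):
    """Return the reasons (possibly none) an HJT line deserves a closer look."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd").strip()
        qm = re.match(r'"([^"]+)"|(\S+)', cmd)      # quoted or bare first token
        exe = (qm.group(1) or qm.group(2)) if qm else ""
        if TEMP_RE.search(cmd):
            reasons.append("autorun from a Temp folder")
        if HEX_NAME_RE.match(name) or "#" in name:
            reasons.append("random-looking Run value name")
        if exe.lower().startswith("rundll32"):
            parts = cmd.split(None, 1)
            target = parts[1].split(",")[0].strip('"') if len(parts) > 1 else ""
            if not target.lower().endswith(".dll"):
                reasons.append("rundll32 loading a non-.dll module name")
        elif exe and "\\" not in exe:
            reasons.append("bare executable name resolved via PATH search")
    m = O23_RE.match(line)
    if m and TEMP_RE.search(m.group("cmd")):
        reasons.append("service binary in a Temp folder")
    m = R_RE.match(line)
    if m and m.group("url").lower().startswith("file://"):
        reasons.append("IE start/search page points at a local file")
    return reasons

def triage(log_text):
    """Map each flagged line to its reasons; lines nothing was flagged on are omitted."""
    return {ln: r for ln in map(str.strip, log_text.splitlines()) if (r := check_entry(ln))}
```

The output is a list of candidates for review, like the experts' "not necessarily spyware" list, not a verdict: a bare name such as the legitimate ICO.EXE entry in the log will also be flagged.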

