Unable to remove browser pop-ups

Hi All

I have a laptop running Windows XP SP2 which is plagued by spyware. Every time I open IE6 I get pop-ups offering everything from sex contacts to screensavers. As this box is used for business I worry that one of these pop-ups will appear whilst I'm doing a presentation.

I've run hijackthis and the log file is contained below:

Logfile of HijackThis v1.99.1
Scan saved at 14:17:10, on 29/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\powerpanel\Program\PcfMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [inetcpl] inetcpl.exe
O4 - HKLM\..\Run: [F5Um] C:\documents and settings\fredmcdonald\local settings\temp\F5Um.exe
O4 - HKLM\..\Run: [NV] C:\documents and settings\fredmcdonald\local settings\temp\NV.exe
O4 - HKLM\..\Run: [4#T9EKK5J6T66M] C:\WINDOWS\System32\Hyh5.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [a2a34fa27d22] C:\WINDOWS\System32\browsewm.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [7982491b1e62] C:\WINDOWS\system32\cdmodem1.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fw27Rje9P] defadu.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://eye2detailmain/connectcomputer/nshelp.dll
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://eye2detailmain/tsweb/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eye2detaillimited.local
O17 - HKLM\Software\..\Telephony: DomainName = eye2detaillimited.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{F42ACCE0-9FBE-4ED9-98CC-AC66F4E3A6BB}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eye2detaillimited.local
O21 - SSODL: replr - {92FDFE60-0EF0-4933-8950-64C0533A5208} - C:\WINDOWS\System32\inetapi.dll
O23 - Service: hpdj - HP - C:\DOCUME~1\fredMC~1\LOCALS~1\Temp\hpdj.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Include this one to fix with HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm

And delete this file:


Just as an example, your HJT log saved analysis is here:


After the above cleanup, post a LINK to the analysis of your new HJT log (after fixes).


Next time, please don't post the log. Get an analysis here:


Just paste the log, click "Analyze" and then scroll down to the "Save analysis" link, click it and you will see a website with your saved analysis. Post the LINK to that site.

Meanwhile, please note my comments:

We have detected that you MAY have the Peper Trojan (more information).
Before you do ANYTHING else, download and run this program:


to remove the trojan from your system.

1) You probably have the Peper Trojan. In HijackThis, place a check mark next to this line:
O4 - HKLM\..\Run: [4#T9EKK5J6T66M] C:\WINDOWS\System32\Hyh5.exe

These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.

O4 - HKLM\..\Run: [F5Um] C:\documents and settings\fredmcdonald\local settings\temp\F5Um.exe
(Description: Registry key running programs on start-up from user's temporary folder.)

O4 - HKLM\..\Run: [NV] C:\documents and settings\fredmcdonald\local settings\temp\NV.exe
(Description: Registry key running programs on start-up from user's temporary folder.)

O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
(Description: BrowserAid/Startium parasite related.)

O4 - HKLM\..\Run: [a2a34fa27d22] C:\WINDOWS\System32\browsewm.exe
(Description: Unknown trojan/virus.)

O4 - HKLM\..\Run: [7982491b1e62] C:\WINDOWS\system32\cdmodem1.exe
(Description: Unknown trojan/virus.)

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
(Description: Microsoft Works portfolio tool. If you're not using this, remove it. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
(Description: Checks for updates to MS Works. Unnecessary. Removing this entry will free up some system resources.)

Now, follow these instructions:

1) Press the "Fix checked" button. Then close HijackThis.

2) Then reboot your computer into safe mode. (instructions)

3) Remove all files from your C:\WINDOWS\TEMP folder and your C:\DOCUMENTS AND SETTINGS\(your username)\LOCAL SETTINGS\Temp\ folder. (Do NOT delete the folders themselves). PLEASE NOTE: The local settings folder is a hidden folder.

4) Delete the file C:\WINDOWS\System32\browsewm.exe

5) Delete the file C:\WINDOWS\system32\cdmodem1.exe

6) Empty your recycle bin.

7) Run Windows Update and install all critical updates.

8) Make sure your anti-virus program is up to date with the latest patches. If you do not have an anti-virus program, download and install AVG Personal Edition Anti-Virus, which is free.

9) Reboot one last time.

10) Some suspicious entries have been found in your log. The next step is to run HijackThis again and create another log file.

Good luck,
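As an added example (not part of the original thread), here is a small Python script that applies the same checks the analysis above used to single out the bad O4 and O23 entries: programs launching from a Temp folder, bare file names with no path, rundll32 loading a module with no .dll name, and random hexadecimal entry names. The sample lines are copied from the log in the question plus one clean entry for contrast; the regexes and heuristics are my own and are not part of HijackThis.

```python
import re

# Sample input constructed for this example: O4/O23 lines copied from the log above, plus one clean entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [inetcpl] inetcpl.exe
O4 - HKLM\..\Run: [F5Um] C:\documents and settings\fredmcdonald\local settings\temp\F5Um.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [a2a34fa27d22] C:\WINDOWS\System32\browsewm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: hpdj - HP - C:\DOCUME~1\fredMC~1\LOCALS~1\Temp\hpdj.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")   # O4 - HKLM\..\Run: [name] command
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")       # O23 - Service: name - vendor - path
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)                     # ...\Temp\x.exe, ...\LOCALS~1\Temp\x.exe
HEX_NAME_RE = re.compile(r"^[0-9a-f]{10,}$", re.IGNORECASE)          # e.g. 98D0CE0C16B1

def review_line(line):
    """Return the reasons a startup entry deserves a closer look ([] means nothing was flagged)."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        name, command = m.group(2), m.group(3)
        if TEMP_RE.search(command):
            reasons.append("program launched from a temporary folder")
        if "\\" not in command:
            reasons.append("bare file name with no path (found via the PATH search)")
        if command.lower().startswith("rundll32") and ".dll" not in command.lower():
            reasons.append("rundll32 asked to load a module with no .dll name")
        if HEX_NAME_RE.match(name):
            reasons.append("random-looking hexadecimal entry name")
        return reasons
    m = O23_RE.match(line)
    if m and TEMP_RE.search(m.group(3)):
        reasons.append("service binary located in a temporary folder")
    return reasons

def review_log(text):
    """Map each flagged log line to its reasons; clean lines are left out."""
    flagged = {}
    for line in text.splitlines():
        reasons = review_line(line.strip())
        if reasons:
            flagged[line.strip()] = reasons
    return flagged
```

Calling review_log(SAMPLE_LOG) flags five of the seven sample lines and leaves the SigmaTel and Messenger entries alone; entries that do get flagged still need a manual look, since a legitimate installer can occasionally use a Temp path too.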
