Computing.Net > Forums > Security and Virus > HiJackThis log cleanup - help


HiJackThis log cleanup - help


Name: cstelter
Date: February 13, 2004 at 12:48:25 Pacific
OS: Windows XP-Home
CPU/Ram: P-4 2.2GHz - Ram=512
Comment:

I inadvertently posted this over in the Windows XP forum. I was told to post it over here in the security forum. Thanks in advance for any help.
******
I'm trying to help my father clean up his pc. He was getting bombarded with pop-ups. I had him run HiJackThis and the following is the log file. There are a few suspicious items in the log, but I want to make sure I get them all. I'm helping him over the phone, so it's all the more difficult. Also, any recommendations after we clean up the log for keeping these bad programs from getting onto his machine again? He has downloaded SpyBot, Spyware Guard, and Ad-Aware. He uses Norton Anti-virus.

Logfile of HijackThis v1.97.7
Scan saved at 10:40:34 AM, on 2/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\WHENUS~1\Search.exe
C:\WINDOWS\system32\pgtools\tatss.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Save\Save.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\Program Files\Precpop2\precpop2.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\MbhRo.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\Emud.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\Program Files\AproposClient\Apropos.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saabnetwork.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.saabnet.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Bernard\Application Data\Mozilla\Profiles\default\8sgaqkrd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Bernard\Application Data\Mozilla\Profiles\default\8sgaqkrd.slt\prefs.js)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {6ACDFBEC-ABD6-499C-B933-ABE069E6677D} - C:\WINDOWS\System32\dpcudll.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\MtyJ63F.exe
O4 - HKLM\..\Run: [Tat] C:\WINDOWS\system32\pgtools\tatss.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
O4 - HKLM\..\Run: [precpop2] "C:\Program Files\Precpop2\starter.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1075347412531
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{935622A1-0C6B-4D4C-88EB-AED5BD493AE5}: NameServer = 207.69.188.187 207.69.188.186


Response Number 1
Name: cannymum
Date: February 13, 2004 at 15:52:09 Pacific
Reply:

G'day Chris,
Regarding AdAware, could you please make sure your Dad clicks the Globe icon at the top of the start screen, to get the latest reference file. Also, that the various 'tweaks' for a 'Full scan' are set.
Full AAw Scan Settings

Thanks


Response Number 2
Name: blender
Date: February 13, 2004 at 16:33:05 Pacific
Reply:

Hi Chris

Quite a bit of work to do, but let's start with removing Peper.

Download this uninstaller, double click it to run, let it run...the window will close when it is done.

http://home01.wxs.nl/~kleyn080/uninst.exe

You will need to be connected to the internet to run the tool.

From Add/Remove Programs I recommend removing the following, since they are all adware-infested and produce tons of popups.

WhenUSearch bar
ClockSync
Save (whenUsave)
Apropos Client

You will be taken to a website to complete the uninstall.

Reboot the computer, start hijackthis, click scan again and place a check beside the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {6ACDFBEC-ABD6-499C-B933-ABE069E6677D} - C:\WINDOWS\System32\dpcudll.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\MtyJ63F.exe
O4 - HKLM\..\Run: [Tat] C:\WINDOWS\system32\pgtools\tatss.exe

O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe

O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe

O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab

Reboot the computer and delete the following files/folders:

c:\program files\apropos client <-folder
c:\program files\incredifind <-folder
c:\program files\ClockSync <-folder
C:\program files\save <-folder
c:\windows\system32\pgtools <-folder
c:\windows\system32\iefeatures.exe <-file
c:\windows\system32\internetfeatures.exe <-file

A few of the entries listed above may not be present in the hijack scan if you were able to remove the programs with add/remove.

Reboot again and have him make sure both ad-aware and spybot are updated.
I would run a scan with both programs again rebooting after each scan if anything was found and removed.

Please post a fresh HijackThis log when done; there may be a few more things to remove.

It may be easier to give him the link to this post, as I would think it is going to be really difficult to walk him through this on the phone.
I will check back tomorrow... off to work I go.

____________________

I never give up!

Response Number 3
Name: gilhoulisreef
Date: February 14, 2004 at 04:25:20 Pacific
Reply:

Chris,
Everyone here gives great advice on removing threats, but you're not going to be there to clean up the garbage in his machine every other day. Many of the products you name are good for most threats. Hijackthis is good but you have to clean the mess up yourself.

For your Dad, make sure Norton's running, get Spy Sweeper, it removes a whole lot more than the other products, and for $30 you get updates for a year. You might want to install Codestuff Starter and tune up his start menu. Finally, download Firefox - POOOF!!! No more pop ups (Well almost). Finally, you might consider PC anywhere so you can work on his machine anytime, anywhere.

gilhouli

on my reef.

Response Number 4
Name: suzi
Date: February 14, 2004 at 22:56:21 Pacific
Reply:

Spy Sweeper is a good program, but your dad might be able to save $30 by getting SpywareBlaster instead. It protects from a lot of spyware/adware and hijackings that are installed by ActiveX controls.

Spybot Search & Destroy has an "Immunize" feature which he should use also. You should also have him check his security settings for IE.

Here's some good info "How did I get infected in the first place?"

http://netrn.net/phpBB2/viewtopic.php?p=586&highlight=#586
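The two replies above amount to a manual triage of the log: blender's list of entries to check in HijackThis, and suzi's point that ActiveX-delivered installs like the O16 SpyBlast entry are best blocked at the kill-bit level, which is what SpywareBlaster does. As an added example (not code from the thread, from HijackThis, or from SpywareBlaster), here is a small Python script that parses the HijackThis 1.97 entry format shown in the log, flags entries against an indicator list built from the items blender marks for removal, splits the run-together O1 hosts line into its two redirects, and emits a .reg fragment that sets the kill bit for the flagged O16 CLSID. The indicator list, the random-name heuristic for Run values like 2LRX2W83X2T3MQ, and the seven-line excerpt of the log are constructed for the example; a real triage would use a maintained indicator database.

```python
"""Triage a HijackThis 1.97-style log offline: parse the "Oxx - ..." entry lines,
flag entries against a constructed indicator list, split run-together O1 hosts
entries, and emit an ActiveX kill-bit .reg fragment for flagged O16 CLSIDs."""
import re

# Constructed excerpt of the log posted in this thread (seven of its lines).
SAMPLE_LOG = r"""
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\MtyJ63F.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{935622A1-0C6B-4D4C-88EB-AED5BD493AE5}: NameServer = 207.69.188.187 207.69.188.186
"""

# Lower-case substrings taken from the items the second reply marks for removal
# (assumed indicator list; a real one would come from a maintained database).
INDICATORS = ("apropos", "incred", "whenu", r"\save\save.exe", "clocksync", "pgtools",
              "iefeatures", "internetfeatures", "dpcudll", "popnav", "spyblast", "mtyj63f")

ENTRY_RE = re.compile(r"^(?P<kind>[RNOF]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
HOST_PAIR_RE = re.compile(rf"({IPV4})\s+(\S+?)(?={IPV4}|\s|$)")
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")
KILLBIT_FLAG = 0x400  # "Compatibility Flags" value that stops IE loading the control


def parse_hosts(body):
    """Return (ip, hostname) pairs from an O1 line. HijackThis can print several
    hosts-file entries run together on one line, as in the log above, so split
    on IP boundaries instead of whitespace."""
    return HOST_PAIR_RE.findall(body.split(":", 1)[-1])


def looks_random(name):
    """Constructed heuristic for auto-generated Run value names such as
    '2LRX2W83X2T3MQ': long, upper-case alphanumerics mixing digits and letters
    with no vowels. Names like 'NvCplDaemon' or 'ccApp' pass."""
    return (len(name) >= 10 and name.isalnum() and name.isupper()
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name)
            and not any(c in "AEIOU" for c in name))


def analyse(log_text, indicators=INDICATORS):
    """Return [(kind, body, reasons)] for every entry that deserves a look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        kind, body = m.group("kind"), m.group("body")
        reasons = [f"matches indicator {w!r}" for w in indicators if w in body.lower()]
        if kind == "O1":
            # An entry pointing a name at a remote address is a redirect; 127.0.0.1
            # entries are the blocking kind that Spybot/SpywareBlaster add.
            reasons += [f"hosts redirect {host} -> {ip}"
                        for ip, host in parse_hosts(body) if ip != "127.0.0.1"]
        elif kind == "O4":
            name = RUN_NAME_RE.search(body)
            if name and looks_random(name.group(1)):
                reasons.append("random-looking Run value name")
        if reasons:
            findings.append((kind, body, reasons))
    return findings


def killbit_reg(findings):
    """Emit a .reg fragment setting the kill bit (Compatibility Flags = 0x400)
    for each flagged O16 CLSID. This is the registry mechanism SpywareBlaster
    uses; apply it only for controls you have confirmed are unwanted."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for kind, body, _ in findings:
        clsid = CLSID_RE.search(body) if kind == "O16" else None
        if clsid:
            out.append(r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                       r"\ActiveX Compatibility\%s]" % clsid.group(0))
            out.append('"Compatibility Flags"=dword:%08x' % KILLBIT_FLAG)
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for kind, body, reasons in hits:
        print(f"{kind}: {body}\n    {'; '.join(reasons)}")
    print(killbit_reg(hits))
```

Run against the excerpt, it flags the O1 redirects, the Apropos BHO, the MtyJ63F Run entry (both by indicator and by its random-looking name), and the SpyBlast O16 control, while leaving the Norton BHO, ccApp and the EarthLink O17 name servers alone. The kill bit only stops Internet Explorer from instantiating a control that is already registered; it does not remove files, so the .reg fragment complements, rather than replaces, the Add/Remove and file-deletion steps in the reply above.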
