
wupdater and more


Name: Tim B
Date: December 17, 2003 at 07:54:29 Pacific
OS: windows 2000
CPU/Ram: bosses comp
Comment:

I have been trying to clean up/fix my boss's "new" computer. Many other people have been using this computer over the past couple of years and very few of them are "computer smart", i.e. they will download just about anything. I have been able to remove about 20-30 spyware and ad-pop-up programs with Ad-aware 6.0 and have now found wupdater and a couple of other things I'm not too sure about. After reading other posts I feel the best thing for me to do is post the log file of HijackThis. Please advise me on what needs to be done from this point, as I have never used HijackThis before and would really like to not screw up the boss's comp. Thank you in advance.

Logfile of HijackThis v1.97.7
Scan saved at 10:21:59 AM, on 12/17/2003
Platform: Windows 2000 SP1 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\explorer.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Navnt\POProxy.exe
C:\Program Files\KODAK\Multi-Card Reader\shwicon.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\WINNT\System32\mslaugh.exe
C:\WINNT\System32\mshta.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\WINNT\System32\IEDriver\IEDriver.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINNT\mwsvm.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\Fbnj0A3Z.exe
C:\WINNT\System32\VxqFLv.exe
C:\Program Files\Common Files\Slmss\slmss.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bridgepros.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.rsandh.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=1DCAE7E2-54C4-4474-8D57-5EDFD3867301&version_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://search.xrenoder.com
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINNT\System32\n3tpa1.dll
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINNT\System32\expext.dll
O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {951644AF-A077-49C0-AA90-C1CE060A4D0D} - C:\WINNT\System32\dssbasce.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ShowIcon_KODAK_KODAK Multi-Card Reader v1.13e21] "C:\Program Files\KODAK\Multi-Card Reader\shwicon.exe" -t"KODAK\KODAK Multi-Card Reader v1.13e21"
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Explkw] C:\WINNT\System32\expup.exe
O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\System32\MsyI62.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [IEDriver] C:\WINNT\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
O4 - HKLM\..\Run: [absr] C:\WINNT\mwsvm.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O13 - DefaultPrefix: http://193.125.201.50/?trk=
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab




Response Number 1
Name: Col
Date: December 18, 2003 at 03:41:55 Pacific
Reply:

Haha - Mslaugh.exe!!!

Honestly, do you really think they have a sense of humour at MS?

Anyhoo - if you're not sure about any of the processes then run them through Google. It's been said before and I'll say it again, Google is your best friend!

And get stinger too!


Response Number 2
Name: Tim B
Date: December 18, 2003 at 12:58:29 Pacific
Reply:

Thank you Col, I think that I will make that my next step. And MS is VERY funny: what other software company requires you to turn off your motherboard virus protection to be able to load their product, Windows :) (no offence Mr. Gates sir).
Anyhow, I still need to know which items I can have HJT fix/remove to get rid of wupdater and any known spyware. Please keep in mind I've never used HJT before and only learned of the program from other posts, and it seems to work quite well.


Response Number 3
Name: Will73
Date: December 19, 2003 at 10:16:57 Pacific
Reply:

Not sure if you found anything out about this or not, but we are actually seeing this on one of our systems here. I'm able to partially clean it off the system by using Ad-aware or Spybot, but it has found a way to replicate itself, reinstalling on reboots. It will place an entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run named 36F4SAZ3QJAFKE. It then generates random executable processes to fire up the pop-ups. Don't think anyone has found a fix for this yet, and if they don't then I may end up reinstalling the OS. Any info would be appreciated.

Thanks.


Response Number 4
Name: Abnormal
Date: December 19, 2003 at 10:41:02 Pacific
Reply:

Hi Tim,
you have the Peper trojan, and also need
to update Windows.

Peper Removal

Please follow these steps, in exactly that order:

Run this uninstaller:

http://home01.wxs.nl/~kleyn080/uninst.exe

When done, use the following tool to delete the files themselves:

Download Drpepertobackup.exe, save it to disk, and double-click the file; it will self-extract to C:\.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double-click it.

http://www.mjc1.com/files/mo/drpepertobackup.exe

A box will appear; copy and paste: Fbnj0A3Z.exe
and hit OK.

A second box will appear; copy and paste MsyI62.exe and hit OK.

It will find all the files, delete them and will make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted.

Some help sites that will read your log are here:

http://forums.tomcoyote.org/

http://www.wilderssecurity.com/archive/

http://www.spywareinfo.com/forums/

http://forums.net-integration.net/


Response Number 5
Name: Abnormal
Date: December 19, 2003 at 10:52:46 Pacific
Reply:

Will, some info for you.

http://www.mjc1.com/files/peperpage/

These are the generic removal instructions,
and what to look for in a log.

Download and run this file to fix Peper Trojan:

http://home01.wxs.nl/~kleyn080/uninst.exe

Double-click on 'uninst.exe', let it run and terminate.

To delete all the associated files, download the following tool:
http://www.mjc1.com/files/mo/drpeper.html
It will self-extract to C:\.

Find the file:
C:\drpeper\Find backup and Delete Peper files.vbs and double-click it.

On the first prompt, copy and paste:
Select one of the filenames in the running processes.
Example: C:\WINDOWS\System32\Rcjj.exe
C:\WINDOWS\System32\JvfMa7R.exe

(your files will look like those)

And hit OK.
You will get a confirmation and proceed:

On the second, paste:
Type in the filename where the startup entry points to.
And hit OK.
Example: O4 - HKLM\..\Run: [4X@95ME57C5BM8] C:\WINDOWS\System32\FmrCj.exe
(The 14 letters and numbers give it away)


It will find all the files, delete them and will make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted.
Check that .txt file to see that no legitimate files were removed.

Hope that gives you a clue to what to do.
Better help is found at the above forums.

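The "14 letters and numbers give it away" rule from the reply above can be turned into a simple triage check over HijackThis O4 lines. This is an added example, not a tool from the thread or from the drpeper package; the sample lines are constructed after the log in this thread, and the 14-character heuristic is an assumption drawn from the two names quoted here, not a vendor signature.

```python
import re
from dataclasses import dataclass

# Constructed sample O4 lines modelled on the thread's log (not the original log verbatim).
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r"O4 - HKLM\..\Run: [36F4SAZ3QJAFKE] C:\WINNT\System32\MsyI62.exe",
    r"O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe",
    r'O4 - HKLM\..\Run: [ShowIcon] "C:\Program Files\KODAK\Multi-Card Reader\shwicon.exe" -tKODAK',
    r"O4 - HKLM\..\Run: [4X@95ME57C5BM8] C:\WINDOWS\System32\FmrCj.exe",
    r"O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q",
]

# HijackThis O4 Run-key line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str

    @property
    def target_file(self) -> str:
        """Bare filename the entry launches (what the second drpeper prompt asks for)."""
        cmd = self.command.strip()
        path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
        return path.rsplit("\\", 1)[-1]


def parse_o4(lines):
    """Parse only the O4 Run-key lines; other HijackThis sections are ignored."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["cmd"]))
    return entries


def looks_like_peper_name(name: str) -> bool:
    """Assumed heuristic: exactly 14 characters, no spaces, all-uppercase letters
    mixed with digits, as in 36F4SAZ3QJAFKE and 4X@95ME57C5BM8 from the thread."""
    if len(name) != 14 or " " in name or name.upper() != name:
        return False
    letters = sum(c.isalpha() for c in name)
    digits = sum(c.isdigit() for c in name)
    return letters >= 3 and digits >= 3


def flag_suspect_run_entries(lines):
    """Return (value name, target filename) for every entry matching the heuristic."""
    return [(e.name, e.target_file) for e in parse_o4(lines) if looks_like_peper_name(e.name)]


if __name__ == "__main__":
    for name, target in flag_suspect_run_entries(SAMPLE_O4_LINES):
        print(f"suspect Run value [{name}] -> {target}")
```

Treat a hit as something to research, as the replies say, not as proof on its own; the flagged target filename is the one to check against the running-process list in the same log.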



Response Number 6
Name: Shadow123
Date: December 19, 2003 at 22:24:14 Pacific
Reply:

Tim_B,

I think you're better off re-installing the whole Windows O/S (but remember to back up all data first)!

Trying to clean trojans, spyware and adware is an uphill task, especially when you are not familiar with processes.

And often there may be trojans, spyware and adware that may not be detectable by removal programs like Ad-aware. Also, the Windows registry is often messed up. Some system files may also have been replaced or modified. In some instances, 'cleaning' up this 'junk' may corrupt your system files.

You'll probably be much faster doing a fresh Windows installation than 'cleaning'. You'll also get a fresh Windows running faster and more efficiently, with fewer security risks. And if you know how to clone your new Windows installation after that, such as by using 'Norton Ghost', you can restore a fresh clean O/S as often as you like with a breeze.

Shadow
