New Member
Group: Forum Members Last Login: 12/23/2003 9:33 AM Posts: 10, Visits: 1
I have read all your information prior to posting this log. I have run Ad-Aware build 6.181 with all current updates and Spybot Search & Destroy with all current updates and am still having problems. I work in a bank, and we are on high-speed wireless behind a firewall, so we should not be having any problems with pop-ups, and I cannot figure out what the problem is. My HijackThis log is as follows:
Logfile of HijackThis v1.97.7
Scan saved at 3:02:25 PM, on 12/15/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINNT\System32\JyaX9.exe
C:\WINNT\System32\BrvxMFLv.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\AproposClient\Apropos.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\WINNT\system32\ntvdm.exe
F:\Spyware\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.peoplesbankcoldwater.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.peoplesbankcoldwater.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [38Z3MSR3DDD##A] C:\WINNT\System32\NauZjgH.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00110000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (11.0)) - http://65.68.96.193/docmgrnew/ltocx11n.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {335BC499-AEA9-4E25-9A41-D304C8079497} (PolicyTypeComp.uctlPolicyTypeComparison) - https://www.cifyi.com/HailQuoting/PolicyTypeComparison.CAB
O16 - DPF: {51C18C91-2F7F-11D5-8CA2-00B0D019D3C6} (IQXViewer Class) - https://www.cifyi.com/Viewers/Eureka/rptxviewer.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37965.2406481481
O16 - DPF: {B11561AA-B19B-45EC-806D-385395761063} (HailWeb.uctlHailWeb) - https://www.cifyi.com/HailQuoting/HailWeb.CAB
O16 - DPF: {B28EEA0F-4F1E-11D3-8CC5-0004AC3230DC} (CimaxUpdates.uctlCimaxUpd) - https://www.cifyi.com/CimaxUpdates/CimaxUpdates.CAB
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
Please let me know what I need to remove to help my computer. Thanks for your time, Matt
Senior Forum Advisor
Group: Senior Advisor Last Login: 12/4/2005 12:31 AM Posts: 4,743, Visits: 5
Hi littlem2211, welcome.
You have the Peper *Trojan* Pl0per.
Please do the following, in this order.
Download and run http://home01.wxs.nl/~kleyn080/uninst.exe : double-click 'uninst.exe', let it run and terminate. You must be online for this to work, and do not block any attempts by the program to connect to the internet if your firewall squawks.
Here is a script made by Mosaic1 that will remove all these bad files.
Download Drpepertobackup.exe (direct link here: http://www.mjc1.com/files/mo/drpepertobackup.exe ), save it to disk, and double-click the file; it will self-extract to C:\ and create a C:\drpeper\ <--- folder. Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double-click it.
In the first prompt box, copy and paste: BrvxMFLv.exe and hit OK. Wait for the popup box to confirm the results.
In the second prompt box, copy and paste: NauZjgH.exe
It will find all the files, delete them and will make backups in the same folder ( C:\drpeper\ ).
It will open a text file (Peper.txt) with the list of all files deleted; copy and paste/post the contents here.
..................
Now could you please locate this file: C:\Program Files\AproposClient\AproposPlugin.dll and mail it as an attachment to >>THIS MAIL ADDRESS<< (you can actually mail the whole AproposClient folder if you don't mind). It would be appreciated. Thanks. This needs to be done prior to fixing with HJT below. (Make sure that in Folder Options > View, hidden and operating system files are set to show.) How to Show Hidden/System Files: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Next, have HijackThis fix the following by placing a check in the appropriate boxes and selecting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O16 - DPF: {00110000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (11.0)) - http://65.68.96.193/docmgrnew/ltocx11n.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
O16 - DPF: {335BC499-AEA9-4E25-9A41-D304C8079497} (PolicyTypeComp.uctlPolicyTypeComparison) - https://www.cifyi.com/HailQuoting/PolicyTypeComparison.CAB
O16 - DPF: {51C18C91-2F7F-11D5-8CA2-00B0D019D3C6} (IQXViewer Class) - https://www.cifyi.com/Viewers/Eureka/rptxviewer.ocx
O16 - DPF: {B11561AA-B19B-45EC-806D-385395761063} (HailWeb.uctlHailWeb) - https://www.cifyi.com/HailQuoting/HailWeb.CAB
O16 - DPF: {B28EEA0F-4F1E-11D3-8CC5-0004AC3230DC} (CimaxUpdates.uctlCimaxUpd) - https://www.cifyi.com/CimaxUpdates/CimaxUpdates.CAB
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
Reboot
Please post a fresh HJT log and the contents of the Peper.txt file.
/
Cheers
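The reply above picks the entries to fix out of the log by eye. The script below is an added example, not HijackThis code and not the Peper removal script linked in the reply; it turns the same judgements into rules over HJT-style log lines: a hosts-file entry that sends a name somewhere other than loopback, a URL search hook with no file behind it, a BHO or ActiveX (DPF) download outside a short allowlist, and a Run value whose value name or executable name looks machine-generated, which is the pattern the Peper files in this log follow. The sample log lines, the two allowlists and the name heuristic are all constructed for this example; the heuristic is tuned on the names seen in this thread, and a name that passes it is no evidence that the file is clean.

```python
"""Triage helper for HijackThis-style log lines (added example; not HJT's own code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a subset of the entries from the log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [38Z3MSR3DDD##A] C:\WINNT\System32\NauZjgH.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37965.2406481481
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
"""

# Hypothetical allowlists a triager maintains; deliberately short for the example.
KNOWN_GOOD_BHO = {"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"}  # Acrobat Reader IE helper
KNOWN_GOOD_DPF_DOMAINS = ("microsoft.com", "macromedia.com")

CLSID = r"(\{[0-9A-Fa-f-]{36}\})"
O1_RE = re.compile(r"O1 - Hosts: (\S+)\s+(\S+)")
O2_RE = re.compile(r"O2 - BHO: .*? - " + CLSID + r" - (.*)$")
O4_RE = re.compile(r"O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"O16 - DPF: " + CLSID + r" \((.*)\) - (\S+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def random_looking(filename: str) -> bool:
    """Heuristic for generated names such as NauZjgH.exe, BrvxMFLv.exe or JyaX9.exe:
    a lower-to-upper switch that does not start a CamelCase word, or a lower-case
    letter, digits, then an upper-case letter. Vendor names (vptray, RunDll32,
    Ati2mdxx, tfswctrl) pass; passing is not proof that the file is clean."""
    stem = filename.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(re.search(r"[a-z][A-Z](?![a-z])", stem) or re.search(r"[a-z]\d+[A-Z]", stem))


def _trusted_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DPF_DOMAINS)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for an entry worth removing or investigating, else None."""
    if line.startswith("R3 - ") and line.endswith("(no file)"):
        return Finding("R3", "URL search hook with no backing file", line)
    m = O1_RE.match(line)
    if m:  # hosts-file overrides: anything not loopback/unspecified is a redirect
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            return Finding("O1", "unparseable hosts entry", line)
        if not (addr.is_loopback or addr.is_unspecified):
            return Finding("O1", f"{m.group(2)} redirected to {addr}", line)
        return None
    m = O2_RE.match(line)
    if m and m.group(1).upper() not in KNOWN_GOOD_BHO:
        return Finding("O2", "browser helper object not on the allowlist", line)
    m = O4_RE.match(line)
    if m:  # Run values: odd characters in the value name, or a generated exe name
        value_name, command = m.groups()
        exe = command.split()[0] if command.split() else ""
        if re.search(r"[^\w .\-]", value_name) or random_looking(exe):
            return Finding("O4", f"suspicious Run value [{value_name}] -> {exe}", line)
    m = O16_RE.match(line)
    if m and not _trusted_host(m.group(3)):
        return Finding("O16", f"ActiveX download from untrusted host: {m.group(3)}", line)
    return None


def triage(log: str) -> List[Finding]:
    return [f for f in (triage_line(ln.strip()) for ln in log.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section}: {finding.reason}")
```

Run against the sample it reports the search hook, both hosts-file redirects, the AproposClient BHO, the [38Z3MSR3DDD##A] Run value and the imgfarm.com download, and stays quiet on the Acrobat helper, the ATI and Norton Run values and the Windows Update control, which is the same split the reply above made by hand. The name heuristic is the weakest rule: it is a prompt to look at the file (size, vendor, signature), not a verdict.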
New Member
I did all things that were asked in your reply. Thanks for the help. However, after I rebooted, I received another pop-up. The Peper.txt file is as follows:
12/16/2003 1:05:26 PM
C:\WINNT\system32\AisI.exe
C:\WINNT\system32\BrvxMFLv.exe
C:\WINNT\system32\Tpb9P.exe
C:\WINNT\system32\JyaX9.exe
C:\WINNT\system32\Sgr88mf.exe
C:\WINNT\system32\LutB.exe
12/16/2003 1:05:43 PM
C:\WINNT\system32\Rydo84km.exe
C:\WINNT\system32\NauZjgH.exe
C:\WINNT\system32\Now4O.exe
After I restarted, I ran HJT, and the following is my new log:
Logfile of HijackThis v1.97.7
Scan saved at 1:30:21 PM, on 12/16/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINNT\system32\wuauclt.exe
F:\Spyware\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.peoplesbankcoldwater.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.peoplesbankcoldwater.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37965.2406481481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
Please let me know what I need to do next. Thanks for your time and help. Matt

New Member
After I posted the last log, I had the young lady monitor any pop-ups that she received during the afternoon, and at 4:00pm (closing time) she reported that she hadn't had any pop-ups at all. Thanks a ton for your help, guys. I appreciate all of your time and concern.
Matt
Senior Forum Advisor
Good stuff. You killed all the correct Peper files. You can now delete the entire C:\drpeper\ <--- folder
Thanks for the file. It is indeed new.
The remainder of the log looks clean. /
Cheers
Senior Forum Advisor
The file you sent was indeed a new baddie. Brought to you by Everyones Internet, Inc., the same servers that brought us (literally) the Search Engine Hijacking (QHosts trojan). Thanks. It has been passed on to developers.
Cheers