Help Request

Discussion in 'adware, spyware & hijack cleaning' started by jand, May 14, 2004.

Thread Status:
Not open for further replies.
  1. jand

    jand Registered Member

    Joined:
    May 10, 2004
    Posts:
    7
    Was wondering if I can get some advice on what to remove on this computer to prevent adware and spyware from coming back. I removed spykiller, and ran the adaware and spybot utilities to remove what those programs could.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:44:56 PM, on 5/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
    C:\WINDOWS\myCIO\VScan\McShield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\myCIO\Agent\myagttry.exe
    C:\documents and settings\evah\local settings\temp\nTpRw.exe
    C:\documents and settings\evah\local settings\temp\nTpRw.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
    C:\WINDOWS\sysupd.exe
    C:\WINDOWS\System32\XpggP.exe
    C:\WINDOWS\System32\Xqsye.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\downloads\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
    O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
    O4 - HKLM\..\Run: [nTpRw.exe] C:\documents and settings\evah\local settings\temp\nTpRw.exe
    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\GnsDj.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [nTpRw] C:\documents and settings\evah\local settings\temp\nTpRw.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://nai.vscan.merisel.com/VS2/bin/myCioAgt.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38002.3554282407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi jand,

    Please download the uninstall tool to remove the pepertrojan: http://www.memorywatcher.com/uninst.exe (direct download link)
    Doubleclick the exe file to run, and say 'yes' to let it connect to the internet.
    It may take a few minutes before it finishes.

    Then open the TaskManager (ctrl-alt-del keys) and end task on 'sysupd.exe' and 'nTpRw.exe'.

    Next, open HijackThis and rescan. Place a check in the box beside each of the following items.
    Close ALL browsers/windows (except HijackThis) and click *Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [nTpRw.exe] C:\documents and settings\evah\local settings\temp\nTpRw.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [nTpRw] C:\documents and settings\evah\local settings\temp\nTpRw.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe


    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Find and delete the following highlighted in bold:
    C:\Program Files\TV Media <--folder
    C:\WINDOWS\sysupd.exe <--file

    C:\documents and settings\evah\local settings\temp\ <---Delete ALL the contents of the temp folder (but do not delete the temp folder itself.)

    In case the above files are hidden, then enable all files and folders to be viewable:
    Open Windows Explorer, click on Tools, then Folder Options.
    Click on the View tab and make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types".
    Click "Apply to all folders" button.
    Click "Apply" button, then "OK"

    Reboot your computer normally, and post a new log here in this thread to be checked.

    Regards,

    snap
     
  3. jand

    jand Registered Member

    Joined:
    May 10, 2004
    Posts:
    7
    Sincerely, thanks again for your assistance with this. Here's my latest log after applying the fixes...

    Logfile of HijackThis v1.97.7
    Scan saved at 2:24:26 PM, on 5/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
    C:\WINDOWS\myCIO\VScan\McShield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\myCIO\Agent\myagttry.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
    C:\downloads\hijackthis\HijackThis.exe
    C:\WINDOWS\System32\Ychb.exe
    C:\WINDOWS\System32\Xqsye.exe
    C:\WINDOWS\System32\wuauclt.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
    O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\GnsDj.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://nai.vscan.merisel.com/VS2/bin/myCioAgt.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38002.3554282407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Jand,

    I'm afraid you still have the pepertrojan running there.
    Close as many programs as you can, and run the uninst.exe tool again to try and remove peper. Make sure you say "yes" when it asks to connect to the internet. It will not work if you do not give it access to connect to the internet.

    Reboot your computer if prompted.

    Then with only HijackThis open, and all other browsers and any other open windows closed, place a check beside the following, and click *Fix checked:

    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe

    Reboot your computer again, preferably into Safe Mode, and delete the sysupd.exe file in the C:\Windows folder.

    Do another scan and post a new log here in this thread so we can see if peper is gone.

    Regards,

    snap
     
  5. jand

    jand Registered Member

    Joined:
    May 10, 2004
    Posts:
    7
    Logfile of HijackThis v1.97.7
    Scan saved at 4:03:40 PM, on 5/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
    C:\WINDOWS\myCIO\VScan\McShield.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
    C:\WINDOWS\System32\Xqsye.exe
    C:\WINDOWS\System32\Dfynt10V.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\myCIO\Agent\myAgttry.exe
    C:\downloads\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sqwire.com/searchpage.php?aid=3222
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
    O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\ElskZ.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://nai.vscan.merisel.com/VS2/bin/myCioAgt.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38002.3554282407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi jand,

    It looks like you still have the pepertrojan running there. I'm not sure why it is still active since you ran the uninstaller (uninst.exe) twice now.
    Are you allowing it to connect to the internet? Can you tell me what happens after you run the uninstaller; how long it takes before it finishes.

    You've also brought along some new nasties since your last log.

    First, download CWShredder.
    Put it in a location you will be able to find it easily as you'll be using it in a later step.

    Then while connected to the internet, run the uninst.exe again to try and remove the PeperTrojan.
    (Make sure you shut down any antivirus programs, McAfee in this case, as they may be interfering with the uninstaller's ability to remove peper)


    Next, open HijackThis and rescan. Place a check in the box beside each of the following items.
    Close ALL browsers/windows (except HijackThis) and click *Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sqwire.com/searchpage.php?aid=3222

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\ElskZ.exe

    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe

    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe


    Without rebooting yet, unzip CWShredder.exe, and run the program by clicking the "Fix" button (not "scan only").
    Make sure ALL browsers are closed, and follow the instructions in the prompts you receive when the program runs.

    Then boot your computer, find and delete the following highlighted in bold:
    C:\Program Files\AdDestroyer <--entire folder
    C:\Program Files\VBouncer <--entire folder

    Post a new hijackthis log here to be checked. Hopefully we won't see the peper files running this time.

    Regards,

    snap
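    The advice in this thread rests on two things a helper does by eye: picking out the suspicious lines in a HijackThis log (autoruns launched from a user's temp folder, dangling URLSearchHooks, a search page pointing at an unexpected host, autorun names that look machine-generated) and comparing the new log against the previous one to see what was actually removed and what came back under a new file name. The following Python is an added example written for this thread; it is not code from the thread, from HijackThis or from any of the tools named above. The sample log lines are copied from the logs posted here; the "trusted host" list (the OEM start page seen in these logs), the random-name pattern and the temp-folder rule are assumptions made for the example, and they only surface candidates for a reviewer, they do not decide what is malicious.

```python
import re
from urllib.parse import urlparse

# Constructed samples: entry lines copied from the 5/14 and 5/19 logs posted in this thread.
LOG_MAY14 = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [nTpRw.exe] C:\documents and settings\evah\local settings\temp\nTpRw.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\GnsDj.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
"""

LOG_MAY19 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sqwire.com/searchpage.php?aid=3222
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\ElskZ.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")          # "O4 - ...", "R1 - ..."
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<target>.*)$")  # Run/RunOnce values
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.+?) = (?P<target>.*)$")  # Startup folder .lnk
URL_RE = re.compile(r"^(?P<key>.+?) = (?P<url>\S+)$")                   # R0/R1 "key = url"

# Assumptions for this example: the OEM start page seen in the thread is the expected default,
# and an all-caps alphanumeric value name of 8+ characters is "machine-generated looking".
TRUSTED_HOSTS = {"go.compaq.com"}
RANDOM_NAME_RE = re.compile(r"^[A-Z0-9#]{8,}$")
TEMP_MARK = "\\local settings\\temp\\"


def parse_log(text):
    """Return one dict {'sec','name','target','raw'} per HijackThis entry line (R0/R1/R3/O4/...).
    Header lines and the running-process list do not match ENTRY_RE and are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        name = target = None
        if sec == "O4":
            r = RUN_RE.match(body) or STARTUP_RE.match(body)
            if r:
                name, target = r.group("name"), r.group("target")
        elif sec in ("R0", "R1"):
            r = URL_RE.match(body)
            if r:
                name, target = r.group("key"), r.group("url")
        entries.append({"sec": sec, "name": name, "target": target, "raw": line})
    return entries


def triage(entries):
    """Return (raw_line, reason) pairs for entries a reviewer should look at first."""
    findings = []
    for e in entries:
        sec, name, target, raw = e["sec"], e["name"], e["target"], e["raw"]
        low = (target or "").lower()
        if sec == "O4" and TEMP_MARK in low:
            findings.append((raw, "autorun launches from a user temp folder"))
        elif sec == "O4" and name and RANDOM_NAME_RE.match(name):
            findings.append((raw, "autorun value name looks machine-generated"))
        elif sec == "R3" and ("is missing" in raw or "(no file)" in raw):
            findings.append((raw, "URLSearchHook missing or points at no file"))
        elif sec in ("R0", "R1") and target:
            host = urlparse(target).hostname or ""
            if host not in TRUSTED_HOSTS:
                findings.append((raw, f"IE start/search page set to unexpected host {host}"))
    return findings


def diff_logs(before, after):
    """Compare two logs entry by entry; returns (removed, added) as sorted lists of raw lines."""
    b = {e["raw"] for e in parse_log(before)}
    a = {e["raw"] for e in parse_log(after)}
    return sorted(b - a), sorted(a - b)


def retargeted_autoruns(before, after):
    """Autorun value names present in both logs whose target path changed between scans,
    which is how a renaming dropper shows up (same Run value, new random file name)."""
    b = {e["name"]: e["target"] for e in parse_log(before) if e["sec"] == "O4" and e["target"]}
    a = {e["name"]: e["target"] for e in parse_log(after) if e["sec"] == "O4" and e["target"]}
    return {n: (b[n], a[n]) for n in b.keys() & a.keys() if b[n].lower() != a[n].lower()}


if __name__ == "__main__":
    for label, log in (("5/14", LOG_MAY14), ("5/19", LOG_MAY19)):
        print(f"== {label} ==")
        for raw, why in triage(parse_log(log)):
            print(f"  [{why}] {raw}")
    removed, added = diff_logs(LOG_MAY14, LOG_MAY19)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("retargeted:", retargeted_autoruns(LOG_MAY14, LOG_MAY19))
```

Run against the two sample logs, the diff shows the five entries the first fix removed and the four new ones, and `retargeted_autoruns` reports the `4S2NSLA3QS#366` value moving from `GnsDj.exe` to `ElskZ.exe`, the same pattern visible in the thread's process lists. Note what the heuristics do not catch: `sysupd.exe` in `C:\WINDOWS` has an ordinary-looking name and path and is only identified by the helper's knowledge of the peper trojan, which is why the output is a triage list, not a verdict.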
     