Help! Can't remove Peper Trojan
I have been running Spybot S&D, AdAware and Spy Sweeper in safe mode but still keep having problems with Peper Trojan and a variety of adware. I am new to this. I have read other postings on your web but cannot find the same registry entries listed in your forum.
May I ask why you're convinced that you have a Peper Trojan infection? :confused:
As for the variety of adware, run HijackThis and post your log.
HJT here: http://www.majorgeeks.com/download3155.html
FAQ here: http://mvps.org/winhelp2002/unwanted.htm
Hope this helps.
Silj
Thanks for the reply. Here are the results of HijackThis.
Edit by chaslang: Old version of HJT and inline log deleted.
I forgot to add that SpySweeper keeps finding Peper Trojan. Also, Norton Corporate Edition is finding adware trojans daily.
Unless you are going to remain here to work the problems in the HijackThis log, do not request one to be posted. Also note: please follow our rules:
Please follow all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal > (http://forums.majorgeeks.com/showthread.php?t=35407)
If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.
NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
NOTE: You should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File > (http://forums.majorgeeks.com/showthread.php?t=38752)
Do not post a HijackThis log until we ask you to and when we do it must be a text document attachment to your message.
Update! Due to Hijack This logs destroying search engine and web site searches, we now ask you do not post your Hijack This log file unless requested by us. It is for advanced users, so if you do not understand how to use it, you do not need it....yet. Instead, please tell us in your post what symptoms you are experiencing so we can try and resolve it that way. When, and if, we ask you to post your log file, please attach it as a file. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!
Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT
Jimmy read my message below about what should have been done before posting an HJT log and how it is to be posted. Your HJT is out of date too.
Please run this peper trojan removal tool (may need to run it more than once):
http://www.memorywatcher.com/uninst.exe
Sorry for not running the scans first. Being new is no excuse. I have run the following in safe mode:
CCleaner
McAfee Stinger
Trend Micro Online Virus Scan
Norton Corporate Virus Scan
Ad-Aware SE with VX2 Cleaner Plug-in
Spybot Search & Destroy
Spy Sweeper
CWShredder
HSRemove
Kill2me
aboutBuster
Spyware Blaster
I am still having problems. I have attached current HijackThis scan.
You did not say anything about running the peper uninst.exe program so I repeat (and also add another program to run):
I think you may also have a peper trojan problem.
Please run the following:
http://www.memorywatcher.com/uninst.exe
if you have problems at the above link try this one: http://tools.zerosrealm.com/uninst.exe
Run it while online.
-------------------------
Then go into Control Panel/Add Remove Programs
Look for Delphin Media and remove it (if found)
If there is a Memory Watcher on the list, remove that too.
Now to uninstall the latest variant of peper aka sandboxer trojan run the below:
http://tools.zerosrealm.com/PeperFix.exe
Also have HijackThis fix these lines:
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O2 - BHO: (no name) - {1FF83655-B418-78B2-8650-61557FD47C4C} - C:\WINDOWS\System32\lozc.dll (file missing)
O2 - BHO: (no name) - {1FFF6E59-B21A-7FE1-8707-61557FDA2543} - C:\WINDOWS\System32\hukpux.dll
O2 - BHO: (no name) - {4DFA310D-B74E-2FE1-8050-61557FD47C4C} - C:\WINDOWS\System32\vnzkog.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\system32\mssaru.dll
And from safe mode delete:
C:\WINDOWS\System32\hukpux.dll
C:\active.exe
All files in these folders:
C:\documents and settings\karen\local settings\temp
C:\documents and settings\amanda\local settings\temp
C:\documents and settings\jim\local settings\temp
Do the stuff here and in my previous message before posting a new HJT log attachment.
I ran both applications in your first reply.
I did not have Delphin Media and Memory Watcher in Program files.
The peper uninstall found no peper files.
I deleted the Items you stated with HijackThis and also deleted Active.exe from safe mode.
I did not list both in my first reply.
Did you run this one (it is different):
http://tools.zerosrealm.com/PeperFix.exe
Also it does not look like you deleted the files in the folders I requested:
All files in these folders:
C:\documents and settings\karen\local settings\temp
C:\documents and settings\amanda\local settings\temp
C:\documents and settings\jim\local settings\temp
Yes. It ran and then stated no peper files found. :confused:
Okay you are going to have to do this by hand then.
Run HijackThis and select each of the following items and then click Fix. Afterwards reboot in safe mode and delete all the files indicated on each of those O4 lines. The ones with no full path (like ersw400.exe) may be in C:\Windows\system32. If not, search for them and delete.
I deleted all temp files for each user.
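The manual review asked for in the post above (O4 autostart entries that start from a Temp folder, sit directly in C:\WINDOWS, or have no full path) can be pre-sorted with a short script. This is an added example, not part of the original thread or of HijackThis; the sample log lines are constructed, and the three heuristics only mark entries for a closer look, they do not identify malware.

```python
import ntpath
import re

# HijackThis O4 line: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$')
# Executable part of the command: either quoted, or everything up to the
# first program extension (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|com|bat|scr|pif)))', re.I)

# Constructed sample input (not taken from the thread's attachments).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\example.dll
O4 - HKLM\..\Run: [qwxyz] C:\WINDOWS\abcdqrs.exe
O4 - HKLM\..\Run: [Example1] C:\Documents and Settings\user1\Local Settings\Temp\Example1.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example Vendor\updater.exe" -boot
O4 - HKCU\..\Run: [NoPath] example32.exe
"""


def parse_o4(line):
    """Return hive, key, value name and executable of an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    e = EXE_RE.match(command)
    exe = (e.group(1) or e.group(2)) if e else command
    return {"hive": hive, "key": key, "name": name, "exe": exe}


def review_reasons(exe):
    """Heuristics drawn from the thread; assumes Windows lives in C:\\WINDOWS."""
    folder = ntpath.dirname(exe).lower()
    if not folder:
        # The file has to be located first (system32 or a disk search).
        return ["no full path"]
    if "\\temp\\" in folder + "\\":
        return ["runs from a Temp folder"]
    if folder == "c:\\windows":
        return ["executable directly in C:\\WINDOWS"]
    return []


def triage(log_text):
    """List (value name, executable, reasons) for O4 entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = review_reasons(entry["exe"])
        if reasons:
            findings.append((entry["name"], entry["exe"], reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] {exe}: {', '.join(reasons)}")
```

Legitimate programs can match these rules too, so each flagged entry still needs to be checked by hand before anything is fixed or deleted.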
Good, continue with the long list from my previous post. Afterwards delete all of them from safe mode. Reboot normal and post a new HJT log attachment.
Any idea where the heck these all came from?
I have deleted all the items you stated with HijackThis. New scan is attached.
Looks a load better!! Doesn't it?
Were you able to find and delete all those files?
How's everything running now?
I rebooted and everything looks much better. Quicker too! Should I do anything else? I really appreciate your help!
I ran new scans. AdAware and Spybot S&D are clean. Spy Sweeper found the following:
Atwola Cookie
Purity Scan
WildMedia
WebSearch Toolbar
Post a new HJT log. I did not see signs of PurityScan, WildMedia, or WebSearch Toolbar before. And cookies like Atwola are always going to be found after some surfing unless you install some programs like SpywareBlaster and SpywareGuard to block them.
Here is the new scan. Must go to work so I'll be back later.
I don't see anything related to those items in your log. Run SpySweeper again and see where it found them (i.e., in the file system or registry keys, give me complete info).
And unless you wanted your default search page to be blank, I would have HJT fix the following lines:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
And then right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.yahoo.com (http://www.yahoo.com) (assuming that is what you wanted). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
I think everything is mostly clean now. AdAware and Spybot S&D are clean. Spy Sweeper only finds WebSearch Toolbar. It cannot clean it and tells me to manually delete C:\ProgramFiles\Toolbar\Temp. Even though I change file attributes to not read only I cannot delete. Also, despite deleting the O14 items in HijackThis they keep coming back.
Please stop SpySweeper from running by right clicking on the system tray icon and select close.
Then try this again:
And unless you wanted your default search page to be blank, I would have HJT fix the following lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com (http://www.yahoo.com/)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = %SEARCH_PAGE_URL%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com (http://www.yahoo.com/)
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
And then right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.majorgeeks.com (http://www.majorgeeks.com/) (I know you may want yahoo but just use this for now. We can change it later. I want to see the results with a different start page). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
Try the below for WebSearch Toolbar:
http://www.kephyr.com/spywarescanner/library/websearchtoolbar/index.phtml
Completed all items. It appears that HJT did not delete everything.
You must have Internet Explorer closed when running HijackThis. See this process running in your log:
C:\Program Files\Internet Explorer\iexplore.exe
Exit all IE sessions before doing scans but more importantly before Fixing items with HJT. Try again with all IE sessions, any other browsers, and SpySweeper not running.
I think I have done everything correct.
Okay, the R0 & R1 lines are gone but did you forget to do this:
And then right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.majorgeeks.com (http://www.majorgeeks.com/) (I know you may want yahoo but just use this for now. We can change it later. I want to see the results with a different start page). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
I have done this. Home page changes to blank on its own.
Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
wscntfy.exe
Now run HJT and put checks on the below line and click fix (make sure no IE sessions are running including the one you are reading in right now):
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
Then try to do the Reset Web Settings procedure again and post a new log.
I have to run out for an hour or so. I'll be back later.
still trying!
You did not end the wscntfy.exe process. I still see it in your log. But this time the R0 line with majorgeeks.com shows up. Have you been having any problems whatsoever running any steps? You have to provide me with details of what goes on.
Just saying, "still trying!" and posting a log does not tell me what you just did and what may have happened.
Why is it that the www.majorgeeks.com (http://www.majorgeeks.com) line shows now but did not the last time I asked you to do this? What is different?
Perhaps wscntfy.exe cannot be ended using Task Manager but you could have mentioned if you got an error or saw that it did not end.
When I run task manager wscntfy.exe does not delete. Instead when I end process it just moves further down the list of running processes. Also, last HJT run was done immediately after I fixed files (selected items you mentioned to fix).
Okay! But so was the log from message #30 and it showed no R0 lines. ????
Do you still have the WebSearch Toolbar issue?
I will run spy sweeper and post a new HJT log. It will take a few minutes.
I don't need a log! I need you to search the registry for WebSearch!
1) go here and download Registrar lite and install it:
http://www.majorgeeks.com/download469.html
2) Run it, click on the search icon (the magnifier glass). Enter the below into the text to search for box:
WebSearch
Post back here all matches found.
SpySweeper still finds web search toolbar. It cannot clean it but tells me to manually delete c:\ProgramFiles\Toolbar\Temp. When I right click on this file and check properties it has a read-only attribute. I change it to eliminate this and select apply. I still cannot delete this file. I get an access denied either file is write protected or in use.
Do what I said below! But have you tried to delete that folder after booting in safe mode and with no browsers running?
I ran Registrar Lite searching for WebSearch. No items were found. Also, tried to delete C:\ProgramFiles\Toolbar\Temp from safe mode. Despite changing file attributes I could not delete it. Same error message as below.
Are there any files in the c:\ProgramFiles\Toolbar\Temp folder?
When I try to access it through MyComputer I get an error message stating access denied.
Must go to sleep. Have to go to work tomorrow. I'll check postings in the morning.
Run Ad-aware SE and click Scan Now, then choose the Scan volume for ADS. Then click the underlined word 'Select'. Choose your hard disk drive (C) and then click Proceed. Then click Next. If it finds anything tell me what it finds.
AdAware in ADS scan found a number of MRU Lists. I deleted them all. AdAwareSE, SpyBot S&D and Spy Sweeper are all clean on scans now. Only thing that remains in the HJT log is the two O14 items. I think the clean sweeps show I'm done and the computer is running great. Thanks for all your help!!!