Help! Can't remove Peper Trojan

[jimmyp]

I have been running Spybot S&D, AdAware and Spy Sweeper in safe mode but still keep having problems with Peper Trojan and a variety of adware. I am new to this. I have read other postings on your web but cannot find the same registry entries listed in your forum.

[siljaline]

May I ask why you're convinced that you have a Peper Trojan infection? :
As for the variety of adware, run HijackThis and post your log.
HJT here: http://www.majorgeeks.com/download3155.html
FAQ here: http://mvps.org/winhelp2002/unwanted.htm

Hope this helps.
Silj

[jimmyp]

Thanks for the reply. Here is the results of HijackThis.


Edit by chaslang: Old version of HJT and inline log deleted.

[jimmyp]

I forgot to add that SpySweeper keeps finding Peper Trojan. Also, Norton Corportate addition is finding adware trojans daily.

[chaslang]

Quote:

Originally Posted by siljaline

May I ask why you're convinced that you have a Peper Trojan infection? :
As for the variety of adware, run HijackThis and post your log.
HJT here: http://www.majorgeeks.com/download3155.html
FAQ here: http://mvps.org/winhelp2002/unwanted.htm

Hope this helps.
Silj

Unless you are going to remain here to work the problems in the HijackThis log, do not request one to be posted. Also note: please follow our rules:

Please follow all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >

If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


NOTE: You should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >

Do not post a HijackThis log until we ask you to and when we do it must be text document attachment to your message.

Update! Due to Hijack This logs destroying search engine and web site searches, we now ask you do not post your Hijack This log file unless requested by us. It is for advanced users, so if you do not understand how to use it, you do not need it....yet. Instead, please tell us in your post what symptoms you are experiencing so we can try and resolve it that way. When, and if, we ask you to post your log file, please attach it as a file. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT

[chaslang]

Quote:

Originally Posted by jimmyp

I forgot to add that SpySweeper keeps finding Peper Trojan. Also, Norton Corportate addition is finding adware trojans daily.

Jimmy read my message below about what should have been done before posting an HJT log and how it is to be posted. Your HJT is out of date too.

Please run this peper trojan removal tool (may need to run it more than once):
http://www.memorywatcher.com/uninst.exe

[jimmyp]

Sorry for not running the scans first. Being new is no excuse. I have run the following is safe mode:

CCleaner
McAfee Stomger
Trend Micro Online Virus Scan
Norton Corporate Virus Scan
Ad-Aware SE win VX2 Cleaner Plug in
Spybot Search & Destroy
Spy Sweeper
CWShreader
HSRemove
Kill2mw
aboutBuster
Spyware Blaster

I am still having problems. I have attached current HijackThis scan.

[chaslang]

You did not say anything about running the peper uninst.exe program so I repeat (and also add another program to run):

I think you may also have a peper trojan problem.

Please run the following:
http://www.memorywatcher.com/uninst.exe

if you have problems at the above link try this one: http://tools.zerosrealm.com/uninst.exe

Run it while online.
-------------------------
Then go into Control Panel/Add Remove Programs
Look for Delphin Media and remove it (if found)
If there is a Memory Watcher on the list, remove that too.

Now to uninstall the latest variant of peper aka sandboxer trojan run the below:
http://tools.zerosrealm.com/PeperFix.exe

[chaslang]

Also have HijackThis fix these lines:
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O2 - BHO: (no name) - {1FF83655-B418-78B2-8650-61557FD47C4C} - C:\WINDOWS\System32\lozc.dll (file missing)
O2 - BHO: (no name) - {1FFF6E59-B21A-7FE1-8707-61557FDA2543} - C:\WINDOWS\System32\hukpux.dll
O2 - BHO: (no name) - {4DFA310D-B74E-2FE1-8050-61557FD47C4C} - C:\WINDOWS\System32\vnzkog.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\system32\mssaru.dll

And from safe mode delete:
C:\WINDOWS\System32\hukpux.dll
C:\active.exe
All files in these folders:
C:\documents and settings\karen\local settings\temp
C:\documents and settings\amanda\local settings\temp
C:\documents and settings\jim\local settings\temp

Do the stuff here and in my previous message before posting a new HJT log attachment.

[jimmyp]

I ran both applications in your first reply.

I did not have Belphin Media and Memory Watcher in Program files.
The peper unistall found no pepper files.
I deleted the Items you stated with HijackThis and also deleted Active.exe from safe mode.

[chaslang]

Quote:

Originally Posted by jimmyp

I ran both applications in your first reply.

I did not have Belphin Media and Memory Watcher in Program files.
The peper unistall found no pepper files.
I deleted the Items you stated with HijackThis and also deleted Active.exe from safe mode.

I did not list both in my first reply.

Did you run this one (it is different):
http://tools.zerosrealm.com/PeperFix.exe

[chaslang]

Also it does not look like you deleted the files in the folders I requested:

All files in these folders:
C:\documents and settings\karen\local settings\temp
C:\documents and settings\amanda\local settings\temp
C:\documents and settings\jim\local settings\temp

[jimmyp]

Yes. It ran and then stated no peper files found. :

[chaslang]

Okay you are going to have to do this by hand then.
Run HijackThis and select each of the following items and then click Fix. Afterwards reboot in save mode and delete all the files indicated on each of those O4 lines. The ones with no fullpath (like ersw400.exe) may be in C:\Windows\system32. If not, search for them and delete.
O4 - HKLM\..\Run: [s72i32U] ersw400.exe
O4 - HKLM\..\Run: [NzI] C:\documents and settings\karen\local settings\temp\NzI.exe
O4 - HKLM\..\Run: [JzQ7VtQ] C:\documents and settings\karen\local settings\temp\JzQ7VtQ.exe
O4 - HKLM\..\Run: [zybxepm] C:\WINDOWS\xvjol.exe
O4 - HKLM\..\Run: [zxdrwmx] C:\WINDOWS\ciyxl.exe
O4 - HKLM\..\Run: [zwkphmk] C:\WINDOWS\qqztwk.exe
O4 - HKLM\..\Run: [ztbmq] C:\WINDOWS\pjyeq.exe
O4 - HKLM\..\Run: [zqblmimx] C:\WINDOWS\tnqp.exe
O4 - HKLM\..\Run: [zlbjnndo] C:\WINDOWS\wjnyyjimt.exe
O4 - HKLM\..\Run: [zkwtiejd] C:\WINDOWS\lmqbglu.exe
O4 - HKLM\..\Run: [zdvt] C:\WINDOWS\jdjxlq.exe
O4 - HKLM\..\Run: [zbebbwad] C:\WINDOWS\faszz.exe
O4 - HKLM\..\Run: [yzatnawl] C:\WINDOWS\dxacm.exe
O4 - HKLM\..\Run: [ywyg] C:\WINDOWS\qtohm.exe
O4 - HKLM\..\Run: [ywaww] C:\WINDOWS\mefrlrqnq.exe
O4 - HKLM\..\Run: [yuqxun] C:\WINDOWS\ugvapurd.exe
O4 - HKLM\..\Run: [ypvkeqp] C:\WINDOWS\yfszqnvy.exe
O4 - HKLM\..\Run: [ypllc] C:\WINDOWS\qzaictnt.exe
O4 - HKLM\..\Run: [yjdmxt] C:\WINDOWS\thhztece.exe
O4 - HKLM\..\Run: [yigbce] C:\WINDOWS\tfngwuin.exe
O4 - HKLM\..\Run: [yhkrhq] C:\WINDOWS\udtoajow.exe
O4 - HKLM\..\Run: [yghacb] C:\WINDOWS\qqbhezo.exe
O4 - HKLM\..\Run: [ybpjdbj] C:\WINDOWS\rrid.exe
O4 - HKLM\..\Run: [yayuos] C:\WINDOWS\cczh.exe
O4 - HKLM\..\Run: [yauw] C:\WINDOWS\rfikp.exe
O4 - HKLM\..\Run: [XXu2qiDs1] C:\documents and settings\jim\local settings\temp\XXu2qiDs1.exe
O4 - HKLM\..\Run: [xvrglme] C:\WINDOWS\zkjraenw.exe
O4 - HKLM\..\Run: [xuiuarxl] C:\WINDOWS\wkladms.exe
O4 - HKLM\..\Run: [xrpbf] C:\WINDOWS\xiiecfub.exe
O4 - HKLM\..\Run: [xiri] C:\WINDOWS\yhldjx.exe
O4 - HKLM\..\Run: [xficvcz] C:\WINDOWS\lvpfltjri.exe
O4 - HKLM\..\Run: [xdqtw] C:\WINDOWS\yvcdr.exe
O4 - HKLM\..\Run: [xayaxa] C:\WINDOWS\yxrxppz.exe
O4 - HKLM\..\Run: [wzcju] C:\WINDOWS\krcvnyow.exe
O4 - HKLM\..\Run: [wymdlc] C:\WINDOWS\qfsanxq.exe
O4 - HKLM\..\Run: [wpcruklq] C:\WINDOWS\vveq.exe
O4 - HKLM\..\Run: [whdo] C:\WINDOWS\yfxavf.exe
O4 - HKLM\..\Run: [wgcs] C:\WINDOWS\fzwbz.exe
O4 - HKLM\..\Run: [wdzckmfr] C:\WINDOWS\nghipy.exe
O4 - HKLM\..\Run: [wcqecuu] C:\WINDOWS\qhzrjbf.exe
O4 - HKLM\..\Run: [waaqaplef] C:\WINDOWS\jsyhcfsi.exe
O4 - HKLM\..\Run: [vwctfrx] C:\WINDOWS\xkwlur.exe
O4 - HKLM\..\Run: [vplyeij] C:\WINDOWS\hlmpjv.exe
O4 - HKLM\..\Run: [vmxtlmxb] C:\WINDOWS\kuija.exe
O4 - HKLM\..\Run: [vizntu] C:\WINDOWS\uytj.exe
O4 - HKLM\..\Run: [vhkpxz] C:\WINDOWS\auuln.exe
O4 - HKLM\..\Run: [veeyjfa] C:\WINDOWS\rehv.exe
O4 - HKLM\..\Run: [vbuhanq] C:\WINDOWS\ivnmnwsl.exe
O4 - HKLM\..\Run: [vacy] C:\WINDOWS\wsituyft.exe
O4 - HKLM\..\Run: [uxjhsz] C:\WINDOWS\djzynqf.exe
O4 - HKLM\..\Run: [uwjqxiyl] C:\WINDOWS\vafwwgne.exe
O4 - HKLM\..\Run: [unwwvg] C:\WINDOWS\evzcxbg.exe
O4 - HKLM\..\Run: [ulaaqvft] C:\WINDOWS\pcsdeh.exe
O4 - HKLM\..\Run: [uermup] C:\WINDOWS\fcffds.exe
O4 - HKLM\..\Run: [tvswiwq] C:\WINDOWS\fyday.exe
O4 - HKLM\..\Run: [tteyukcm] C:\WINDOWS\upuyj.exe
O4 - HKLM\..\Run: [tqcm] C:\WINDOWS\hlidi.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tigd] C:\WINDOWS\jyjiupa.exe
O4 - HKLM\..\Run: [thedmd] C:\WINDOWS\ffluouzn.exe
O4 - HKLM\..\Run: [tfxz] C:\WINDOWS\bugonj.exe
O4 - HKLM\..\Run: [taovpaj] C:\WINDOWS\fxax.exe
O4 - HKLM\..\Run: [srzoy] C:\WINDOWS\ialij.exe
O4 - HKLM\..\Run: [sntpek] C:\WINDOWS\bwqodqx.exe
O4 - HKLM\..\Run: [smvm] C:\WINDOWS\bykgzar.exe
O4 - HKLM\..\Run: [sjaf] C:\WINDOWS\gpukwrzk.exe
O4 - HKLM\..\Run: [sfvdke] C:\WINDOWS\zaorcp.exe
O4 - HKLM\..\Run: [rywacwpqb] C:\WINDOWS\rbyxg.exe
O4 - HKLM\..\Run: [ruzb] C:\WINDOWS\ofjbiv.exe
O4 - HKLM\..\Run: [rjmijbjhe] C:\WINDOWS\cuzhubeu.exe
O4 - HKLM\..\Run: [rgzgfqbo] C:\WINDOWS\terp.exe
O4 - HKLM\..\Run: [rfman] C:\WINDOWS\asaopywt.exe
O4 - HKLM\..\Run: [rekvvqo] C:\WINDOWS\wbiwcuelf.exe
O4 - HKLM\..\Run: [rdqncgubn] C:\WINDOWS\bqjplkmw.exe
O4 - HKLM\..\Run: [qzuzb] C:\WINDOWS\dltam.exe
O4 - HKLM\..\Run: [qlimp] C:\WINDOWS\gxcr.exe
O4 - HKLM\..\Run: [qjzkja] C:\WINDOWS\jszyono.exe
O4 - HKLM\..\Run: [qfoib] C:\WINDOWS\jlrks.exe
O4 - HKLM\..\Run: [qdbluetc] C:\WINDOWS\aysmyp.exe
O4 - HKLM\..\Run: [qbhef] C:\WINDOWS\yizi.exe
O4 - HKLM\..\Run: [pzwrs] C:\WINDOWS\sdjvckp.exe
O4 - HKLM\..\Run: [pvkclf] C:\WINDOWS\hpntbd.exe
O4 - HKLM\..\Run: [ptrsfl] C:\WINDOWS\nibb.exe
O4 - HKLM\..\Run: [prpahyc] C:\WINDOWS\svcbauu.exe
O4 - HKLM\..\Run: [pnjfveikb] C:\WINDOWS\amtpwtlej.exe
O4 - HKLM\..\Run: [pbsx] C:\WINDOWS\ysrph.exe
O4 - HKLM\..\Run: [ozsm] C:\WINDOWS\kchp.exe
O4 - HKLM\..\Run: [oxgbeo] C:\WINDOWS\lnns.exe
O4 - HKLM\..\Run: [oqtrxhydp] C:\WINDOWS\sprymx.exe
O4 - HKLM\..\Run: [opcsqug] C:\WINDOWS\poab.exe
O4 - HKLM\..\Run: [opazkto] C:\WINDOWS\lakq.exe
O4 - HKLM\..\Run: [olxkpvvuh] C:\WINDOWS\osisykwuy.exe
O4 - HKLM\..\Run: [olqsel] C:\WINDOWS\bzinf.exe
O4 - HKLM\..\Run: [okkv] C:\WINDOWS\imqfelsd.exe
O4 - HKLM\..\Run: [okkavml] C:\WINDOWS\noqnfk.exe
O4 - HKLM\..\Run: [okjzxc] C:\WINDOWS\imollpij.exe
O4 - HKLM\..\Run: [ojncguar] C:\WINDOWS\qdax.exe
O4 - HKLM\..\Run: [odzdhw] C:\WINDOWS\nibamj.exe
O4 - HKLM\..\Run: [occsmi] C:\WINDOWS\tpfqrs.exe
O4 - HKLM\..\Run: [NzC] C:\documents and settings\jim\local settings\temp\NzC.exe
O4 - HKLM\..\Run: [ntmlkmggy] C:\WINDOWS\usiyrydee.exe
O4 - HKLM\..\Run: [nraiqrnxz] C:\WINDOWS\iuwczuke.exe
O4 - HKLM\..\Run: [nntrpg] C:\WINDOWS\bdaufxmhf.exe
O4 - HKLM\..\Run: [nknzrw] C:\WINDOWS\jkvnt.exe
O4 - HKLM\..\Run: [nettaxbqd] C:\WINDOWS\nxovz.exe
O4 - HKLM\..\Run: [neqh] C:\WINDOWS\jqnpe.exe
O4 - HKLM\..\Run: [neiknjd] C:\WINDOWS\jwahgcyg.exe
O4 - HKLM\..\Run: [mwgfgw] C:\WINDOWS\acallsqf.exe
O4 - HKLM\..\Run: [mvushth] C:\WINDOWS\werpkmf.exe
O4 - HKLM\..\Run: [mvqnbimaq] C:\WINDOWS\gadfoase.exe
O4 - HKLM\..\Run: [mtzl] C:\WINDOWS\vftvlh.exe
O4 - HKLM\..\Run: [mtpdjpu] C:\WINDOWS\rfab.exe
O4 - HKLM\..\Run: [mtauwuh] C:\WINDOWS\nyhzshud.exe
O4 - HKLM\..\Run: [mrgdwwbr] C:\WINDOWS\ovrugpva.exe
O4 - HKLM\..\Run: [mmsdmvyv] C:\WINDOWS\dcwfajo.exe
O4 - HKLM\..\Run: [Microsoft Visual Studio VSA] varpc32.exe <---- not from MS
O4 - HKLM\..\Run: [lyax] C:\WINDOWS\yfpqwkpi.exe
O4 - HKLM\..\Run: [lwpj] C:\WINDOWS\qldibayop.exe
O4 - HKLM\..\Run: [lkyjiolf] C:\WINDOWS\newoh.exe
O4 - HKLM\..\Run: [kyeeqr] C:\WINDOWS\jukngbdaz.exe
O4 - HKLM\..\Run: [kqcnddnpe] C:\WINDOWS\jfbzt.exe
O4 - HKLM\..\Run: [klkrz] C:\WINDOWS\fqamxj.exe
O4 - HKLM\..\Run: [klekszi] C:\WINDOWS\tepa.exe
O4 - HKLM\..\Run: [kjmdklph] C:\WINDOWS\kcjj.exe
O4 - HKLM\..\Run: [kfveg] C:\WINDOWS\ycikzz.exe
O4 - HKLM\..\Run: [jrgdv] C:\WINDOWS\qnsle.exe
O4 - HKLM\..\Run: [jntqb] C:\WINDOWS\cwsivmi.exe
O4 - HKLM\..\Run: [jdfw] C:\WINDOWS\dfbt.exe
O4 - HKLM\..\Run: [ixiradbm] C:\WINDOWS\mvkjjbfp.exe
O4 - HKLM\..\Run: [itydxhvib] C:\WINDOWS\pqiqq.exe
O4 - HKLM\..\Run: [iqsllh] C:\WINDOWS\mwzm.exe
O4 - HKLM\..\Run: [iplohch] C:\WINDOWS\ghjiuqw.exe
O4 - HKLM\..\Run: [imxz] C:\WINDOWS\kvawyelf.exe
O4 - HKLM\..\Run: [ijzlg] C:\WINDOWS\jrcshky.exe
O4 - HKLM\..\Run: [ijaiqfgol] C:\WINDOWS\jtvkdus.exe
O4 - HKLM\..\Run: [igwxjrjj] C:\WINDOWS\livn.exe
O4 - HKLM\..\Run: [hugms] C:\WINDOWS\ltxzyr.exe
O4 - HKLM\..\Run: [htkg] C:\WINDOWS\xmjq.exe
O4 - HKLM\..\Run: [hoeraqf] C:\WINDOWS\coclngq.exe
O4 - HKLM\..\Run: [hjywpwlnm] C:\WINDOWS\lodixdyqe.exe
O4 - HKLM\..\Run: [hemlv] C:\WINDOWS\nzajxtg.exe
O4 - HKLM\..\Run: [hctk] C:\WINDOWS\jeklcvym.exe
O4 - HKLM\..\Run: [hblges] C:\WINDOWS\vnes.exe
O4 - HKLM\..\Run: [gzvwfz] C:\WINDOWS\tbrwywg.exe
O4 - HKLM\..\Run: [gyvdjn] C:\WINDOWS\jgwu.exe
O4 - HKLM\..\Run: [gvlaskzrc] C:\WINDOWS\ilziii.exe
O4 - HKLM\..\Run: [goznnexv] C:\WINDOWS\dfdn.exe
O4 - HKLM\..\Run: [gmmjb] C:\WINDOWS\bbtf.exe
O4 - HKLM\..\Run: [gjds] C:\WINDOWS\seasxnlcx.exe
O4 - HKLM\..\Run: [gbyjj] C:\WINDOWS\mgpgd.exe
O4 - HKLM\..\Run: [gbcu] C:\WINDOWS\pdllngpr.exe
O4 - HKLM\..\Run: [fyasfkk] C:\WINDOWS\nghi.exe
O4 - HKLM\..\Run: [ftgxa] C:\WINDOWS\cqrhhz.exe
O4 - HKLM\..\Run: [fsownhpt] C:\WINDOWS\bkpe.exe
O4 - HKLM\..\Run: [fmtx] C:\WINDOWS\tcgzbdqlx.exe
O4 - HKLM\..\Run: [fkznITEr] C:\documents and settings\amanda\local settings\temp\fkznITEr.exe
O4 - HKLM\..\Run: [fcxesv] C:\WINDOWS\sigue.exe
O4 - HKLM\..\Run: [fcpg] C:\WINDOWS\rgdfuub.exe
O4 - HKLM\..\Run: [fcaaockcs] C:\WINDOWS\oeopto.exe
O4 - HKLM\..\Run: [faozx] C:\WINDOWS\dwyo.exe
O4 - HKLM\..\Run: [exsmjhw] C:\WINDOWS\jwccxe.exe
O4 - HKLM\..\Run: [evuted] C:\WINDOWS\wdtjcjq.exe
O4 - HKLM\..\Run: [eufvpb] C:\WINDOWS\fzup.exe
O4 - HKLM\..\Run: [erazyjfpn] C:\WINDOWS\vcrjwv.exe
O4 - HKLM\..\Run: [enph] C:\WINDOWS\ipevl.exe
O4 - HKLM\..\Run: [eiid] C:\WINDOWS\vgmxkynat.exe
O4 - HKLM\..\Run: [efuu] C:\WINDOWS\svfkvxaf.exe
O4 - HKLM\..\Run: [efpd] C:\WINDOWS\rlwzp.exe
O4 - HKLM\..\Run: [eclnli] C:\WINDOWS\hjvdba.exe
O4 - HKLM\..\Run: [dugffxe] C:\WINDOWS\dhrozqf.exe
O4 - HKLM\..\Run: [domq] C:\WINDOWS\dneskjv.exe
O4 - HKLM\..\Run: [dkignzmg] C:\WINDOWS\pdjazknq.exe
O4 - HKLM\..\Run: [djkz] C:\WINDOWS\qbnnkdif.exe
O4 - HKLM\..\Run: [dIV4cFvy] C:\documents and settings\karen\local settings\temp\dIV4cFvy.exe
O4 - HKLM\..\Run: [dimdkkv] C:\WINDOWS\cwjfrqdcr.exe
O4 - HKLM\..\Run: [delbn] C:\WINDOWS\horhmw.exe
O4 - HKLM\..\Run: [ddgozda] C:\WINDOWS\wnnm.exe
O4 - HKLM\..\Run: [dcvcju] C:\WINDOWS\fbfksnhvp.exe
O4 - HKLM\..\Run: [csklfvvfh] C:\WINDOWS\pgrv.exe
O4 - HKLM\..\Run: [cnrc] C:\WINDOWS\wdxszgoxb.exe
O4 - HKLM\..\Run: [cnpuodau] C:\WINDOWS\kmcgvd.exe
O4 - HKLM\..\Run: [cmyfzug] C:\WINDOWS\lnnrmi.exe
O4 - HKLM\..\Run: [clisuc] C:\WINDOWS\uhuxsxyp.exe
O4 - HKLM\..\Run: [cjvtifmdi] C:\WINDOWS\queeqxpvf.exe
O4 - HKLM\..\Run: [cjffixw] C:\WINDOWS\kxnwfiv.exe
O4 - HKLM\..\Run: [chhrqa] C:\WINDOWS\gyolozyyg.exe
O4 - HKLM\..\Run: [ceoxax] C:\WINDOWS\gakydgdky.exe
O4 - HKLM\..\Run: [cbvijwxsm] C:\WINDOWS\potoxuy.exe
O4 - HKLM\..\Run: [CAO] C:\documents and settings\karen\local settings\temp\CAO.exe
O4 - HKLM\..\Run: [c] C:\documents and settings\karen\local settings\temp\c.exe
O4 - HKLM\..\Run: [bsammi] C:\WINDOWS\pyufao.exe
O4 - HKLM\..\Run: [boucmel] C:\WINDOWS\dttafyeza.exe
O4 - HKLM\..\Run: [bkxwcs] C:\WINDOWS\hwutrpehg.exe
O4 - HKLM\..\Run: [bfheyry] C:\WINDOWS\nuzefli.exe
O4 - HKLM\..\Run: [beqmdu] C:\WINDOWS\pbycdwp.exe
O4 - HKLM\..\Run: [bekcdgcd] C:\WINDOWS\imsrshuek.exe
O4 - HKLM\..\Run: [bazatx] C:\WINDOWS\ufjiaj.exe
O4 - HKLM\..\Run: [awzueyndn] C:\WINDOWS\nldn.exe
O4 - HKLM\..\Run: [autiyyrv] C:\WINDOWS\rqqrpu.exe
O4 - HKLM\..\Run: [aqoxchc] C:\WINDOWS\eryoqrzoi.exe
O4 - HKLM\..\Run: [AOL Instant Messenger] aimsgr.exe
O4 - HKLM\..\Run: [antsxeahe] C:\WINDOWS\cvucojs.exe
O4 - HKLM\..\Run: [ahtzci] C:\WINDOWS\qrtxdj.exe
O4 - HKLM\..\Run: [acdan] C:\WINDOWS\ktiljbdz.exe
O4 - HKLM\..\Run: [61yepo] C:\documents and settings\karen\local settings\temp\61yepo.exe
O4 - HKLM\..\Run: [j] C:\documents and settings\jim\local settings\temp\j.exe
O4 - HKLM\..\Run: [D] C:\documents and settings\karen\local settings\temp\D.exe
O4 - HKLM\..\Run: [2o] C:\documents and settings\jim\local settings\temp\2o.exe
O4 - HKLM\..\Run: [nd] C:\documents and settings\amanda\local settings\temp\nd.exe
O4 - HKLM\..\Run: [Gubjdra] C:\documents and settings\jim\local settings\temp\Gubjdra.exe
O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe <---- this is not AOL's AIM
O4 - HKLM\..\RunServices: [Microsoft Visual Studio VSA] varpc32.exe <---- this is not from MS
O4 - HKCU\..\Run: [Fzp] C:\WINDOWS\System32\vnec.exe
O4 - HKCU\..\Run: [Btulka] C:\WINDOWS\System32\rtmbq.exe

[jimmyp]

I deleted all temp files for each user.

[chaslang]

Quote:

Originally Posted by jimmyp

I deleted all temp files for each user.

Good continue with the long list from my previous post. After delete all of them from safe mode. Reboot normal and post a new HJT log attachment.


Any idea where the heck these all came from?

[jimmyp]

I have deleted all the items you stated with HijackThis. New scan is attached.

[chaslang]

Quote:

Originally Posted by jimmyp

I have deleted all the items you stated with HijackThis. New scan is attached.

Looks a load better!! Doesn't it?

Were you able to find and delete all those files?
How's everything running now?

[jimmyp]

I rebooted and everything looks much better. Quicker too! Should I do anything else? I really appreciate your help!

[jimmyp]

I ran new scans. AdAware and Spybot S&D are clean. Spy Sweeper found the following:
Atwola Cookie
Purity Scan
WildMedia
WebSearch Toolbar