Help! Can't remove Peper Trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jimmyp, Sep 12, 2004.

  1. jimmyp

    jimmyp Private E-2

    I have been running Spybot S&D, AdAware and Spy Sweeper in safe mode but still keep having problems with Peper Trojan and a variety of adware. I am new to this. I have read other postings on your web but cannot find the same registry entries listed in your forum.
     
  2. siljaline

    siljaline Private E-2

  3. jimmyp

    jimmyp Private E-2

    Thanks for the reply. Here are the results of HijackThis.


    Edit by chaslang: Old version of HJT and inline log deleted.
     
    Last edited by a moderator: Sep 13, 2004
  4. jimmyp

    jimmyp Private E-2

    I forgot to add that SpySweeper keeps finding Peper Trojan. Also, Norton Corporate edition is finding adware trojans daily.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Unless you are going to remain here to work the problems in the HijackThis log, do not request one to be posted. Also note: please follow our rules:

    Please follow all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    NOTE: You should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >

    Do not post a HijackThis log until we ask you to and when we do it must be text document attachment to your message.

    Update! Due to Hijack This logs destroying search engine and web site searches, we now ask you do not post your Hijack This log file unless requested by us. It is for advanced users, so if you do not understand how to use it, you do not need it....yet. Instead, please tell us in your post what symptoms you are experiencing so we can try and resolve it that way. When, and if, we ask you to post your log file, please attach it as a file. To do this save the log file and select manage attachments in a new thread to upload it. All running programs should be closed, including your web browser, e-mail, items in the tray, anything you can close... Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder or choose run from the download. Place it in its own folder, for example C:\Program Files\HJT
     
    Last edited: Sep 13, 2004
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Jimmy read my message below about what should have been done before posting an HJT log and how it is to be posted. Your HJT is out of date too.

    Please run this peper trojan removal tool (may need to run it more than once):
    http://www.memorywatcher.com/uninst.exe
     
    Last edited: Sep 13, 2004
  7. jimmyp

    jimmyp Private E-2

    Sorry for not running the scans first. Being new is no excuse. I have run the following in safe mode:

    CCleaner
    McAfee Stinger
    Trend Micro Online Virus Scan
    Norton Corporate Virus Scan
    Ad-Aware SE with VX2 Cleaner Plug-in
    Spybot Search & Destroy
    Spy Sweeper
    CWShredder
    HSRemove
    Kill2mw
    aboutBuster
    Spyware Blaster

    I am still having problems. I have attached current HijackThis scan.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not say anything about running the peper uninst.exe program so I repeat (and also add another program to run):

    I think you may also have a peper trojan problem.

    Please run the following:
    http://www.memorywatcher.com/uninst.exe

    If you have problems at the above link try this one: http://tools.zerosrealm.com/uninst.exe

    Run it while online.
    -------------------------
    Then go into Control Panel/Add Remove Programs
    Look for Delphin Media and remove it (if found)
    If there is a Memory Watcher on the list, remove that too.

    Now to uninstall the latest variant of peper aka sandboxer trojan run the below:
    http://tools.zerosrealm.com/PeperFix.exe
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also have HijackThis fix these lines:
    O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
    O2 - BHO: (no name) - {1FF83655-B418-78B2-8650-61557FD47C4C} - C:\WINDOWS\System32\lozc.dll (file missing)
    O2 - BHO: (no name) - {1FFF6E59-B21A-7FE1-8707-61557FDA2543} - C:\WINDOWS\System32\hukpux.dll
    O2 - BHO: (no name) - {4DFA310D-B74E-2FE1-8050-61557FD47C4C} - C:\WINDOWS\System32\vnzkog.dll (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\system32\mssaru.dll

    And from safe mode delete:
    C:\WINDOWS\System32\hukpux.dll
    C:\active.exe
    All files in these folders:
    C:\documents and settings\karen\local settings\temp
    C:\documents and settings\amanda\local settings\temp
    C:\documents and settings\jim\local settings\temp

    Do the stuff here and in my previous message before posting a new HJT log attachment.
     
  10. jimmyp

    jimmyp Private E-2

    I ran both applications in your first reply.

    I did not have Delphin Media and Memory Watcher in Program files.
    The peper uninstall found no peper files.
    I deleted the Items you stated with HijackThis and also deleted Active.exe from safe mode.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not list both in my first reply.

    Did you run this one (it is different):
    http://tools.zerosrealm.com/PeperFix.exe
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also it does not look like you deleted the files in the folders I requested:

    All files in these folders:
    C:\documents and settings\karen\local settings\temp
    C:\documents and settings\amanda\local settings\temp
    C:\documents and settings\jim\local settings\temp
     
  13. jimmyp

    jimmyp Private E-2

    Yes. It ran and then stated no peper files found. :confused:
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you are going to have to do this by hand then.
    Run HijackThis and select each of the following items and then click Fix. Afterwards reboot in safe mode and delete all the files indicated on each of those O4 lines. The ones with no full path (like ersw400.exe) may be in C:\Windows\system32. If not, search for them and delete.
    O4 - HKLM\..\Run: [s72i32U] ersw400.exe
    O4 - HKLM\..\Run: [NzI] C:\documents and settings\karen\local settings\temp\NzI.exe
    O4 - HKLM\..\Run: [JzQ7VtQ] C:\documents and settings\karen\local settings\temp\JzQ7VtQ.exe
    O4 - HKLM\..\Run: [zybxepm] C:\WINDOWS\xvjol.exe
    O4 - HKLM\..\Run: [zxdrwmx] C:\WINDOWS\ciyxl.exe
    O4 - HKLM\..\Run: [zwkphmk] C:\WINDOWS\qqztwk.exe
    O4 - HKLM\..\Run: [ztbmq] C:\WINDOWS\pjyeq.exe
    O4 - HKLM\..\Run: [zqblmimx] C:\WINDOWS\tnqp.exe
    O4 - HKLM\..\Run: [zlbjnndo] C:\WINDOWS\wjnyyjimt.exe
    O4 - HKLM\..\Run: [zkwtiejd] C:\WINDOWS\lmqbglu.exe
    O4 - HKLM\..\Run: [zdvt] C:\WINDOWS\jdjxlq.exe
    O4 - HKLM\..\Run: [zbebbwad] C:\WINDOWS\faszz.exe
    O4 - HKLM\..\Run: [yzatnawl] C:\WINDOWS\dxacm.exe
    O4 - HKLM\..\Run: [ywyg] C:\WINDOWS\qtohm.exe
    O4 - HKLM\..\Run: [ywaww] C:\WINDOWS\mefrlrqnq.exe
    O4 - HKLM\..\Run: [yuqxun] C:\WINDOWS\ugvapurd.exe
    O4 - HKLM\..\Run: [ypvkeqp] C:\WINDOWS\yfszqnvy.exe
    O4 - HKLM\..\Run: [ypllc] C:\WINDOWS\qzaictnt.exe
    O4 - HKLM\..\Run: [yjdmxt] C:\WINDOWS\thhztece.exe
    O4 - HKLM\..\Run: [yigbce] C:\WINDOWS\tfngwuin.exe
    O4 - HKLM\..\Run: [yhkrhq] C:\WINDOWS\udtoajow.exe
    O4 - HKLM\..\Run: [yghacb] C:\WINDOWS\qqbhezo.exe
    O4 - HKLM\..\Run: [ybpjdbj] C:\WINDOWS\rrid.exe
    O4 - HKLM\..\Run: [yayuos] C:\WINDOWS\cczh.exe
    O4 - HKLM\..\Run: [yauw] C:\WINDOWS\rfikp.exe
    O4 - HKLM\..\Run: [XXu2qiDs1] C:\documents and settings\jim\local settings\temp\XXu2qiDs1.exe
    O4 - HKLM\..\Run: [xvrglme] C:\WINDOWS\zkjraenw.exe
    O4 - HKLM\..\Run: [xuiuarxl] C:\WINDOWS\wkladms.exe
    O4 - HKLM\..\Run: [xrpbf] C:\WINDOWS\xiiecfub.exe
    O4 - HKLM\..\Run: [xiri] C:\WINDOWS\yhldjx.exe
    O4 - HKLM\..\Run: [xficvcz] C:\WINDOWS\lvpfltjri.exe
    O4 - HKLM\..\Run: [xdqtw] C:\WINDOWS\yvcdr.exe
    O4 - HKLM\..\Run: [xayaxa] C:\WINDOWS\yxrxppz.exe
    O4 - HKLM\..\Run: [wzcju] C:\WINDOWS\krcvnyow.exe
    O4 - HKLM\..\Run: [wymdlc] C:\WINDOWS\qfsanxq.exe
    O4 - HKLM\..\Run: [wpcruklq] C:\WINDOWS\vveq.exe
    O4 - HKLM\..\Run: [whdo] C:\WINDOWS\yfxavf.exe
    O4 - HKLM\..\Run: [wgcs] C:\WINDOWS\fzwbz.exe
    O4 - HKLM\..\Run: [wdzckmfr] C:\WINDOWS\nghipy.exe
    O4 - HKLM\..\Run: [wcqecuu] C:\WINDOWS\qhzrjbf.exe
    O4 - HKLM\..\Run: [waaqaplef] C:\WINDOWS\jsyhcfsi.exe
    O4 - HKLM\..\Run: [vwctfrx] C:\WINDOWS\xkwlur.exe
    O4 - HKLM\..\Run: [vplyeij] C:\WINDOWS\hlmpjv.exe
    O4 - HKLM\..\Run: [vmxtlmxb] C:\WINDOWS\kuija.exe
    O4 - HKLM\..\Run: [vizntu] C:\WINDOWS\uytj.exe
    O4 - HKLM\..\Run: [vhkpxz] C:\WINDOWS\auuln.exe
    O4 - HKLM\..\Run: [veeyjfa] C:\WINDOWS\rehv.exe
    O4 - HKLM\..\Run: [vbuhanq] C:\WINDOWS\ivnmnwsl.exe
    O4 - HKLM\..\Run: [vacy] C:\WINDOWS\wsituyft.exe
    O4 - HKLM\..\Run: [uxjhsz] C:\WINDOWS\djzynqf.exe
    O4 - HKLM\..\Run: [uwjqxiyl] C:\WINDOWS\vafwwgne.exe
    O4 - HKLM\..\Run: [unwwvg] C:\WINDOWS\evzcxbg.exe
    O4 - HKLM\..\Run: [ulaaqvft] C:\WINDOWS\pcsdeh.exe
    O4 - HKLM\..\Run: [uermup] C:\WINDOWS\fcffds.exe
    O4 - HKLM\..\Run: [tvswiwq] C:\WINDOWS\fyday.exe
    O4 - HKLM\..\Run: [tteyukcm] C:\WINDOWS\upuyj.exe
    O4 - HKLM\..\Run: [tqcm] C:\WINDOWS\hlidi.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [tigd] C:\WINDOWS\jyjiupa.exe
    O4 - HKLM\..\Run: [thedmd] C:\WINDOWS\ffluouzn.exe
    O4 - HKLM\..\Run: [tfxz] C:\WINDOWS\bugonj.exe
    O4 - HKLM\..\Run: [taovpaj] C:\WINDOWS\fxax.exe
    O4 - HKLM\..\Run: [srzoy] C:\WINDOWS\ialij.exe
    O4 - HKLM\..\Run: [sntpek] C:\WINDOWS\bwqodqx.exe
    O4 - HKLM\..\Run: [smvm] C:\WINDOWS\bykgzar.exe
    O4 - HKLM\..\Run: [sjaf] C:\WINDOWS\gpukwrzk.exe
    O4 - HKLM\..\Run: [sfvdke] C:\WINDOWS\zaorcp.exe
    O4 - HKLM\..\Run: [rywacwpqb] C:\WINDOWS\rbyxg.exe
    O4 - HKLM\..\Run: [ruzb] C:\WINDOWS\ofjbiv.exe
    O4 - HKLM\..\Run: [rjmijbjhe] C:\WINDOWS\cuzhubeu.exe
    O4 - HKLM\..\Run: [rgzgfqbo] C:\WINDOWS\terp.exe
    O4 - HKLM\..\Run: [rfman] C:\WINDOWS\asaopywt.exe
    O4 - HKLM\..\Run: [rekvvqo] C:\WINDOWS\wbiwcuelf.exe
    O4 - HKLM\..\Run: [rdqncgubn] C:\WINDOWS\bqjplkmw.exe
    O4 - HKLM\..\Run: [qzuzb] C:\WINDOWS\dltam.exe
    O4 - HKLM\..\Run: [qlimp] C:\WINDOWS\gxcr.exe
    O4 - HKLM\..\Run: [qjzkja] C:\WINDOWS\jszyono.exe
    O4 - HKLM\..\Run: [qfoib] C:\WINDOWS\jlrks.exe
    O4 - HKLM\..\Run: [qdbluetc] C:\WINDOWS\aysmyp.exe
    O4 - HKLM\..\Run: [qbhef] C:\WINDOWS\yizi.exe
    O4 - HKLM\..\Run: [pzwrs] C:\WINDOWS\sdjvckp.exe
    O4 - HKLM\..\Run: [pvkclf] C:\WINDOWS\hpntbd.exe
    O4 - HKLM\..\Run: [ptrsfl] C:\WINDOWS\nibb.exe
    O4 - HKLM\..\Run: [prpahyc] C:\WINDOWS\svcbauu.exe
    O4 - HKLM\..\Run: [pnjfveikb] C:\WINDOWS\amtpwtlej.exe
    O4 - HKLM\..\Run: [pbsx] C:\WINDOWS\ysrph.exe
    O4 - HKLM\..\Run: [ozsm] C:\WINDOWS\kchp.exe
    O4 - HKLM\..\Run: [oxgbeo] C:\WINDOWS\lnns.exe
    O4 - HKLM\..\Run: [oqtrxhydp] C:\WINDOWS\sprymx.exe
    O4 - HKLM\..\Run: [opcsqug] C:\WINDOWS\poab.exe
    O4 - HKLM\..\Run: [opazkto] C:\WINDOWS\lakq.exe
    O4 - HKLM\..\Run: [olxkpvvuh] C:\WINDOWS\osisykwuy.exe
    O4 - HKLM\..\Run: [olqsel] C:\WINDOWS\bzinf.exe
    O4 - HKLM\..\Run: [okkv] C:\WINDOWS\imqfelsd.exe
    O4 - HKLM\..\Run: [okkavml] C:\WINDOWS\noqnfk.exe
    O4 - HKLM\..\Run: [okjzxc] C:\WINDOWS\imollpij.exe
    O4 - HKLM\..\Run: [ojncguar] C:\WINDOWS\qdax.exe
    O4 - HKLM\..\Run: [odzdhw] C:\WINDOWS\nibamj.exe
    O4 - HKLM\..\Run: [occsmi] C:\WINDOWS\tpfqrs.exe
    O4 - HKLM\..\Run: [NzC] C:\documents and settings\jim\local settings\temp\NzC.exe
    O4 - HKLM\..\Run: [ntmlkmggy] C:\WINDOWS\usiyrydee.exe
    O4 - HKLM\..\Run: [nraiqrnxz] C:\WINDOWS\iuwczuke.exe
    O4 - HKLM\..\Run: [nntrpg] C:\WINDOWS\bdaufxmhf.exe
    O4 - HKLM\..\Run: [nknzrw] C:\WINDOWS\jkvnt.exe
    O4 - HKLM\..\Run: [nettaxbqd] C:\WINDOWS\nxovz.exe
    O4 - HKLM\..\Run: [neqh] C:\WINDOWS\jqnpe.exe
    O4 - HKLM\..\Run: [neiknjd] C:\WINDOWS\jwahgcyg.exe
    O4 - HKLM\..\Run: [mwgfgw] C:\WINDOWS\acallsqf.exe
    O4 - HKLM\..\Run: [mvushth] C:\WINDOWS\werpkmf.exe
    O4 - HKLM\..\Run: [mvqnbimaq] C:\WINDOWS\gadfoase.exe
    O4 - HKLM\..\Run: [mtzl] C:\WINDOWS\vftvlh.exe
    O4 - HKLM\..\Run: [mtpdjpu] C:\WINDOWS\rfab.exe
    O4 - HKLM\..\Run: [mtauwuh] C:\WINDOWS\nyhzshud.exe
    O4 - HKLM\..\Run: [mrgdwwbr] C:\WINDOWS\ovrugpva.exe
    O4 - HKLM\..\Run: [mmsdmvyv] C:\WINDOWS\dcwfajo.exe
    O4 - HKLM\..\Run: [Microsoft Visual Studio VSA] varpc32.exe <---- not from MS
    O4 - HKLM\..\Run: [lyax] C:\WINDOWS\yfpqwkpi.exe
    O4 - HKLM\..\Run: [lwpj] C:\WINDOWS\qldibayop.exe
    O4 - HKLM\..\Run: [lkyjiolf] C:\WINDOWS\newoh.exe
    O4 - HKLM\..\Run: [kyeeqr] C:\WINDOWS\jukngbdaz.exe
    O4 - HKLM\..\Run: [kqcnddnpe] C:\WINDOWS\jfbzt.exe
    O4 - HKLM\..\Run: [klkrz] C:\WINDOWS\fqamxj.exe
    O4 - HKLM\..\Run: [klekszi] C:\WINDOWS\tepa.exe
    O4 - HKLM\..\Run: [kjmdklph] C:\WINDOWS\kcjj.exe
    O4 - HKLM\..\Run: [kfveg] C:\WINDOWS\ycikzz.exe
    O4 - HKLM\..\Run: [jrgdv] C:\WINDOWS\qnsle.exe
    O4 - HKLM\..\Run: [jntqb] C:\WINDOWS\cwsivmi.exe
    O4 - HKLM\..\Run: [jdfw] C:\WINDOWS\dfbt.exe
    O4 - HKLM\..\Run: [ixiradbm] C:\WINDOWS\mvkjjbfp.exe
    O4 - HKLM\..\Run: [itydxhvib] C:\WINDOWS\pqiqq.exe
    O4 - HKLM\..\Run: [iqsllh] C:\WINDOWS\mwzm.exe
    O4 - HKLM\..\Run: [iplohch] C:\WINDOWS\ghjiuqw.exe
    O4 - HKLM\..\Run: [imxz] C:\WINDOWS\kvawyelf.exe
    O4 - HKLM\..\Run: [ijzlg] C:\WINDOWS\jrcshky.exe
    O4 - HKLM\..\Run: [ijaiqfgol] C:\WINDOWS\jtvkdus.exe
    O4 - HKLM\..\Run: [igwxjrjj] C:\WINDOWS\livn.exe
    O4 - HKLM\..\Run: [hugms] C:\WINDOWS\ltxzyr.exe
    O4 - HKLM\..\Run: [htkg] C:\WINDOWS\xmjq.exe
    O4 - HKLM\..\Run: [hoeraqf] C:\WINDOWS\coclngq.exe
    O4 - HKLM\..\Run: [hjywpwlnm] C:\WINDOWS\lodixdyqe.exe
    O4 - HKLM\..\Run: [hemlv] C:\WINDOWS\nzajxtg.exe
    O4 - HKLM\..\Run: [hctk] C:\WINDOWS\jeklcvym.exe
    O4 - HKLM\..\Run: [hblges] C:\WINDOWS\vnes.exe
    O4 - HKLM\..\Run: [gzvwfz] C:\WINDOWS\tbrwywg.exe
    O4 - HKLM\..\Run: [gyvdjn] C:\WINDOWS\jgwu.exe
    O4 - HKLM\..\Run: [gvlaskzrc] C:\WINDOWS\ilziii.exe
    O4 - HKLM\..\Run: [goznnexv] C:\WINDOWS\dfdn.exe
    O4 - HKLM\..\Run: [gmmjb] C:\WINDOWS\bbtf.exe
    O4 - HKLM\..\Run: [gjds] C:\WINDOWS\seasxnlcx.exe
    O4 - HKLM\..\Run: [gbyjj] C:\WINDOWS\mgpgd.exe
    O4 - HKLM\..\Run: [gbcu] C:\WINDOWS\pdllngpr.exe
    O4 - HKLM\..\Run: [fyasfkk] C:\WINDOWS\nghi.exe
    O4 - HKLM\..\Run: [ftgxa] C:\WINDOWS\cqrhhz.exe
    O4 - HKLM\..\Run: [fsownhpt] C:\WINDOWS\bkpe.exe
    O4 - HKLM\..\Run: [fmtx] C:\WINDOWS\tcgzbdqlx.exe
    O4 - HKLM\..\Run: [fkznITEr] C:\documents and settings\amanda\local settings\temp\fkznITEr.exe
    O4 - HKLM\..\Run: [fcxesv] C:\WINDOWS\sigue.exe
    O4 - HKLM\..\Run: [fcpg] C:\WINDOWS\rgdfuub.exe
    O4 - HKLM\..\Run: [fcaaockcs] C:\WINDOWS\oeopto.exe
    O4 - HKLM\..\Run: [faozx] C:\WINDOWS\dwyo.exe
    O4 - HKLM\..\Run: [exsmjhw] C:\WINDOWS\jwccxe.exe
    O4 - HKLM\..\Run: [evuted] C:\WINDOWS\wdtjcjq.exe
    O4 - HKLM\..\Run: [eufvpb] C:\WINDOWS\fzup.exe
    O4 - HKLM\..\Run: [erazyjfpn] C:\WINDOWS\vcrjwv.exe
    O4 - HKLM\..\Run: [enph] C:\WINDOWS\ipevl.exe
    O4 - HKLM\..\Run: [eiid] C:\WINDOWS\vgmxkynat.exe
    O4 - HKLM\..\Run: [efuu] C:\WINDOWS\svfkvxaf.exe
    O4 - HKLM\..\Run: [efpd] C:\WINDOWS\rlwzp.exe
    O4 - HKLM\..\Run: [eclnli] C:\WINDOWS\hjvdba.exe
    O4 - HKLM\..\Run: [dugffxe] C:\WINDOWS\dhrozqf.exe
    O4 - HKLM\..\Run: [domq] C:\WINDOWS\dneskjv.exe
    O4 - HKLM\..\Run: [dkignzmg] C:\WINDOWS\pdjazknq.exe
    O4 - HKLM\..\Run: [djkz] C:\WINDOWS\qbnnkdif.exe
    O4 - HKLM\..\Run: [dIV4cFvy] C:\documents and settings\karen\local settings\temp\dIV4cFvy.exe
    O4 - HKLM\..\Run: [dimdkkv] C:\WINDOWS\cwjfrqdcr.exe
    O4 - HKLM\..\Run: [delbn] C:\WINDOWS\horhmw.exe
    O4 - HKLM\..\Run: [ddgozda] C:\WINDOWS\wnnm.exe
    O4 - HKLM\..\Run: [dcvcju] C:\WINDOWS\fbfksnhvp.exe
    O4 - HKLM\..\Run: [csklfvvfh] C:\WINDOWS\pgrv.exe
    O4 - HKLM\..\Run: [cnrc] C:\WINDOWS\wdxszgoxb.exe
    O4 - HKLM\..\Run: [cnpuodau] C:\WINDOWS\kmcgvd.exe
    O4 - HKLM\..\Run: [cmyfzug] C:\WINDOWS\lnnrmi.exe
    O4 - HKLM\..\Run: [clisuc] C:\WINDOWS\uhuxsxyp.exe
    O4 - HKLM\..\Run: [cjvtifmdi] C:\WINDOWS\queeqxpvf.exe
    O4 - HKLM\..\Run: [cjffixw] C:\WINDOWS\kxnwfiv.exe
    O4 - HKLM\..\Run: [chhrqa] C:\WINDOWS\gyolozyyg.exe
    O4 - HKLM\..\Run: [ceoxax] C:\WINDOWS\gakydgdky.exe
    O4 - HKLM\..\Run: [cbvijwxsm] C:\WINDOWS\potoxuy.exe
    O4 - HKLM\..\Run: [CAO] C:\documents and settings\karen\local settings\temp\CAO.exe
    O4 - HKLM\..\Run: [c] C:\documents and settings\karen\local settings\temp\c.exe
    O4 - HKLM\..\Run: [bsammi] C:\WINDOWS\pyufao.exe
    O4 - HKLM\..\Run: [boucmel] C:\WINDOWS\dttafyeza.exe
    O4 - HKLM\..\Run: [bkxwcs] C:\WINDOWS\hwutrpehg.exe
    O4 - HKLM\..\Run: [bfheyry] C:\WINDOWS\nuzefli.exe
    O4 - HKLM\..\Run: [beqmdu] C:\WINDOWS\pbycdwp.exe
    O4 - HKLM\..\Run: [bekcdgcd] C:\WINDOWS\imsrshuek.exe
    O4 - HKLM\..\Run: [bazatx] C:\WINDOWS\ufjiaj.exe
    O4 - HKLM\..\Run: [awzueyndn] C:\WINDOWS\nldn.exe
    O4 - HKLM\..\Run: [autiyyrv] C:\WINDOWS\rqqrpu.exe
    O4 - HKLM\..\Run: [aqoxchc] C:\WINDOWS\eryoqrzoi.exe
    O4 - HKLM\..\Run: [AOL Instant Messenger] aimsgr.exe
    O4 - HKLM\..\Run: [antsxeahe] C:\WINDOWS\cvucojs.exe
    O4 - HKLM\..\Run: [ahtzci] C:\WINDOWS\qrtxdj.exe
    O4 - HKLM\..\Run: [acdan] C:\WINDOWS\ktiljbdz.exe
    O4 - HKLM\..\Run: [61yepo] C:\documents and settings\karen\local settings\temp\61yepo.exe
    O4 - HKLM\..\Run: [j] C:\documents and settings\jim\local settings\temp\j.exe
    O4 - HKLM\..\Run: [D] C:\documents and settings\karen\local settings\temp\D.exe
    O4 - HKLM\..\Run: [2o] C:\documents and settings\jim\local settings\temp\2o.exe
    O4 - HKLM\..\Run: [nd] C:\documents and settings\amanda\local settings\temp\nd.exe
    O4 - HKLM\..\Run: [Gubjdra] C:\documents and settings\jim\local settings\temp\Gubjdra.exe
    O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe <---- this is not AOL's AIM
    O4 - HKLM\..\RunServices: [Microsoft Visual Studio VSA] varpc32.exe <---- this is not from MS
    O4 - HKCU\..\Run: [Fzp] C:\WINDOWS\System32\vnec.exe
    O4 - HKCU\..\Run: [Btulka] C:\WINDOWS\System32\rtmbq.exe
     
  15. jimmyp

    jimmyp Private E-2

    I deleted all temp files for each user.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good, continue with the long list from my previous post. After deleting all of them from safe mode, reboot normal and post a new HJT log attachment.


    Any idea where the heck these all came from?
     
  17. jimmyp

    jimmyp Private E-2

    I have deleted all the items you stated with HijackThis. New scan is attached.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks a load better!! Doesn't it?

    Were you able to find and delete all those files?
    How's everything running now?
     
  19. jimmyp

    jimmyp Private E-2

    I rebooted and everything looks much better. Quicker too! Should I do anything else? I really appreciate your help!
     
  20. jimmyp

    jimmyp Private E-2

    I ran new scans. AdAware and Spybot S&D are clean. Spy Sweeper found the following:
    Atwola Cookie
    Purity Scan
    WildMedia
    WebSearch Toolbar
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Post a new HJT log. I did not see signs of PurityScan, WildMedia, or WebSearch Toolbar before. And cookies like Atwola are always going to be found after some surfing unless you install some programs like SpywareBlaster and SpywareGuard to block them.
     
  22. jimmyp

    jimmyp Private E-2

    Here is the new scan. Must go to work so I'll be back later.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't see anything related to those items in your log. Run SpySweeper again and see where it found them (i.e., in the file system or registry keys, give me complete info).

    And unless you wanted your default search page to be blank, I would have HJT fix the following lines:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=

    And then right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.yahoo.com (assuming that is what you wanted). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  24. jimmyp

    jimmyp Private E-2

    I think everything is mostly clean now. AdAware and Spybot S&D are clean. Spy Sweeper only finds WebSearch Toolbar. It cannot clean it and tells me to manually delete C:\ProgramFiles\Toolbar\Temp. Even though I change file attributes to not read only I cannot delete. Also, despite deleting the O14 items in HijackThis they keep coming back.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please stop SpySweeper from running by right clicking on the system tray icon and select close.
    Then try this again:

    And unless you wanted your default search page to be blank, I would have HJT fix the following lines:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = %SEARCH_PAGE_URL%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=

    And then right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.majorgeeks.com (I know you may want yahoo but just use this for now. We can change it later. I want to see the results with a different start page). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Try the below for WebSearch Toolbar:
    http://www.kephyr.com/spywarescanner/library/websearchtoolbar/index.phtml
     
  26. jimmyp

    jimmyp Private E-2

    Completed all items. It appears that HJT did not delete everything.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must have Internet Explorer closed when running HijackThis. See this process running in your log:
    C:\Program Files\Internet Explorer\iexplore.exe

    Exit all IE sessions before doing scans but more importantly before Fixing items with HJT. Try again with all IE sessions, any other browsers, and SpySweeper not running.
     
  28. jimmyp

    jimmyp Private E-2

    I think I have done everything correctly.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, the R0 & R1 lines are gone but did you forget to do this:

    And then right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.majorgeeks.com (I know you may want yahoo but just use this for now. We can change it later. I want to see the results with a different start page). Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
     
  30. jimmyp

    jimmyp Private E-2

    I have done this. Home page changes to blank on its own.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
    wscntfy.exe

    Now run HJT and put checks on the below line and click fix (make sure no IE sessions are running including the one you are reading in right now):
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=

    Then try to do the Reset Web Settings procedure again and post a new log.


    I have to run out for an hour or so. I'll be back later.
     
  32. jimmyp

    jimmyp Private E-2

    still trying!
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not end the wscntfy.exe process. I still see it in your log. But this time the R0 line with majorgeeks.com shows up. Have you been having any problems whatsoever running any steps? You have to provide me with details of what goes on.

    Just saying, "still trying!" and posting a log does not tell me what you just did and what may have happened.

    Why is it that the www.majorgeeks.com line shows now but did not the last time I asked you to do this? What is different?
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps wscntfy.exe cannot be ended using Task Manager, but you could have mentioned if you got an error or saw that it did not end.
     
  35. jimmyp

    jimmyp Private E-2

    When I run Task Manager wscntfy.exe does not delete. Instead, when I end the process it just moves further down the list of running processes. Also, the last HJT run was done immediately after I fixed files (selected the items you mentioned to fix).
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But so was the log from message #30 and it showed no R0 lines. ????

    Do you still have the WebSearch Toolbar issue?
     
  37. jimmyp

    jimmyp Private E-2

    I will run spy sweeper and post a new HJT log. It will take a few minutes.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't need a log! I need you to search the registry for WebSearch!
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1) go here and download Registrar lite and install it:
    http://www.majorgeeks.com/download469.html

    2) Run it, click on the search icon (the magnifier glass). Enter the below into the text to search for box:
    WebSearch

    Post back here all matches found.
     
  40. jimmyp

    jimmyp Private E-2

    SpySweeper still finds WebSearch Toolbar. It cannot clean it but tells me to manually delete c:\ProgramFiles\Toolbar\Temp. When I right click on this file and check properties it has a read-only attribute. I change it to eliminate this and select apply. I still cannot delete this file. I get an access denied error: either the file is write protected or in use.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do what I said below! But have you tried to delete that folder after booting in safe mode and with no browsers running?
     
  42. jimmyp

    jimmyp Private E-2

    I ran Registrar Lite searching for WebSearch. No items were found. Also, I tried to delete C:\ProgramFiles\Toolbar\Temp from safe mode. Despite changing file attributes I could not delete it. Same error message as below.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are there any files in the c:\ProgramFiles\Toolbar\Temp folder?
     
  44. jimmyp

    jimmyp Private E-2

    When I try to access it through My Computer I get an error message stating access denied.
     
  45. jimmyp

    jimmyp Private E-2

    Must go to sleep. Have to go to work tomorrow. I'll check postings in the morning.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Ad-Aware SE and click Scan Now, then choose Scan volume for ADS. Then click the underlined word 'Select'. Choose your hard disk drive (C) and then click Proceed. Then click Next. If it finds anything tell me what it finds.
     
  47. jimmyp

    jimmyp Private E-2

    AdAware in ADS scan found a number of MRU Lists. I deleted them all. AdAwareSE, SpyBot S&D and Spy Sweeper are all clean on scans now. Only thing that remains in the HJT log is the two O14 items. I think the clean sweeps show I'm done and the computer is running great. Thanks for all your help!!!
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     