Peper Trojan, affoundation.org/ind.html

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sgt_Pepper, Sep 15, 2004.

  1. Sgt_Pepper

    Sgt_Pepper Private E-2

    I recently noticed some adware running on my computer, ran my Ad-Aware to get rid of it and then thought I was done. But the same programs were on my computer a few hours later (clocksync, searchbar, among others). I ran Spy Sweeper and found a couple of trojans and a lot of adware programs and removed them all. Since then they keep reappearing, most of all WildMedia, eZula, and the Peper Trojan. Also, when I start up my computer Internet Explorer connects to www.affoundation.org/ind.html, even right after I run Spy Sweeper. Any help in diagnosing and remedying this problem would be greatly appreciated.

    -Jacob Schutz
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

  3. Sgt_Pepper

    Sgt_Pepper Private E-2

    Alright, I followed the tutorial and thought I had everything, but now things are starting to go wrong again. I ran a spyware sweep today and again found the eZula iLookup and WildMedia, and Avast told me it had found a trojan. My computer is also still opening that website when I start up. Your help would be greatly appreciated.
     
  4. Sgt_Pepper

    Sgt_Pepper Private E-2

    I'm giving my thread a bump because it has fallen off the front page without a response. Again, any help would be greatly appreciated.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run all the items in the READ ME FIRST, you should read the tutorial in this Sticky thread < Hijack This Tutorial And How To Post Your Log File >

    Post a HijackThis log as a .txt file attachment to your message. All running programs must be closed, including your web browser, e-mail, items in the tray, anything you can close. Close them before running HijackThis!

    Do NOT run HijackThis from the Desktop, a temp folder, or directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  6. Sgt_Pepper

    Sgt_Pepper Private E-2

    Alright here it is. Thanks for the help.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not run the Symantec online scan. Did you run Stinger? You should also give these a run:
    http://www.bitdefender.com/scan/licence.php
    http://www.ravantivirus.com/scan/
    http://www.memorywatcher.com/uninst.exe
    http://tools.zerosrealm.com/PeperFix.exe

    There are a load of trojans in your log we need to fix.

    You should locate the aimsgr.exe file (in C:\WINDOWS\system32\aimsgr.exe), right-click on it and check the Properties info to see who it belongs to. I really question whether it is part of AIM.

    I would use Add/Remove programs to uninstall:
    Viewpoint Manager (unless you know you need it. AOL sneaks this in)
    WildTangent (unless you really need to play their online game stuff)

    Make sure you have system restore disabled and that you have viewing of hidden files enabled.
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them (if found):
    active.exe
    t?skmgr.exe
    Nwp9t0X.exe
    DiiCc.exe
    RWDIqJZF.exe
    ea59c.exe
    Ezg1p5.exe
    JSpRZY.exe
    O.exe
    gv.exe
    Fr.exe
    aMeCVb.exe
    txfce.exe
    3om.exe
    t.exe
    icDpIA.exe
    nA.exe
    xcoacct.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {6BA9300A-EA13-2EE3-8722-63550EAC291E} - C:\WINDOWS\System32\leiihfj.dll
    O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
    O4 - HKLM\..\Run: [RWDIqJZF] C:\documents and settings\windows user\local settings\temp\RWDIqJZF.exe
    O4 - HKLM\..\Run: [ea59c] C:\documents and settings\windows user\local settings\temp\ea59c.exe
    O4 - HKLM\..\Run: [37F@K@Y3F4HG3S] C:\WINDOWS\System32\Ezg1p5.exe
    O4 - HKLM\..\Run: [JSpRZY] c:\documents and settings\windows user\local settings\temp\JSpRZY.exe
    O4 - HKLM\..\Run: [O] C:\documents and settings\windows user\local settings\temp\O.exe
    O4 - HKLM\..\Run: [gv] C:\documents and settings\windows user\local settings\temp\gv.exe
    O4 - HKLM\..\Run: [Fr] C:\documents and settings\windows user\local settings\temp\Fr.exe
    O4 - HKLM\..\Run: [aMeCVb] C:\documents and settings\windows user\local settings\temp\aMeCVb.exe
    O4 - HKLM\..\Run: [t98S36P] txfce.exe
    O4 - HKLM\..\Run: [3om] C:\documents and settings\windows user\local settings\temp\3om.exe
    O4 - HKLM\..\Run: [t] C:\documents and settings\windows user\local settings\temp\t.exe
    O4 - HKLM\..\Run: [icDpIA] C:\documents and settings\windows user\local settings\temp\icDpIA.exe
    O4 - HKLM\..\Run: [nA] C:\documents and settings\windows user\local settings\temp\nA.exe
    O4 - HKCU\..\Run: [cyr2RWjnP] xcoacct.exe
    O4 - HKCU\..\Run: [Xjcw] C:\WINDOWS\System32\t?skmgr.exe
    O16 - DPF: Win32 Classes -
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll

    Now boot in safe mode and use Windows Explorer to delete:
    C:\active.exe
    C:\WINDOWS\System32\t?skmgr.exe
    C:\WINDOWS\System32\Nwp9t0X.exe
    C:\WINDOWS\System32\DiiCc.exe
    C:\WINDOWS\System32\leiihfj.dll
    C:\documents and settings\windows user\local settings\temp\RWDIqJZF.exe
    C:\documents and settings\windows user\local settings\temp\ea59c.exe
    C:\WINDOWS\System32\Ezg1p5.exe
    c:\documents and settings\windows user\local settings\temp\JSpRZY.exe
    C:\documents and settings\windows user\local settings\temp\O.exe
    C:\documents and settings\windows user\local settings\temp\gv.exe
    C:\documents and settings\windows user\local settings\temp\Fr.exe
    C:\documents and settings\windows user\local settings\temp\aMeCVb.exe
    txfce.exe <--- use search to find
    C:\documents and settings\windows user\local settings\temp\3om.exe
    C:\documents and settings\windows user\local settings\temp\t.exe
    C:\documents and settings\windows user\local settings\temp\icDpIA.exe
    C:\documents and settings\windows user\local settings\temp\nA.exe
    xcoacct.exe <--- use search to find
    C:\WINDOWS\System32\mssaru.dll

    If you cannot find any of those using Windows Explorer, try using an Advanced Windows Search to find them.
    Here is how you do that.
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.
    Now reboot in normal mode and come back and tell me how all those steps went and how things are working.
    Post a new HJT log.
     
    Last edited: Sep 24, 2004
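The post above builds three lists by hand from the HijackThis log: processes to end, log lines to fix, and files to delete (with bare filenames set aside to search for). The following Python script does the same mechanically for O2, O4 and O21 entries. It is an added example for this page, not something from the original thread or from the HijackThis authors. The sample log is constructed and modelled on the entry types quoted above (it is not the poster's attachment, and two legitimate entries are mixed in); the set of stock Windows SSODL names is an assumption from memory, and the script assumes, as HijackThis logs of that era did, that a `?` in a filename stands for a character the tool could not display.

```python
"""Turn the O2/O4/O21 entries of a HijackThis-style log into the three lists a
helper builds by hand: processes to end, log lines to fix, files to delete."""
import re
from dataclasses import dataclass, field

# Constructed sample log, modelled on the entry types in the thread above;
# it is NOT the poster's attachment. Two legitimate entries are mixed in.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6BA9300A-EA13-2EE3-8722-63550EAC291E} - C:\WINDOWS\System32\leiihfj.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKLM\..\Run: [RWDIqJZF] C:\documents and settings\windows user\local settings\temp\RWDIqJZF.exe
O4 - HKLM\..\Run: [t98S36P] txfce.exe
O4 - HKCU\..\Run: [Xjcw] C:\WINDOWS\System32\t?skmgr.exe
O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll (file missing)
""".strip()

O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run\w*: \[(.*?)\] (.+)$")
O21_RE = re.compile(r"^O21 - SSODL: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
# First token of an O4 command, quoted or not, up to its extension.
PROG_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|pif|bat))"?', re.I)
TEMP_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\")
# Assumption: stock Windows XP ShellServiceObjectDelayLoad names (from memory).
KNOWN_SSODL = {"postbootreminder", "cdburn", "webcheck", "systray"}


@dataclass
class Entry:
    line: str
    kind: str                 # "O2", "O4" or "O21"
    name: str                 # BHO/SSODL display name or Run value name
    path: str                 # program path as written in the log
    missing: bool = False     # HJT appended "(file missing)"
    reasons: list = field(default_factory=list)

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_bare(self) -> bool:
        # No directory given: Windows resolves it via the PATH search order.
        return "\\" not in self.path


def parse_line(line: str):
    """Return an Entry for O2/O4/O21 lines, None for everything else."""
    line = line.strip()
    if m := O4_RE.match(line):
        prog = PROG_RE.match(m.group(2))
        return Entry(line, "O4", m.group(1), prog.group(1) if prog else m.group(2).split()[0])
    for kind, rx in (("O2", O2_RE), ("O21", O21_RE)):
        if m := rx.match(line):
            path, missing = m.group(2), False
            if path.endswith(" (file missing)"):
                path, missing = path[: -len(" (file missing)")], True
            return Entry(line, kind, m.group(1), path, missing)
    return None


def assess(e: Entry) -> Entry:
    """Attach a reason for every rule the entry trips; no reasons means leave it."""
    low = e.path.lower()
    if e.missing:
        e.reasons.append("file missing: orphaned entry, fix the line, nothing to delete")
    if e.is_bare:
        e.reasons.append("bare filename, no directory: search the disk for it")
    if any(t in low for t in TEMP_DIRS):
        e.reasons.append("runs from a Temp folder")
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):
        e.reasons.append("runs from the drive root")
    if "?" in e.basename:
        # Assumption: HJT printed '?' for a character it could not display,
        # which is how a look-alike of taskmgr.exe appears as t?skmgr.exe.
        e.reasons.append("undisplayable character in name, look-alike of a Windows binary")
    if e.kind == "O2" and e.name == "(no name)":
        e.reasons.append("BHO without a name")
    if e.kind == "O21" and e.name.lower() not in KNOWN_SSODL:
        e.reasons.append("SSODL entry that is not a stock Windows shell object")
    return e


def triage(log_text: str) -> dict:
    """Group flagged entries into the lists a helper would post back."""
    entries = [assess(e) for e in map(parse_line, log_text.splitlines()) if e]
    flagged = [e for e in entries if e.reasons]
    return {
        "fix_lines": [e.line for e in flagged],
        "end_processes": sorted({e.basename for e in flagged
                                 if not e.missing and e.basename.lower().endswith(".exe")}),
        "delete_files": [e.path for e in flagged if not e.missing and not e.is_bare],
        "search_for": sorted({e.basename for e in flagged if e.is_bare}),
        "reasons": {e.basename: e.reasons for e in flagged},
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(f"\n{section}:")
        for item in (items.items() if isinstance(items, dict) else items):
            print("  ", item)
```

The rules are deliberately the ones the post itself relies on: an autorun pointing into a user's Temp folder or the drive root, a bare filename that Windows will resolve through PATH (so the file has to be searched for), a nameless BHO, an SSODL object that is not one of Windows' own, and an entry whose file is already gone (fix the registry line, there is nothing left to delete). Anything the rules do not match, such as the Avast and Adobe entries in the sample, is left alone rather than guessed at.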
  8. Sgt_Pepper

    Sgt_Pepper Private E-2

    Yeah, when I read the README thread it had a bad link to the Symantec online scan, and it said I could do one or the other. I see it has now been updated, sorry for any inconvenience. I did what you said and found some of the processes running, and fixed all the lines in HJT that you said to. When I went to delete the files, I couldn't find most of them (yes, I was in safe mode with hidden files shown). Most of the missing ones were in C:\documents and settings\windows user\local settings\temp. The folder was mostly empty except for about 3 files and 1 folder. The good news is that when I started up, the popup to that website didn't open, so I'm very heartened. Here is my new HJT log, and thank you again for the help. Also, I noticed in my new HJT log that aimsgr is still running. I looked it up like you said and it wasn't legitimate, so I deleted it. Looks like it's back.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you still have System Restore disabled as directed in the READ ME FIRST tutorial.

    Did you run this stuff (especially the last two)? If not, run them now. I still see a peper trojan problem:
    http://www.bitdefender.com/scan/licence.php
    http://www.ravantivirus.com/scan/
    http://www.memorywatcher.com/uninst.exe
    http://tools.zerosrealm.com/PeperFix.exe

    I guess you decided to keep WildTangent?

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below process and End it:
    CfdS1.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [AOL Instant Messenger] aimsgr.exe
    O4 - HKLM\..\Run: [37F@K@Y3F4HG3S] C:\WINDOWS\System32\JqwG5f.exe
    O4 - HKLM\..\RunServices: [AOL Instant Messenger] aimsgr.exe
    O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll (file missing)

    Boot in safe mode and delete (if still there):
    C:\WINDOWS\System32\CfdS1.exe
    C:\WINDOWS\System32\JqwG5f.exe
    C:\WINDOWS\system32\aimsgr.exe (search to see if it is anywhere else too).

    Still in Safe Mode go to C:\Windows\Temp folder.
    Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of the Temp folder.

    Next, go to C:\documents and settings\windows user\local settings\temp\ folder.
    Open the Temp folder and go to Edit>Select All, then Edit>Delete to remove the entire contents of that Temp folder.

    Now go to c:\windows\Prefetch and delete everything in the folder.

    Finally, go to Control Panel>Internet Options.
    On the General tab under: Temporary Internet Files, click: Delete Files
    Place a check by: Delete Offline Content when the prompt appears, and click OK.
    Next, click on the Programs tab, then click: Reset Web Settings button.
    Click Apply, then OK.

    Also, empty the Recycle Bin.

    Reboot, then post a fresh HijackThis log and let us know how things are running.
     
  10. Sgt_Pepper

    Sgt_Pepper Private E-2

    It seems like I got it all, I don't notice any problems. Here's my latest HJT log.
     

    Attached Files:

    • log.txt (3.3 KB)
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks clean now!
     
    Last edited: Sep 26, 2004
  12. Sgt_Pepper

    Sgt_Pepper Private E-2

    Excellent, thank you so much for your help.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     