Bah... I've tried everything, been given countless tips, but I can't remove the peper trojan from my computer. Probably has something to do with the new CWS variants out there...I'm fairly sure I'm infected with one. Either way, it keeps coming back. If you have any suggestions on how to remove this, please help :/

Go to this website for removal instructions http://www.kephyr.com/spywarescanner/library/pepertrojan/index.phtml Have you installed Memory Watcher? Peper comes bundled with it, if you have. Since you have XP, make sure you turn system restore off, then restart your computer and enter the safe mode, then finish using the instructions.

Post a Hijack This log at: Download HJT here: http://www.spywareinfo.com/~merijn/downloads.html post it here: http://forums.spywareinfo.com/

After I delete it, it just seems to disappear. No trace of the virus. Peperfix won't find it, HijackThis won't find it, it's not even in the registry. But then it comes back. Logfile of HijackThis v1.97.7 Scan saved at 9:30:42 AM, on 7/5/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\HPConfig.exe C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe C:\PROGRA~1\NORTON~2\NORTON~3\navapsvc.exe C:\PROGRA~1\NORTON~2\NORTON~3\npssvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\NORTON~2\NORTON~3\alertsvc.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\System32\carpserv.exe C:\Program Files\HPQ\One-Touch\OneTouch.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\SymTray.exe C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe C:\Program Files\D-Link AirPlus\AirPlus.exe C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.exe C:\tkc-release1-5\KeyCount.exe C:\Program Files\Internet Explorer\IEXPLORE.exe C:\Program Files\Internet Explorer\IEXPLORE.exe C:\Program Files\Internet Explorer\IEXPLORE.exe C:\Program Files\Ventrilo\Ventrilo.exe C:\Program Files\mIRC\mirc.exe C:\Hijack This\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank O2 - BHO: (no name) - {B0D47310-A62A-405B-851E-9F0DFEE06A55} - C:\WINDOWS\System32\jkphfc.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~2\NORTON~3\npscheck.exe O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks" O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe O4 - Startup: Shortcut to KeyCount.lnk = C:\tkc-release1-5\KeyCount.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: D-Link AirPlus.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: AIM (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/166dfb59b81bacd4b520/netzip/RdxIE601.cab O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab