

Really nasty Trojan/adware


Name: Lumpo_Del_Magnifico
Date: January 9, 2004 at 07:57:33 Pacific
OS: windows 2000 Pro
CPU/Ram: pentium 1.2G/256M
Comment:

I posted this same message in the Windows 2000 forum, but it should really go in this one.

On Monday I picked up something on the web. I saw it do the DOS install, but I didn't think much of it. Shortly after, my machine started to really slow down. Then about 8-10 new shortcuts were added to my desktop for Internet gambling, air tickets, solitaire, etc., and a weird search bar was also added; the bar was XP style with a blue background and no name as to whose it was. Also, I began to get popups regardless of whether IE was open or not. We also noted that there were several unidentified processes running in the Task Manager (more later).
My IT folks ran Spybot and cleaned off 287 trojans/adware, but the search bar wouldn't go away. After a whole morning of running Spybot, AdAware and HijackThis, we always had something that needed cleaning. We managed to get rid of everything, but my Task Manager is still showing several unidentified processes. These files have no executables on the hard drive but do show registry entries. The names change each time, but they are usually the same size. Common names for these files are:
Demc1Bu0.exe
Ndh39.exe
CylHzx2.exe
The only other problem I am having is that I am getting a lot of popups while on the web, despite using the Google toolbar popup blocker.
Does anyone have any ideas as to what is going on and how to squash this bug?




Response Number 1
Name: blender
Date: January 9, 2004 at 08:55:02 Pacific
Reply:

Can you post your hijack log please?
The scan button will change to a "save log" button; copy/paste the entire log in your reply.
Thanks!



Response Number 2
Name: Lumpo_Del_Magnifico
Date: January 9, 2004 at 10:03:33 Pacific
Reply:

Here is the log from HijackThis. Note the processes
CylHzX2.exe
Lrohe94f.exe
There are always at least 2 programs named like this running; the second name changes, but I seem to always get the CylHzX2.exe.

Logfile of HijackThis v1.97.7
Scan saved at 11:59:31 AM, on 1/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\AproposClient\Apropos.exe
C:\WINNT\system32\CylHzX2.exe
C:\WINNT\system32\Lrohe94f.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\eric.houg\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.idmcontrols.com/
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [5SMLEDM2A@NQLX] C:\WINNT\system32\Dkp0h.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab



Response Number 3
Name: blender
Date: January 9, 2004 at 11:01:31 Pacific
Reply:

You have the Peper trojan.

http://www.mjc1.com/files/peperpage/

1. Use the uninstall tool - download from:

http://home01.wxs.nl/~kleyn080/uninst.exe

Double click on uninst.exe, let it run and terminate.

2. Delete all the associated files with drpeper - download from

http://www.mjc1.com/files/mo/drpeper.html

Double click drpepertobackup; it will self-extract to C:. With the text in the box highlighted, click start.

3. Go to the file C:\drpeper\Find backup and Delete Peper files.vbs and double click.

4. A box will appear, copy and paste: Dkp0h.exe and hit ok.

5. A second box will appear, copy and paste CylHzX2.exe and hit ok.

6. It will find all the files (there will be several), delete them and make backups in the same folder. It'll open a text file (Peper.txt) with the list of all files deleted. Make sure it is saved.

If you get a VBS script error, then try pasting CylHzX2.exe first, then Dkp0h.exe next.

Reboot and repost fresh hijack log and the contents of peper.txt.


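The six steps above amount to a find, back up and delete sweep for two named components whose siblings carry rotating names. The script below is an added example written for this thread; it is not the drpeper script, the uninstall tool, or anything posted by the participants. It runs against a constructed temporary directory standing in for system32 (the planted files carry the names from this thread but contain inert filler), and the matching rule is this example's own choice: a file that is a byte-for-byte copy of a named seed is moved to a quarantine folder, while a file that merely has the same size is only listed for review, since size alone is too weak a signal to delete on. Missing seeds are skipped, because by the time you run the sweep the names may already have changed. The report it writes plays the role of Peper.txt. One caveat a practitioner would add: a sweep like this only sticks if the watching processes are not running when the files are moved.

```python
"""Quarantine copies of known trojan components and write a report.

Added example for this thread, not the drpeper tool or any Computing.Net
script. Runs against a constructed temporary directory standing in for
system32. Matching rules (an assumption of this example): an exact SHA-256
copy of a seed file is quarantined; a same-size file is reported for review.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, seed_names, quarantine):
    """Move every .exe in root that is a copy of a seed file into quarantine;
    list same-size-but-different files for manual review. Seeds not on disk
    are skipped (the names rotate, so this is normal).
    Returns (quarantined names, review names); writes quarantine/Peper.txt."""
    root, quarantine = Path(root), Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    seed_hashes, seed_sizes = {}, {}
    for name in seed_names:
        p = root / name
        if p.is_file():
            seed_hashes[sha256(p)] = name
            seed_sizes[p.stat().st_size] = name
    quarantined, review, report = [], [], []
    # Materialise the listing first, then move files, so the walk is stable.
    for p in sorted(root.iterdir(), key=lambda x: x.name):
        if not p.is_file() or p.suffix.lower() != ".exe":
            continue
        digest, size = sha256(p), p.stat().st_size
        if digest in seed_hashes:
            shutil.move(str(p), str(quarantine / p.name))   # back up, don't destroy
            quarantined.append(p.name)
            report.append(f"quarantined\t{p.name}\tsha256={digest}"
                          f"\tcopy of seed {seed_hashes[digest]}")
        elif size in seed_sizes:
            review.append(p.name)
            report.append(f"review\t{p.name}\tsize={size}"
                          f"\tsame size as seed {seed_sizes[size]}")
    (quarantine / "Peper.txt").write_text("\n".join(report) + "\n")
    return quarantined, review


def build_demo():
    """Constructed stand-in for system32 with planted sample files.
    The payload is inert filler, not malware."""
    root = Path(tempfile.mkdtemp(prefix="fake_system32_"))
    payload = b"MZ" + b"\x90" * 300 + b"peper-demo"            # 312 bytes
    for name in ("CylHzX2.exe", "Lrohe94f.exe", "Dkp0h.exe", "Ndh39.exe"):
        (root / name).write_bytes(payload)                    # identical copies
    (root / "svchost.exe").write_bytes(b"MZ" + b"\x00" * 4096)  # unrelated
    (root / "Ati2evxx.exe").write_bytes(b"MZ" + b"\x01" * 310)  # 312 bytes, different bytes
    return root


if __name__ == "__main__":
    root = build_demo()
    gone, check = sweep(root, ["CylHzX2.exe", "Dkp0h.exe"], root / "_quarantine")
    print("quarantined:", gone)
    print("review:", check)
    print((root / "_quarantine" / "Peper.txt").read_text())
```

Seeding with the two names from the thread pulls in the other two copies planted under different names, which is the behaviour the poster described when "several" files turned up. The same-size Ati2evxx.exe is deliberately left in place and only reported; a real vendor file that happens to share a size with the trojan must not be swept up by a heuristic.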

Response Number 4
Name: Lumpo_Del_Magnifico
Date: January 9, 2004 at 14:00:06 Pacific
Reply:

Looks like it's gone. Here is the new HJT log file:
Logfile of HijackThis v1.97.7
Scan saved at 3:58:18 PM, on 1/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\AproposClient\Apropos.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.exe
C:\WINNT\msagent\AgentSvr.exe
C:\Documents and Settings\eric.houg\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.idmcontrols.com/
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab



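With both logs now posted, the before/after comparison that blender did by eye can be automated. The script below is an added example written for this thread; it is not a HijackThis feature or anything the participants posted. It parses trimmed excerpts of the two logs above, flags system32 processes that are not in an allowlist and O4 Run entries whose key name looks auto-generated or points at an unknown system32 executable, and then diffs the two logs to show exactly what the cleanup removed and what appeared in the meantime. The allowlist is a constructed assumption for this one Windows 2000 machine (core OS processes plus the vendor utilities visible in the logs), not an authoritative list.

```python
"""Triage HijackThis logs and diff a before/after pair.

Added example for this thread, not a HijackThis or Computing.Net tool. The
two log excerpts are trimmed copies of the logs posted above; the allowlist
is a constructed assumption for this one Windows 2000 machine.
"""
import re
from collections import namedtuple

# Assumption: basenames expected to run from system32 on this machine (core
# OS processes plus the vendor utilities seen in the logs). Anything else
# found in system32 is a review item.
KNOWN_SYSTEM32 = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "regsvc.exe", "mstask.exe", "winmgmt.exe", "rundll32.exe",
    "ibmpmsvc.exe", "ati2evxx.exe", "promon.exe",
}
# O4 lines look like:  O4 - HKLM\..\Run: [KeyName] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
SYS32_EXE_RE = re.compile(r'\\system32\\([^\\\s"]+\.exe)', re.IGNORECASE)
# Run-key names starting with a digit or using characters outside the usual
# product-name set are treated as auto-generated.
ODD_KEY_RE = re.compile(r"^\d|[^A-Za-z0-9 ._-]")
Run = namedtuple("Run", "hive name command")


def parse_log(text):
    """Return (process paths, O4 Run entries) from a HijackThis log."""
    procs, runs, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                procs.append(line)
            else:
                in_procs = False            # blank line ends the process list
        else:
            m = O4_RE.match(line)
            if m:
                runs.append(Run(*m.groups()))
    return procs, runs


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def system32_exe(command):
    m = SYS32_EXE_RE.search(command)
    return m.group(1).lower() if m else None


def triage(text):
    """Flag system32 processes outside the allowlist and odd O4 Run entries."""
    procs, runs = parse_log(text)
    unknown = sorted({basename(p) for p in procs
                      if system32_exe(p) and basename(p) not in KNOWN_SYSTEM32})
    flagged = []
    for r in runs:
        reasons = []
        if ODD_KEY_RE.search(r.name):
            reasons.append("odd key name")
        exe = system32_exe(r.command)
        if exe and exe not in KNOWN_SYSTEM32:
            reasons.append("unknown system32 target")
        if reasons:
            flagged.append((r.name, r.command, reasons))
    return unknown, flagged


def diff_logs(before, after):
    """What disappeared and what appeared between two logs."""
    bp, br = parse_log(before)
    ap, ar = parse_log(after)
    bps, aps = {basename(p) for p in bp}, {basename(p) for p in ap}
    brs, ars = {(r.name, r.command) for r in br}, {(r.name, r.command) for r in ar}
    return {"procs_gone": sorted(bps - aps), "procs_new": sorted(aps - bps),
            "run_gone": sorted(brs - ars), "run_new": sorted(ars - brs)}


# Trimmed excerpts of the two logs posted in this thread.
BEFORE = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\AproposClient\Apropos.exe
C:\WINNT\system32\CylHzX2.exe
C:\WINNT\system32\Lrohe94f.exe

O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [5SMLEDM2A@NQLX] C:\WINNT\system32\Dkp0h.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
"""
AFTER = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\AproposClient\Apropos.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.exe
C:\WINNT\msagent\AgentSvr.exe

O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

if __name__ == "__main__":
    print("before:", triage(BEFORE))
    print("after: ", triage(AFTER))
    print("diff:  ", diff_logs(BEFORE, AFTER))
```

On the first log the allowlist check surfaces exactly the two rotating processes, and the O4 check fires twice on the same entry: once for the key name 5SMLEDM2A@NQLX and once because Dkp0h.exe is an unknown system32 target. The diff then confirms that only those items (plus the IE windows that were open) went away, while the QuickTime, Outlook and AgentSvr entries in the second log are unrelated additions rather than leftovers. The allowlist is the weak point of this approach: a new vendor utility will be flagged until someone verifies it and adds it, which is the right failure direction for triage.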

Response Number 5
Name: blender
Date: January 9, 2004 at 14:22:42 Pacific
Reply:

Looks good. Just one thing to clean up.
It has nothing to do with Peper but is known spyware.

Close all browser windows and check the following in hijack to fix:

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll

Delete the apropos client folder from:
C:\program files\apropos client <-this folder







Response Number 6
Name: Abnormal
Date: January 10, 2004 at 15:04:52 Pacific
Reply:

Good job blender!



Response Number 7
Name: Lumpo_Del_Magnifico
Date: January 12, 2004 at 10:30:39 Pacific
Reply:

Thanks Blender, I feel much better today!



Response Number 8
Name: blender
Date: January 12, 2004 at 18:35:55 Pacific
Reply:

Eric

Glad all is well!

Abnormal

Thanks! It only took 20 or so Peper-infected logs studied before I felt comfy enough to post a fix... lol. Until I had to do the removal on a few computers on my own (no, not mine!) I didn't understand the instructions well enough to reply.



Response Number 9
Name: Guy Owen
Date: January 19, 2004 at 06:30:48 Pacific
Reply:

I hope no one minds that I'm adding a few comments that are duplicated here or there within Computing.Net concerning this darned ol' Peper Trojan. It was a real bear wrestling with this thing yesterday. I wish I had come here first!

I just found your comments here while researching Peper / Wowex32 / Quadro problems that I located on my nephew's computer yesterday. He and his wife were being deluged with hundreds of pop-ups, making their computer unusable. It took me from 9AM to 10:30PM to finally (hopefully) resolve everything. The only program I could find that recognized the Peper Trojan was -- believe it or not -- PestPatrol. Norton, AdAware, The Cleaner, Spybot -- all were of no help in my experience, although they've helped a lot in the past. For whatever reason, scanning with them turned up nothing related to this regenerating nasty bit of code.

The "problems" in detecting this are that the EXE files generated -- which you can spot in the MSCONFIG file (in my case, within Windows 98) -- do NOT come up in a Google search because they are randomly generated. If you delete one, another one appears and you won't find anything. Somewhere along the line, I was able to look at the properties or details within one of the scanners and it identified the new file as belonging to Wowex32, then another as Quadro, and then PestPatrol discovered Peper (which I think is the real culprit).

The part that had me worried the most was after rebooting, Pest Patrol caught it, again, in the Memory area of Windows -- if I can believe the message I received in a DOS box.

You could watch this thing self-generate (along with Apropos) within MSCONFIG and the Registry time and again. In fact, Apropos would appear only after about every 5th or so reboot. It made you think you had removed it -- 30 minutes later, it was back. Whereas Wowex32 / Peper simply ignored you and self-generated with the very next reboot. It was always the now-identified 14-character file name. Searches within the Registry that were recommended at other sites did locate those files -- but deleting the Keys did nothing in getting rid of it. I even found its own tally file that listed 30 or so randomly generated numbers that I think it used as a scratchpad -- even what appeared to be the code that creates them. But deleting THAT file did nothing toward removing it. It simply came back after you rebooted. So the idea that it infects the Memory region makes me wonder if that's not where it can also hide.

PestPatrol seemed to clear it out, but we were forced to pay $39.95 to find out. After 13 hours of trying, it was worth it. I guess. The fixes posted here were free, of course -- so I hope they work each time, and I'll check back here the next time I'm in such a pickle!

Guy



Response Number 10
Name: iceblue
Date: January 19, 2004 at 07:06:27 Pacific
Reply:

Peper is one of those infections where an unknowing user can actually make the problem worse by attempting to delete the files or by making registry changes while the files are active.

The files can monitor each other and monitor the registry, and prevent you from killing them by stopping you from making effective changes to the registry. On deletion of one file it will spawn a whole new set quite happily.

You can't kill one process in Task Manager because the other is watching and will create a new set on every reboot.




Response Number 11
Name: dadhenr
Date: January 27, 2004 at 11:25:09 Pacific
Reply:

Help me please, this is what I have on my laptop. I am running Windows ME, but I am probably not computer literate enough to figure out this cure. I've tried to follow the links and suggestions listed, but to no avail.

Any and ALL help would be appreciated with this.


