

Spyware from Hell?


Name: Karl
Date: December 11, 2003 at 12:38:18 Pacific
OS: WinXP
CPU/Ram: 2.2ghz/256ram
Comment:

Got an odd one...second time I've seen this in the last week. Task Manager is showing an oddball process running. First showed up as MzmXHF9.exe. I clicked the "End Process" button and it disappeared only to have a new one pop up: JuaBLqs.exe. Do the "End Process" again and QYu1D4.exe pops up in the process manager. This thing, whatever it is, is 'morphing' as I try to kill it. I believe it's hiding in the Windows/System32 folder. I'm running Norton right now with the definitions updated (is there a setting for adware in there?) and the online virus scan from RAV antivirus shows nothing (always thought they were the best). I ran SpyBot (twice) and it cleaned everything out after rebooting, then ran it again right afterwards and it's showing some spyware from eGroup. Jeez, could this stuff be getting reinstalled from a dropper file of some kind? Grrrr....




Response Number 1
Name: David
Date: December 11, 2003 at 13:28:35 Pacific
Reply:

Spyware Scanner:
Try this.
http://www.javacoolsoftware.com/spywareblaster.html

If you don't want to use the above free program, try booting your computer into Safe Mode and deleting the program there.

Hopefully this helps.
David




Response Number 2
Name: blender
Date: December 11, 2003 at 13:32:51 Pacific
Reply:

Can you go here:

http://www.merijn.org/

Click on the HijackThis link on the page, download HijackThis, unzip it, double-click hijackthis.exe and click Scan; the "Scan" button changes to a "Save Log" button. Save the log and copy/paste the whole log in a reply.
Most of what you see in the scan is safe or even essential, so don't fix anything yet; someone here will analyse the log and tell you what needs to be done.



Response Number 3
Name: Karl
Date: December 11, 2003 at 14:26:29 Pacific
Reply:

Logfile of HijackThis v1.97.7
Scan saved at 5:17:00 PM, on 12/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\MzmXhf9.exe
C:\WINDOWS\System32\NvevGK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ed\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zoomtown.com/index.php?dst=DIST1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.zoomtown.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.the-huns-yellow-pages.com/hp.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E7D7003-9E95-42F2-8F52-E6545AB3E27A} - C:\WINDOWS\System32\degvmgr.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {EC0930A0-5002-4621-BAD4-C03083904A2B} - (no file)
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [4SJ#8Y745N9X#@] C:\WINDOWS\System32\Elq0i.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe"
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Ed\LOCALS~1\Temp\DELDIR0.exe" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O8 - Extra context menu item: &Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: &Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: &Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: &Fill Forms (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: &Save Forms (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF &Toolbar (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {5507E5DD-D525-11D4-89D2-00105AA3C57F} (alaGrid.alaUpdList) - file://\\Athlon\c\WIN2000\CONTENT\cabs\alaGrid.CAB
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {6D251D8B-FD68-4BA2-83D5-1A0A245830C3} (alaWeb.clsSolutionCenter) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {999D162F-1319-48F0-A7DB-886C582EE2C6} (alaWeb.clsGetStats) - file://M:\WIN2000\CONTENT\cabs\alaWeb.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37705.7170138889
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://C:\WIN2000\CONTENT\cabs\alaGrid.CAB
O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/EGHTMLDialerXP.cab
O16 - DPF: {B9D71543-E32B-4EAD-83C1-5B4001B0CE80} (alaWeb.clsSolutionCenter) - file://\\Athlon\c\WIN2000\CONTENT\cabs\alaWeb.CAB
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {ED29A481-CD46-43D9-85AA-E6E869DF2214} (MercStats.cStats) - file://C:\Program Files\Mercury\Content\cabs\MercStats.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4023.cab
O16 - DPF: {F4303A82-D82B-11D4-89D5-00105AA3C57F} (alaGrid.SupportHistory) - file://\\Athlon\c\WIN2000\CONTENT\cabs\alaGrid.CAB

This is the log file as requested. Here's the kicker though: msconfig is showing a file, Elq0i.exe (attrib HS) running on startup from the Windows/System32 folder. If I uncheck it and close, even without rebooting, I get a new file in there with a similar oddball name on startup. I'm running trojanscan.com right now, but it didn't turn up anything last week on my buddy's computer when he had the same problem. Think I'm going to reboot in Safe Mode Command Line and bag this svcker. Grrr...makin' me mean is what it's doin'. :(




Response Number 4
Name: Karl
Date: December 11, 2003 at 14:43:56 Pacific
Reply:

A wee bit more...

Trojanscan.com has me as clean. Tried TDS-3 last week on the other computer I mentioned. Just rebooted and Elq0i.exe is still there. Ran msconfig and unchecked it only to have a new file appear under the startup tab: Nzkx1Wc1.exe. And that was without rebooting. Task Manager's showing a series of .exe's running under the "processes" tab: WfmW2vVc.exe, JauBLqs.exe, MzmXHf9.exe, etc., etc. RAV's not picking this thing up. Norton's not picking this thing up (yes, I updated the def's). And I'm coming up clean on the trojan scans. Running SpyBot now (again) and it's got nothing.



Response Number 5
Name: Tom41
Date: December 11, 2003 at 14:56:51 Pacific
Reply:

You are infected with Trojan.Peper...
Please follow these steps, in exactly this order:

Run this uninstaller:

http://home01.wxs.nl/~kleyn080/uninst.exe

When done, use the following tool to delete the files themselves:

Download Drpepertobackup.exe, save it to disk, and double-click the file; it will self-extract to c:\.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double click it.

http://www.mjc1.com/files/mo/drpepertobackup.exe


On the first prompt, copy and paste MzmXhf9.exe and hit ok.

On the second, paste NvevGK.exe and hit ok again.


It will find all the files, delete them and will make backups in the same folder.

Then reboot and run another Hijack scan and post the log.






Response Number 6
Name: sxshep
Date: December 11, 2003 at 15:00:36 Pacific
Reply:

These are Peper trojan files:

C:\WINDOWS\System32\MzmXhf9.exe
C:\WINDOWS\System32\NvevGK.exe

Follow these instructions for removal:

Download and run this file to fix Peper Trojan:
http://home01.wxs.nl/~kleyn080/uninst.exe
double click on 'uninst.exe', let it run and terminate.

To delete all the associated files download the following tool:
http://www.mjc1.com/files/mo/drpeper.html
It will self-extract to C:\.
Find the C:\drpeper\Find backup and Delete Peper files.vbs file and double-click it.
On the first prompt copy and paste:

MzmXhf9.exe
And hit ok.
You will get a confirmation and proceed:

On the second, paste:
NvevGK.exe

And hit ok.

It will find all the files, delete them and will make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted.
Make sure it is saved. If need be you can post this file later along with a new HJT log
You will probably find quite a list of Peper files; you can post them if you wish, but don't delete them yet. Repost your log when you're done.

hth
shep




Response Number 7
Name: Abnormal
Date: December 11, 2003 at 15:17:07 Pacific
Reply:

Yes, what they said.



Response Number 8
Name: Karl
Date: December 11, 2003 at 15:22:43 Pacific
Reply:

...here's Johnny!

Logfile of HijackThis v1.97.7
Scan saved at 6:20:13 PM, on 12/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ed\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zoomtown.com/index.php?dst=DIST1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.zoomtown.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E7D7003-9E95-42F2-8F52-E6545AB3E27A} - C:\WINDOWS\System32\degvmgr.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {EC0930A0-5002-4621-BAD4-C03083904A2B} - (no file)
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.exe"
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Ed\LOCALS~1\Temp\DELDIR0.exe" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O8 - Extra context menu item: &Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: &Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: &Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: &Fill Forms (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: &Save Forms (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF &Toolbar (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {5507E5DD-D525-11D4-89D2-00105AA3C57F} (alaGrid.alaUpdList) - file://\\Athlon\c\WIN2000\CONTENT\cabs\alaGrid.CAB
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {6D251D8B-FD68-4BA2-83D5-1A0A245830C3} (alaWeb.clsSolutionCenter) - file://C:\WIN2000\CONTENT\cabs\alaWeb.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {999D162F-1319-48F0-A7DB-886C582EE2C6} (alaWeb.clsGetStats) - file://M:\WIN2000\CONTENT\cabs\alaWeb.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37705.7170138889
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://C:\WIN2000\CONTENT\cabs\alaGrid.CAB
O16 - DPF: {B9D71543-E32B-4EAD-83C1-5B4001B0CE80} (alaWeb.clsSolutionCenter) - file://\\Athlon\c\WIN2000\CONTENT\cabs\alaWeb.CAB
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {ED29A481-CD46-43D9-85AA-E6E869DF2214} (MercStats.cStats) - file://C:\Program Files\Mercury\Content\cabs\MercStats.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4023.cab
O16 - DPF: {F4303A82-D82B-11D4-89D5-00105AA3C57F} (alaGrid.SupportHistory) - file://\\Athlon\c\WIN2000\CONTENT\cabs\alaGrid.CAB

Thank you...



Response Number 9
Name: sxshep
Date: December 11, 2003 at 15:32:20 Pacific
Reply:

Here's my list for fix:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {0E7D7003-9E95-42F2-8F52-E6545AB3E27A} - C:\WINDOWS\System32\degvmgr.dll (file missing)

O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {EC0930A0-5002-4621-BAD4-C03083904A2B} - (no file)
But I'm sure I missed some; wait for the rest of the rescue squad.

shep


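What shep and the others did here by eye (spotting randomly named executables in System32, a Run entry with a junk value name, a redirected hosts file, orphaned "(no file)" entries, an unnamed BHO sitting in System32, and ActiveX controls fetched from a bare IP address or a dialer site) can be written down as triage rules. The script below is an added example by the editor of this page, not a tool the posters used and not part of the original thread. Its embedded sample log is constructed from lines of Karl's first log above; the KNOWN_SYSTEM32 allowlist, the scoring thresholds and the rule names are the editor's assumptions. Every hit means "look at this", not "this is malware".

```python
"""Triage heuristics for a HijackThis 1.9x log (added example, see lead-in)."""
import re

VOWELS = set("aeiouy")
# Assumption: System32 executables expected on a Windows XP box; several of
# them (smss, svchost, lsass) look "unpronounceable" to the scorer below.
KNOWN_SYSTEM32 = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                  "spoolsv", "explorer", "taskswitch", "bgswitch", "rundll32", "ctfmon"}
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.I)
SECTION_RE = re.compile(r"^(R\d|O\d+|F\d|N\d) - (.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<value>[^\]]*)\]\s*(?P<rest>.*)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)\b', re.I)
DPF_RE = re.compile(r"^DPF: (?P<desc>.*?) - (?P<url>\S+)$")
IPV4_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)

# Constructed sample: lines modelled on the first log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\MzmXhf9.exe
C:\WINDOWS\System32\NvevGK.exe

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E7D7003-9E95-42F2-8F52-E6545AB3E27A} - C:\WINDOWS\System32\degvmgr.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [4SJ#8Y745N9X#@] C:\WINDOWS\System32\Elq0i.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/EGHTMLDialerXP.cab
"""


def name_score(name: str, camel_case_counts: bool = True) -> int:
    """Points for few vowels, digits glued to or inside letters, repeated case
    flips (MzmXhf9, JuaBLqs) and punctuation. Run value names are often
    CamelCase on purpose, so the case-flip rule can be switched off for them."""
    letters = [c for c in name if c.isalpha()]
    score = 0
    if len(letters) >= 5 and sum(c.lower() in VOWELS for c in letters) / len(letters) < 0.25:
        score += 1                       # consonant run, e.g. MzmXhf
    if re.search(r"[A-Za-z]\d+[A-Za-z]", name):
        score += 2                       # digit sandwiched in letters, e.g. Elq0i
    elif re.search(r"[A-Za-z]\d|\d[A-Za-z]", name):
        score += 1                       # digit glued to letters, e.g. hf9
    if camel_case_counts:
        switches = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
        score += 2 if switches >= 3 else 1 if switches == 2 else 0
    if re.search(r"[^A-Za-z0-9_.\- ]", name):
        score += 1                       # '#' or '@' in a Run value name
    return score


def suspicious_system32_exe(path: str) -> bool:
    """Random-looking executable name in System32 that is not on the allowlist."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(SYSTEM32_RE.search(path)) and stem.lower() not in KNOWN_SYSTEM32 and name_score(stem) >= 2


def triage(log_text: str) -> list:
    """Return (rule, log line) pairs that deserve a human look, in log order."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            if suspicious_system32_exe(line):
                findings.append(("random-name-process", line))
            continue
        m = SECTION_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if "(no file)" in body or "(file missing)" in body:
            findings.append(("orphaned-entry", line))      # housekeeping, as shep put it
        elif section == "O1":
            findings.append(("hosts-redirect", line))      # HJT lists only non-default hosts lines
        elif section == "O2" and body.startswith("BHO: (no name)") and SYSTEM32_RE.search(body):
            findings.append(("unnamed-bho-in-system32", line))
        elif section == "O4" and O4_RE.match(body):
            o4 = O4_RE.match(body)
            exe = EXE_RE.search(o4.group("rest"))
            path = exe.group("path") if exe else o4.group("rest")
            if name_score(o4.group("value"), camel_case_counts=False) >= 2 or suspicious_system32_exe(path):
                findings.append(("random-name-autostart", line))
        elif section == "O16" and DPF_RE.match(body):
            dpf = DPF_RE.match(body)
            if IPV4_URL_RE.match(dpf.group("url")):
                findings.append(("activex-from-raw-ip", line))
            elif "dialer" in dpf.group("desc").lower():
                findings.append(("dialer-control", line))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:26} {evidence}")
```

Run against the sample, it flags the two Peper processes, the Elq0i.exe Run entry, the hosts redirect, the degvmgr.dll BHO, the two orphaned entries, the raw-IP ActiveX control and the dialer, and leaves smss, taskswitch, ccSetMgr, the CoolSwitch entry and the unnamed Acrobat BHO alone. Name scoring is deliberately confined to System32: CamelCase vendor names such as ccSetMgr in Program Files would otherwise score as "random", which is exactly why an allowlist plus a human reading the log, as in this thread, still beats the heuristic on its own.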

Response Number 10
Name: Abnormal
Date: December 11, 2003 at 16:23:35 Pacific
Reply:

Looks OK to me, shep, but the O16 lines I have to learn.
I say remove what shep said and reboot.



Response Number 11
Name: sxshep
Date: December 11, 2003 at 17:07:05 Pacific
Reply:

How we doin' Karl?

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
Looks a lot like

http://www.nyise.org/whatsnew/prodworks.html

And this:

O16 - DPF: {999D162F-1319-48F0-A7DB-886C582EE2C6} (alaWeb.clsGetStats) - file://M:\WIN2000\CONTENT\cabs\alaWeb.CAB


Looks like:

http://www.alaweb.com/

No offence, Karl, but I think we are talking "Blind in Alabama".

Hope your problems were solved, Karl; if not, post back.

hth
shep



Response Number 12
Name: Karl
Date: December 11, 2003 at 19:08:48 Pacific
Reply:

Case closed, pretty much. Trojan removed. HijackThis is new software to me, so I haven't tried removing anything via HJ. The Trojan.Peper IS gone though. Thanks. I take back ALL the bad things I said about you guys. :)



Response Number 13
Name: sxshep
Date: December 11, 2003 at 19:12:20 Pacific
Reply:

No problem, Karl. That stuff was only housekeeping. Thanks to you.

shep


