
Spyware/Pop-up Problem Hijack log

Name: JRiezinger
Date: January 18, 2004 at 11:33:46 Pacific
OS: XP
CPU/Ram: 1200mhzAMD/256k
Comment:

OK, this is my mother's computer, she's gotten some spyware somewhere, I can't seem to get it all out myself. :( I used Ad-aware, rebooted, used Spybot, rebooted, still getting pop-ups. :x Almost every time I reboot and run Ad-aware I get new infected files and delete them; Spybot is coming up clean. But I've seen eAccelerator, eUniverse, MemoryWatch, eZula, stop-sign, several things I've tried through Ad-aware to delete, but I still get more pop-ups.

So I've run HijackThis to print up a log, maybe someone here can walk me through the steps to get rid of whatever it is that keeps popping back up.

Logfile of HijackThis v1.97.7
Scan saved at 2:10:37 PM, on 1/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\INCRED~1\bin\IMAPP.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\HuhTcA.exe
C:\WINDOWS\System32\NhayDF.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\AproposClient\Apropos.exe
C:\unzipped\hijackthis1977\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://middlegeorgia.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://middlegeorgia.cox.net/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 127.127.127.127 elite
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {50A0C826-9E1D-4EAB-A86E-3AEF6CAB2654} - C:\WINDOWS\System32\hlisnk.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [38QMPCF32GE7G4] C:\WINDOWS\System32\LsxI52.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Rpeo] C:\Documents and Settings\david\Application Data\sacs.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4293/mcfscan.cab


Thanks in advance!

Take care,
John

Response Number 1
Name: Tope
Date: January 18, 2004 at 12:42:31 Pacific
Reply:

While looking up the information for your log I came across this for IMAPP.exe: http://www.answersthatwork.com/Tasklist_pages/tasklist_i.htm . The info is near the bottom. You might want to check that out sometime, though I don't think that is what's causing your problems now. Do you actually use Windows Messenger? If not, get rid of it. Go to Start > Run and type this in: RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove . Check out HuhTcA.exe. I can't find info for it.
Same with NhayDF.exe. Those look like randomly generated file names, so it might be some spyware/adware. Same with LsxI52.exe. I went through kind of fast, but that's all I saw. I expect someone else will be analyzing your log so you'll get a second opinion. You say you've done all this stuff with Adaware. Maybe check Adaware's work with Spy Scanner and see what you come up with. Good luck.

<><><>Tope<><><>

Response Number 2
Name: dw226
Date: January 18, 2004 at 12:57:41 Pacific
Reply:

Have HijackThis kill:

O1 - Hosts: 127.127.127.127 elite

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB}

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file) Doesn't look right to me.

I'm sure I'm missing something here, I'm going through multiple IE windows to look everything up. I'll post back if I find something I missed the first time around.
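The triage the two replies above do by hand (Tope looks each executable name up and treats names that are on no list and look randomly generated as suspect; dw226 singles out the odd hosts entry, the BHO and the URLSearchHook that points at no file) can be written down as a small script. The following is an added example, not code from the thread or from HijackThis: the `KNOWN_GOOD` allowlist is constructed from the names the participants treated as legitimate, the `looks_random` rule is this example's own heuristic, and the sample log is an excerpt of the log posted above.

```python
"""Triage a HijackThis 1.9x log the way the thread does by hand: look every
referenced executable up against a list of known-good names, treat what is left
over as suspect, and rank random-looking names and files living in a user
profile highest.  Also flags non-standard hosts entries and dangling references.
Added example; the allowlist and heuristics below are this example's own
assumptions, not a maintained task list."""
import re
from collections import namedtuple

# Constructed allowlist: names the thread participants treated as legitimate
# (Windows core, HP, NVIDIA, Olympus, IncrediMail, Adobe, Office).  Assumption:
# a real triage would consult a maintained reference such as a task-list site.
KNOWN_GOOD = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "explorer.exe", "userinit.exe", "systray.exe", "rundll32.exe",
    "hpztsb07.exe", "hphmon04.exe", "hphupd04.exe", "hphipm11.exe",
    "hpgs2wnd.exe", "hpgs2wnf.exe", "nvcpl.dll", "nvmctray.dll", "nwiz.exe",
    "msmsgs.exe", "devdtct2.exe", "imapp.exe", "incmail.exe", "osa.exe",
    "excel.exe", "acroiehelper.dll", "msdxm.ocx", "hijackthis.exe",
}

Finding = namedtuple("Finding", "severity rule detail line")

FILE_RE = re.compile(r"[\w~$\-]+\.(?:exe|dll|ocx)", re.IGNORECASE)
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROFILE_DIRS = ("documents and settings", "application data", "local settings")


def case_transitions(stem):
    """Count upper/lower switches between consecutive letters (digits ignored)."""
    letters = [c for c in stem if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(filename):
    """Heuristic (assumption) for generated names such as HuhTcA.exe or LsxI52.exe:
    a short stem with scattered capitals, or capitals mixed with digits."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) > 8:
        return False
    has_digit = any(c.isdigit() for c in stem)
    switches = case_transitions(stem)
    return switches >= 2 or (has_digit and switches >= 1)


def triage_line(line):
    """Return the findings for one HijackThis log line (possibly none)."""
    findings = []
    hosts = HOSTS_RE.match(line)
    if hosts:
        ip, host = hosts.groups()
        # The only hosts line a clean XP box should carry is 127.0.0.1 localhost.
        if not (ip == "127.0.0.1" and host.lower() == "localhost"):
            findings.append(Finding("high", "hosts-entry", f"{host} -> {ip}", line))
        return findings
    if "(file missing)" in line or "(no file)" in line:
        findings.append(Finding("medium", "dangling-reference",
                                "registry points at a file that is gone", line))
    in_profile = any(d in line.lower() for d in PROFILE_DIRS)
    for name in FILE_RE.findall(line):
        if name.lower() in KNOWN_GOOD:
            continue
        if looks_random(name) or in_profile:
            findings.append(Finding("high", "suspicious-file", name, line))
        else:
            findings.append(Finding("medium", "unknown-file", name, line))
    return findings


def triage_log(text):
    """Run triage_line over every non-empty line of a log; returns a list."""
    return [f for line in text.splitlines() if line.strip()
            for f in triage_line(line.strip())]


# Excerpt of the log posted in the thread (section headers removed).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HuhTcA.exe
C:\WINDOWS\System32\NhayDF.exe
C:\Program Files\AproposClient\Apropos.exe
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 127.127.127.127 elite
O2 - BHO: (no name) - {50A0C826-9E1D-4EAB-A86E-3AEF6CAB2654} - C:\WINDOWS\System32\hlisnk.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [38QMPCF32GE7G4] C:\WINDOWS\System32\LsxI52.exe
O4 - HKCU\..\Run: [Rpeo] C:\Documents and Settings\david\Application Data\sacs.exe
"""

if __name__ == "__main__":
    for f in sorted(triage_log(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.rule:18} {f.detail}")
```

On the excerpt this reports HuhTcA.exe, NhayDF.exe, LsxI52.exe and sacs.exe as high (the first three by the random-name rule, the last because it runs from a user's Application Data folder), the hosts line and the two dangling references, and Apropos.exe and hlisnk.dll as merely unknown. The allowlist is the weak point of the method, exactly as in the thread: a name missing from it is a lead to look up, not a verdict.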

Response Number 3
Name: dw226
Date: January 18, 2004 at 13:00:12 Pacific
Reply:

Tope, I couldn't find LsxI52.exe in my lists, that is why I left it out. But since it isn't on the lists at all, I'd be suspicious.

Let me say again I don't know about that R3.

Response Number 4
Name: Abnormal
Date: January 18, 2004 at 13:00:18 Pacific
Reply:

Tope, this is the Peper trojan.
http://www.mjc1.com/files/peperpage/

John,
please follow these steps, in exactly this order:

Run this uninstaller:

http://home01.wxs.nl/~kleyn080/uninst.exe

When done, use the following tool to delete the files themselves:

Download Drpepertobackup.exe, save it to disk, and double-click the file; it will self-extract to c:\.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double-click it.

http://www.mjc1.com/files/mo/drpepertobackup.exe


A box will appear; copy and paste HuhTcA.exe and hit OK.

A second box will appear; copy and paste LsxI52.exe and hit OK.

It will find all the files, delete them and will make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted.

Post a new HijackThis log when you're done, to get rid of the rest.

Response Number 5
Name: dw226
Date: January 18, 2004 at 13:06:49 Pacific
Reply:

I knew I wasn't doing it right. Time to put a new chapter in my security school book: The Peper Trojan. Thanks Abnormal.
Response Number 6
Name: dw226
Date: January 18, 2004 at 13:14:30 Pacific
Reply:

Definitely remove this: R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310}

Response Number 7
Name: JRiezinger
Date: January 18, 2004 at 14:31:05 Pacific
Reply:

Thanks for the help! I think it's better now! I had been googling all the exe files to see what they did, and looking for what might be a problem. I had been messing with this thing for the past couple of days trying to fix it. This site kept popping up in my searches whenever I'd search out a new file, that is why I decided to post here first ;) I used HijackThis to fix several of the suggested files above; I also deleted Apropos.exe & msmsgs.exe and any folders I could find that were associated with any of this. I think I've got it all off. IMAP is part of IncrediMail (something my mom uses) which I think is safe, so I left it.

There are no more pop-ups, and all my searches & scans are coming up clean. Assuming it's clean, does that uninstaller above not work?

I thought I'd run it to see what happens just in case I'm overlooking something, and it starts installing and then quickly closes itself on its own. The window said "Memory Watcher: Installing files". Does that mean it needs some of these bad files to unload itself to do what it's got to do? I also checked out that site, and there aren't any 14-character folders in my registry. So I think I'm done! :)

Response Number 8
Name: Abnormal
Date: January 18, 2004 at 15:10:59 Pacific
Reply:

Post a new log. Not sure on the uninstaller,
should have given you this one:
http://home.iprimus.com.au/mbuchan/peperuninst.exe

Response Number 9
Name: tinner666
Date: January 18, 2004 at 21:24:38 Pacific
Reply:

I didn't notice any anti-virus in the running processes. At least get the free version of AVG.
http://www.grisoft.com/us/us_index.php
Copy and paste this link. Frank

Response Number 10
Name: Guy Owen
Date: January 19, 2004 at 06:17:29 Pacific
Reply:

I just found your comments here while researching Peper / Wowex32 / Quadro problems that I located on my nephew's computer yesterday. He and his wife were being deluged with hundreds of pop-ups, making their computer unusable. It took me from 9AM to 10:30PM to finally (hopefully) resolve everything. The only program I could find that recognized the Peper Trojan was -- believe it or not -- PestPatrol. Norton, AdAware, The Cleaner, Spybot -- all were of no help in my experience, although they've helped a lot in the past.

The "problems" in detecting this are that the EXE files generated do not come up in a Google search because they are randomly generated. If you delete one, another one appears and you won't find anything. Somewhere along the line, I was able to look at the properties or details within one of the scanners and it identified the new file as belonging to Wowex32, then another as Quadro, and then Pest Patrol discovered Peper (which I think is the real culprit).

The part that had me worried the most was after rebooting, Pest Patrol caught it, again, in the Memory area of Windows -- if I can believe the message I received in a DOS box.

You could watch this thing self-generate (along with Apropos) within MSCONFIG and the Registry time and again. In fact, Apropos would appear only after about every 5th or so reboot. It made you think you had removed it -- 30 minutes later, it was back. Whereas Wowex32 / Peper simply ignored you and self-generated with the very next reboot.

Guy