Files that will not go away


3 replies to this topic

#1 bbook

    Member

  • New Member
  • 2 posts

Posted 27 June 2004 - 06:26 PM

I somehow got several spyware infections. Ad-Aware would remove them, but in a couple of minutes they would come right back. I installed Spybot, and it found many other files that Ad-Aware did not. I started to go through the list of files in HijackThis and fix the ones listed in the FAQ, but there is one that is not in the list, and every time I try to delete it, it is back on the next scan, but with a different name. The log follows:

Logfile of HijackThis v1.97.7
Scan saved at 6:09:07 PM, on 6/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Atguard\iamserv.exe
F:\Program Files\NortonSystemWorks\Norton AntiVirus\navapsvc.exe
F:\Program Files\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Atguard\iamapp.exe
F:\program files\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
G:\Program Files\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\COMMON~1\Sharp\SL\SSPCLI~1\SAUTOL~1.EXE
C:\WINNT\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\sharp\SL\SSPCLINK2\SNPLCEXE.EXE
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
F:\Quickbooks\Components\QBAgent\QBDAgent.exe
F:\Program Files\Quicken 2003\bagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\mrtMngr.EXE
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
C:\WINNT\system32\Fia6v21X.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Download\HijackThis.exe
C:\WINNT\system32\Fia6v21X.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\Ezg1p5.exe
O4 - HKCU\..\Run: [SAutoLaunchExe] C:\PROGRA~1\COMMON~1\Sharp\SL\SSPCLI~1\SAUTOL~1.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Billminder.lnk = F:\Program Files\Quicken 2003\billmind.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = F:\Quickbooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = F:\Program Files\Quicken 2003\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = F:\Program Files\Quicken 2003\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7969.6873726852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67299470-ADE0-41C3-8926-724E2424B9B1}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{67299470-ADE0-41C3-8926-724E2424B9B1}: NameServer = 66.82.4.8

This is the one that will not go away:
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\Ezg1p5.exe
When I try to fix it, it comes back as WmvDwc.exe.

Also, there is a file in my startup that I can't find any info on; it is Fia6v21X.exe. This file gets a lot of CPU time, and if I stop it, it comes right back.

Thanks for any help!!!!!!!

#2 jwbirdsong

    Slasher O' spyware

  • Emeritus
  • 2,045 posts

Posted 28 June 2004 - 08:52 AM

You have the Peper Trojan. To get rid of it, first please download and run this Peper Trojan Uninstaller from downloads.subratam.org. Once it's finished downloading, double-click it and let it install and run until it's finished. Then run it again.
REBOOT.
Rerun HijackThis and post a new log back to this thread.
Things you need (all FREE)
Anti-Virus (only one of these): AVG, Avast
Firewall (only one here too): Kerio (direct download), Zone Alarm
Misc. (use all 3 together): IE Spyads, SpywareBlaster, Spyware Guard
Windows Update (once a week): get all CRITICAL updates

Things you want (still free)
Mozilla Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

PROUD member since 2004

#3 bbook

    Member

  • New Member
  • 2 posts

Posted 29 June 2004 - 07:23 PM

Thanks for the info on Peper and the link to the remover. There is still one line in HijackThis that doesn't look right; it is this line:

O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\WmvDwc.exe

Also, whatever went on has brought my internet explorer to a slow jog. This computer is the gateway for others on the network, but all the other computers surf much faster than this one. Downloading on this machine is about 5 times slower than the others on the network.


Logfile of HijackThis v1.97.7
Scan saved at 7:18:49 PM, on 6/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Atguard\iamserv.exe
F:\Program Files\NortonSystemWorks\Norton AntiVirus\navapsvc.exe
F:\Program Files\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Atguard\iamapp.exe
F:\program files\qttask.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
G:\Program Files\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\COMMON~1\Sharp\SL\SSPCLI~1\SAUTOL~1.EXE
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\sharp\SL\SSPCLINK2\SNPLCEXE.EXE
C:\Program Files\DIRECWAY\BIN\dpcstart.exe
F:\Quickbooks\Components\QBAgent\QBDAgent.exe
F:\Program Files\Quicken 2003\bagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
C:\WINNT\system32\mrtMngr.EXE
F:\Download\HijackThis.exe
C:\WINNT\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\WmvDwc.exe
O4 - HKCU\..\Run: [SAutoLaunchExe] C:\PROGRA~1\COMMON~1\Sharp\SL\SSPCLI~1\SAUTOL~1.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Billminder.lnk = F:\Program Files\Quicken 2003\billmind.exe
O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = F:\Quickbooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = F:\Program Files\Quicken 2003\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = F:\Program Files\Quicken 2003\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7969.6873726852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67299470-ADE0-41C3-8926-724E2424B9B1}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{67299470-ADE0-41C3-8926-724E2424B9B1}: NameServer = 66.82.4.8

#4 jwbirdsong

    Slasher O' spyware

  • Emeritus
  • 2,045 posts

Posted 29 June 2004 - 11:52 PM

That one line is the indicator for the Peper Trojan. It may just be an empty entry now; see if you can put a check next to it and fix it with HijackThis. If the line mutates to another 16-digit character string, you'll need to run the Peper Uninstaller again. It won't hurt to run it twice in a row or in safe mode.

Now download Ad-Aware at http://www.lavasoftu...pport/download/
After installing AAW, and before running the program, FIRST update the reference file following these instructions.
- On the main AdAware screen hit the Check for Updates, hit the 'Connect' key; it will then connect, check for then ask if you want to download latest Ref. files (if one is available), accept. Once downloaded hit "Finish" (Green Checkmark)

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

Post a new HijackThis log when done.

Edited by jwbirdsong, 29 June 2004 - 11:53 PM.
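The regenerating O4 entry described in the first post, and the "if the line mutates" check in the reply above, as an added Python example. This is not part of the thread, not HijackThis code, and not the Peper uninstaller: it parses the O4 registry Run lines from two HijackThis logs, flags value names that look machine-generated, and reports entries whose target changed between scans. The two sample logs are constructed from the O4 lines quoted in this thread (only the entry discussed differs between them); the random-name heuristic is this example's own assumption, not a HijackThis rule.

```python
"""Flag random-looking O4 Run entries in HijackThis logs and show how an
entry that survives a "fix" looks when two scans are compared.

Added example for this thread; not HijackThis code and not a removal tool.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: O4 Run/RunOnce lines quoted from the 27 June log.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\Ezg1p5.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Constructed sample: the 29 June log. The only O4 change in the thread is the
# target of the same value name, so it is derived from the first sample.
LOG_AFTER = LOG_BEFORE.replace("Ezg1p5.exe", "WmvDwc.exe")

# O4 registry Run entries: "O4 - HKLM\..\Run: [value name] command"
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>RunOnce|Run): "
    r"\[(?P<name>[^\]]+)\] (?P<target>.+)$"
)

Entry = Tuple[str, str, str]  # (hive, key, value name)


def parse_o4_run(log: str) -> Dict[Entry, str]:
    """Map each O4 registry Run entry to the command it launches.
    Global Startup (.lnk) lines use a different format and are skipped."""
    entries: Dict[Entry, str] = {}
    for line in log.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["key"], m["name"])] = m["target"]
    return entries


RANDOM_NAME_RE = re.compile(r"^[A-Z0-9]{10,}$")


def looks_random(name: str) -> bool:
    """Assumed heuristic: a long run of upper-case letters and digits that mixes
    both, like 58Y9XRW533ENPX. Normal names (ccApp, ATIPTA, QuickTime Task)
    fail at least one test: too short, mixed case, no digits, or spaces."""
    return (
        RANDOM_NAME_RE.match(name) is not None
        and any(c.isalpha() for c in name)
        and any(c.isdigit() for c in name)
    )


def suspicious_entries(entries: Dict[Entry, str]) -> List[Tuple[str, str]]:
    """(value name, target) for entries whose value name looks generated."""
    return sorted((k[2], v) for k, v in entries.items() if looks_random(k[2]))


def regenerated(before: Dict[Entry, str],
                after: Dict[Entry, str]) -> List[Tuple[str, Optional[str], str]]:
    """Entries a fix did not remove: the same value name pointing at a new
    target (the symptom in this thread), or a new random-looking value name.
    Returns (value name, old target or None, new target)."""
    findings = []
    for key, target in after.items():
        if key in before and before[key] != target:
            findings.append((key[2], before[key], target))
        elif key not in before and looks_random(key[2]):
            findings.append((key[2], None, target))
    return findings


if __name__ == "__main__":
    before, after = parse_o4_run(LOG_BEFORE), parse_o4_run(LOG_AFTER)
    for name, target in suspicious_entries(before):
        print(f"random-looking value name [{name}] -> {target}")
    for name, old, new in regenerated(before, after):
        print(f"[{name}] changed: {old} -> {new}")
```

Run it against saved log files by reading them into the two variables instead of the constructed samples; the comparison is what shows whether a "fix" in HijackThis removed the entry or merely caused it to be rewritten under a new file name.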

