bbook

Files that will not go away

4 posts in this topic

I somehow got several spyware infections. Ad-Aware would remove them, but in a couple of minutes they would come right back. I installed Spybot, and it found many other files that Ad-Aware did not. I started to go through the list of files in HijackThis and fixing the ones listed in the FAQ, but there is one that is not in the list, and every time I try to delete it, it is back on the next scan, but with a different name. The log follows:

Logfile of HijackThis v1.97.7

Scan saved at 6:09:07 PM, on 6/27/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Atguard\iamserv.exe

F:\Program Files\NortonSystemWorks\Norton AntiVirus\navapsvc.exe

F:\Program Files\NortonSystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\Atguard\iamapp.exe

F:\program files\qttask.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

G:\Program Files\MouseWare\system\em_exec.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\COMMON~1\Sharp\SL\SSPCLI~1\SAUTOL~1.EXE

C:\WINNT\system32\ctfmon.exe

F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\sharp\SL\SSPCLINK2\SNPLCEXE.EXE

C:\Program Files\DIRECWAY\BIN\dpcstart.exe

F:\Quickbooks\Components\QBAgent\QBDAgent.exe

F:\Program Files\Quicken 2003\bagent.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINNT\system32\mrtMngr.EXE

C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe

C:\WINNT\system32\Fia6v21X.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

F:\Download\HijackThis.exe

C:\WINNT\system32\Fia6v21X.exe

C:\Program Files\Symantec\LiveUpdate\AUpdate.exe


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\NortonSystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\NortonSystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg

O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "F:\program files\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\Ezg1p5.exe

O4 - HKCU\..\Run: [sAutoLaunchExe] C:\PROGRA~1\COMMON~1\Sharp\SL\SSPCLI~1\SAUTOL~1.EXE

O4 - HKCU\..\Run: [spybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKLM\..\RunOnce: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

O4 - Global Startup: Billminder.lnk = F:\Program Files\Quicken 2003\billmind.exe

O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe

O4 - Global Startup: QuickBooks Delivery Agent.lnk = F:\Quickbooks\Components\QBAgent\QBDAgent.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = F:\Program Files\Quicken 2003\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = F:\Program Files\Quicken 2003\QWDLLS.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Subscribe in Desktop Sidebar (HKLM)

O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7969.6873726852

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{67299470-ADE0-41C3-8926-724E2424B9B1}: Domain = direcway.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{67299470-ADE0-41C3-8926-724E2424B9B1}: NameServer = 66.82.4.8

This is the one that will not go away:

O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\Ezg1p5.exe

When I try to fix it, it comes back as WmvDwc.exe.

Also, there is a file in my startup that I can't find any info on; it is Fia6v21X.exe. This file gets a lot of CPU time, and if I stop it, it comes right back.

Thanks for any help!


You have the Peper Trojan. To get rid of it, first please download and run this Peper Trojan Uninstaller from downloads.subratam.org. Once it has finished downloading, double-click it and let it install and run until it is finished. Then run it again.

REBOOT.

Rerun HijackThis and post a new log back to this thread.


Thanks for the info on Peper and the link to the remover. There is still one line in HijackThis that doesn't look right; it is this line:

O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\WmvDwc.exe

Also, whatever went on has brought my Internet Explorer to a slow jog. This computer is the gateway for the others on the network, but all the other computers surf much faster than this one. Downloading on this machine is about 5 times slower than on the others on the network.

Logfile of HijackThis v1.97.7

Scan saved at 7:18:49 PM, on 6/29/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Atguard\iamserv.exe

F:\Program Files\NortonSystemWorks\Norton AntiVirus\navapsvc.exe

F:\Program Files\NortonSystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

F:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SymTray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\Atguard\iamapp.exe

F:\program files\qttask.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

G:\Program Files\MouseWare\system\em_exec.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\COMMON~1\Sharp\SL\SSPCLI~1\SAUTOL~1.EXE

F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\sharp\SL\SSPCLINK2\SNPLCEXE.EXE

C:\Program Files\DIRECWAY\BIN\dpcstart.exe

F:\Quickbooks\Components\QBAgent\QBDAgent.exe

F:\Program Files\Quicken 2003\bagent.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\PROGRA~1\DIRECWAY\bin\dpcnav.exe

C:\WINNT\system32\mrtMngr.EXE

F:\Download\HijackThis.exe

C:\WINNT\System32\svchost.exe


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\NortonSystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\NortonSystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg

O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "F:\program files\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\WmvDwc.exe

O4 - HKCU\..\Run: [sAutoLaunchExe] C:\PROGRA~1\COMMON~1\Sharp\SL\SSPCLI~1\SAUTOL~1.EXE

O4 - HKCU\..\Run: [spybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKLM\..\RunOnce: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

O4 - Global Startup: Billminder.lnk = F:\Program Files\Quicken 2003\billmind.exe

O4 - Global Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe

O4 - Global Startup: QuickBooks Delivery Agent.lnk = F:\Quickbooks\Components\QBAgent\QBDAgent.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = F:\Program Files\Quicken 2003\bagent.exe

O4 - Global Startup: Quicken Startup.lnk = F:\Program Files\Quicken 2003\QWDLLS.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Subscribe in Desktop Sidebar (HKLM)

O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7969.6873726852

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{67299470-ADE0-41C3-8926-724E2424B9B1}: Domain = direcway.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{67299470-ADE0-41C3-8926-724E2424B9B1}: NameServer = 66.82.4.8


That one line is the indicator for the Peper Trojan. It may just be an empty entry now; see if you can put a check next to it and fix it with HijackThis. If the line mutates to another 16-digit character, you'll need to run the Peper Uninstaller again. It won't hurt to run it twice in a row or in safe mode.

Now download Ad-Aware at http://www.lavasoftusa.com/support/download/

After installing AAW, and before running the program, FIRST update the reference file following these instructions.

- On the main Ad-Aware screen hit "Check for Updates", then hit the "Connect" key; it will connect, check, and then ask if you want to download the latest reference files (if one is available); accept. Once downloaded, hit "Finish" (green checkmark).

Now do the following:

- Under Ad-aware 6 > Settings (gear at the top) > Tweaks > Scanning Engine:
  check "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (gear at the top) > Tweaks > Cleaning Engine:
  check "Let Windows remove files in use after reboot."

Press "Scan Now".


- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives.

It will find a number of "bad" files and registry keys. Click "Next" again.

Right-click in that pane and choose "Select All".

If it finds "bad" files and registry keys, press "Next" again.

It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware and reboot.

Post a new HijackThis log when done.

Edited by jwbirdsong
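As an added example (not code from this thread, from HijackThis or from the Peper uninstaller), the two-scan comparison that the first post and the reply above describe, run over a constructed copy of the O4 lines from the two logs: the same random-looking value name keeps coming back pointing at a differently named executable. SCAN_1, SCAN_2, the function names and the length threshold in `looks_random` are assumptions made for the example.

```python
import re

# Constructed sample input: the registry O4 "Run" lines from the two HijackThis logs
# in this thread (scans of 6/27/2004 and 6/29/2004), cut down to three entries each.
SCAN_1 = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\Ezg1p5.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""
SCAN_2 = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\WmvDwc.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# HijackThis registry autostart line: "O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command>"
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

def parse_o4(log_text):
    """Map (hive, key, value name) -> command for every registry O4 line in a log.
    Global Startup (.lnk) O4 lines have a different layout and are skipped here."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entries[(m["hive"], m["key"], m["name"])] = m["cmd"]
    return entries

def looks_random(value_name):
    """Heuristic (assumed threshold): a long all-caps alphanumeric value name that
    mixes letters and digits, like 58Y9XRW533ENPX, is unlike normal vendor names."""
    return (len(value_name) >= 10 and value_name.isalnum() and value_name.isupper()
            and any(c.isdigit() for c in value_name)
            and any(c.isalpha() for c in value_name))

def mutating_entries(log_a, log_b):
    """Value names present in both scans whose target executable changed between
    them: the 'fix it and it comes back under a new file name' pattern."""
    a, b = parse_o4(log_a), parse_o4(log_b)
    return sorted((k[2], a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k])

def triage(log_a, log_b):
    """Combine both signals; a changed target is the stronger indicator."""
    findings = {name: "target changed: %s -> %s" % (old, new)
                for name, old, new in mutating_entries(log_a, log_b)}
    for (_, _, name) in parse_o4(log_b):
        findings.setdefault(name, "random-looking value name") if looks_random(name) else None
    return findings

if __name__ == "__main__":
    for name, why in triage(SCAN_1, SCAN_2).items():
        print("[%s] %s" % (name, why))
```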
