more spyware related probs

  christor 12:19 28 Sep 04

Ok, I seem to have removed some spyware from my pc. In the end, I did it by running a variety of removal tools in safe-mode; the problem is that my efforts seem to have messed up my internet connection. The internet seems to be connected (the flag in the top right hand corner is fluttering), but the page can never be displayed. Anyone have any suggestions?

  ChrisRLG 12:41 28 Sep 04

Use these to remove Malware (Virus, Spyware and Adware).

First :-
Spybot S&D and Ad-aware using the settings and links provided click here

Failing those solving your problems, post a HijackThis log for the experts to advise.
click here , click here or mjc1.com/mirror/hjt/

Important:
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Unzip HijackThis into this folder. russelltexas.com/spywareinfo/createhjtfolder.htm (See this link for graphical instructions)
Then run, scan, save log, then in notepad copy the FULL log by copy and paste as a reply to this post and an expert with HijackThis knowledge will have a go at giving advice. A lot of posters make mistakes here in copying and pasting so reread the left info sidebar called Copy and Paste from click here

DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE, most of what it finds you need for normal MS Windows tasks.

proud member of asap (2004) click here

  christor 13:18 28 Sep 04

hey,

I followed these instructions, but the problem is that I still don't have a net connection. While this may or may not have killed the spyware, my pc still won't open any web pages. I have noticed though that a connection must be present as msn messenger starts to sign in, but then aborts for some reason or another. I can't download hijack this as although I can access the net on this pc, I can't transfer it on to the other one with the problem. So as you can appreciate, I'm a bit stuck. I'm worried that I've done something to the registry as I have been using reg-crawler to attempt to resolve my prob. Any other ideas?

  VoG II 13:38 28 Sep 04
  christor 16:25 28 Sep 04

ok, I have run hijack this, here is the log:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\documents and settings\chris\local settings\temp\gc7Eojmo.exe
C:\documents and settings\chris\local settings\temp\gc7Eojmo.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\documents and settings\chris\local settings\temp\4uk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\Bjl79H.exe
C:\WINDOWS\System32\BdqGOk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chris\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Chris\Local Settings\Temp\njsyK.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [5M#HTYL4#EQ299] C:\WINDOWS\System32\SzfpW5ln.exe
O4 - HKLM\..\Run: [us7X36S] dmu2cenu.exe
O4 - HKLM\..\Run: [mswspl] C:\documents and settings\chris\local settings\temp\gc7Eojmo.exe
O4 - HKLM\..\Run: [gc7Eojmo] C:\documents and settings\chris\local settings\temp\gc7Eojmo.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [4uk] C:\documents and settings\chris\local settings\temp\4uk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fBo7RWe3h] sxsand.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - click here
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - click here
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - click here
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - click here
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - click here
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - click here
now what?

  christor 16:30 28 Sep 04

whoops, scratch that last post, I had not enabled everything in msconfig. Real log to follow in a minute.

  ChrisRLG 13:00 29 Sep 04

Your log is a little garbled but I can see a Peper infection in that at first glance.

Please when you post a HJT log - try not to format it in any way. With this board's software that may not be easy :)
========================
You have the Peper Trojan. It is a very stubborn infection which requires a specific tool to remove. There are two tools available. Please follow these instructions in order:

1. Download Newuninst.exe from click here

2. Run it with an active internet connection.

3. Reboot to finish removing the entries it found.

4. Run the tool a second time (with an active internet connection).

5. Reboot to finish removing the entries it found.

Another Tool which does not require internet access to run is:

1. Please Download PeperFix.exe, click here

2. Start the tool and click Find and Fix.

3. Reboot to finish removing what it found.

4. Run the tool a second time to make certain it has completely removed Peper.

5. Reboot to finish removing the entries.

Please reboot and post a fresh HJT log for me please.
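
Added example, not part of the thread and not any poster's or HijackThis's own code: a Python first-pass read of a log in the format posted above, flagging O4 autorun and O2 BHO entries that launch from a Temp directory or (O4 only) name no directory at all. Both rules are assumptions chosen for illustration and only mark entries for a manual look; the sample lines are copied from the log in this thread.

```python
import re

# A subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Chris\Local Settings\Temp\njsyK.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [us7X36S] dmu2cenu.exe
O4 - HKLM\..\Run: [4uk] C:\documents and settings\chris\local settings\temp\4uk.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [fBo7RWe3h] sxsand.exe
"""

# O4 = registry Run entries, O2 = Browser Helper Objects.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # assumed rule: any \Temp\ folder


def executable_of(cmd):
    """Return the program part of a command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut after the first .exe/.dll/.ocx.
    m = re.match(r"(.+?\.(?:exe|dll|ocx))\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Return (section, name, reason) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line) or O2_RE.match(line)
        if not m:
            continue  # other sections (R0, O9, O16, ...) are not covered here
        section = line[:2]
        exe = executable_of(m.group("cmd"))
        if TEMP_RE.search(exe):
            findings.append((section, m.group("name"), "runs from a Temp directory"))
        elif section == "O4" and "\\" not in exe:
            findings.append((section, m.group("name"), "no directory given"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section}  {name:<12} {reason}")
```

A flagged line is a prompt to check the file, not a verdict; an unflagged line is not cleared either.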

  christor 16:51 29 Sep 04

Hi again,

I've actually managed to get it all sorted. I went to a hijackthis forum, they told me the same thing as you about the trojan. It's now gone, thankfully, and they analysed my log for me and told me what to get rid of - everything seems to be running very smoothly now. Thanks for all your help in the first place though - it is very much appreciated.

Cheers again.

  ChrisRLG 11:31 30 Sep 04

You're welcome. :)

BTW I help at several of the hijackthis log forums, and teach how to do it at two of them.

A good list for the future is at click here which is the association that most of them belong to.

ChrisRLG
Proud member of a-sap click here since 2004

This thread is now locked and can not be replied to.
