jaws99 (Cadet), Joined: Nov 29, 2003, Posts: 1, Location: USA
Posted: Sat Nov 29, 2003 11:56 pm, Post subject: multiple problems
First, I want to thank all of you for this site and the help.
I am getting unbelievable amounts of pop-ups, and my homepage is constantly being changed to various search sites. I am running XP.
Logfile of HijackThis v1.97.7
Scan saved at 6:54:48 PM, on 11/29/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWSN\System32\smss.exe
C:\WINDOWSN\system32\csrss.exe
C:\WINDOWSN\system32\winlogon.exe
C:\WINDOWSN\system32\services.exe
C:\WINDOWSN\system32\lsass.exe
C:\WINDOWSN\system32\svchost.exe
C:\WINDOWSN\System32\svchost.exe
C:\WINDOWSN\System32\svchost.exe
C:\WINDOWSN\System32\svchost.exe
C:\WINDOWSN\system32\spoolsv.exe
C:\WINDOWSN\Explorer.EXE
C:\WINDOWSN\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWSN\System32\alg.exe
C:\WINDOWSN\system32\crypserv.exe
C:\WINDOWSN\System32\nvsvc32.exe
C:\WINDOWSN\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWSN\System32\Kgk2PMg8.exe
C:\WINDOWSN\System32\Jximo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jeff d\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.foxnews.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [3W8G5L829ALT@J] C:\WINDOWSN\System32\Gcj2s6.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37890.9109722222
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFullSInst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6526FE0-E651-11CF-99CB-00C04FD64497} (Microsoft MSChat Control Object) - http://www.forextips.com/chat/mschatocx.cab
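As an added illustration (not from this thread and not part of HijackThis), the following Python script shows how an analyst can triage a log like the one above mechanically rather than by eye: it parses the running-process list and the O4 autorun entries, flags executables in System32 that are not in a small baseline and file or value names that look machine-generated, and diffs a before/after pair of logs to confirm what a cleanup removed. The two log excerpts and the baseline set are constructed from lines in this thread; the heuristics and function names are assumptions of this example, not HijackThis rules.

```python
"""Triage helper for HijackThis-style logs (added example; not from the thread
and not part of HijackThis)."""
import re

# Constructed excerpts in the HijackThis v1.97 line format used in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWSN\System32\smss.exe
C:\WINDOWSN\system32\svchost.exe
C:\WINDOWSN\System32\Kgk2PMg8.exe
C:\WINDOWSN\System32\Jximo.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [3W8G5L829ALT@J] C:\WINDOWSN\System32\Gcj2s6.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWSN\System32\smss.exe
C:\WINDOWSN\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
SECTION_RE = re.compile(r'^[A-Z]\d+ - ')  # R0, R1, O4, O9, O16 ... lines

# Partial baseline of core XP processes, taken from the entries in this thread's
# log that the helper left alone. Assumption: an analyst keeps a fuller list.
SYSTEM32_BASELINE = {
    'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe',
    'svchost.exe', 'spoolsv.exe', 'alg.exe', 'nvsvc32.exe', 'crypserv.exe',
}


def exe_path(cmd):
    """Extract the executable path from an O4 command line ('"path" /args' or 'path args')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def parse_log(text):
    """Return (running_processes, autoruns); autoruns is a list of (value_name, exe_path)."""
    procs, autoruns = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('Running processes:'):
            in_procs = True
            continue
        if SECTION_RE.match(line):  # first R/O line ends the process list
            in_procs = False
            m = RUN_RE.match(line) or STARTUP_RE.match(line)
            if m:
                autoruns.append((m.group('name'), exe_path(m.group('cmd'))))
            continue
        if in_procs:
            procs.append(line)
    return procs, autoruns


def digit_letter_transitions(s):
    """Count switches between digit and non-digit characters; names like Kgk2PMg8 score high."""
    return sum(1 for a, b in zip(s, s[1:]) if a.isdigit() != b.isdigit())


def reasons(path):
    """Return (lowercased basename, list of reasons this executable deserves a look)."""
    base = path.replace('/', '\\').rsplit('\\', 1)[-1].lower()
    stem = base.rsplit('.', 1)[0]
    why = []
    if '\\system32\\' in path.lower() and base not in SYSTEM32_BASELINE:
        why.append('unlisted executable in System32')
    if digit_letter_transitions(stem) >= 2:  # heuristic threshold, an assumption
        why.append('machine-generated-looking name')
    return base, why


def triage(text):
    """Map each flagged executable basename to its list of reasons."""
    procs, autoruns = parse_log(text)
    findings = {}
    for path in procs:
        base, why = reasons(path)
        for r in why:
            findings.setdefault(base, [])
            if r not in findings[base]:
                findings[base].append(r)
    for name, path in autoruns:
        base, why = reasons(path)
        if digit_letter_transitions(name) >= 2:
            why.append(f'random-looking autorun value name [{name}]')
        for r in why:
            findings.setdefault(base, [])
            if r not in findings[base]:
                findings[base].append(r)
    return findings


def removed_by_cleanup(before, after):
    """Flagged entries present in the first log but gone from the second."""
    return sorted(set(triage(before)) - set(triage(after)))


if __name__ == '__main__':
    for base, why in triage(LOG_BEFORE).items():
        print(base, '->', '; '.join(why))
    print('removed by cleanup:', removed_by_cleanup(LOG_BEFORE, LOG_AFTER))
```

The baseline check does the real work here: on an XP box almost every legitimate System32 process is a known name, so an unlisted one is worth a look even when its name is not obviously random (Jximo.exe is caught only by that rule). The transition count is a cheap second signal that happens to match the file names and the autorun value name in this thread; it is a heuristic, so treat its output as a prompt to investigate, not a verdict.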
Bulldog (General, Premium Member), Joined: Nov 16, 2003, Posts: 4375, Location: Canada
Posted: Sun Nov 30, 2003 8:03 am
Please do the following, in this order.
Download and run:
http://home01.wxs.nl/~kleyn080/uninst.exe, double click on 'uninst.exe', let it run and terminate. You must be online to have this work, and do not block any attempts for the program to connect to the internet if your firewall squawks.
Here is a script made by Mosaic1 that will remove all these bad files.
http://www.mjc1.com/files/mo/drpeper.html.
Download Drpepertobackup.exe (direct link here: http://www.mjc1.com/files/mo/drpepertobackup.exe), save to disk, and double-click the file; it will self-extract to C:\ and create a C:\drpeper\ folder.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double click it.
In the first prompt box copy and paste:
Jximo.exe
And hit ok.
Wait for the popup box to confirm results.
In the second box prompt, copy and paste:
Gcj2s6.exe
It will find all the files, delete them and will make backups in the same folder ( C:\drpeper\ ).
It'll open a text file (Peper.txt) with the list of all files deleted, copy and paste/post the content here in your next post.
Reboot and post a new HJT log and the Peper.txt file.
jaws99 (Guest, IP: 68.193.*.*)
Posted: Mon Dec 01, 2003 3:55 am, Post subject: logs
11/30/2003 10:58:28 PM
C:\WINDOWSN\system32\AxrMO.exe
C:\WINDOWSN\system32\Jximo.exe
C:\WINDOWSN\system32\Kgk2PMg8.exe
C:\WINDOWSN\system32\OpzX4n.exe
C:\WINDOWSN\system32\Qdqc4j1R.exe
C:\WINDOWSN\system32\Xzgw9V5.exe
11/30/2003 10:58:53 PM
C:\WINDOWSN\system32\Gcj2s6.exe
C:\WINDOWSN\system32\Iel277g.exe
C:\WINDOWSN\system32\MztYifG.exe
Logfile of HijackThis v1.97.7
Scan saved at 11:00:41 PM, on 11/30/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWSN\System32\smss.exe
C:\WINDOWSN\system32\csrss.exe
C:\WINDOWSN\system32\winlogon.exe
C:\WINDOWSN\system32\services.exe
C:\WINDOWSN\system32\lsass.exe
C:\WINDOWSN\system32\svchost.exe
C:\WINDOWSN\System32\svchost.exe
C:\WINDOWSN\System32\svchost.exe
C:\WINDOWSN\System32\svchost.exe
C:\WINDOWSN\system32\spoolsv.exe
C:\WINDOWSN\System32\alg.exe
C:\WINDOWSN\system32\crypserv.exe
C:\WINDOWSN\System32\nvsvc32.exe
C:\WINDOWSN\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWSN\Explorer.EXE
C:\WINDOWSN\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\Documents and Settings\jeff d\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.foxnews.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37890.9109722222
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFullSInst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6526FE0-E651-11CF-99CB-00C04FD64497} (Microsoft MSChat Control Object) - http://www.forextips.com/chat/mschatocx.cab
Bulldog (General, Premium Member), Joined: Nov 16, 2003, Posts: 4375, Location: Canada
Posted: Mon Dec 01, 2003 1:24 pm
Good job jaws99.
Looks like you nailed all the nasty files. Popups should be history.
You can now delete the entire C:\drpeper\ <--- folder
You're good to go.
Locking this thread. If you need it reopened send one of the mods a PM. Anyone else with a similar problem please start a new topic.
Powered by phpBB © 2001 phpBB Group