
Krepper Trojan - Hard to Kill! [RESOLVED]



#1 seamusoldfield (Member, 48 posts)
A couple of years ago, after running msconfig, I noticed these odd Chinese characters that were running upon startup. I unchecked them and, on reboot, my computer crashed. I did a system restore, everything came back up as normal and I've just left them ever since. Norton doesn't knock them out, nothing does. Since I can't copy and paste the actual characters, it's been difficult to figure out just what they were all these years.

So the other day I ran a Google search for where they were hiding. The path is this:
HKCU\software\microsoft\windows nt\current version\windows\run

The results pointed to a virus, most likely a key logger. A number of sites gave very detailed instructions on how to get rid of it but, being somewhat of a noob, I don't want to go fiddling around with the registry. So I downloaded the new Ad Aware Away program. It worked well and found it instantly. It defined it as a Krepper Trojan, Windows Key Logger, 2 traces of HKCR\.pca, 2 traces of HKLM\software\classes\.pca\.

Then it wanted $30 to fix it. So I ran Spy Sweeper which also found it . . . and wanted $30 to delete.

Now I'm not trying to be cheap and I admit that it would be great to finally be rid of this virus, but really, isn't there an easy fix that isn't going to cost me $30? Right now, in my current situation, $30 is a lot to me. Is there a free program somewhere? Shareware? Something?

Anyone? Thanks!

#2 seamusoldfield (Topic Starter, Member, 48 posts)
Just ran the new Windows Defender beta and still nothing. I notice that the Chinese characters change after each (unsuccessful) removal attempt. Gimme a break! Is System Restore allowing this thing to stay on my computer? Should I turn it off? Can a newbie do this safely? Anyone?

#3 MasterJ (Visiting Staff, Member, 1,623 posts)
Welcome to GeeksToGo seamusoldfield

My name is MasterJ and I will be helping you with your problem.

As you can see we are very busy here. Sorry for the delay. If you still need help, please go here and follow those guidelines. Then post the HijackThis log here in this topic using Add Reply.

#4 seamusoldfield (Topic Starter, Member, 48 posts)
Hi Master J, thanks for getting back to me. Here's what I've already done, HiJackThis log to follow.
1) Disabled System Restore
2) Enabled viewing of hidden files, system files and file extensions
3) Booted into Safe Mode
4) Ran the following in this order: CCleaner, MS Malicious Software Remover, Ad Aware, Spybot, MS Defender, CWShredder, Kill2Me, Registry Mechanic
5) Rebooted into normal mode
6) Ran Norton AntiVirus and ZeroSpyware Elite

Still there, characters changing each time. What the...? Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:29:22 AM, on 3/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ZSLEScheduler] RunDll32.exe "C:\Program Files\ZeroSpyWare\ZeroSpyware Limited Edition\ZSScheduler.dll", runScheduler C:\Program Files\ZeroSpyWare\ZeroSpyware Limited Edition\
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.subs...ve/makeover.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129639239093
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservic...fig/MailCfg.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - Unknown owner - C:\Program Files\FBM Software\ZeroSpyware Limited Edition\FileDeleter.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you so much!

#5 MasterJ (Visiting Staff, Member, 1,623 posts)
Make sure that your Norton AntiVirus definitions are up to date.

Run a full system scan with Norton.

Click the Start Menu > Run.
Type regedit

Then click OK.

Please download Registrar Registry Manager Lite

Install it, then please run the program.

Copy and paste the following text into the address bar, then hit 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the panel on the right are the values associated with that key.

We want to find this one:

"xp_system" = "%Windir%\inet10050\services.exe"

Right click on it, and select delete.
If you get a confirmation question, respond OK.

Copy and paste the following text into the address bar, then hit 'Go':

HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run

We want to find this one:

"xp_system" = "%Windir%\inet10050\services.exe"

Right click on it, and select delete.

Copy and paste the following text into the address bar, then hit 'Go':

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Run

We want to find this one:

"xp_system" = "%Windir%\inet10050\services.exe"

Right click on it, and select delete.

Copy and paste the following text into the address bar, then hit 'Go':

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

On the right side, find the folder that says:

{5321E378-FFAD-4999-8C62-03CA8155F0B3}

Right click on it, and select delete.

Exit registrar lite.

Click the Start Menu > Run.
Type the following:

edit c:\windows\system.ini

and then click OK.

(The MS-DOS Editor opens.)

Locate the following text within the file:

load = %Windir%\inet10050\services.exe

If this line exists, delete it.

Click File > Save.
Click File > Exit.

Reboot your computer, enable system restore, and post a new HiJackThis log.

Is the trojan still being detected?

MasterJ :tazz:
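An added example (not from this thread, HijackThis or MasterJ): a Python triage of O4 lines in the format of the log in #4, applying the indicators from this thread, namely the %Windir%\inet10050\services.exe value named in #5, a system-process name launched from outside System32, and the non-ASCII value names described in #1. The first two sample lines are copied from the log above; the last two are constructed, including the placeholder file name CONSTRUCTED_SAMPLE.exe.

```python
import re

# Constructed sample: two legitimate O4 lines copied from the HijackThis log in
# this thread, plus two constructed lines modelled on the thread's indicators
# (MasterJ's %Windir%\inet10050\services.exe value and a non-ASCII value name).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [xp_system] %Windir%\inet10050\services.exe
O4 - HKCU\..\Run: [中文键] C:\WINDOWS\system32\CONSTRUCTED_SAMPLE.exe
"""

# Registry O4 lines look like "O4 - HIVE\..\KEY: [value name] command".
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)

# Core Windows binaries that live in System32; the same file name launched from
# anywhere else (services.exe under inet10050 in this thread) is a masquerade sign.
SYSTEM_PROCESS_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
                        "winlogon.exe", "csrss.exe", "smss.exe"}


def parse_o4(line):
    """Return hive/key/name/command of a registry O4 line, or None for any other line."""
    match = O4_RE.match(line.strip())
    return match.groupdict() if match else None


def executable_path(command):
    """Program path of a Run command: the quoted part, else the first token
    (an unquoted path containing spaces is ambiguous and is cut at the first space)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_reasons(entry):
    """List why an O4 entry deserves a closer look; empty list means nothing matched."""
    reasons = []
    if any(ord(ch) > 127 for ch in entry["name"]):
        reasons.append("value name contains non-ASCII characters")
    path = executable_path(entry["command"]).lower()
    if "\\inet10050\\" in path:
        reasons.append("path matches the %Windir%\\inet10050 indicator")
    basename = path.rsplit("\\", 1)[-1]
    if basename in SYSTEM_PROCESS_NAMES and not path.endswith("\\system32\\" + basename):
        reasons.append(f"{basename} is launched from outside System32")
    return reasons


def triage_hjt_log(text):
    """Map each flagged O4 value name to its reasons; clean entries are omitted."""
    findings = {}
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is not None and (reasons := suspicious_reasons(entry)):
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_hjt_log(SAMPLE_LOG).items():
        print(f"[{name}] -> {'; '.join(reasons)}")
```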

#6 seamusoldfield (Topic Starter, Member, 48 posts)
Master J, you rock! OK, my Norton is up to date and I've done a full system scan (finds nothing, as usual). I've also downloaded Registry Mgr Lite. Question: do I disable System Restore prior to running the program? Thanks --

#7 MasterJ (Visiting Staff, Member, 1,623 posts)
Now that I think about it, keep system restore enabled. If something were to go wrong, we need something to revert to. We'll clean the restore points after your computer is clean.

#8 seamusoldfield (Topic Starter, Member, 48 posts)
Hi there. So.

The values we're looking for don't come up when I search for the requested keys. Everything that comes up looks legit except for one item that's found in all three searches. The name is "default" and the type is REG_SZ. For each it says the value is "not set." Is this the one we're looking for each time? As I said, there's no other data. I sure appreciate your help on this!

#9 MasterJ (Visiting Staff, Member, 1,623 posts)
I apologize for the delay. This trojan took a little bit of researching... :)

Please print these instructions for reference.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Open notepad and copy the following contents into the document.

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\jopa]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\romahere]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\jopa]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\romahere]

Save the file as fixkrepper.reg as type All Files on your desktop. Double click the new file. When asked if you want to allow the data to merge with the registry, say yes.

Remove these files (if present) with Windows Explorer:

C:\system\matrixhere.exe
C:\system\sysstartup.exe
C:\system32\matrixhere.exe
C:\system32\sysstartup.exe

You will need to click Start Menu > Search to find these files and delete them (try searching for krepper and see what comes up).

trojan.win32.krepper.a.exe
trojan.win32.krepper.a_(120).exe
trojan.win32.krepper.o.dll
trojan.win32.krepper.p.dll
trojan.win32.krepper.p_(10).dll

Reboot and see if Krepper is still detected.

MasterJ :tazz:

Edited by MasterJ, 08 March 2006 - 07:35 PM.


#10 seamusoldfield (Topic Starter, Member, 48 posts)
Master J, I soooo appreciate all your help here. I'm going to do as you instructed soon and will get right back to you. Thanks again --

#11 seamusoldfield (Topic Starter, Member, 48 posts)
OK, did as instructed. Tried to open the text file and got an error stating "cannot import, the specified file is not a registry script. You can only import binary registry files from within the registry editor." Also searched for the files you listed and found nothing. Jeez. I'm feeling a bit . . . defeated. Anything else I should try or are you getting sick of this? Thanks again, your help is greatly appreciated.

#12 MasterJ (Visiting Staff, Member, 1,623 posts)
In notepad make sure that there are no spaces before REGEDIT4. Then there should be one line below it before the other data.

Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Now try to find those files again.

MasterJ :thumsup:
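An added example, not part of MasterJ's instructions: a Python pre-merge check for a REGEDIT4 script that catches the failure described in #11 and #12 (anything before REGEDIT4, or no blank line after it) and lists the keys the script would delete. It is run against the fixkrepper.reg contents from #9 and a constructed copy of that script with one leading space.

```python
import re

HEADER = "REGEDIT4"
ROOT_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
              "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
# A key line is "[path]" to create or merge a key, "[-path]" to delete it.
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")

# The fixkrepper.reg contents from this thread, plus a constructed copy with the
# kind of leading space that MasterJ's follow-up identifies as the cause of the
# "not a registry script" error.
GOOD_SCRIPT = (
    "REGEDIT4\n"
    "\n"
    "[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\jopa]\n"
    "[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run\\romahere]\n"
    "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\jopa]\n"
    "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\romahere]\n"
)
BAD_SCRIPT = " " + GOOD_SCRIPT


def lint_reg_script(text):
    """Check a REGEDIT4 script before merging it.

    Returns (problems, deletions): readable problem descriptions, and the key
    paths the script would delete. Only [key] lines are accepted, which is all a
    cleanup script of this kind contains; anything else is reported for review.
    """
    problems, deletions = [], []
    lines = text.replace("\r\n", "\n").split("\n")
    # regedit wants the header as the very first bytes of the file: a leading
    # space (this thread's case) or a byte-order mark is enough to get it refused.
    if lines[0] != HEADER:
        problems.append(f"first line must be exactly {HEADER!r}, got {lines[0]!r}")
    if len(lines) < 2 or lines[1].strip():
        problems.append(f"{HEADER} must be followed by a blank line")
    for number, line in enumerate(lines[1:], start=2):
        if not line.strip():
            continue
        match = KEY_RE.match(line)
        if match is None:
            problems.append(f"line {number}: not a [key] line: {line!r}")
            continue
        minus, path = match.groups()
        root = path.split("\\", 1)[0]
        if root not in ROOT_HIVES:
            problems.append(f"line {number}: unknown root hive {root!r}")
        elif minus:
            deletions.append(path)
    return problems, deletions


if __name__ == "__main__":
    for label, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        problems, deletions = lint_reg_script(script)
        print(label, "problems:", problems)
        print(label, "would delete:", deletions)
```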

#13 seamusoldfield (Topic Starter, Member, 48 posts)
There was a problem with the first text doc. You called it. OK, here goes.

#14 MasterJ (Visiting Staff, Member, 1,623 posts)
Good luck. I will try to check for your response later tonight.

#15 seamusoldfield (Topic Starter, Member, 48 posts)
OK, merged the text doc with the registry then went hunting for files but found nothing. Searched for matrix, matrixhere, matrixhere.exe, C:\system\matrixhere.exe, etc. Also searched for trojan, krepper, specific file names, nothing. Where are these things? I enabled show hidden files and system files. Virus still there on startup. Any suggestions (besides just paying the [bleep] $30 and hoping that clears it up)? Thanks again --