
Help! I have aurora popups!


  • This topic is locked

#1
NotoriousMSP

    New Member

  • Member
  • 3 posts
Hi all,

Any help would be greatly appreciated! Here is my log...

Logfile of HijackThis v1.99.1
Scan saved at 1:13:15 PM, on 5/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wiaacm.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\webgmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\RightFAX\FaxCtrl.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Business Objects\BusinessObjects 5.0\BUSOBJ.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\P_Zettl\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cb.salomon/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O1 - Hosts: 141.175.84.122 a3006 #ricoh color printer
O1 - Hosts: 141.175.80.22 emily
O1 - Hosts: 141.175.79.20 marge
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [Yur8PO5.exe] c:\documents and settings\p_zettl\local settings\temp\Yur8PO5.exe
O4 - HKLM\..\Run: [AL.exe] c:\documents and settings\p_zettl\local settings\temp\AL.exe
O4 - HKLM\..\Run: [37oV3FU] wiaacm.exe
O4 - HKLM\..\Run: [gCfKeLP.exe] C:\documents and settings\p_zettl\local settings\temp\gCfKeLP.exe
O4 - HKLM\..\Run: [4#GSTR6592MXCG] C:\WINDOWS\System32\Bwd0m.exe
O4 - HKLM\..\RunOnce: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /C /FS /X
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Iw79RPYtX] webgmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: RightFAX Print-to-Fax Driver.lnk = ?
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: Launcher - http://141.175.79.90...ex/Launcher.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} (Altiris ClientBootstraper Class) - http://141.175.79.13...ntBootstrap.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.timevisio...e61/OrgPubX.cab
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://cbsv1040/wi/A...RptViewerEN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39DF5CFE-65C4-45FD-8605-1D77507B7323}: Domain = cb.salomon
O17 - HKLM\System\CCS\Services\Tcpip\..\{39DF5CFE-65C4-45FD-8605-1D77507B7323}: NameServer = 141.175.80.13,141.175.80.22
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = salomon,cb.salomon
O17 - HKLM\System\CS1\Services\Tcpip\..\{39DF5CFE-65C4-45FD-8605-1D77507B7323}: Domain = cb.salomon
O17 - HKLM\System\CS1\Services\Tcpip\..\{39DF5CFE-65C4-45FD-8605-1D77507B7323}: NameServer = 141.175.80.13,141.175.80.22
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = salomon,cb.salomon
O17 - HKLM\System\CS2\Services\Tcpip\..\{39DF5CFE-65C4-45FD-8605-1D77507B7323}: Domain = cb.salomon
O17 - HKLM\System\CS2\Services\Tcpip\..\{39DF5CFE-65C4-45FD-8605-1D77507B7323}: NameServer = 141.175.80.13,141.175.80.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = salomon,cb.salomon
O20 - AppInit_DLLs: AMInit.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\System32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0



#2
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome NotoriousMSP to Geeks to Go!

Sorry for the delay, the forums are very busy.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

***

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

***

You have the Peper trojan.
Download the Peperfix Tool and save it to your Desktop.
Make sure you are connected to the Internet and run it; reboot afterwards. Repeat the procedure as it has to be run twice to ensure its effectiveness.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

***

Then please run Ewido, and run a full scan. Save the logfile from the scan.

***

Next please run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

F2 - REG:system.ini: Shell=

O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe

O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove

O4 - HKLM\..\Run: [Yur8PO5.exe] c:\documents and settings\p_zettl\local settings\temp\Yur8PO5.exe

O4 - HKLM\..\Run: [AL.exe] c:\documents and settings\p_zettl\local settings\temp\AL.exe

O4 - HKLM\..\Run: [37oV3FU] wiaacm.exe

O4 - HKLM\..\Run: [gCfKeLP.exe] C:\documents and settings\p_zettl\local settings\temp\gCfKeLP.exe

O4 - HKCU\..\Run: [Iw79RPYtX] webgmgr.exe

Close all open windows except for HijackThis and click Fix Checked.

Spybot will prompt you about the changes we are making. Please allow them.

***

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • 0
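
As an added example (not part of the original thread, and not the helper's or HijackThis's own logic), here is a small Python triage of the O4 autorun lines from the log posted above. The two path heuristics and the function name `triage` are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the O4 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [AL.exe] c:\documents and settings\p_zettl\local settings\temp\AL.exe
O4 - HKLM\..\Run: [37oV3FU] wiaacm.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Iw79RPYtX] webgmgr.exe
"""

# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable part of the command line: optional quote, then up to the first extension.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|bat|cmd|scr|pif))\b', re.IGNORECASE)


def triage(log_text):
    """Return {(hive, value_name): [reasons]} for O4 entries worth a closer look."""
    findings = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not a registry Run/RunOnce entry (e.g. "Global Startup")
        exe = EXE_RE.match(m["cmd"])
        path = PureWindowsPath(exe["exe"] if exe else m["cmd"])
        reasons = []
        # Heuristic 1 (assumption): autoruns should not live in a Temp directory.
        if "temp" in (part.lower() for part in path.parts):
            reasons.append("runs from a Temp directory")
        # Heuristic 2 (assumption): a bare file name hides where the binary sits.
        if len(path.parts) == 1:
            reasons.append("no directory given")
        if reasons:
            findings[(m["hive"], m["name"])] = reasons
    return findings


if __name__ == "__main__":
    for (hive, name), reasons in triage(SAMPLE_LOG).items():
        print(f"{hive} [{name}]: {'; '.join(reasons)}")
```

Path heuristics alone do not reproduce the helper's list: `C:\WINDOWS\userint32.exe`, which the helper also selected, passes both checks, so flagged entries are a starting point for review rather than a verdict.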

#3
NotoriousMSP

    New Member

  • Topic Starter
  • Member
  • 3 posts
Thanks for the information. There is only one problem though. Because this is a work computer I do not have the computer password to get into safe mode. I only have my networking password that logs me in to my system. Is there any way I could do this outside of safe mode?

PS I tried to get our IT department to do it, but it's been going nowhere.
  • 0

#4
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
All you actually need is someone to reboot to safe mode.

The rest is in the advice. Is there any way they will stand by you to reboot to safe mode?
  • 0

#5
NotoriousMSP

    New Member

  • Topic Starter
  • Member
  • 3 posts
I sent these directions to our IT guys. I'll let you know how it goes. Thanks again for the help. It's greatly appreciated!
  • 0

#6
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
I hope to hear from you!



EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 09 June 2005 - 03:21 PM.

  • 0





