09-09-2004, 07:20 PM
owen
D-A-L Team Member (UK)
Loyal Contributor
 
Join Date: Jun 2004
Posts: 5,272
Re: Please Help! I have tried everything!

I'm going away on Saturday so I want to get this case resolved before then.

First of all download the Peper Fix from http://downloads.subratam.org/PeperFix.exe. Run it and let it remove your Peper Trojan infection.

Then close all browser windows, restart Hijack This and put a checkmark next to the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Jonathan\Local Settings\Temp\ggI.dll
O4 - HKLM\..\Run: [Microsoft Registry Update] regedit32.exe
O4 - HKLM\..\Run: [Windows System Manager Proc] winsmc.exe
O4 - HKLM\..\Run: [XML Service] msli.exe
O4 - HKLM\..\Run: [Microsoft Direct Configs] directx64.exe
O4 - HKLM\..\Run: [System32 Spool ] winint.exe
O4 - HKLM\..\Run: [a] C:\windows\temp\a.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Xej7.exe
O4 - HKLM\..\Run: [Inet Delivery] C:\Program Files\Inet Delivery\uncanny.exe
O4 - HKLM\..\RunServices: [Microsoft Registry Update] regedit32.exe
O4 - HKLM\..\RunServices: [Windows System Manager Proc] winsmc.exe
O4 - HKLM\..\RunServices: [XML Service] msli.exe
O4 - HKLM\..\RunServices: [Microsoft Direct Configs] directx64.exe
O4 - HKLM\..\RunServices: [System32 Spool ] winint.exe
O4 - HKCU\..\Run: [msorc32r] C:\WINDOWS\System32\msorc32r.exe
O4 - HKCU\..\Run: [Microsoft Registry Update] regedit32.exe
O4 - HKCU\..\Run: [System32 Spool ] winint.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/25562c10ac91ea...tzip/RdxIE2.cab

Click Fix Checked

Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

Go to C:\windows\temp\ and once in the folder click Edit> Select All and hit the delete key to empty the contents of the folder. But don't delete the folder itself.

Go to C:\Documents and Settings\Jonathan\Local Settings\Temp\ and once in the folder click Edit> Select All and hit the delete key to empty the contents of the folder. But don't delete the folder itself.

Go to Start> Control Panel and double click Add/Remove programs. Uninstall the following programs if they exist. If not, move on to the next:

TV Media

Then delete the following files and folders:
C:\Program Files\TV Media
C:\Program Files\Inet Delivery
C:\WINDOWS\System32\msorc32r.exe
C:\WINDOWS\System32\directx64.exe

Then reboot and post a fresh log.
__________________
Owen,
My Website - I Security.org.uk

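As an added example (not part of owen's post, and not HijackThis's own logic), the Python below parses the `code - body` line format of the log entries listed in the post and flags entries using heuristics assumed here: a missing target file, a file loaded from a Temp directory, an autostart command without a full path, and a control downloaded from a bare IP address. The function names and the last two sample lines are constructed for illustration.

```python
import re

# Section codes used in the post's log, with their usual meaning.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "O2": "Browser Helper Object",
    "O4": "autostart entry", "O9": "IE extra button/menu item",
    "O16": "downloaded ActiveX control",
}
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.I)
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")

def triage(line):
    """Return (code, meaning, reasons) for a log entry, or None for other text."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    code, body = m["code"], m["body"]
    reasons = []  # assumed heuristics, not HijackThis's own verdicts
    if body.endswith("(file missing)"):
        reasons.append("target file missing")
    if TEMP_DIR.search(body):
        reasons.append("loads from a Temp directory")
    if code == "O4" and "\\" not in body.split("] ", 1)[-1]:
        reasons.append("autostart command has no full path")
    if code == "O16" and IP_URL.search(body):
        reasons.append("control fetched from a bare IP address")
    return code, SECTIONS.get(code, "other"), reasons

# Sample lines: the first four are copied from the post, the last two are constructed.
SAMPLE = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/",
    r"O4 - HKLM\..\Run: [XML Service] msli.exe",
    r"O4 - HKLM\..\Run: [a] C:\windows\temp\a.exe",
    r"O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)",
    r"O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe",
    r"O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://192.0.2.10/example.cab",
]

def flagged(lines):
    """Keep only the entries that tripped at least one heuristic."""
    return [t for t in map(triage, lines) if t and t[2]]

if __name__ == "__main__":
    for code, meaning, reasons in flagged(SAMPLE):
        print(f"{code:>3} {meaning}: {'; '.join(reasons)}")
```

A flagged entry is a prompt for a closer look, not a verdict; the entries to fix in this case are the ones owen lists.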