
norton can't get rid of w32.spybot worm

Discussion in 'Virus & Other Malware Removal' started by ir0nchef13, Oct 18, 2003.

Thread Status:
Not open for further replies.
  1. ir0nchef13

    ir0nchef13 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    16
    I have Norton AntiVirus 2004, and it found the Spybot worm virus and is not able to get rid of it! Please help me get rid of it.
    Here's my log:

    Logfile of HijackThis v1.96.0
    Scan saved at 7:13:33 PM, on 10/18/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\WINDOWS\System32\VYISYTIPA.EXE
    C:\Program Files\ClearSearch\Loader.exe
    C:\Program Files\Media\Media\UpdateStats.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Jonathan Chan\Application Data\urod.exe
    C:\WINDOWS\System32\HteKY6P.exe
    C:\WINDOWS\System32\SsrJCIS.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Jonathan Chan\Desktop\a\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=129825
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=129825
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1CB8FCDE-651A-496C-B34F-42CB12ECC5EA} - C:\WINDOWS\System32\klbdusl.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Microsoft Service Networks] VYISYTIPA.EXE
    O4 - HKLM\..\Run: [MSConfig] HNHNNHZQWP.EXE
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Bio9f.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Iotn] C:\Documents and Settings\Jonathan Chan\Application Data\urod.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: TFTP2180
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F3760B54-B18A-4722-A8D1-0735700D98F8}: NameServer = 64.105.172.26 64.105.163.106
     
  2. kath100

    kath100

    Joined:
    Aug 20, 2003
    Messages:
    1,062
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    ir0nchef13

    It looks like you have the peper.a trojan (among other things).

    These entries:

    Running processes:

    C:\WINDOWS\System32\HteKY6P.exe
    C:\WINDOWS\System32\SsrJCIS.exe

    And:

    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Bio9f.exe

    Indicate the peper.a trojan which is very difficult to remove.

    Let's deal with that first.

    The best and only really efficient way is to download TDS-3 from http://www.wilders.org/anti_trojans.htm
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update

    This is a trial version, so you will have to do the update manually. The automatic update only works with the registered version, which costs $49. When you download the update, put the radius.td3 file in the C:\Program Files\TDS3 folder, provided that is where you installed TDS-3.

    Launch TDS-3 and click on "System Testing" then "Full System Scan" and the scan will begin. Let it scan and remove all suspicious files.

    After that, go here http://www.lavasoftusa.com/software/adaware/ and download Ad-aware 6.

    Install the program and launch it.

    I strongly recommend that you read the help file to familiarize yourself with the program.

    Before running the scan, look at the top of the main window and you will see a gear icon. This is where you configure the settings. Click on that, and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives", and below that under "Memory and Registry" put a check by all the options there.
    Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning". Then under "Cleaning engine" put a check by "Let windows remove files in use at next reboot" and click "Proceed".

    Next, in the main window look in the bottom right corner and click on "Check for updates now" and get the latest reference files.
    After getting the latest reference files you are ready to scan.

    Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

    When it is finished let it fix everything it finds.

    Restart your computer.

    Then go here http://spybot.eon.net.au/index.php?...n&page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates" .

    Put a check mark by all updates and install them.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

    Restart your computer.

    Then you need to update HijackThis. The version you are using is outdated.

    Open HijackThis and click on the "Config" button in the lower right corner, then click on the "Misc tools" button, then click on "Check for update online" and download the update.

    After updating, scan with HJT again and post the log from that, and we'll deal with the rest.
     
  4. ir0nchef13

    ir0nchef13 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    16
    Flrman1, I did everything you told me to.
    Here's my updated log...

    Logfile of HijackThis v1.97.3
    Scan saved at 11:56:09 PM, on 10/18/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\SsrJCIS.exe
    C:\WINDOWS\System32\Hst0W6wh.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Jonathan Chan\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Microsoft Service Networks] VYISYTIPA.EXE
    O4 - HKLM\..\Run: [MSConfig] HNHNNHZQWP.EXE
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Bio9f.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: TFTP2180
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F3760B54-B18A-4722-A8D1-0735700D98F8}: NameServer = 64.105.172.26 64.105.163.106
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hi... you still have peper.a... like Flrman1 said, it's a nasty one to remove. When you ran the TDS3 scan, what was the result? Afterwards, did it identify the trojan, and if so, what did it say?
     
  6. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Run H/T again and "fix" these items.
    Get back to us on the result from TDS3 before we try anything else with peper.a.

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [Microsoft Service Networks] VYISYTIPA.EXE
    O4 - HKLM\..\Run: [MSConfig] HNHNNHZQWP.EXE
    O4 - Global Startup: TFTP2180

    ;)
     
  7. ir0nchef13

    ir0nchef13 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    16
    There was a positive identification for "TrojanDownloader.Win32.AdGoblin" and a bunch of "TrojanDownloader.Win32.VB". I saved the results of the scan, so I hope this information will help...

    13:20:29 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    13:20:29 [Init] Started 20-10-03 13:20:29 Pacific Standard Time (UTC: 8), Internet Time @889.22
    13:20:29 [Init] Loading TDS-3 Systems ...
    13:20:29 [Init] Token successfully adjusted.
    13:20:29 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    13:20:29 [Init] • Plugins : OK. Loaded 13
    13:20:29 [Init] • Exec Protection : Not Installed
    13:20:29 [Init] WARNING: Your Radius.TD3 database needs to be updated!
    13:20:29 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
    13:20:29 [Init] Licensed users can use the Update facility from the TDS menu
    13:20:30 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    13:20:38 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    13:20:38 [Init] • Systems Initialised [28908 references - 9876 primaries/8238 traces/10794 variants/other]
    13:20:38 [Init] Radius Systems loaded. <Databases updated 18-10-2003>
    13:20:38 [Init] TDS-3 Ready. <Jonathan [email protected], 127.0.0.1, 169.254.181.236 - United States>
    13:20:39 [Tip Of The Day] Did you know? - DiamondCS are the only anti-trojan company that updates DAILY.
    13:20:39 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
    13:20:39 [TDS] Good afternoon Jonathan chan.
    13:20:50 [Mutex Memory Scan] Started...
    13:20:52 [Mutex Memory Scan] Finished (no trojan mutexes found).
    13:20:52 [Trace Scan] Started...
    13:21:06 [Trace Scan] Finished.
    13:21:06 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
    13:21:43 [CRC32] Started - verifying 29 files ...
    13:21:51 [CRC32] Test finished.
    13:23:35 [Memory Scan] Memory scan started, please wait a moment ...
    13:23:39 [Memory Scan] Memory scan complete.
    13:23:39 [Mutex Memory Scan] Started...
    13:23:40 [Mutex Memory Scan] Finished (no trojan mutexes found).
    13:23:40 [Trace Scan] Started...
    13:23:51 [Trace Scan] Finished.
    13:23:51 [ServiceScan] Scanning for services and drivers ...
    13:23:59 [ServiceScan] Scanned 304 services and drivers.
    13:23:59 [File Scan] Scanning in A:\ ...
    13:24:00 [File Scan] Scanned 0 files: 0 alarms in 1.15625 seconds (Avg 1. files/sec)
    13:24:00 [File Scan] Scanning in C:\ ...
    14:04:34 [File Scan] Scanned 52435 files: 151 alarms in 2434.188 seconds (Avg 22.54 files/sec)
    14:04:35 [File Scan] Scanning in D:\ ...
    14:04:37 [File Scan] Scanned 3 files: 151 alarms in 1.578125 seconds (Avg 2.9 files/sec)
    14:04:37 [Scan] Finished.

    Also... I wasn't able to get rid of the "Global Startup - TFTP2180" thing in HijackThis!

    Alright... here's my most recent log:

    Logfile of HijackThis v1.97.3
    Scan saved at 2:16:33 PM, on 10/20/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\System32\Hst0W6wh.exe
    C:\WINDOWS\System32\KlwTjJ.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Jonathan Chan\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Eah1q5.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: TFTP2180
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt0_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F3760B54-B18A-4722-A8D1-0735700D98F8}: NameServer = 64.105.172.26 64.105.163.106
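What Flrman1 and $teve are reading by eye across these three logs (a Run value whose name stays fixed while the file it points to changes, bare file names with no directory, and the Global Startup item that survives every "fix") can be checked mechanically. The script below is an added example written for this thread; it is not code from any poster or from HijackThis. Its O4 lines are copied from the three logs above, with the vendor entries that are identical in all three (DellTouch, Adaptec, RealPlayer, ccApp, MSMSGS, QuickTime, Microsoft Works) left out for brevity; the function names and the report layout are the example's own.

```python
"""
Triage of HijackThis O4 (autostart) entries across successive logs.

Added example written for this thread; not code from any poster or from
HijackThis. The O4 lines below are copied from the three logs posted above
(18 Oct 7:13 PM, 18 Oct 11:56 PM, 20 Oct 2:16 PM), minus the vendor entries
that are identical in all three. Function names and report layout are mine.
"""
import re

LOG_1 = r"""
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Microsoft Service Networks] VYISYTIPA.EXE
O4 - HKLM\..\Run: [MSConfig] HNHNNHZQWP.EXE
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Bio9f.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKCU\..\Run: [Iotn] C:\Documents and Settings\Jonathan Chan\Application Data\urod.exe
O4 - Global Startup: TFTP2180
"""

LOG_2 = r"""
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Microsoft Service Networks] VYISYTIPA.EXE
O4 - HKLM\..\Run: [MSConfig] HNHNNHZQWP.EXE
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Bio9f.exe
O4 - Global Startup: TFTP2180
"""

LOG_3 = r"""
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Eah1q5.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - Global Startup: TFTP2180
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+)$")


def parse_o4(log):
    """Return ({(hive, value_name): command}, {startup item}) for one log."""
    runs, startup = {}, set()
    for line in log.strip().splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            runs[(m.group(1), m.group(2))] = m.group(3)
        elif m := STARTUP_RE.match(line):
            startup.add(m.group(1))
    return runs, startup


def executable_of(cmd):
    """The program a Run command launches: the quoted token if there is one,
    otherwise everything up to the first '.exe', so that an unquoted path
    with spaces (the P2P Networking entry) is kept whole."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def bare_filenames(runs):
    """Value names whose command is a file name with no directory at all.
    Windows finds such a file through its search path, so the log line
    alone does not tell you which file on disk is being run."""
    return sorted(name for (_, name), cmd in runs.items()
                  if "\\" not in executable_of(cmd))


def compare(logs):
    """Follow every autostart value from the first log to the last."""
    parsed = [parse_o4(log) for log in logs]
    first_runs, last_runs = parsed[0][0], parsed[-1][0]
    regenerating = {}
    for key in set().union(*(runs for runs, _ in parsed)):
        seen = []
        for runs, _ in parsed:
            if key in runs:
                exe = executable_of(runs[key]).lower()
                if exe not in seen:
                    seen.append(exe)
        if len(seen) > 1:  # same value name, different target: rewritten between scans
            regenerating[key[1]] = seen
    return {
        "regenerating": regenerating,
        "persistent": sorted(key[1] for key in first_runs
                             if all(key in runs for runs, _ in parsed)),
        "persistent_startup": sorted(set.intersection(*(s for _, s in parsed))),
        "removed": sorted(key[1] for key in first_runs if key not in last_runs),
    }


if __name__ == "__main__":
    for name in bare_filenames(parse_o4(LOG_1)[0]):
        print("bare file name in first log:", name)
    for section, value in compare([LOG_1, LOG_2, LOG_3]).items():
        print(f"{section}: {value}")
```

The report shows [2LRX2W83X2T3MQ] moving from Bio9f.exe to Eah1q5.exe between the second and third log, which is why "fixing" that entry in HijackThis does not stick: the value is being rewritten between scans, consistent with a still-running process doing it (the random-named processes in the three "Running processes" lists, HteKY6P.exe, SsrJCIS.exe, Hst0W6wh.exe, KlwTjJ.exe, change in the same way). The rundll32.exe entry is listed as "bare" only because rundll32 is resolved through the search path; what matters there is its argument, stlbdist.DLL, the same DLL the first log lists under O2 and O3.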
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You still have the peper.a trojan. Did you do the manual update as suggested? If so try running TDS-3 in safe mode.
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    It looks like you didn't do the manual update.

    These entries from your saved TDS-3 log say so:

    "13:20:29 [Init] WARNING: Your Radius.TD3 database needs to be updated! "

    13:20:38 [Init] Radius Systems loaded. <Databases updated 18-10-2003>


    Make sure you do the manual update and save the radius.td3 file in the C:\program files\TDS3 folder

    Run the scan in safe mode.
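Flrman1's reading of the TDS-3 log (the "needs to be updated" warning next to a database stamp two days older than the scan) is a check worth automating when a user insists the manual update was done. The script below is an added example for this thread, not part of the original posts or of TDS-3; the lines it parses are copied from the log ir0nchef13 posted, the date formats are taken from those lines, and the function names are the example's own. It also reads the per-drive alarm figures the way this log presents them, as a running total, so the D:\ line's "151 alarms" is the same 151 from C:\, not 151 more.

```python
"""
Sanity checks on a TDS-3 scan log: was the signature database refreshed
before the scan, and how many alarms did each drive actually add?

Added example written for this thread; not part of the original posts or
of TDS-3. The lines below are copied from the log ir0nchef13 posted above;
the date formats (DD-MM-YY after 'Started', DD-MM-YYYY in the database
stamp) are taken from those lines. Function names are mine.
"""
import re
from datetime import datetime

TDS_LOG = r"""
13:20:29 [Init] Started 20-10-03 13:20:29 Pacific Standard Time (UTC: 8), Internet Time @889.22
13:20:29 [Init] WARNING: Your Radius.TD3 database needs to be updated!
13:20:38 [Init] Radius Systems loaded. <Databases updated 18-10-2003>
13:23:59 [File Scan] Scanning in A:\ ...
13:24:00 [File Scan] Scanned 0 files: 0 alarms in 1.15625 seconds (Avg 1. files/sec)
13:24:00 [File Scan] Scanning in C:\ ...
14:04:34 [File Scan] Scanned 52435 files: 151 alarms in 2434.188 seconds (Avg 22.54 files/sec)
14:04:35 [File Scan] Scanning in D:\ ...
14:04:37 [File Scan] Scanned 3 files: 151 alarms in 1.578125 seconds (Avg 2.9 files/sec)
14:04:37 [Scan] Finished.
"""

STARTED_RE = re.compile(r"\[Init\] Started (\d{2}-\d{2}-\d{2,4}) ")
DB_RE = re.compile(r"<Databases updated (\d{2}-\d{2}-\d{2,4})>")
SCAN_RE = re.compile(r"\[File Scan\] Scanning in ([A-Z]:)\\")
RESULT_RE = re.compile(r"\[File Scan\] Scanned (\d+) files: (\d+) alarms")


def parse_date(text):
    """'18-10-2003' and '20-10-03' both appear in the log; handle either."""
    fmt = "%d-%m-%Y" if len(text) == 10 else "%d-%m-%y"
    return datetime.strptime(text, fmt).date()


def database_age(log):
    """Days between the loaded database's stamp and the scan start,
    or None if either line is missing from the log."""
    started = stamp = None
    for line in log.splitlines():
        if m := STARTED_RE.search(line):
            started = parse_date(m.group(1))
        elif m := DB_RE.search(line):
            stamp = parse_date(m.group(1))
    if started is None or stamp is None:
        return None
    return (started - stamp).days


def update_warning(log):
    """True when TDS-3 itself complained that Radius.TD3 is out of date."""
    return any("database needs to be updated" in line for line in log.splitlines())


def alarms_per_drive(log):
    """Per-drive file and alarm counts. The alarm figure in each 'Scanned'
    line is a running total (A: 0, C: 151, D: 151 in this log), so each
    drive's own contribution is the increase over the previous line."""
    per_drive, drive, previous = {}, None, 0
    for line in log.splitlines():
        if m := SCAN_RE.search(line):
            drive = m.group(1)
        elif drive and (m := RESULT_RE.search(line)):
            files, total = int(m.group(1)), int(m.group(2))
            per_drive[drive] = {"files": files, "alarms": total - previous}
            previous, drive = total, None
    return per_drive


if __name__ == "__main__":
    print("update warning:", update_warning(TDS_LOG))
    print("database older than scan by (days):", database_age(TDS_LOG))
    for drive, counts in alarms_per_drive(TDS_LOG).items():
        print(drive, counts)
```

A database stamp that still predates the scan after a manual update was supposedly applied means the file TDS-3 loaded is not the one that was downloaded, which is exactly the question Flrman1 is pressing: either the download landed in a different folder or it was not overwritten. The per-drive split also keeps the 151 alarms where they belong, on C:\; D:\ contributed none.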
     
  10. ir0nchef13

    ir0nchef13 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    16
    I don't know what to tell you... I DID update the radius.td3 manually, yet "WARNING: Your Radius.TD3 database needs to be updated" still pops up whenever I open TDS-3!!! Please help! :(
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You obviously did not get the update file where it was supposed to go when you downloaded it.

    Go here again:

    http://tds.diamondcs.com.au/index.php?page=update

    right-click on the radius.td3 file and choose "Save target as". Then in the "Save in" box browse to the C:\Program Files\TDS3 folder and save it there. A prompt will appear telling you that there is already a radius.td3 file there and asking "do you want to overwrite it"; click Yes.

    Run the "Full System Scan" again, preferably in safe mode.
     
  12. ir0nchef13

    ir0nchef13 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    16
    I am sooo positive that I did everything you told me to (MANUALLY updating radius.td3 and overwriting it in the C:\Program Files\TDS3 folder)!!

    I really don't know what to tell you!!!


    Ahhhhh, it's so frustrating!!
    :mad:
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Can't hurt to try it again. :)
     
  14. ir0nchef13

    ir0nchef13 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    16
    I'VE DONE IT AGAIN AND AGAIN AND AGAIN!!!!

    I REALLY HAVE, LOL!!!

    :confused:
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    There are only two other options.

    1: Try to remove it manually, which is very tricky and most times unsuccessful.

    2: Uninstall TDS-3. Get the trial version of NOD32 (the only other program that I know of that has been successful at removing peper.a).

    If you want to try NOD32 you will have to uninstall TDS-3 and temporarily disable your current antivirus program.

    You can get it here:

    http://www.nod32.com/download/trial.htm

    Once again I recommend running it in safe mode. You must also disable your current AV.
     
Short URL to this thread: https://techguy.org/172977
