You have the peper trojan. Use the removal tool here -> http://thatcomputerguy.us/viewlink-32.html. This program will have to access the internet to work so you will have to give it permission if your firewall tries to block it.
Thank you so much for telling me what this is. I've tried the link (both the one posted and going through computer guy's front page) but I get a 'Page cannot be found error'. Is there another way that I can remove this trojan? Thanks!
Download Drpepertobackup.exe, save to disk, and doubleclick the file; it will self extract to c:\. Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double click it.
On the first prompt, copy and paste: Bxe0n.exe and hit ok.
On the second, paste: Pflvs4.exe and hit ok again.
It will find all the files, delete them and will make backups in the same folder. It'll open a text file (Peper.txt) with the list of all files deleted.
When done, restart your computer, and post the contents of that Peper.txt file here, along with a fresh hijackthis log.
Thank you for all your help. I followed your instructions, but when I do this:
"Download Drpepertobackup.exe, save to disk, and doubleclick the file; it will self extract to c:\. Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double click it.
On the first prompt, copy and paste: Bxe0n.exe and hit ok.
On the second, paste: Pflvs4.exe and hit ok again. "
It tells me that the files don't exist. I ran this
Logfile of HijackThis v1.97.7 Scan saved at 6:12:51 PM, on 2/6/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Sorry for all the bother. This has been a pretty slippery problem for me the last few weeks. Again, thank you for all your help. Is the trojan gone now? Or are there steps that I still need to take? Have a great weekend!
Yellowhammer
725 Posts
0
February 5th, 2004 20:00
You have the peper trojan. Use the removal tool here -> http://thatcomputerguy.us/viewlink-32.html. This program will have to access the internet to work so you will have to give it permission if your firewall tries to block it.
That is the only thing I can see in your log.
Post another hijackthis log when you are through.
slumba01
5 Posts
0
February 6th, 2004 10:00
Yellowhammer
725 Posts
0
February 6th, 2004 15:00
Run this uninstaller:
http://home01.wxs.nl/~kleyn080/uninst.exe
When done, use the following tool to delete the files themselves:
http://www.mjc1.com/files/mo/drpeper.html
Download Drpepertobackup.exe, save to disk, and doubleclick the file; it will self extract to c:\.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double click it.
On the first prompt, copy and paste: Bxe0n.exe and hit ok.
On the second, paste: Pflvs4.exe and hit ok again.
It will find all the files, delete them and will make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted.
When done, restart your computer, and post the contents of that Peper.txt file here, along with a fresh hijackthis log.
slumba01
5 Posts
0
February 6th, 2004 22:00
Yellowhammer,
Thank you for all your help. I followed your instructions, but when I do this:
"Download Drpepertobackup.exe, save to disk, and doubleclick the file; it will self extract to c:\.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double click it.
On the first prompt, copy and paste: Bxe0n.exe and hit ok.
On the second, paste: Pflvs4.exe and hit ok again. "
It tells me that the files don't exist. I ran this
http://home01.wxs.nl/~kleyn080/uninst.exe
and here is the new hijack log:
Logfile of HijackThis v1.97.7
Scan saved at 6:12:51 PM, on 2/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stltoday.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.stltoday.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://education.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B394325B-474D-4400-9194-72C9BC8C5119}: NameServer = 151.164.14.201 151.164.1.8
Sorry for all the bother. This has been a pretty slippery problem for me the last few weeks. Again, thank you for all your help. Is the trojan gone now? Or are there steps that I still need to take? Have a great weekend!
Yellowhammer
725 Posts
0
February 6th, 2004 22:00
slumba01
5 Posts
0
February 6th, 2004 22:00
Yellowhammer,
Thank
slumba01
5 Posts
0
February 6th, 2004 22:00
Yellowhammer,
Thank you