IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.

[Solved] Need help with viruses found

2687 Views 34 Replies 3 Participants Last post by  Flrman1
I am hoping someone can help me.

I have a few issues going on. First - NAV found Downloader.Trojan and I receive a message saying it was unable to be cleaned. Quarantine failed. Access Denied.
Second - NAV also found the Trojan.ByteVerify Virus and I receive the same message. NAV has all the latest updates.
Third - other problems are that all of a sudden when using the mouse to scroll down a page or highlight a word, the entire page highlights; when trying to highlight to change a URL it highlights the entire line and I can't do anything then. When reading email either through Yahoo or Optimum, the same things happen, and when trying to sign off email I find that there are multiple windows open for the same emails and have to close all the windows to finally be signed out.
Third - when trying to play Medal of Honor online, pop-ups appear like crazy and the game stops, saying that it cannot find a server or server not responding (this just started recently). Then the game tries to restart, comes up with a half-window and restarts again. You end up constantly shutting it off and restarting it again; it makes it impossible to play.
I have run NAV - nothing found. I have run CWShredder, finds nothing. Run Spybot Search and Destroy and Adware 6 and it finds the same things even after immunizing - PeopleonPage, MY Web Search (when I try to uninstall, the program just hangs), and Doubleclick.

Any help would be very much appreciated.
Status
Not open for further replies.
1 - 12 of 35 Posts
First run this uninstaller to get rid of the peper.a trojan:

http://www.zerosrealm.com/downloads/uninst.exe

*Note: Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O2 - BHO: (no name) - {98569882-6B8C-45FD-AB91-66856046A5DC} - C:\WINDOWS\System32\comhaddin.dll

O3 - Toolbar: (no name) - {BD8AFCD2-F6AB-4C8D-8050-017BD77A5C09} - (no file)

O3 - Toolbar: (no name) - {47BD0AB8-6109-4D42-B611-6AC9DF9DA9FC} - (no file)

O4 - HKLM\..\Run: [POP] C:\Program Files\POP\PopSrv225.exe

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab


Restart to safe mode and delete:

The C:\Program Files\LimeShop folder
The C:\Program Files\couponsandoffers folder
The C:\Program Files\POP folder

How to start your computer in safe mode.
Originally posted by Nok1:
Follow these steps for removing the "peper" trojan:

1 -- download and run the "uninstaller" here:
http://home.iprimus.com.au/mbuchan/peperuninst.exe

(it has to be run while you are still connected online)

2 -- download and extract the dr peper script from here:
http://www.mjc1.com/files/mo/drpeper.html
(it extracts to: C:\drpeper\Find backup and Delete Peper files.vbs)
Double click on the *.vbs file to run it. You may get a "script" warning; allow it to run.
That method is no longer required to remove peper, Nok1. All that has to be done is run the uninstaller as in my post above.

cubz

Just run the uninstaller as I posted and fix the entries with HJT.
These are all peper files:

C:\WINDOWS\SYSTEM32\Erl6ax.exe
C:\WINDOWS\SYSTEM32\Jel277g.exe
C:\WINDOWS\SYSTEM32\OooFY10.exe
C:\WINDOWS\SYSTEM32\QoceK8.exe
C:\WINDOWS\SYSTEM32\Rnz8N.exe
C:\WINDOWS\SYSTEM32\TmoU.exe


Did you run the uninstaller as I suggested?
Well if you ran Adaware and Spybot before fixing the entries with HJT that's why they weren't there.

The log is clean now. :up:

Post the next log from the next user account now.
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\TJ\Application Data\ttuh.exe

O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe

O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm


Restart to safe mode:

Then click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

Now find and delete:

The C:\Program Files\couponsandoffers folder
The C:\Program Files\Common Files\PSD Tools folder
The C:\Documents and Settings\TJ\Application Data\ttuh.exe file
The C:\WINDOWS\System32\wnscpsv.exe file
Clean! :up:

Next! :)
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank

O4 - HKCU\..\Run: [li-multi00027] c:\program files\Webdialer\li-multi00027[1].exe -m

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Rich\Application Data\ttuh.exe

O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm


Restart to safe mode and delete:

The C:\Program Files\LimeShop folder
The c:\program files\Webdialer folder
The C:\Documents and Settings\Rich\Application Data\ttuh.exe file
The C:\WINDOWS\System32\wnscpsv.exe file
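
An added example, not part of the original thread or written by its participants: a small Python parser for the HijackThis entry lines quoted in these posts. It flags "(no file)" leftovers and, because HKCU Run values are stored per user, reports which autostart targets recur across the separate account logs; the function names are illustrative and the sample lines are copied from the TJ and Rich logs in this thread.

```python
import re
from collections import defaultdict

# Section labels as they appear in the log lines quoted in this thread.
SECTIONS = {"R1": "IE setting", "R3": "URL search hook", "O2": "BHO",
            "O3": "IE toolbar", "O4": "autostart Run key",
            "O8": "IE context menu item", "O16": "ActiveX (DPF)"}
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
PROFILE = re.compile(r"^C:\\Documents and Settings\\[^\\]+\\", re.I)

def parse_entry(line):
    """Split one HijackThis line into section, CLSID, target and orphan flag."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None  # not a log entry (forum prose, blank line, ...)
    code, body = m.group("code"), m.group("body")
    run = RUN.match(body)
    target = run.group("cmd") if run else body.rsplit(" - ", 1)[-1]
    clsid = CLSID.search(body)
    return {"code": code, "kind": SECTIONS.get(code, "unknown"),
            "clsid": clsid.group(0) if clsid else None,
            "target": target,
            "orphan": target == "(no file)"}  # registry value left, file gone

def normalize(target):
    """Replace the per-user profile prefix so accounts can be compared."""
    return PROFILE.sub(lambda _: "%USERPROFILE%\\", target).lower()

def shared_autostarts(logs):
    """Return O4 targets found in more than one account's log."""
    seen = defaultdict(set)
    for account, lines in logs.items():
        for entry in filter(None, map(parse_entry, lines)):
            if entry["code"] == "O4":
                seen[normalize(entry["target"])].add(account)
    return {t: sorted(a) for t, a in seen.items() if len(a) > 1}

# Entry lines copied from the TJ and Rich account logs in this thread.
LOGS = {"TJ": [
    r"R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)",
    r"O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\TJ\Application Data\ttuh.exe",
    r"O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe",
], "Rich": [
    r"O4 - HKCU\..\Run: [li-multi00027] c:\program files\Webdialer\li-multi00027[1].exe -m",
    r"O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Rich\Application Data\ttuh.exe",
    r"O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe",
]}
print(shared_autostarts(LOGS))
```
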
Clean! :up:

Is that the last one?
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm


Restart to safe mode and delete:

The C:\Program Files\LimeShop folder
The C:\Program Files\couponsandoffers folder
Clean! :up:
That one comes from just surfing to the wrong website and because your security settings are too low it is able to download to your machine.

Now for some tips to help prevent this:

Go to Windows update and install all "Critical Updates and Service Packs"

Go to Start > All Programs > Spybot Search & Destroy > Spybot S & D (Advanced mode) to open Spybot in Advanced Mode.
Click on the "Spybot S&D" button in the left column and under that click on "Immunize". On that page under "Permanent Internet Explorer Immunity" click the "Immunize" button then down below that under "Permanently running bad download blocker for Internet Explorer" click "Install" then right there in the dropdown menu set it to "Block all bad pages silently". Next under that you will see "Recommended miscellaneous protections". Put a check by "Lock IE start page against user changes (current user)".

Remember to Immunize regularly as the protections are updated too.

Finally go here for info on how to tighten your security settings and how to help prevent future attacks.
On this page you will find links to Javacool's SpywareBlaster, SpywareGuard and IE-SPYAD. Get them all and check for updates frequently.
The Immunize feature in Spybot used in conjunction with SpywareBlaster, SpywareGuard, IE-SPYAD and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.

Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Adaware and be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.
My Pleasure! :up: