Malware issue: please review this CWShredder log

A coworker has had his computer infected with some bad malware. I’ve run both Ad-Aware (found 570 objects) and Spybot S&D (about 30 objects) and the problem is still as bad as it ever was. I have now run CWShredder and would like somebody to review the log and make some recommendations for me. Also, should I try running HijackThis, or will the problem be found here?

Since CWShredder has found problems, run it again to clean them. Just click on the “fix” button and it will remove all the stuff it found.

Then run HijackThis and post the log to see if there are other problems.

Okay, I ran the fix and then ran HJT. Here is the log file, and I can already see a few things that can probably go…

You’re correct.

First of all, you have the Peper trojan, which requires special treatment.

Go to this page and download the Peper uninstaller.

You must be connected to the Internet while running the program. If you have a firewall, disable it during the process.
Close Internet Explorer, run HijackThis again, and scan the computer. Put a check mark by the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM…\Run: [9uFX5I9] C:\documents and settings\owner\local settings\temp\9uFX5I9.exe
O4 - HKLM…\Run: [gasfthgyfkiqf] C:\WINDOWS\System32\kddykd.exe
O4 - HKLM…\Run: [3Z8QBM65QW4GFC] C:\WINDOWS\System32\XlwA.exe This is Peper. The removal tool should have removed it.
O4 - HKLM…\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM…\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM…\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM…\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM…\Run: [hadows] C:\WINDOWS\System32\hadows.exe I’m not 100% sure of this, but it’s extremely suspicious. If you haven’t installed anything named “hadows.exe,” delete it.
O4 - HKLM…\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKCU…\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU…\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe (This purports to sync your clock, but it’s loaded with spyware)
O4 - HKCU…\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 “C:\Program Files\ISTbar\istbar.dll”
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} -

Click on “Fix checked” and delete the items.

Restart your computer. Search for the following and, if they exist, delete:

XlwA.exe (should already be gone)
TV Media (entire folder)
ISTsvc (entire folder)
hadows.exe (note my comment above)
ClockSync (Remove the program using Add/Remove Programs, then delete the entire folder)
ISTbar (entire folder)

See if all that helps.

Just to clarify, don’t run HijackThis until after you have finished running the Peper uninstaller.

Okay, I have done everything that you outlined and it seems to have done the trick. I do have a couple of follow up questions though.

  1. I can’t delete the ISTsvc folder. It tells me that access is denied to ISTsvc.exe.
  2. The Norton definitions were last updated (prior to today) on 5/26. Any idea of how that Peper virus may have gotten through?

I owe you one. Thanks very much.
  1. It means the program is running. The software may reinstall itself if deleted, so you should boot in safe mode. Then check your HijackThis log for any entry with a file running in the ISTsvc folder (especially in the O4 - HKLM entries) and remove it. After that, you should be able to delete it.

  2. Most antivirus software doesn’t notice the Peper trojan. I have no idea why.
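The log review in the long answer above and the ISTsvc check in the last reply both come down to reading the O4 (autorun) lines of a HijackThis log and asking, for each one, where the file lives. The script below is an added example, written for this thread; it is not HijackThis code and not anything the posters ran. It parses O4 lines, applies the same rules of thumb the answerer used (autorun out of a temp folder, a loose .exe in the Windows or System32 directory, rundll32 loading a DLL straight from the Windows directory, a file inside one of the folders the thread says to delete) and, for the "access denied" case, lists the entries whose file sits under a given folder. The sample input is constructed from the O4 lines in the log above, with "HKLM\..\Run" written the way HijackThis prints it and one assumed benign entry (jusched.exe) added so a clean line is present; the hard-coded C:\WINDOWS system root is also an assumption. Note what the heuristics do not catch: the answerer also ticked the Lycos IEagent and System Soap Pro entries, which look like ordinary Program Files installs, so the output is a list of lines to look at, not a removal list.

```python
"""Triage helpers for HijackThis "O4" (autorun) lines.

Added example for this thread; it is not HijackThis code and not the
original posters' own. It encodes the rules of thumb the answer above
applied to the O4 entries, so its output is a list of entries to look at,
not a removal list.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the O4 lines from the log in the thread with the
# answerer's inline remarks removed and "HKLM\..\Run" written the way
# HijackThis prints it.  The last line (jusched.exe) is an assumed benign
# entry added so that a clean line is present; it is not from the log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [9uFX5I9] C:\documents and settings\owner\local settings\temp\9uFX5I9.exe
O4 - HKLM\..\Run: [gasfthgyfkiqf] C:\WINDOWS\System32\kddykd.exe
O4 - HKLM\..\Run: [3Z8QBM65QW4GFC] C:\WINDOWS\System32\XlwA.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [hadows] C:\WINDOWS\System32\hadows.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O4 - HKCU\..\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path in the command that ends in an executable/module extension.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|com|scr|bat)\b", re.I)

# Assumed system root; adjust on a machine with a different %SystemRoot%.
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Folders the thread says to delete outright.
KNOWN_BAD_FOLDERS = ("TV Media", "ISTsvc", "ClockSync", "ISTbar")


@dataclass
class Entry:
    hive: str
    key: str
    name: str
    command: str
    path: Optional[str]   # first file path found in the command, if any


def parse_o4_entries(log_text: str) -> List[Entry]:
    """Return the O4 entries in a HijackThis log; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        pm = PATH_RE.search(m["cmd"])
        entries.append(Entry(m["hive"], m["key"], m["name"], m["cmd"],
                             pm.group(0) if pm else None))
    return entries


def triage(entry: Entry) -> List[str]:
    """Flags for one entry, in the order the checks run."""
    flags: List[str] = []
    if not entry.path:
        return flags
    p = entry.path.lower()
    parent, _, fname = p.rpartition("\\")
    if "\\temp\\" in p:                       # autorun out of a temp folder
        flags.append("temp-dir")
    if parent in WINDOWS_DIRS and fname.endswith(".exe"):
        flags.append("exe-in-windows-dir")    # loose .exe in %SystemRoot%: verify
    if (entry.command.lower().startswith("rundll32")
            and parent == "c:\\windows" and fname.endswith(".dll")):
        flags.append("rundll32-windows-dll")  # DLL run straight from %SystemRoot%
    if any("\\%s\\" % f.lower() in p for f in KNOWN_BAD_FOLDERS):
        flags.append("known-bad-folder")
    return flags


def triage_log(log_text: str) -> Dict[str, List[str]]:
    """Entry name -> flags for every O4 line in the log."""
    return {e.name: triage(e) for e in parse_o4_entries(log_text)}


def entries_under(entries: List[Entry], folder: str) -> List[Entry]:
    r"""Entries whose file lives under `folder` (the ISTsvc check in the last reply).
    Compares long names only; an 8.3 path such as C:\PROGRA~1\... will not match."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return [e for e in entries if e.path and e.path.lower().startswith(prefix)]


if __name__ == "__main__":
    for name, flags in triage_log(SAMPLE_LOG).items():
        print("%-20s %s" % (name, ", ".join(flags) or "-"))
    holding = entries_under(parse_o4_entries(SAMPLE_LOG), r"C:\Program Files\ISTsvc")
    print("entries under ISTsvc:", [e.name for e in holding])
```

Run against a real log, `entries_under(entries, r"C:\Program Files\ISTsvc")` gives the Run entries to fix in HijackThis before the folder can be deleted; the reply's advice to do that from safe mode still applies, since the flagged file is the one holding the folder open.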