
Thread: Bad Codec + Pipas.A

  1. #11
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Files here
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
    are what SpyBot has removed and backed up, not to worry about them

    The files in avast's quarantine look like imposters, avast did its job.
    I left clicked (by mistake) on one of them and it just disappeared so I couldn't delete this one (second you mentioned) as it's not there anymore. Is this bad? About
    Sounds like the file got executed, you should run fixwareout again, after pc is restarted post its log.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  2. #12
    Junior Member
    Join Date
    Sep 2006
    Posts
    23

    Default

    Here is the new log:

    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    ...

    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSZTD.EXE 51 746 2006-09-20
    C:\WINDOWS\SYSTEM32\DMRZG.EXE 62 011 2004-08-04

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.

  3. #13
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Download Pocket Killbox to the desktop (version 2.0.0.648)
    http://www.downloads.subratam.org/KillBox.exe

    Start Killbox. Leave the settings where they are.
    Copy this whole list into the windows clipboard, all the Bolded below.

    C:\WINDOWS\SYSTEM32\CSZTD.EXE
    C:\WINDOWS\SYSTEM32\DMRZG.EXE

    Back in Killbox go > file > paste from clipboard,
    Click the "Delete File" button which looks like a stop sign until all the files are deleted, then exit Killbox and delete the folder it made
    c:\!killbox

    Post back in a few days to let us know of any problems.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  4. #14
    Junior Member
    Join Date
    Sep 2006
    Posts
    23

    Default

    Strange thing is already happening. I cannot save anything on the clipboard. I noticed that I didn't delete one of those files you mentioned earlier. I deleted it before I read your last reply. Maybe I should also delete the second one manually? But what's wrong with the clipboard?

  5. #15
    Junior Member
    Join Date
    Sep 2006
    Posts
    23

    Default

    Sorry. I must be too tired of this by now. I was trying to save the text on the notepad, not clipboard. But it really doesn't work. Can you tell me what clipboard is? I never used it before and my English is not too good (I have my native language on my computer so I don't know where to look for it).

  6. #16
    Junior Member
    Join Date
    Sep 2006
    Posts
    23

    Default

    My notepad is working fine. False alarm. I'm so tired (for a few days I'm not doing anything else but trying to cure my computer) that I forgot to type the name of the file. Still don't know where to look for clipboard (funny thing, somehow, with your help I'm fixing my computer but I can't do such a simple thing). I deleted that last file manually so maybe Killbox won't be needed anymore. It's still in my recycle bin in case I need to use Killbox to kill it.

  7. #17
    Junior Member
    Join Date
    Sep 2006
    Posts
    23

    Default

    I just read some more about the Killbox. Then I copied the names of those 2 files into the Killbox window and deleted them (one at a time). CSZTD.EXE was not found because I deleted it earlier (without executing it), but the second file was deleted successfully. Now I'll see how my computer will behave and I will let you know. Thanks for your help and time. This website is really great.

  8. #18
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Good

    The clipboard is where Windows saves something we copy, like copy this text from here to another text, but you've figured that out.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  9. #19
    Junior Member
    Join Date
    Sep 2006
    Posts
    23

    Default

    Hi again. For the past few days I was using my computer to make sure that it is really OK. And everything was working fine until I downloaded "Bearshare" and began to look for some files. While opening one of them I had another avast warning. I clicked the avast quarantine button. Then I launched Spybot to make sure if everything was fixed and guess what? Pipas.A again! I fixed the problem using Spybot, but it was coming back like the first time. So I repeated all the steps: hijackthis, blacklight, fixwareout and then checked with Spybot again. It is OK again. I didn't delete any files yet because I'm not 100% sure if they are the right ones. So if you could advise me on this I would be grateful. Here are the new logs:

    Logfile of HijackThis v1.99.1
    Scan saved at 14:55:15, on 2006-09-30
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
    C:\Program Files\BearShare\BearShare.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\ATKKBService.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [dmbjv.exe] C:\WINDOWS\system32\dmbjv.exe
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{68288170-6EAE-4BAA-8B89-4F866D34B45A}: NameServer = 85.255.116.55,85.255.112.136
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.136
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.136
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.136
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    09/30/06 15:01:39 [Info]: BlackLight Engine 1.0.46 initialized
    09/30/06 15:01:39 [Info]: OS: 5.1 build 2600 (Dodatek Service Pack 2)
    09/30/06 15:01:39 [Note]: 7019 4
    09/30/06 15:01:39 [Note]: 7005 0
    09/30/06 15:01:52 [Note]: 7006 0
    09/30/06 15:01:52 [Note]: 7011 1860
    09/30/06 15:01:53 [Note]: 7026 0
    09/30/06 15:01:53 [Note]: 7026 0
    09/30/06 15:01:56 [Note]: FSRAW library version 1.7.1019
    09/30/06 15:02:09 [Info]: Hidden file: c:\WINDOWS\system32\dmbjv.exe
    09/30/06 15:02:09 [Note]: 7002 32
    09/30/06 15:02:09 [Note]: 7003 1
    09/30/06 15:02:09 [Note]: 10002 1
    09/30/06 15:02:10 [Info]: Hidden file: c:\WINDOWS\system32\cszfv.exe
    09/30/06 15:02:10 [Note]: 7002 32
    09/30/06 15:02:10 [Note]: 7003 1
    09/30/06 15:02:10 [Note]: 10002 1
    09/30/06 15:05:19 [Note]: 7007 0



    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
    ...

    Random Runs removed from HKLM
    "dmbjv.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSZFV.EXE 51 811 2006-09-29
    C:\WINDOWS\SYSTEM32\DMBJV.EXE 60 971 2004-08-04
    C:\WINDOWS\SYSTEM32\DMUHI.EXE 60 971 2004-08-04

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.


    Also, Spybot detected "Bearshare" as a threat. Is it really that dangerous? I know downloading files using it is, but I'm asking about the program itself. Should I fix it with Spybot? (I didn't yet.) I really need such software so maybe I should look for another one?

    And one other thing. I noticed that when surfing the net, advertising content of some pages is being blocked. Instead of this I have a message "the page can not be found". It's not a full screen message, it is only displayed on those parts of the screen where advertising should be. Is Spybot doing this? And if so, then can I set this option off? Or maybe some virus is still hidden and doing its tricks?
    Thanks for your help in advance.

  10. #20
    Junior Member
    Join Date
    Sep 2006
    Posts
    23

    Default

    And the last hijackthis log,after fixwareout:


    Logfile of HijackThis v1.99.1
    Scan saved at 17:01:12, on 2006-09-30
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
    C:\Program Files\BearShare\BearShare.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\ATKKBService.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
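
An added example (not from the thread, and not part of HijackThis, BlackLight or Fixwareout): it compares a HijackThis log taken before the Fixwareout run with one taken after, lists the entries the cleanup removed, and collects file names that fit the five-letter cs/dm/jb pattern the Fixwareout report searches for. The sample lines are copied from the logs posted above; the function names are this example's own.

```python
import re

# Constructed samples: a few lines copied from the logs posted in this thread.
BEFORE = r"""
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [dmbjv.exe] C:\WINDOWS\system32\dmbjv.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.136
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
BLACKLIGHT = r"""
09/30/06 15:02:09 [Info]: Hidden file: c:\WINDOWS\system32\dmbjv.exe
09/30/06 15:02:10 [Info]: Hidden file: c:\WINDOWS\system32\cszfv.exe
"""

# A HijackThis entry line: section code (R0, O4, O17, ...) then " - " then the detail.
ENTRY = re.compile(r"^\s*((?:R|O|F)\d+) - (.+?)\s*$")
# Heuristic from the Fixwareout report: five-letter names starting with cs, dm or jb.
# The report itself warns that legitimate files can match, so treat hits as "review".
SUSPECT = re.compile(r"\\system32\\((?:cs|dm|jb)[a-z]{3}\.exe)(?![\w.])", re.IGNORECASE)

def parse_entries(log):
    """Return HijackThis entries as (section, detail) tuples, in log order, de-duplicated."""
    seen, out = set(), []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m and m.groups() not in seen:
            seen.add(m.groups())
            out.append(m.groups())
    return out

def removed_entries(before, after):
    """Entries present in the first log and gone from the second."""
    remaining = set(parse_entries(after))
    return [e for e in parse_entries(before) if e not in remaining]

def suspect_files(*logs):
    """Lower-cased file names matching the cs/dm/jb pattern in any of the given logs."""
    names = set()
    for log in logs:
        names.update(n.lower() for n in SUSPECT.findall(log))
    return sorted(names)

if __name__ == "__main__":
    for section, detail in removed_entries(BEFORE, AFTER):
        print("removed:", section, detail)
    print("review:", suspect_files(BEFORE, BLACKLIGHT))
```
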
