pipas.a/wareout ? help? please?



Silent Badger
2006-04-07, 22:09
Hiya guys and girls,

I'm brand new to the forums so hope you don't mind me starting off by asking for help? These came to light as my antivirus kept detecting things.

My general symptoms are
Had some problems with my comp for a few days now, mostly things appearing in the "startup" that I know should not be there; to date I've disabled hgqhp.exe / iehelper.exe / carrida.exe / dialer423 / dtours.exe and dmaen.exe.
The last file appeared in my antivirus too (AVG) as a "reading error", and once I'd disabled it (in msconfig startup) and restarted my comp, another "thing" appeared called dmvqz.exe which appears in both AVG and my msconfig startup. I assume that there could be a never-ending circle of this happening.
All these "things" seem to stem from my system32 folder.

Spybot continually finds a problem called pipas.a and fixes it, but again it reappears after a restart.

Panda freescan identified 1 virus (which it fixed), 18 spywares and 3 diallers, but AVG, Ad-Aware and Spybot do not find them, neither can I find the associated paths manually.

Is a startup thing called nwix.exe a possible problem? Opinion seems divided on Google.

I did a hijack log thingamajig.

Logfile of HijackThis v1.99.1
Scan saved at 20:49:41, on 07/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\hyjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {4BA8E475-2894-9177-F017-AE866D606A73} - UserSp1.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dmvqz.exe] E:\WINDOWS\system32\dmvqz.exe
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4724/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98
O17 - HKLM\System\CCS\Services\Tcpip\..\{A36EBED3-3365-43C6-92F5-89D0BCE12A7E}: NameServer = 85.255.113.194,85.255.112.98
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0DD17F6-61F8-4116-8238-4B1201445209}: NameServer = 85.255.113.194,85.255.112.98
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

Any help would be very much appreciated as this is doing my head in.
Thanks.

Silent Badger
2006-04-08, 19:24
Is there any other info i can provide which might help to shed light on matters?

Silent Badger
2006-04-08, 21:24
In other threads this is often given as advice:

"Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal."

Is this safe in my case? I have a bad habit of jumping the gun when it comes to comp fixes and worsening the problem.

illukka
2006-04-08, 22:19
hi

you have that part right ;)


Download fixwareout to your desktop,
http://downloads.subratam.org/Fixwareout.exe
Or from:
http://swandog46.geekstogo.com/Fixwareout.exe
Run Fixwareout and simply follow the prompts; you will need to reboot when prompted.
Open your root folder (usually C:), find c:\fixwareout\report.txt and
post it here

next


Please download ewido anti malware (http://www.ewido.net/en/download/) it is a free version of the program.
Install ewido security suite
When installing, under "Additional Options" uncheck..
Install background guard
Install scan via context menu

Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:

reboot your computer in SafeMode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.


then launch ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti malware.

reboot back to normal mode, post the ewido report and a log from a fresh hjt scan

Silent Badger
2006-04-09, 13:20
Thanks for the advice, carried it all through and here are the logs.

Fixwareout


Fixwareout ver 1.003
Last edited march/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nlqmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmqln.exe"=-
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool



Ewido

+ Created on: 12:07:12, 09/04/2006
+ Report-Checksum: 3006C248

+ Scan result:

E:\Documents and Settings\adam\Cookies\adam@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@7search[1].txt -> TrackingCookie.7search : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@cneteurope.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@com[1].txt -> TrackingCookie.Com : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@e-2dj6wflysgcjslp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@e-2dj6wgmielc5caq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@e-2dj6wjliakdpegp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@e-2dj6wjmyejdpmao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@roispy[1].txt -> TrackingCookie.Roispy : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
E:\Documents and Settings\adam\Cookies\adam@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@com[2].txt -> TrackingCookie.Com : Cleaned with backup
E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
E:\WINDOWS\system32\dmqln.exe -> Trojan.Pakes : Cleaned with backup
E:\WINDOWS\system32\mshlpa.exe -> Downloader.Mediket.br : Cleaned with backup
E:\WINDOWS\system32\WinNB57.dll -> Adware.NetNucleus : Cleaned with backup

::Report End



HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 12:10:34, on 09/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINDOWS\system32\wuauclt.exe
E:\hyjackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {4BA8E475-2894-9177-F017-AE866D606A73} - UserSp1.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4724/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A36EBED3-3365-43C6-92F5-89D0BCE12A7E}: NameServer = 85.255.113.194,85.255.112.98
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0DD17F6-61F8-4116-8238-4B1201445209}: NameServer = 85.255.113.194,85.255.112.98
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

Everything looks clear to me, but what do I know?
Thanks again for having a look.

illukka
2006-04-09, 13:42
hi

open hijackthis
click do a system scan only

checkmark these lines:
R3 - URLSearchHook: (no name) - {4BA8E475-2894-9177-F017-AE866D606A73} - UserSp1.dll (file missing)
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{A36EBED3-3365-43C6-92F5-89D0BCE12A7E}: NameServer = 85.255.113.194,85.255.112.98
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0DD17F6-61F8-4116-8238-4B1201445209}: NameServer = 85.255.113.194,85.255.112.98


then close all browser and explorer windows, until only hijackthis is running on your desktop

and click fix checked

reboot

go to Panda ActiveScan (http://www.pandasoftware.com/products/activescan.htm)


Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log

Silent Badger
2006-04-10, 12:37
And I thought the coast was clear!

Here's the ActiveScan report

Incident Status Location

Spyware:Cookie/Hbmediapro Not disinfected E:\Documents and Settings\adam\Cookies\adam@adopt.hbmediapro[2].txt
Spyware:Cookie/Seeq Not disinfected E:\Documents and Settings\adam\Cookies\adam@www48.seeq[1].txt
Spyware:Cookie/Xmts Not disinfected E:\Documents and Settings\adam\Cookies\adam@xmts[1].txt
Spyware:Cookie/Atwola Not disinfected E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@atwola[1].txt
Dialer:Dialer.ABR Not disinfected E:\WINDOWS\Downloaded Program Files\startbf.inf
Dialer:dialer.xd Not disinfected E:\WINDOWS\switchagreement.txt


and here's the HJT report

Logfile of HijackThis v1.99.1
Scan saved at 11:32:01, on 10/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\hyjackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4724/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

Would it be safe to delete all the ActiveScan stuff manually? (if I could find them)
I thought I'd kept a nice secure clean computer :(
thanks for all this help.

illukka
2006-04-10, 17:21
hi

Do you have any spyware scanners installed, like Spybot or Ad-Aware?
I suppose that a scan with those in safe mode should remove all dialers.

One line in the log still requires a fix with HijackThis:

O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98

fix that line, reboot and post me a new hjt log

Silent Badger
2006-04-12, 11:30
Fixed that line, here is the new log..

Logfile of HijackThis v1.99.1
Scan saved at 10:24:28, on 12/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\hyjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4724/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

Ran Spybot, Ad-Aware and ewido in safe mode, then rescanned with Panda and got this report afterwards..


Incident Status Location

Spyware:Cookie/Atwola Not disinfected E:\Documents and Settings\adam\Cookies\adam@atwola[1].txt
Spyware:Cookie/Xmts Not disinfected E:\Documents and Settings\adam\Cookies\adam@xmts[1].txt
Spyware:Cookie/Atwola Not disinfected E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@atwola[1].txt
Dialer:Dialer.ABR Not disinfected E:\WINDOWS\Downloaded Program Files\startbf.inf
Dialer:dialer.xd Not disinfected E:\WINDOWS\switchagreement.txt


So I removed these files manually, restarted and rescanned, and got this result.


Incident Status Location

Spyware:Cookie/Atwola Not disinfected E:\RECYCLER\S-1-5-21-1644491937-1060284298-725345543-1003\De6.txt
Spyware:Cookie/Xmts Not disinfected E:\RECYCLER\S-1-5-21-1644491937-1060284298-725345543-1003\De7.txt
Spyware:Cookie/Atwola Not disinfected E:\RECYCLER\S-1-5-21-1644491937-1060284298-725345543-1003\De8.txt
Dialer:Dialer.ABR Not disinfected E:\WINDOWS\Downloaded Program Files\startbf.inf

Is this anything to be concerned about?

illukka
2006-04-12, 12:08
hi

that line still remains

Fixwareout was updated recently; I believe that you have an older version.

please redownload it

http://downloads.subratam.org/Fixwareout.exe

then proceed as instructed above to run the fix

post the fixwareout report and a new hijackthis log thank you

Silent Badger
2006-04-12, 13:44
Hiya, sorry this is taking up so much time.

here we go again :)

Ran Fixwareout, ran HijackThis, checked the line and fixed it, restarted the computer.
But it still appears to be there...

Fixwareout

Fixwareout ver 1.003
Last edited 04/09/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool


HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 12:42:16, on 12/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\system32\wuauclt.exe
E:\hyjackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4724/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

illukka
2006-04-12, 13:59
hi

lets try another online virus scan

go to http://www.bitdefender.com/scan8/ie.html

let it scan your computer, and disinfect its findings

it will show a log once finished, copy /paste the text from the report into notepad and post here

Silent Badger
2006-04-12, 18:23
bit defender found nothing at all, so there was no log I'm afraid :(

illukka
2006-04-12, 18:42
hi

open hijackthis

checkmark/fix this item with all browsers and explorer windows closed

O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98

reboot


Note:
If you have connection problems or those O17s ~ O17 - HKLM~ 85.255.116.103,85.255.112.198, return =>
Before doing this write down all the settings, Note that not all system/setups even have these settings, while some connection service's will require them.
In the windows control panel: If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically


post a fresh hijackthis log when done
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems

Silent Badger
2006-04-12, 19:07
Hiya again

done the hjt bit again but it made no difference, i currently have no connection probs so didn't make the second change, and when i checked the properties tab it listed under TCP/IP:-
85.255.113.194 as my preferred DNS
85.255.112.98 as my alternate
does this mean that line O17 in the hjt report may be ok? or that it's very very bad :)

Logfile of HijackThis v1.99.1
Scan saved at 17:59:09, on 12/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\system32\wuauclt.exe
E:\hyjackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4724/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

illukka
2006-04-13, 05:58
hi

this is the whois info on that IP
netnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
remarks: -----------------------------------
remarks: Abuse notifications to: abuse@inhoster.com
remarks: Network problems to: noc@inhoster.com
remarks: Peering requests to: peering@inhoster.com
remarks: -----------------------------------
country: UA
org: ORG-EST1-RIPE
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
tech-c: FWHS1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: RECIT-MNT
mnt-routes: RECIT-MNT
mnt-domains: RECIT-MNT
mnt-by: DAV-MNT
mnt-routes: DAV-MNT
mnt-domains: DAV-MNT
source: RIPE # Filtered

organisation: ORG-EST1-RIPE
org-name: INHOSTER
org-type: NON-REGISTRY
remarks: *************************************
remarks: * Abuse contacts: abuse@inhoster.com *
remarks: *************************************
address: OOO Inhoster
address: Poltavskij Shliax 24, Xarkov,
address: 61000, Ukraine
phone: +38 066 4633621
e-mail: support@inhoster.com
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
mnt-ref: DAV-MNT
mnt-by: DAV-MNT
source: RIPE # Filtered

person: Andrei Kislizin
address: OOO Inhoster,
address: ul.Antonova 5, Kiev,
address: 03186, Ukraine
phone: +38 044 2404332
nic-hdl: AK4026-RIPE
source: RIPE # Filtered

person: Fast Web Hosting Support
address: 01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 201.
address: UA
phone: +357 99 117759
e-mail: support@fwebhost.com
nic-hdl: FWHS1-RIPE
source: RIPE # Filtered


its definitely bad


can you post me an uninstalls list from hijackthis:

Please create a list of programs that can be removed using Add/Remove Programs
Start HiJackThis
Press 'Config'
Press 'Misc Tools'
Press 'Open Uninstall Manager'
Press 'Save List'
Save the log to a convenient location
Copy the log and post its contents in this thread

Silent Badger
2006-04-13, 19:47
here's the list, what about changing the DNS server setting to "obtain automatically" cause i never actually did try that?


Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 6.0.1
Adobe Stock Photos 1.0
Athlon 64 Processor Driver
AVG Free Edition
Battlefield 2(TM)
Battlefield 2: Special Forces
BitTorrent 4.4.1
Crashday
ewido anti-malware
FEAR
GameSpy Arcade
Half-Life(R) 2
HijackThis 1.99.1
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.A
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
LiveUpdate BVRP Software
Macromedia Flash Player
Macromedia Flash Player 8
MagicTune3.5_Client
Microsoft Office 2000 Premium
Microsoft Windows Journal Viewer
mobile PhoneTools
MSN Messenger 7.5
Natural Color
Nero Suite
NVDVD
NVIDIA Drivers
Panda ActiveScan
PeerGuardian 2.0
Picture Package
Scooby-Doo 2 - Monsters Unleashed
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Shockwave
Sony USB Driver
SpeedTouch USB Software
Spybot - Search & Destroy 1.3
Steam(TM)
TeamSpeak 2 RC2
The Sims 2
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VideoLAN VLC media player 0.8.1
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Xfire (remove only)

Silent Badger
2006-04-13, 19:50
hang on? does that info you posted indicate that my connection is being redirected through Ukraine????:scratch:

illukka
2006-04-13, 22:45
hang on? does that info you posted indicate that my connection is being redirected through Ukraine????:scratch:

exactly :wink::



here's the list, what about changing the DNS server setting to "obtain automatically" cause i never actually did try that?

that's what you need to do next. i wanted to see the list to check if there was an antispyware app that automatically restores these settings

something there still:
you have an out of date version of spybot s&d
click the download link at the top of this forum
uninstall the previous version and install update and scan with the new version
allow it to fix the red entries

Silent Badger
2006-04-14, 19:23
downloaded and fixed all the bits recommended by spybot, rebooted, then ran HJT, line O17 had vanished,
then went to "properties" of my connection, the IPs listed were
85.255.113.194
85.255.112.98
changed it to obtain dns servers automatically and logged on to the internet, ran HJT and line O17 had reappeared :(


Logfile of HijackThis v1.99.1
Scan saved at 18:19:01, on 14/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\HPZipm12.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\hyjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4724/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 80.225.255.185 80.225.255.177
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

Silent Badger
2006-04-14, 19:31
line O17 only appears when i am connected to the internet, could it be something written into my dialler? could try reinstalling from the orig disk if i could find it, if that might help?

illukka
2006-04-14, 21:12
Download and Save Blacklight (http://www.f-secure.com/blacklight/try.shtml) to your desktop:

Double-click blbeta.exe then accept the agreement, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

Silent Badger
2006-04-14, 22:18
hi again :)

blacklight didnt find anything, but heres the log anyway.

04/14/06 21:16:12 [Info]: BlackLight Engine 1.0.35 initialized
04/14/06 21:16:12 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/14/06 21:16:12 [Note]: 7019 4
04/14/06 21:16:12 [Note]: 7005 0
04/14/06 21:16:16 [Note]: 7006 0
04/14/06 21:16:16 [Note]: 7011 1432
04/14/06 21:16:16 [Note]: 7026 0
04/14/06 21:16:16 [Note]: 7026 0
04/14/06 21:16:16 [Note]: FSRAW library version 1.7.1015
04/14/06 21:16:39 [Note]: 7007 0

illukka
2006-04-15, 18:42
hi
those lines reappeared, but this time they are your internet service provider's DNS servers, as it should be now :)

see the info on the IP below, sound familiar ?



Information related to '80.225.0.0 - 80.225.255.255'
inetnum: 80.225.0.0 - 80.225.255.255
org: ORG-TUL3-RIPE
netname: UK-TELINCO-20011016
descr: PROVIDER Local Registry
country: GB
tech-c: TU935-RIPE
admin-c: TU935-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: TU935-RIPE-MNT
mnt-routes: TU935-RIPE-MNT
source: RIPE # Filtered
organisation: ORG-TUL3-RIPE
org-name: Tiscali UK Limited
org-type: LIR
address: 20 Broadwick Street
address: W1F 8HT
address: London
address: United Kingdom
phone: +44 207 087 2000
fax-no: +44 207 087 2295
admin-c: TU935-RIPE
admin-c: DC-RIPE
admin-c: DG9105-RIPE
mnt-ref: TU935-RIPE-MNT
mnt-ref: RIPE-NCC-HM-MNT
abuse-mailbox: abuse@uk.tiscali.com
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
role: Tiscali UK
address: Tiscali UK Limited
address: 20 Broadwick Street
address: London W1F 8HT
phone: +44 207 087 2000
remarks: Information: http://www.tiscali.com
admin-c: DC-RIPE
admin-c: DG9105-RIPE
tech-c: DC-RIPE
nic-hdl: TU935-RIPE
remarks: Hostmaster Role Account
mnt-by: TU935-RIPE-MNT
source: RIPE # Filtered
abuse-mailbox: abuse@uk.tiscali.com
% Information related to '80.225.0.0/16AS9105'
route: 80.225.0.0/16
descr: Tiscali UK Ltd (dial pool)
origin: AS9105
mnt-by: TU935-RIPE-MNT
source: RIPE # Filtered

are there any more problems ?
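The two whois records above give a concrete way to triage an O17 line without eyeballing it. The following is an added example (not code from the thread or from HijackThis) that parses the O17 NameServer entries from a HijackThis log and reports which whois netblock each server falls in; the sample log fragments are constructed from the lines posted in this thread, and the netblocks are those quoted in the two whois replies.

```python
"""Audit HijackThis O17 (NameServer) entries against whois-derived netblocks."""
import ipaddress
import re

# Netblocks copied from the two whois records quoted in this thread:
# 85.255.112.0 - 85.255.127.255 is a /20, 80.225.0.0 - 80.225.255.255 a /16.
NETBLOCKS = {
    "hijacked-range (OOO Inhoster, Kharkiv, UA)": ipaddress.ip_network("85.255.112.0/20"),
    "isp-range (Tiscali UK dial pool)": ipaddress.ip_network("80.225.0.0/16"),
}

# An O17 line: "O17 - <registry key>: NameServer = <server list>"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry key, [server, ...])] for every O17 line in a log.
    HijackThis separates servers with spaces; the note quoted in this thread
    shows a comma-separated form, so both delimiters are accepted."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
            found.append((m.group("key"), servers))
    return found


def classify(server):
    """Name the whois netblock a server falls in, or 'unknown' if none match."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "not-an-ip"
    for label, net in NETBLOCKS.items():
        if ip in net:
            return label
    return "unknown"


def audit(log_text):
    """One verdict per NameServer entry, in log order."""
    return [
        {"key": key, "server": s, "verdict": classify(s)}
        for key, servers in parse_o17(log_text)
        for s in servers
    ]


def hijacked(log_text):
    """Servers sitting in the hijacked range, i.e. the entries that need fixing."""
    return [r["server"] for r in audit(log_text) if r["verdict"].startswith("hijacked")]


# Constructed fragments built from the logs posted in this thread.
HIJACKED_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98
"""
CLEAN_LOG = r"""O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 80.225.255.185 80.225.255.177
"""
# Comma-separated form from the helper's note earlier in the thread.
NOTE_LINE = "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{0}: NameServer = 85.255.116.103,85.255.112.198"

if __name__ == "__main__":
    for name, log in (("hijacked", HIJACKED_LOG), ("clean", CLEAN_LOG), ("note", NOTE_LINE)):
        for r in audit(log):
            print(f"{name}: {r['server']:16} -> {r['verdict']}")
```

A server that comes back "unknown" is not automatically bad; compare it with the servers your ISP actually hands out before deciding, as the thread does with the second whois lookup.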

Silent Badger
2006-04-15, 20:59
hiya,

no more probs that i can see!
thanks very much for all your help, wish i could return the favour somehow, if ya ever need any help with psychology let me know :)

once again thank you for all your help, you've been an absolute star, if there's ever a nobel prize for computer debugging I'll put your name forward.

Silent Badger
2006-04-15, 21:01
relooking at your last post, I'm not actually with Tiscali, but at least it's in the UK not Ukraine so good job!

illukka
2006-04-18, 18:57
relooking at your last post, I'm not actually with Tiscali, but at least it's in the UK not Ukraine so good job!

hi

i suppose you're on a subsidiary of tiscali then

anyway a clean log:


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millennium System Restore (http://www.bleepingcomputer.com/forums/tutorial63.html)

or

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above


Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers (http://www.bleepingcomputer.com/forums/tutorial43.html)


Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/tutorial48.html)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad (https://netfiles.uiuc.edu/ehowes/www/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

also remember to keep your java updated, see this topic for instructions
http://forums.spybot.info/showthread.php?t=2559

tashi
2006-04-27, 00:21
As the problem appears to be resolved this topic will be archived. :)

If you need it re-opened please send me a pm and provide a link to the thread.

Glad we could help, thanks illukka