PDA

View Full Version : Pipas-A



elizabeth
2006-06-22, 12:25
Hello

i'm new in here. I have been infected with what i believe is a trojan infection. I have tried running my pc in safe mode to fix it but it has'nt worked. I have tried following some of the threads on here, but i don't understand what some of the logs are eg...what is a HJT scan?

I am running Spybot and i update it regularly, i also run Kaspersky fire wall and AVG anti-virus program. I am at my wits end can you please help me to get rid if this pesky infection? :(

spybotsandra
2006-06-22, 13:18
Hello,

Do you run Spybot Search and Destroy version 1.4 and the latest updates from the 2006/16/06?

Please* *download *HijackThis*© Merijn from: http://www.thespykiller.co.uk/files/HJTsetup.exe

*Clean* out your *Temporary Internet files*. Proceed like this:

* Quit Internet Explorer and quit any instances of Windows Explorer.
* Click *Start*, click *Control Panel*, and then double-click
*Internet Options*.
* On the *General* tab, click *Delete Files* under *Temporary
Internet Files*.
* In the *Delete Files* dialog box, tick the *Delete all offline
content check box* , and then click *OK*.
* On the *General* tab, click *Delete Cookies* under *Temporary
Internet Files*, and then click *OK*.
* Click on the *Programs* tab then click the *Reset Web Settings*
button. Click *Apply* then *OK*.
* Click *OK*.

Next Click *Start*, click *Control Panel* and then double-click *Display*. Click on the *Desktop* tab, then click the *Customize Desktop* button. Click on the *Web* tab. Under *Web Pages* you should see a checked entry called *Security info* or something similar. If it is there, select that entry and click the *Delete* button. Click *Ok* then *Apply* and *Ok*.
*Empty* the Recycle Bin by right-clicking the *Recycle Bin* icon on your Desktop, and then clicking *Empty Recycle Bin.

*Reboot *Windows*.

* Double click *HijackThis.exe*.
* Hit None Of The Above, just start the program.
* Hit Scan.
* When the scan is finished, the "Scan" button will change into a
"Save Log" button.
* Click that, save the log somewhere.

Best regards
Sandra
Team Spybot

elizabeth
2006-06-22, 15:52
Hi Sandra

I followed your instructions, but unfortunatley it hasn't worked. Although i did notice that when i came to empty the recycle bin there was nothing in it, and also the 'security info' entry was not present in 'Display' just a 'my current homepage' entry. i don't know if that means anything. After following your instructions i ran my spybot again and the infection was either still there.

I do run Spybot search and destroy 1.4.

elizabeth
2006-06-22, 16:27
Hello again Sandra

i have been trying to upload a copy of the HJT log i did to you but the attachment tool keeps saying either ivalid file or upload of file failed.

Elizabeth:confused:

spybotsandra
2006-06-22, 16:43
Hello Elizabeth,

Please send the file as .txt attachment to detections(at)spybot.info .
I will have a look at it. :-)

Best regards
Sandra
Team Spybot

tashi
2006-06-22, 17:34
elizabeth you can also:

Follow the instructions in this sticky topic:
BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

Start your own topic here and copy paste the hjt log into it:
Malware Forum (http://forums.spybot.info/forumdisplay.php?f=22[/url)

A helper will then take a look at the system as soon as available. :)

elizabeth
2006-06-22, 18:20
Hi Sandra

here is the log that you asked me for:

Logfile of HijackThis v1.99.1
Scan saved at 16:14:58, on 22/06/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\WebRebates4\webrebates.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Microsoft sddcE Contol] teskmangr.exe
O4 - HKLM\..\Run: [Mi7sft sdce] scorti.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKLM\..\Run: [dmdfj.exe] C:\WINDOWS\System32\dmdfj.exe
O4 - HKLM\..\RunServices: [Microsoft sddcE Contol] teskmangr.exe
O4 - HKLM\..\RunServices: [Mi7sft sdce] scorti.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mahjongSetup.exe] C:\DOCUME~1\LIZZYS~1\MYDOCU~1\MAHJON~1.EXE /r
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140872680116
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37590.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer = 85.255.116.91,85.255.112.234
O17 - HKLM\System\CS2\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer = 85.255.116.91,85.255.112.234
O17 - HKLM\System\CS3\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer = 85.255.116.91,85.255.112.234
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: ICFCFFIE - {1BF76B08-1F47-0FE7-00DE-64A757B11C11} - C:\WINDOWS\System32\Jacnnf32.dll (file missing)
O21 - SSODL: mtklefa - {46696ACF-4FB5-4ED2-B29D-C8E9BF2265E6} - C:\WINDOWS\System32\fbjf32.dll (file missing)
O21 - SSODL: mtklefap - {65BD9CA7-98B0-4114-D39A-8B82EEE05398} - C:\WINDOWS\System32\blbke32.dll (file missing)
O21 - SSODL: mtklef - {B3B56C67-280F-4C88-A494-4A367CDB1289} - C:\WINDOWS\System32\vkaq32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

I had to cut and paste it, sorry.

Liz.

tashi
2006-06-22, 18:33
Hello elizabeth

A helper will take a look when able to do so.

Meanwhile please see:
You and Windows, a joint effort (http://forums.spybot.info/showpost.php?p=25290&postcount=4) :)

LonnyRJones
2006-06-23, 01:08
Start Hijackthis and place a check next to these items If there.
R3 - Default URLSearchHook is missing
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Microsoft sddcE Contol] teskmangr.exe
O4 - HKLM\..\Run: [Mi7sft sdce] scorti.exe
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKLM\..\RunServices: [Mi7sft sdce] scorti.exe
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer = 85.255.116.91,85.255.112.234
O17 - HKLM\System\CS2\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer = 85.255.116.91,85.255.112.234
O17 - HKLM\System\CS3\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer = 85.255.116.91,85.255.112.234
O21 - SSODL: ICFCFFIE - {1BF76B08-1F47-0FE7-00DE-64A757B11C11} - C:\WINDOWS\System32\Jacnnf32.dll (file missing)
O21 - SSODL: mtklefa - {46696ACF-4FB5-4ED2-B29D-C8E9BF2265E6} - C:\WINDOWS\System32\fbjf32.dll (file missing)
O21 - SSODL: mtklefap - {65BD9CA7-98B0-4114-D39A-8B82EEE05398} - C:\WINDOWS\System32\blbke32.dll (file missing)
O21 - SSODL: mtklef - {B3B56C67-280F-4C88-A494-4A367CDB1289} - C:\WINDOWS\System32\vkaq32.dll (file missing)

Fix this also unless you intentionaly installed it
O4 - HKCU\..\Run: [mahjongSetup.exe] C:\DOCUME~1\LIZZYS~1\MYDOCU~1\MAHJON~1.EXE /r
====================================
Hit fix checked and close Hijackthis.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

Note:
If You have connection problems or those 017's ~ 85.255.116.91,85.255.112.234, return >
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.

Do that for every conntection listed.


Also, be sure to mention any current problems.

elizabeth
2006-06-23, 15:25
Hello Lonny

Thank you for the information.

I waited for the report from the Fixwareout to open but it didn't, but here is the new HJT log that you asked for:

Logfile of HijackThis v1.99.1
Scan saved at 13:19:35, on 23/06/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft sddcE Contol] teskmangr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140872680116
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37590.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Liz

LonnyRJones
2006-06-23, 15:41
Its should be here
c:\fixwareout\report.txt

Scan with hijackthis and fix this item
O4 - HKLM\..\RunServices: [Microsoft sddcE Contol] teskmangr.exe
Close it and restart your pc

Post back with a new log

elizabeth
2006-06-23, 15:57
Hello

I have just run another bot scan and all seems fine the pest has finally gone

Thank you for your help. Thank you.

Liz.

LonnyRJones
2006-06-23, 17:08
Great but do continue with my last instructions, there will be more to.

tashi
2006-06-29, 21:13
elizabeth
BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)


5) Final Run:

Towards the end of a cleanup please make sure you follow through with any final log requested even if it appears to you that your computer is back to normal operation.
As much as we like our members ;) we would rather not see you back in a few weeks because there was no follow up with the helper.

tashi
2006-07-04, 22:46
This topic is closed.

If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.