
Bad Codec + Pipas.A



invisible
2006-09-23, 19:24
Please help! I was stupid enough to download the bad codec mentioned here. I used Spybot to remove bugs and it found about 17 of them. I removed all except one: Pipas.A, which comes back. I found another thread on this subject and loaded the Hosts file mentioned there. The file was replaced successfully but my problems still remain. Also, antivirus software (avast) found about 17 files (Trojan) and placed them in quarantine. So I really don't know if my only problem is still Pipas.A.

Logfile of HijackThis v1.99.1
Scan saved at 17:42:39, on 2006-09-23
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toya.net.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [dmokp.exe] C:\WINDOWS\system32\dmokp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{68288170-6EAE-4BAA-8B89-4F866D34B45A}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Maybe this would help.

invisible
2006-09-23, 19:59
And this...

09/23/06 19:55:15 [Info]: BlackLight Engine 1.0.46 initialized
09/23/06 19:55:15 [Info]: OS: 5.1 build 2600 (Dodatek Service Pack 2)
09/23/06 19:55:15 [Note]: 7019 4
09/23/06 19:55:15 [Note]: 7005 0
09/23/06 19:55:23 [Note]: 7006 0
09/23/06 19:55:23 [Note]: 7011 292
09/23/06 19:55:23 [Note]: 7026 0
09/23/06 19:55:23 [Note]: 7026 0
09/23/06 19:55:26 [Note]: FSRAW library version 1.7.1019
09/23/06 19:55:36 [Info]: Hidden file: c:\WINDOWS\system32\csaoy.exe
09/23/06 19:55:36 [Note]: 7002 32
09/23/06 19:55:36 [Note]: 7003 1
09/23/06 19:55:36 [Note]: 10002 1
09/23/06 19:55:37 [Info]: Hidden file: c:\WINDOWS\system32\dmspx.exe
09/23/06 19:55:37 [Note]: 7002 32
09/23/06 19:55:37 [Note]: 7003 1
09/23/06 19:55:37 [Note]: 10002 1
09/23/06 19:56:05 [Note]: 7007 0

invisible
2006-09-23, 23:42
So I tried another step mentioned in the other thread about the same problem. I downloaded Fixwareout and ran it. Here is what came up:
Downloading BFU - Brute Force Uninstaller
File Downloader - Version 1.01 (build 7.4)
Downloads a file from a HTTP or FTP server.

Server: castlecops.com
Port: 80
Protocol: HTTP

bfu.zip:
Download failure: Unable to retrive specified file.Status: 406

Archive: bfu.zip
End-of-central-directory signature not found.Either this file is not a zipfile or it constitutes one disk of a multi-part archive.In the letter case the central directory and zipfile comment will be found on the last disk(s) of this archive.
unzip: cannot find zipfile directory in bfu.zip and cannot find bfu.zip.zip,period.

Attempting download from alternate URL

File Downloader-Version 1.01(build 7.4)
Downloads a file from a HTTP or a FTP server.

Server: www.merijn.org
Port: 80
Protocol: HTTP

bfu.zip:
Download failure: Time limit is over

Archive: bfu.zip
End-of-central-directory signature not found.Either this file is not a zipfile,or it constitutes one disk of a multi-part archive.In the letter case the control directory and zipfile comment will be found on the last disk(s) of this archive.

unzip: cannot find zipfile directory in bfu.zip and cannot find bfu.zip.zip,period.

BFU.exe was not present,unpacked or in proper location.

Please make sure you have a working internet connection or download bfu.zip(Brute Force Uninstaller) manualy and extract the file BFU.exe to the FireWareout\sub folder then restart the batch, fixit.bat
From this adress please http://www.merijn.org/files/


So I tried as it was advised: I opened the Control Panel and in Network Connections I selected "Obtain DNS servers automatically". Still the same.
Then I tried to download BFU.zip manually. I could not connect to www.merijn.com as my browser acts funny. I have lots of trouble connecting to many websites. I guess that explains why the program was not able to connect. Finally I managed to download BFU.zip from another website and extracted the file to the sub folder. Still no luck. My fingers are tired and I don't know what I could do next. I guess this page is my only chance.

invisible
2006-09-24, 06:59
I forgot to mention all the problems I have with my computer. It hangs very often, loses connection with the internet and I can't access many websites; all kinds of strange search engines and messages like "the page is misspelled or doesn't exist" appear. And even if I somehow get access, I can only see the home page. If I click on anything on it, a message "the page was not found" appears. If I click on links I get something different from what I was looking for. Sometimes typing in the address window manually helps.

LonnyRJones
2006-09-24, 10:00
Hi

Download BFU manually from here: http://www.spywareinfo.com/~merijn/programs.php#bfu

Place it in the c:\fixwareout\sub folder, then run the c:\fixwareout\FixIt.BAT file and follow the prompts.

invisible
2006-09-24, 15:08
Thank you very much for your help. I downloaded the file and it finally worked. It asked me to reboot my computer so I did, then it was running in reboot mode. I only had small windows coming up telling me to be patient, fixing is in progress. Then this came out:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tslmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A24D758FA835-6698-C8C4-BCAC-4272542C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Random Runs removed from HKLM
"dmlst.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSSDA.EXE 51 746 2006-09-21
C:\WINDOWS\SYSTEM32\CSVUT.EXE 51 746 2006-09-20
C:\WINDOWS\SYSTEM32\DMLST.EXE 62 011 2004-08-04
C:\WINDOWS\SYSTEM32\DMOKP.EXE 62 011 2004-08-04
C:\WINDOWS\SYSTEM32\DMRZG.EXE 62 011 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

invisible
2006-09-24, 16:05
I scanned my computer with avast and Spybot. Neither program found any threats. Seems like Pipas.A is no longer here. Does that mean my computer is already cured? I noticed some strange things that didn't happen before. When I click on Windows Catalog I enter the Windows Marketplace website, and my main page has changed to the Microsoft page. Is this normal? My browser seems to be working fine so far and the computer doesn't hang. And another thing I noticed: when scanning with avast, it scans about 35000 files. It used to be about 50000. And I have some folders in my trash can. Should I delete them? Once again, thanks for your help. I don't know what we would do without all the people who are helping us.

invisible
2006-09-24, 16:45
As the new HijackThis log didn't appear (I don't know why), I ran HijackThis manually afterwards and fixed those O17 lines you mentioned (only O17s were found). Here is the new HijackThis log. I'm not quite sure if this was something I should do, but in case it's not, I have a backup.

Logfile of HijackThis v1.99.1
Scan saved at 16:34:58, on 2006-09-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
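The two checks this thread turns on, written up as a small triage script (added here as an example; not part of the thread, of HijackThis, BlackLight or Fixwareout): O17 NameServer entries outside a resolver set you supply, O4 Run entries launching five-letter cs/dm/jb executables (the naming pattern Fixwareout's report searches for), and BlackLight "Hidden file" lines. The sample lines are constructed from the logs posted above; the expected resolver 192.168.0.1 is an assumption.

```python
import ntpath
import re

# Constructed sample in HijackThis v1.99.1 log format, modelled on the lines
# posted in this thread: legitimate Run/Service entries that must not be
# flagged, one random-named Run entry, and two O17 NameServer entries.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dmokp.exe] C:\WINDOWS\system32\dmokp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{68288170-6EAE-4BAA-8B89-4F866D34B45A}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample in F-Secure BlackLight's output format, as posted above.
SAMPLE_BLACKLIGHT = r"""
09/23/06 19:55:36 [Info]: Hidden file: c:\WINDOWS\system32\csaoy.exe
09/23/06 19:55:36 [Note]: 7002 32
"""

# O4 autostart lines: "O4 - HKLM\..\Run: [label] command [args]"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# O17 DNS lines: "O17 - <registry key>: NameServer = a.b.c.d[, ]e.f.g.h"
# CCS is CurrentControlSet; CS1..CS3 are the saved control sets, so a value
# present in all of them survives a "Last Known Good Configuration" boot.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# BlackLight reports files hidden from the Windows file-system API.
HIDDEN_RE = re.compile(r"\[Info\]: Hidden file: (?P<path>.+)$")
# Fixwareout's own naming heuristic, quoted in its report above:
# five-letter executables starting with cs, dm or jb.
RANDOM_EXE_RE = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)


def executable_path(cmd: str) -> str:
    """Return the program part of an O4 command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text: str, expected_dns=frozenset()) -> list:
    """Return one finding dict per suspicious HijackThis or BlackLight line.

    expected_dns: the resolvers this machine is supposed to use (an assumed
    input); every other address in an O17 NameServer value is reported.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = ntpath.basename(executable_path(m.group("cmd")))
            if RANDOM_EXE_RE.match(exe):
                findings.append({"section": "O4", "reason": f"random cs/dm/jb name: {exe}", "line": line})
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                reason = "NameServer not in expected set: " + ", ".join(unexpected)
                findings.append({"section": "O17", "reason": reason, "line": line})
            continue
        m = HIDDEN_RE.search(line)
        if m:
            exe = ntpath.basename(m.group("path"))
            reason = "hidden file" + (" with random cs/dm/jb name" if RANDOM_EXE_RE.match(exe) else "")
            findings.append({"section": "BlackLight", "reason": f"{reason}: {exe}", "line": line})
    return findings


if __name__ == "__main__":
    # Assumed: this machine should only use its router at 192.168.0.1 for DNS.
    for f in triage(SAMPLE_HJT + SAMPLE_BLACKLIGHT, expected_dns={"192.168.0.1"}):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Entries the script flags are candidates for the manual steps the helper describes, not verdicts; the Fixwareout report itself says legitimate files can match the name pattern.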

LonnyRJones
2006-09-24, 19:59
Manually delete these files:
C:\WINDOWS\SYSTEM32\CSSDA.EXE
C:\WINDOWS\SYSTEM32\CSVUT.EXE
C:\WINDOWS\SYSTEM32\DMLST.EXE
C:\WINDOWS\SYSTEM32\DMOKP.EXE
C:\WINDOWS\SYSTEM32\DMRZG.EXE
Your antivirus might have already deleted them or might offer to cure them when you get close to them; let it delete them, and if not, delete them yourself.

Yes, you can empty the recycle bin. I'm not sure what you're saying about Windows Marketplace. Any other symptoms or problems?

invisible
2006-09-24, 20:46
Thanks again. I did it. Deleted those files. I left-clicked (by mistake) on one of them and it just disappeared, so I couldn't delete this one (the second you mentioned) as it's not there anymore. Is this bad? About Windows Marketplace: when I used to click on Windows Catalog I always had something different from what I have now. It just connects me to this website which offers some things to buy. The Windows Catalog doesn't open like it used to. Some more information. In the avast quarantine I have 27 files; 3 of them are system files (not viruses). Those 3 are:

kernel32.dll
winsock.dll
wsock32.dll

Also, when scanning with avast, a window opens telling me that it is unable to scan 39 files. Most of them are sbRecovery.reg and sbRecovery.ini files, but 4 of them are:

desktop.html
vxf2.game
vx6.game
vx1.game

Should I do something with those files? Are they viruses? I can send the full list if it is needed.

LonnyRJones
2006-09-24, 21:03
Files here
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
are what Spybot has removed and backed up; not to worry about them.

The files in avast's quarantine look like impostors; avast did its job.

I left-clicked (by mistake) on one of them and it just disappeared, so I couldn't delete this one (the second you mentioned) as it's not there anymore. Is this bad?
Sounds like the file got executed. You should run Fixwareout again, and after the PC is restarted, post its log.

invisible
2006-09-24, 21:37
Here is the new log:

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSZTD.EXE 51 746 2006-09-20
C:\WINDOWS\SYSTEM32\DMRZG.EXE 62 011 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

LonnyRJones
2006-09-24, 21:42
Download Pocket Killbox to the desktop (version 2.0.0.648)
http://www.downloads.subratam.org/KillBox.exe

Start Killbox. Leave the settings where they are.
Copy this whole list into the Windows clipboard, all the bolded below.

C:\WINDOWS\SYSTEM32\CSZTD.EXE
C:\WINDOWS\SYSTEM32\DMRZG.EXE
Back in Killbox go > File > Paste from clipboard.
Click the "Delete File" button, which looks like a stop sign, until all the files are deleted, then exit Killbox and delete the folder it made:
c:\!killbox

Post back in a few days to let us know of any problems.

invisible
2006-09-24, 22:01
A strange thing is already happening. I cannot save anything on the clipboard. I noticed that I didn't delete one of those files you mentioned earlier. I deleted it before I read your last reply. Maybe I should also delete the second one manually? But what's wrong with the clipboard?

invisible
2006-09-24, 22:08
Sorry. I must be too tired of this by now. I was trying to save the text in Notepad, not the clipboard. But it really doesn't work. Can you tell me what the clipboard is? I never used it before and my English is not too good (I have my native language on my computer so I don't know where to look for it).

invisible
2006-09-24, 22:36
My Notepad is working fine. False alarm. I'm so tired (for a few days I'm not doing anything else but trying to cure my computer) that I forgot to type the name of the file. Still don't know where to look for the clipboard (funny thing, somehow, with your help I'm fixing my computer but I can't do such a simple thing). I deleted that last file manually so maybe Killbox won't be needed anymore. It's still in my recycle bin in case I need to use Killbox to kill it.

invisible
2006-09-24, 23:54
I just read some more about Killbox. Then I copied the names of those 2 files into the Killbox window and deleted them (one at a time). CSZTD.EXE was not found because I deleted it earlier (without executing it), but the second file was deleted successfully. Now I'll see how my computer behaves and I will let you know. Thanks for your help and time. This website is really great.

LonnyRJones
2006-09-25, 02:43
Good

The clipboard is where Windows saves something we copy, like copying this text from here to another text, but you've figured that out.

invisible
2006-09-30, 16:59
Hi again. For the past few days I was using my computer to make sure that it is really OK. And everything was working fine until I downloaded "BearShare" and began to look for some files. While opening one of them I had another avast warning. I clicked the avast quarantine button. Then I launched Spybot to make sure everything was fixed and guess what? Pipas.A again! I fixed the problem using Spybot, but it was coming back like the first time. So I repeated all the steps: HijackThis, BlackLight, Fixwareout, and then checked with Spybot again. It is OK again. I didn't delete any files yet because I'm not 100% sure if they are the right ones. So if you could advise me on this I would be grateful. Here are the new logs:

Logfile of HijackThis v1.99.1
Scan saved at 14:55:15, on 2006-09-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [dmbjv.exe] C:\WINDOWS\system32\dmbjv.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{68288170-6EAE-4BAA-8B89-4F866D34B45A}: NameServer = 85.255.116.55,85.255.112.136
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.136
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.136
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.55 85.255.112.136
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


09/30/06 15:01:39 [Info]: BlackLight Engine 1.0.46 initialized
09/30/06 15:01:39 [Info]: OS: 5.1 build 2600 (Dodatek Service Pack 2)
09/30/06 15:01:39 [Note]: 7019 4
09/30/06 15:01:39 [Note]: 7005 0
09/30/06 15:01:52 [Note]: 7006 0
09/30/06 15:01:52 [Note]: 7011 1860
09/30/06 15:01:53 [Note]: 7026 0
09/30/06 15:01:53 [Note]: 7026 0
09/30/06 15:01:56 [Note]: FSRAW library version 1.7.1019
09/30/06 15:02:09 [Info]: Hidden file: c:\WINDOWS\system32\dmbjv.exe
09/30/06 15:02:09 [Note]: 7002 32
09/30/06 15:02:09 [Note]: 7003 1
09/30/06 15:02:09 [Note]: 10002 1
09/30/06 15:02:10 [Info]: Hidden file: c:\WINDOWS\system32\cszfv.exe
09/30/06 15:02:10 [Note]: 7002 32
09/30/06 15:02:10 [Note]: 7003 1
09/30/06 15:02:10 [Note]: 10002 1
09/30/06 15:05:19 [Note]: 7007 0



Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Random Runs removed from HKLM
"dmbjv.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSZFV.EXE 51 811 2006-09-29
C:\WINDOWS\SYSTEM32\DMBJV.EXE 60 971 2004-08-04
C:\WINDOWS\SYSTEM32\DMUHI.EXE 60 971 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.


Also, Spybot detected "BearShare" as a threat. Is it really that dangerous? I know downloading files using it is, but I'm asking about the program itself. Should I fix it with Spybot? (I didn't yet.) I really need such software, so maybe I should look for another one?

And one other thing. I noticed that when surfing the net, advertising content on some pages is being blocked. Instead of it I have a message "the page cannot be found". It's not a full-screen message; it is only displayed on those parts of the screen where advertising should be. Is Spybot doing this? And if so, can I set this option off? Or maybe some virus is still hidden and doing its tricks?
Thanks for your help in advance.

invisible
2006-09-30, 17:02
And the last HijackThis log, after Fixwareout:


Logfile of HijackThis v1.99.1
Scan saved at 17:01:12, on 2006-09-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

LonnyRJones
2006-09-30, 21:34
Delete those three files, but first why not find out how and submit them to your antivirus vendor.
C:\WINDOWS\SYSTEM32\CSZFV.EXE
C:\WINDOWS\SYSTEM32\DMBJV.EXE
C:\WINDOWS\SYSTEM32\DMUHI.EXE
BearShare is sponsored software, meaning it comes with built-in adware; that's very clear when installing it.
Not just that, but anything you download can include crapware, same for any filesharing program.
Scanning it with three, four or even five different antivirus programs will not guarantee it's clean.
I suggest you use better judgement in the future.
If you continue using any filesharing, you had better get used to cleaning up the PC repeatedly.

I don't quite understand the concern about ads not being displayed in web pages; most people would think that's a good thing.

invisible
2006-09-30, 22:47
That's what I thought I should delete. I just wasn't sure enough. Good advice, I will try to learn some more. Too bad that such software is that risky while being that useful. I guess I'll just have to be as cautious as possible when using it and get used to the risk.
I definitely agree with your view about ads on the computer. It's not a problem, but sometimes when you see, for instance, some girl's (fake) private ad you just think "why can't I at least see this picture..." :)
Once again, thank you for all your help. Despite all the problems I had, at least I learnt something, and it's good to know that in case of trouble I will know where to look for help.

LonnyRJones
2006-09-30, 23:11
Just so you know, irresponsible filesharing is about 99% of the cause of infections we see here. If you continue to use one, I'm positive you'll be back again....

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
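
The MVPS hosts file linked above works by pointing known ad and tracker hostnames at 0.0.0.0, so the browser cannot fetch them; that is consistent with the earlier symptom of "page cannot be found" appearing only in the ad slots. As an added illustration (not code from this thread or from MVPS), this Python parses a hosts file in that layout and reports which names it sinkholes; the sample entries and the .invalid hostnames are constructed.

```python
"""Check which hostnames a hosts file in the MVPS layout would block."""
from urllib.parse import urlsplit

# Addresses a hosts file uses as a sinkhole; a name mapped here is "blocked".
BLOCK_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample in the MVPS layout; these are not real MVPS entries.
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from:
127.0.0.1 localhost
::1 localhost #[IPv6]
0.0.0.0 ads.example.invalid  #[Adware]
0.0.0.0 banner.example.invalid tracker.example.invalid
\t0.0.0.0\tWWW.Popup.Example.invalid
# 0.0.0.0 commented-out.example.invalid
"""


def parse_hosts(text):
    """Return {hostname: address} for every mapping in a hosts file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()                  # handles spaces and tabs alike
        if len(parts) < 2:
            continue                          # malformed line, ignore it
        addr, *names = parts
        for name in names:
            # Keep the first mapping seen for a name; hostnames are case-insensitive.
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_blocked(mapping, host_or_url):
    """True if the hostname (or the host part of a URL) is sinkholed."""
    host = host_or_url
    if "://" in host_or_url:
        host = urlsplit(host_or_url).hostname or ""
    host = host.lower()
    # localhost is mapped to 127.0.0.1 on purpose and is not a blocked name.
    return host != "localhost" and mapping.get(host) in BLOCK_TARGETS


def blocked_hosts(mapping):
    """Sorted list of every sinkholed name, excluding localhost."""
    return sorted(h for h in mapping if is_blocked(mapping, h))


if __name__ == "__main__":
    m = parse_hosts(SAMPLE_HOSTS)
    print(blocked_hosts(m))
    print(is_blocked(m, "http://ads.example.invalid/banner.gif"))
```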

LonnyRJones
2006-10-09, 08:37
I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).