another Pipas.A problem



Jak P
2006-10-03, 01:16
Apologies for adding another Pipas.A problem. Spybot picked it up and as with the other people, I can't get rid of it. Could someone advise? Not quite sure where to access the log that everyone else includes as a first step. Thanks if anyone can help.

pskelley
2006-10-03, 16:43
Welcome to the forum, please be advised that most forums Pin the information you need at the top of the page. These two links are a must before you can proceed, but I suggest you review all Pinned (Sticky) information.

http://forums.spybot.info/showthread.php?t=425
http://forums.spybot.info/showthread.php?t=288

Thanks...pskelley
Safer Networking Forums

Jak P
2006-10-04, 20:12
Thanks very much - I'll read them!

tashi
2006-10-09, 10:06
As the information requested has not been provided, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

tashi
2006-10-16, 18:53
Re-opened upon request.

Jak P
2006-10-17, 19:23
Thanks very much Tashi. The logs are below. The problems I've had are (a) Pipas.A detected (b) clicking links from Google goes to sites that aren't the link (c) slow running (but I use Google Desktop and that could contribute). I've read both the recommended links above. I'm running XP with Service Pack 2. I think SP2 was installed quite a while back, but I don't know if the computer was malware-free at the time as it belonged to someone else then. It has all the up to date Windows updates. SpyBot is up to date and run daily. I've had Pipas.A about 2 weeks. Logs:

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 17:14:52, on 17/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\csrss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\system32\svchost.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\system32\svchost.exe
C:\XP\system32\svchost.exe
C:\XP\system32\spoolsv.exe
C:\XP\system32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\XP\system32\wdfmgr.exe
C:\XP\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\XP\System32\alg.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\XP\system32\wuauclt.exe
C:\AntiSpyWare\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57AD6A75-6DD3-44CB-8B81-4427A89DAAF9}: NameServer = 85.255.116.106,85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{588F5999-0F48-4118-94B1-0EC172A0E3F1}: NameServer = 85.255.116.106,85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.230
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\XP\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

Panda:


Incident | Status | Location
Potentially unwanted tool:application/mywebsearch | Not disinfected | c:\program files\MyGlobalSearch
Virus:trj/ruins.a | Disinfected | Operating system
Spyware:Cookie/2o7 | Not disinfected | C:\Documents and Settings\John\Local Settings\Temp\Cookies\john@2o7[1].txt
Thanks very much Jak P

pskelley
2006-10-20, 13:45
Thanks for returning your information, I apologize for the delay, I received no notification when you posted. Please follow these instructions for the best chance of success.
Some kind of strange install of XP on this computer? Do you know why? Looks like XP is installed on the C:\ ?

Turn off SpybotSD TeaTimer until you are done, it will block changes we must make.
http://russelltexas.com/malware/teatimer.htm

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Thanks to LonnyRJones and any others who helped with this fix.

Download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/.exe

Save it to your Desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{57AD6A75-6DD3-44CB-8B81-4427A89DAAF9}: NameServer = 85.255.116.106,85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{588F5999-0F48-4118-94B1-0EC172A0E3F1}: NameServer = 85.255.116.106,85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.230

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the results of the Fixwareout scan, a new HJT log and let me know if that fixes your problem.

Thanks
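The O17 entries singled out in the fix above are DNS servers hard-coded into the TCP/IP registry keys (both per-interface and the global Parameters key, in CCS and CS1). As an added illustration, not code from the thread or its helpers, here is a small parser that pulls those entries out of a HijackThis log and reports any resolver that is not on an expected list. The sample lines are the four O17 lines from this thread plus one unrelated O4 line; the expected-resolver set (a LAN router address) is an assumption.

```python
import ipaddress
import re

# Constructed sample: the four O17 lines from the HijackThis log in this thread,
# plus one unrelated O4 line to show that non-O17 entries are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{57AD6A75-6DD3-44CB-8B81-4427A89DAAF9}: NameServer = 85.255.116.106,85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{588F5999-0F48-4118-94B1-0EC172A0E3F1}: NameServer = 85.255.116.106,85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.106 85.255.112.230
"""

# Assumption: the resolvers this machine is expected to use (here a home
# router). Any other public address hard-coded into TCP/IP is reported.
EXPECTED_RESOLVERS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

def parse_o17(line):
    """Return (registry key, [server IPs]) for an O17 line, else None.
    HJT prints the list comma-separated for per-interface keys and
    space-separated for the global Parameters key; accept both."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return m.group("key"), servers

def find_rogue_nameservers(log_text, expected=EXPECTED_RESOLVERS):
    """Map each unexpected public resolver IP to the registry keys naming it."""
    rogue = {}
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                continue  # malformed value, not an IP address
            if str(ip) not in expected and not ip.is_private:  # LAN resolvers assumed benign
                rogue.setdefault(str(ip), []).append(key)
    return rogue

if __name__ == "__main__":
    for ip, keys in find_rogue_nameservers(SAMPLE_LOG).items():
        print(f"{ip}: hard-coded in {len(keys)} registry key(s)")
```

Each rogue address in this sample is referenced from four keys, which is why the fix post lists all four O17 items: clearing only one interface key would leave the others in place.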

Jak P
2006-10-20, 16:08
Thanks very much, will do

Jak P
2006-10-24, 22:58
Thank you. All done as per your instructions.

I don't know why XP was installed like that - it used to belong to someone else. Yes I see what you mean from the log, it does look as if it's on C.

Turned the two Spybot resident items off, downloaded the 2 programs and ran as instructed.

Google search links no longer divert to odd pages. A fresh scan with Spybot shows no Pipas.A. It showed DropSpam and '7 problems found'. I have run Spybot's Fix Selected Problems and it said '7 items fixed'. I haven't re-scanned.

The Fixwareout log, and new HJT log are below:

FIXWAREOUT LOG:

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}550EC24CA73E-14F8-DEB4-7775-DE604E20{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\zismd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmsiz.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\XP\SYSTEM32\CSMCX.EXE 51,736 2006-09-25
C:\XP\SYSTEM32\DMSIZ.EXE 62,048 2004-08-04

Other suspects.
Directory of C:\XP\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

END OF LOG

HJT LOG:

Logfile of HijackThis v1.99.1
Scan saved at 19:53:16, on 24/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\XP\System32\smss.exe
C:\XP\system32\winlogon.exe
C:\XP\system32\services.exe
C:\XP\system32\lsass.exe
C:\XP\system32\svchost.exe
C:\XP\System32\svchost.exe
C:\XP\system32\spoolsv.exe
C:\XP\system32\atievxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\XP\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\XP\system32\wuauclt.exe
C:\AntiSpyWare\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\XP\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

END OF LOG

What should I do next? Thanks for your help

pskelley
2006-10-24, 23:24
Thanks for returning your information, the HJT log looks clean of malware. These two files are probably left from the infection:

C:\XP\SYSTEM32\CSMCX.EXE
C:\XP\SYSTEM32\DMSIZ.EXE

To be sure, use these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

If they scan bad, delete them. If Windows says they are running use Safe Mode to do it or you can:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: (navigate to the file) and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now. For both files wait until they are both entered before you choose to ok & reboot.

Run Spybot and let us know if all is well. If so I will have some closing information to help you stay safe and you will be good to go.

Thanks.

Jak P
2006-10-27, 19:19
Thanks very much, it appears now to be all clear:

I checked:

C:\XP\SYSTEM32\CSMCX.EXE
C:\XP\SYSTEM32\DMSIZ.EXE

using http://virusscan.jotti.org/ which identified them as bad. I deleted them both using Delete on Reboot tool on Hijackthis. Checked on reboot that they had gone. Ran Spybot and it came up blank. So that looks as if all done. Should I run any other scan or post log, or is that it?

Thanks and your further advice will be appreciated.

pskelley
2006-10-27, 19:26
Thanks, those files that the fix finds are usually bad but I think it is best to check. Good job! Let's do this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

You should be good to go, safe surfing...tashi:) will close the topic in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Jak P
2006-10-30, 21:29
Thanks so much, I really appreciate your kind help. I'll do those things you recommend, and again, thanks.

tashi
2006-11-07, 18:40
As the problem appears to be resolved this topic has been archived. :)

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.