
Thread: pipas.a/wareout ? help? please?

  1. #1 Silent Badger (Junior Member, joined Apr 2006, 25 posts)

    pipas.a/wareout ? help? please?

    Hiya guys and girls,

    I'm brand new to the forums, so I hope you don't mind me starting off by asking for help. These came to light as my antivirus kept detecting things.

    My general symptoms are:
    Had some problems with my comp for a few days now, mostly things appearing in the "startup" that I know should not be there. To date I've disabled hgqhp.exe / iehelper.exe / carrida.exe / dialer423 / dtours.exe and dmaen.exe.
    The last file appeared in my antivirus too (AVG) as a "reading error", and once I'd disabled it (in msconfig startup) and restarted my comp, another "thing" appeared called dmvqz.exe which appears in both AVG and my msconfig startup. I assume that there could be a never-ending circle of this happening.
    All these "things" seem to stem from my system32 folder.

    Spybot continually finds a problem called pipas.a, fixes it, but again it reappears after a restart.

    Panda freescan identified 1 virus (which it fixed), 18 spywares and 3 diallers, but AVG, adaware or Spybot do not find them, neither can I find the associated paths manually.

    Is a startup thing called nwix.exe a possible problem? Opinion seems divided on Google.

    I did a HijackThis log thingamajig:

    Logfile of HijackThis v1.99.1
    Scan saved at 20:49:41, on 07/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\csrss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    E:\WINDOWS\system32\nvsvc32.exe
    E:\WINDOWS\system32\HPZipm12.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\alg.exe
    E:\WINDOWS\SOUNDMAN.EXE
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    E:\WINDOWS\system32\RUNDLL32.EXE
    E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    E:\Program Files\QuickTime\qttask.exe
    E:\Program Files\MSN Messenger\msnmsgr.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\hyjackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R3 - URLSearchHook: (no name) - {4BA8E475-2894-9177-F017-AE866D606A73} - UserSp1.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [dmvqz.exe] E:\WINDOWS\system32\dmvqz.exe
    O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {33331111-1111-1111-1111-611111193423} -
    O16 - DPF: {33331111-1111-1111-1111-611111193429} -
    O16 - DPF: {33331111-1111-1111-1111-615111193427} -
    O16 - DPF: {33331111-1131-1111-1111-611111193428} -
    O16 - DPF: {43331111-1111-1111-1111-611111195622} -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...24/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A36EBED3-3365-43C6-92F5-89D0BCE12A7E}: NameServer = 85.255.113.194,85.255.112.98
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0DD17F6-61F8-4116-8238-4B1201445209}: NameServer = 85.255.113.194,85.255.112.98
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

    Any help would be very much appreciated as this is doing my head in.
    Thanks.

  2. #2 Silent Badger (Junior Member, joined Apr 2006, 25 posts)

    Is there any other info I can provide which might help to shed light on matters?

  3. #3 Silent Badger (Junior Member, joined Apr 2006, 25 posts)

    In other threads this is often given as advice:

    "Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe
    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal."

    Is this safe in my case? I have a bad habit of jumping the gun when it comes to comp fixes and worsening the problem.

  4. #4 illukka (Expert-Emeritus, The Pits Of Hell, joined Nov 2005, 1,289 posts)

    Hi,

    You have that part right.


    Download Fixwareout to your desktop:
    http://downloads.subratam.org/Fixwareout.exe
    Or from:
    http://swandog46.geekstogo.com/Fixwareout.exe
    Run Fixwareout and simply follow the prompts; you will need to reboot when prompted.
    Open your root folder (usually C:), find c:\fixwareout\report.txt and
    post it here.

    Next:


    Please download ewido anti-malware; it is a free version of the program.
    1. Install ewido security suite
    2. When installing, under "Additional Options" uncheck:
      • Install background guard
      • Install scan via context menu
    3. Launch ewido: there should be an icon on your desktop, double-click it.
    4. The program will now open to the main screen.
    5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    6. You will need to update ewido to the latest definition files.
      • On the left hand side of the main screen click Update.
      • Then click on Start Update.
    7. The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    If you are having problems with the updater, you can use this link to manually update ewido:
    ewido manual updates

    Once the updates are installed do the following:

    Reboot your computer in Safe Mode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.


    Then launch ewido:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • You will be prompted to clean the first infection.
    • Select "Perform action on all infections", then proceed.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop or a location where you can find it easily.

    Close ewido anti malware.

    Reboot back to normal mode, post the ewido report and a log from a fresh HJT scan.
    I Am A Proud Member of ASAP Since 2004

    To Ride, Shoot Straight And Speak TheTruth

    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!

  5. #5 Silent Badger (Junior Member, joined Apr 2006, 25 posts)

    Thanks for the advice, carried it all through and here are the logs.

    Fixwareout


    Fixwareout ver 1.003
    Last edited march/15/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nlqmd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmqln.exe"=-
    ...

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Search by size and names...

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool



    Ewido

    + Created on: 12:07:12, 09/04/2006
    + Report-Checksum: 3006C248

    + Scan result:

    E:\Documents and Settings\adam\Cookies\adam@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@7search[1].txt -> TrackingCookie.7search : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@cneteurope.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@com[1].txt -> TrackingCookie.Com : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@e-2dj6wflysgcjslp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@e-2dj6wgmielc5caq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@e-2dj6wjliakdpegp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@e-2dj6wjmyejdpmao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@roispy[1].txt -> TrackingCookie.Roispy : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    E:\Documents and Settings\adam\Cookies\adam@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
    E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@com[2].txt -> TrackingCookie.Com : Cleaned with backup
    E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    E:\WINDOWS\system32\dmqln.exe -> Trojan.Pakes : Cleaned with backup
    E:\WINDOWS\system32\mshlpa.exe -> Downloader.Mediket.br : Cleaned with backup
    E:\WINDOWS\system32\WinNB57.dll -> Adware.NetNucleus : Cleaned with backup

    ::Report End



    HijackThis

    Logfile of HijackThis v1.99.1
    Scan saved at 12:10:34, on 09/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    E:\Program Files\ewido anti-malware\ewidoctrl.exe
    E:\WINDOWS\system32\nvsvc32.exe
    E:\WINDOWS\system32\HPZipm12.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\SOUNDMAN.EXE
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    E:\WINDOWS\system32\RUNDLL32.EXE
    E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    E:\Program Files\QuickTime\qttask.exe
    E:\WINDOWS\system32\wuauclt.exe
    E:\hyjackthis\HijackThis.exe

    R3 - URLSearchHook: (no name) - {4BA8E475-2894-9177-F017-AE866D606A73} - UserSp1.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {33331111-1111-1111-1111-611111193423} -
    O16 - DPF: {33331111-1111-1111-1111-611111193429} -
    O16 - DPF: {33331111-1111-1111-1111-615111193427} -
    O16 - DPF: {33331111-1131-1111-1111-611111193428} -
    O16 - DPF: {43331111-1111-1111-1111-611111195622} -
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...24/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A36EBED3-3365-43C6-92F5-89D0BCE12A7E}: NameServer = 85.255.113.194,85.255.112.98
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0DD17F6-61F8-4116-8238-4B1201445209}: NameServer = 85.255.113.194,85.255.112.98
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

    Everything looks clear to me, but what do I know?
    Thanks again for having a look.

  6. #6 illukka (Expert-Emeritus, The Pits Of Hell, joined Nov 2005, 1,289 posts)

    Hi,

    Open HijackThis,
    click "Do a system scan only",

    and checkmark these lines:
    R3 - URLSearchHook: (no name) - {4BA8E475-2894-9177-F017-AE866D606A73} - UserSp1.dll (file missing)
    O16 - DPF: {33331111-1111-1111-1111-611111193423} -
    O16 - DPF: {33331111-1111-1111-1111-611111193429} -
    O16 - DPF: {33331111-1111-1111-1111-615111193427} -
    O16 - DPF: {33331111-1131-1111-1111-611111193428} -
    O16 - DPF: {43331111-1111-1111-1111-611111195622} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A36EBED3-3365-43C6-92F5-89D0BCE12A7E}: NameServer = 85.255.113.194,85.255.112.98
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0DD17F6-61F8-4116-8238-4B1201445209}: NameServer = 85.255.113.194,85.255.112.98


    Then close all browser and Explorer windows, until only HijackThis is running on your desktop,

    and click Fix checked.

    Reboot.

    Go to Panda ActiveScan:

    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on Local Disks to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
      Post the contents of the Panda scan report, along with a new HijackThis Log

  7. #7 Silent Badger (Junior Member, joined Apr 2006, 25 posts)

    And I thought the coast was clear!

    Here's the ActiveScan report:

    Incident Status Location

    Spyware:Cookie/Hbmediapro Not disinfected E:\Documents and Settings\adam\Cookies\adam@adopt.hbmediapro[2].txt
    Spyware:Cookie/Seeq Not disinfected E:\Documents and Settings\adam\Cookies\adam@www48.seeq[1].txt
    Spyware:Cookie/Xmts Not disinfected E:\Documents and Settings\adam\Cookies\adam@xmts[1].txt
    Spyware:Cookie/Atwola Not disinfected E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@atwola[1].txt
    Dialer:Dialer.ABR Not disinfected E:\WINDOWS\Downloaded Program Files\startbf.inf
    Dialer:dialer.xd Not disinfected E:\WINDOWS\switchagreement.txt


    And here's the HJT report:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:32:01, on 10/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    E:\WINDOWS\SOUNDMAN.EXE
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    E:\Program Files\ewido anti-malware\ewidoctrl.exe
    E:\WINDOWS\system32\RUNDLL32.EXE
    E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    E:\Program Files\QuickTime\qttask.exe
    E:\WINDOWS\system32\nvsvc32.exe
    E:\WINDOWS\system32\HPZipm12.exe
    E:\WINDOWS\system32\svchost.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\hyjackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...24/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

    Would it be safe to delete all the ActiveScan stuff manually? (if I could find them)
    I thought I'd kept a nice secure clean computer :(
    Thanks for all this help.

  8. #8 illukka (Expert-Emeritus, The Pits Of Hell, joined Nov 2005, 1,289 posts)

    Hi,

    Do you have any spyware scanners installed, like Spybot, adaware?
    I suppose that a scan with those in safe mode should remove all dialers.

    One line in the log still requires a fix with HijackThis:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98


    Fix that line, reboot and post me a new HJT log.
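The lines illukka singles out in posts #6 and #8 fall into a few recognisable shapes: O17 NameServer entries pointing at resolvers the machine should not be using, O16 DPF entries with no class name and no download URL, an R3 URLSearchHook with no name and a missing file, and an O4 Run value that is just the name of a random executable in system32. The script below, an added example that is not code from this thread or from the HijackThis authors, parses those line types from a pasted log and flags the same patterns. The trusted-resolver list (private ranges standing in for the ISP's real resolver addresses), the sample log lines and the placeholder O16 download URL are all constructed for the example.

```python
"""Triage a HijackThis v1.99.1 log for the entry types flagged in this thread.

Added example: not from the forum thread or the HijackThis project. The
trusted-resolver list and the sample log are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed allow-list of resolvers the machine is expected to use.
# A real run would list the ISP's or the router's DNS addresses instead.
TRUSTED_RESOLVERS = (
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
)

# Constructed sample modelled on the logs posted in the thread.
# The download URL on the benign O16 line is a placeholder.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {4BA8E475-2894-9177-F017-AE866D606A73} - UserSp1.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmvqz.exe] E:\WINDOWS\system32\dmvqz.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://scanner.example/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - ?(?P<url>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


def _exe_name(cmd):
    """Basename of the first token of a Run command (Windows path, any host OS)."""
    first = cmd.split()[0].strip('"')
    return first.rsplit("\\", 1)[-1]


def triage(log_text, trusted=TRUSTED_RESOLVERS):
    """Return a list of (section, detail) findings for the suspicious patterns."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O17_RE.match(line)
        if m:
            # NameServer values may be space- or comma-separated, as in the thread.
            for server in re.split(r"[ ,]+", m.group("servers").strip()):
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    findings.append(("O17", f"unparseable NameServer value {server!r}"))
                    continue
                if not any(addr in net for net in trusted):
                    findings.append(("O17", f"NameServer {server} is not a trusted resolver"))
            continue
        m = O16_RE.match(line)
        if m:
            # Legitimate DPF entries carry a class name and a download URL.
            if not m.group("name") or not m.group("url"):
                findings.append(("O16", f"DPF {{{m.group('clsid')}}} has no name or URL"))
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            # A Run value named after its own .exe in system32 is the shape of
            # the dmvqz.exe / dmqln.exe entries in the thread.
            if name.lower() == _exe_name(cmd).lower() and "\\system32\\" in cmd.lower():
                findings.append(("O4", f"Run entry [{name}] launches {cmd}"))
            continue
        m = R3_RE.match(line)
        if m:
            if m.group("name") == "(no name)" or "(file missing)" in m.group("path"):
                findings.append(("R3", f"URLSearchHook {m.group('path')} has no name or file"))
    return findings


def summarize(findings):
    """Count findings per HijackThis section, e.g. {'O17': 2, 'O16': 1, ...}."""
    return dict(Counter(section for section, _ in findings))


if __name__ == "__main__":
    for section, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the constructed sample it reports both rogue NameServer addresses, the empty O16 entry, the nameless R3 hook and the dmvqz.exe Run value, while the AVG, Panda and HP lines pass; on a real log the trusted-resolver list is the one part that has to be filled in from the machine's own network settings before an O17 finding means anything.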

  9. #9 Silent Badger (Junior Member, joined Apr 2006, 25 posts)

    Fixed that line, here is the new log..

    Logfile of HijackThis v1.99.1
    Scan saved at 10:24:28, on 12/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\spoolsv.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    E:\Program Files\ewido anti-malware\ewidoctrl.exe
    E:\WINDOWS\system32\nvsvc32.exe
    E:\WINDOWS\system32\HPZipm12.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\SOUNDMAN.EXE
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    E:\WINDOWS\system32\RUNDLL32.EXE
    E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    E:\Program Files\QuickTime\qttask.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\hyjackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...24/mcfscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8606EC58-7947-49B2-896F-7CEE0EF57550}: NameServer = 85.255.113.194 85.255.112.98
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe

    Ran Spybot, adaware and ewido in safe mode, then rescanned with Panda and got this report afterwards:


    Incident Status Location

    Spyware:Cookie/Atwola Not disinfected E:\Documents and Settings\adam\Cookies\adam@atwola[1].txt
    Spyware:Cookie/Xmts Not disinfected E:\Documents and Settings\adam\Cookies\adam@xmts[1].txt
    Spyware:Cookie/Atwola Not disinfected E:\Documents and Settings\adam\Local Settings\Temp\Cookies\adam@atwola[1].txt
    Dialer:Dialer.ABR Not disinfected E:\WINDOWS\Downloaded Program Files\startbf.inf
    Dialer:dialer.xd Not disinfected E:\WINDOWS\switchagreement.txt


    So I removed these files manually, restarted and rescanned, and got this result:


    Incident Status Location

    Spyware:Cookie/Atwola Not disinfected E:\RECYCLER\S-1-5-21-1644491937-1060284298-725345543-1003\De6.txt
    Spyware:Cookie/Xmts Not disinfected E:\RECYCLER\S-1-5-21-1644491937-1060284298-725345543-1003\De7.txt
    Spyware:Cookie/Atwola Not disinfected E:\RECYCLER\S-1-5-21-1644491937-1060284298-725345543-1003\De8.txt
    Dialer:Dialer.ABR Not disinfected E:\WINDOWS\Downloaded Program Files\startbf.inf

    Is this anything to be concerned about?

  10. #10 illukka (Expert-Emeritus, The Pits Of Hell, joined Nov 2005, 1,289 posts)

    Hi,

    That line still remains.

    Fixwareout was updated recently; I believe that you have an older version.

    Please redownload it:

    http://downloads.subratam.org/Fixwareout.exe

    Then proceed as instructed above to run the fix.

    Post the Fixwareout report and a new HijackThis log, thank you.
