
Thread: Pipas.a and then some

  1. #1
    Junior Member
    Join Date
    Jul 2006
    Posts
    5

    Default Pipas.a and then some

    I have gone through the preliminary steps including running an online virus scan and running SpyBot multiple times. I have run it three times and Pipas.a continues to be detected. The Kill and Clean "spyware application" continues to show up as well.

    The SpyBot scan takes nearly 24 hours to complete and I don't know why.

    I have the latest version of HijackThis as well. I have even tried to follow other posts thinking that certainly this very same thing has happened to someone else. I ran the Fixwareout.exe and still I've got problems. My system is degrading and the whole bit.

    A couple of questions: I've done some searching to see what these nasty buggers do, but I couldn't really find anything. Should I minimize time online? Are my files at risk of being lifted?

    Also, is there any reason to believe that reformatting my hard drive wouldn't get rid of the problem? If I'm not 100% certain that it is gone I may go this route.

    Thank you in advance for your help.

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    A format then clean install can be a good idea; as far as I know no malware will survive a format. Or, if it's a recent infection, you could use System Restore to go back a few days before the infection started.

    Delete Fixwareout and its folder c:\fixwareout; more than likely you're using an old version.

    Let's get a look. Post a fresh HijackThis 1.99.1 log and a BlackLight report.

    F-Secure BlackLight: https://europe.f-secure.com/blacklight/try.shtml
    Click the "I accept" button near the bottom of that page.
    Download and run BlackLight: click Scan, then Next, Next again, then Exit.
    There will be a new .txt file next to BlackLight. Post it please.
    Important: If any files show, do not rename them YET; legitimate files can be listed.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  3. #3
    Junior Member
    Join Date
    Jul 2006
    Posts
    5

    Default

    Here is the fresh HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 10:18:51 AM, on 7/17/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\CA\eTrust\Antivirus\realmon.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Novosoft\Handy Backup\hbagent.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Business Objects\JRE\bin\jusched.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.paceengrs.com
    O17 - HKLM\Software\..\Telephony: DomainName = corp.paceengrs.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.paceengrs.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


    Here is the Blacklight log:
    07/17/06 10:22:35 [Info]: BlackLight Engine 1.0.42 initialized
    07/17/06 10:22:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    07/17/06 10:22:37 [Note]: 7019 4
    07/17/06 10:22:37 [Note]: 7005 0
    07/17/06 10:22:43 [Note]: 7006 0
    07/17/06 10:22:43 [Note]: 7011 2200
    07/17/06 10:22:43 [Note]: 7026 0
    07/17/06 10:22:43 [Note]: 7026 0
    07/17/06 10:22:56 [Note]: FSRAW library version 1.7.1019
    07/17/06 10:25:53 [Info]: Hidden file: c:\WINDOWS\system32\csrqk.exe
    07/17/06 10:25:53 [Note]: 7002 32
    07/17/06 10:25:53 [Note]: 7003 1
    07/17/06 10:25:53 [Note]: 10002 1
    07/17/06 10:25:53 [Info]: Hidden file: c:\WINDOWS\system32\dmqee.exe
    07/17/06 10:25:53 [Note]: 7002 32
    07/17/06 10:25:53 [Note]: 7003 1
    07/17/06 10:25:53 [Note]: 10002 1
    07/17/06 10:25:57 [Info]: Hidden file: c:\WINDOWS\system32\{252CE89A-369A-48C8-A994-77C5BA23A844}.exe
    07/17/06 10:25:57 [Note]: 10002 1
    07/17/06 10:25:58 [Info]: Hidden file: c:\WINDOWS\system32\{82FDD3F7-866E-45B5-A0C5-BCFC693AA205}.exe
    07/17/06 10:25:58 [Note]: 10002 1
    07/17/06 10:25:58 [Info]: Hidden file: c:\WINDOWS\system32\{96206F22-1153-44CE-9192-D6C7ABCB45D5}.exe
    07/17/06 10:25:58 [Note]: 10002 1
    07/17/06 10:25:58 [Info]: Hidden file: c:\WINDOWS\system32\{B2A43A4A-CB16-4765-9BB1-8EEC601E45BF}.exe
    07/17/06 10:25:58 [Note]: 10002 1
    07/17/06 10:31:42 [Note]: 7007 0

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Re-download and run FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe
    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal.
    Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

    Also run BlackLight again, and post its log if any files are present.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  5. #5
    Junior Member
    Join Date
    Jul 2006
    Posts
    5

    Default

    Here is the fixwareout report:

    Fixwareout ver 1.003
    Last edited 07/1/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\cdymd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmydc.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Example ipsec6.exe is legitimate

    »»»»» Search by size and names...
    * csr.exe C:\WINDOWS\System32\CSRQK.EXE

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool

    »»»»»
    Search five digit cs, dm and jb files
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSRQK.EXE 51,213 2006-07-10
    C:\WINDOWS\SYSTEM32\DMYDC.EXE 44,115 2004-08-04
    Other suspects
    Directory of C:\WINDOWS\system32
    {252CE89A-369A-48C8-A994-77C5BA23A844}.exe
    {B2A43A4A-CB16-4765-9BB1-8EEC601E45BF}.exe
    {82FDD3F7-866E-45B5-A0C5-BCFC693AA205}.exe
    {96206F22-1153-44CE-9192-D6C7ABCB45D5}.exe


    BlackLight did not find any hidden files after running Fixwareout. I believe the suspects listed in the Fixwareout report are the Kill and Clean application, yes?
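    The two checks that surfaced the infection in this thread, the Fixwareout name search ("five digit cs, dm and jb files" and GUID-named executables in system32) and the BlackLight hidden-file comparison, are simple enough to re-implement. The block below is an added example written for this page; it is not code from the thread, from Fixwareout, or from F-Secure. The regular expressions, the KNOWN_GOOD allow-list and the sample listings are this example's own constructions, modelled on the file names that appear in the logs above. Note that it flags by name only, exactly as the Fixwareout report warns, so csrss.exe (a legitimate five-character "cs" name) is allow-listed and anything else that matches should still be submitted to VirusTotal rather than deleted on sight.

```python
"""Re-implementation of the two checks used in the thread above.

1. Name heuristics from the Fixwareout report: five-character names
   beginning with cs/dm/jb (csrqk.exe, dmydc.exe) and {GUID}.exe files.
2. Cross-view hidden-file detection in the spirit of BlackLight: a name
   present in a raw on-disk listing but absent from the normal directory
   API listing is reported as hidden.

All names not taken from the thread's logs are constructed for the example.
"""
import os
import re
from collections import OrderedDict

# Five-character base name starting with cs, dm or jb, .exe extension.
FIVE_CHAR = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)
# {8-4-4-4-12 hex}.exe, as seen for the four "Other suspects".
GUID_EXE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\.exe$",
    re.IGNORECASE,
)
# Legitimate Windows binaries that match the five-character pattern.
# Fixwareout warns that legit files can be listed; csrss.exe is the obvious one.
KNOWN_GOOD = {"csrss.exe"}


def classify(name):
    """Return a reason string if the file name looks like a Wareout-style
    dropper, or None. Allow-listed names are never flagged."""
    lower = name.lower()
    if lower in KNOWN_GOOD:
        return None
    if FIVE_CHAR.match(lower):
        return "five-char cs/dm/jb name"
    if GUID_EXE.match(lower):
        return "GUID-named executable"
    return None


def suspicious_names(names):
    """Map each flagged file name to its reason, preserving input order."""
    out = OrderedDict()
    for n in names:
        reason = classify(n)
        if reason:
            out[n] = reason
    return out


def hidden_files(api_listing, raw_listing):
    """Cross-view check: names in the raw listing that the directory API
    does not return. Case-insensitive, because NTFS names are."""
    api = {n.lower() for n in api_listing}
    return sorted(n for n in raw_listing if n.lower() not in api)


def scan_system32(root=None):
    """Run the name heuristics against a live System32 (Windows only).
    Returns an empty mapping if the directory cannot be read."""
    root = root or os.path.join(
        os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    try:
        names = os.listdir(root)
    except OSError:
        return OrderedDict()
    return suspicious_names(names)


# Constructed sample listings modelled on the logs in the thread:
# csrqk.exe and the GUID files were hidden, dmydc.exe was not.
API_VIEW = ["csrss.exe", "ipsec6.exe", "notepad.exe", "dmydc.exe"]
RAW_VIEW = API_VIEW + [
    "csrqk.exe",
    "{252CE89A-369A-48C8-A994-77C5BA23A844}.exe",
    "{B2A43A4A-CB16-4765-9BB1-8EEC601E45BF}.exe",
]

if __name__ == "__main__":
    for n in hidden_files(API_VIEW, RAW_VIEW):
        print("hidden :", n)
    for n, why in suspicious_names(RAW_VIEW).items():
        print("suspect:", n, "-", why)
```

    Run as-is it works on the constructed listings; call scan_system32() on a Windows machine to apply the name heuristics to the real folder. The hidden-file half only has value if the raw listing really bypasses the API (BlackLight reads the file system directly for that reason); feeding it two API listings will never show anything.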

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Manually delete those files at that location (the system32 folder). Be careful with the spelling on the first two; if in doubt, leave them. At this point they should be harmless.

    C:\WINDOWS\SYSTEM32\CSRQK.EXE
    C:\WINDOWS\SYSTEM32\DMYDC.EXE
    C:\WINDOWS\system32\{252CE89A-369A-48C8-A994-77C5BA23A844}.exe
    C:\WINDOWS\system32\{B2A43A4A-CB16-4765-9BB1-8EEC601E45BF}.exe
    C:\WINDOWS\system32\{82FDD3F7-866E-45B5-A0C5-BCFC693AA205}.exe
    C:\WINDOWS\system32\{96206F22-1153-44CE-9192-D6C7ABCB45D5}.exe
    =========

    You must have items on the HijackThis ignore list?
    For example, CA's eTrust program shows as a process but not elsewhere.

    What version of Sun's Java is it that you use? To check: Windows Control Panel, Java applet (various names depending on version).
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  7. #7
    Junior Member
    Join Date
    Jul 2006
    Posts
    5

    Default

    I have deleted those six files.

    Yes I did have some items in the ignore list. Here is the HijackThis log after removing items from the ignore list:
    Logfile of HijackThis v1.99.1
    Scan saved at 9:39:29 PM, on 7/18/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\CA\eTrust\Antivirus\realmon.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Novosoft\Handy Backup\hbagent.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Business Objects\JRE\bin\javaw.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Business Objects\JRE\bin\jusched.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.paceengrs.com
    O17 - HKLM\Software\..\Telephony: DomainName = corp.paceengrs.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.paceengrs.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
    O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    I have the Java Plug-in "Java 2 Runtime Environment, Standard Edition 1.4.2_04"

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    For security reasons, update Sun's Java manually.
    Sun Java V1.5.0_07 is available:
    http://forums.spybot.info/showpost.p...80&postcount=2
    Afterwards it's important to uninstall (via Add/Remove Programs) the old versions.

    Think Prevention: Put in place a good hosts file
    http://www.mvps.org/winhelp2002/hosts.htm
    How To Download and Extract the HOSTS file:
    http://www.mvps.org/winhelp2002/hosts2.htm
    Repeat that process about once or twice a month.

    To help avoid reinfection see "So how did I get infected in the first place?"
    http://forums.spybot.info/showthread.php?t=279
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
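    The hosts file recommended above works by mapping known ad and malware hosts to a null address (0.0.0.0 in current MVPS releases, 127.0.0.1 in older ones). The same file is also a common hijack target, so a short checker is worth having after each monthly refresh. The block below is an added example written for this page, not code from the thread or from the MVPS project; it parses the hosts format, counts blocked entries, and reports any hostname mapped to something other than loopback/null. The sample content and every domain in it are constructed for the example.

```python
"""Checker for a Windows hosts file of the kind installed from MVPS.

parse_hosts() handles the real format (leading address, one or more
hostnames per line, '#' comments, blank lines). audit_hosts() counts
entries that block a host and lists entries that redirect one, which is
what a hijacked hosts file looks like. Sample data below is constructed.
"""
import os

NULL_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:                    # several names per line allowed
            yield addr, name.lower()


def audit_hosts(text):
    """Return {'blocked': n, 'redirects': [(hostname, address), ...]}.

    A hostname pointed at a null/loopback address is a block entry; any
    other mapping redirects that hostname and is reported for review."""
    blocked = 0
    redirects = []
    for addr, name in parse_hosts(text):
        if name in LOCALHOST_NAMES:
            continue                          # the one mapping that belongs
        if addr in NULL_ADDRS:
            blocked += 1
        else:
            redirects.append((name, addr))
    return {"blocked": blocked, "redirects": redirects}


def audit_hosts_file(path=None):
    """Audit the live hosts file (default: the Windows location)."""
    path = path or os.path.join(
        os.environ.get("SystemRoot", r"C:\Windows"),
        "system32", "drivers", "etc", "hosts")
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample, laid out like an MVPS file plus one hijack entry.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 ad.example-tracker.test
0.0.0.0 banner.example-ads.test  # trailing comment
127.0.0.1 old-style-block.example.test
192.0.2.10 update.example-av.test   # a redirect a hijack would add
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE)
    print("blocked hosts:", report["blocked"])
    for name, addr in report["redirects"]:
        print("REDIRECT:", name, "->", addr)
```

    audit_hosts_file() reads the real file on a Windows box; on the sample it reports three blocked hosts and one redirect. A large MVPS file should give thousands of blocked entries and an empty redirect list; anything in the redirect list that you did not add yourself deserves a closer look.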

  9. #9
    Junior Member
    Join Date
    Jul 2006
    Posts
    5

    Default

    So I presume I'm all cleaned up. I have installed the latest Java and taken the precautions you recommended.

    Thank you so much for your help. You folks provide a great free service. Certainly above and beyond the philosophy of free software. I'll have no problem making a donation.

    Thanks again.

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    I'm glad we could help.
    Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.

    If you should need to post another log for the same PC let one of us know via a PM (personal message).
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
