Pipas.A :(

M

Martinx

New member
Hi guys! Unfortunately I recently found out that my computer has been infected with Pipas.A using Spybot S&D:( It frustrates me because I've always been able to keep my computer clean from a single spyware for a long time, and now suddenly I'm getting a lot of spywares, including this one. I managed to get rid of all spywares except for this one. I use Avast! Antivirus which automatically updates itself, and Zonealarm Firewall which also automatically updates itself. I also use many types of Spyware programs to make sure that spywares stay away, so I'm pretty protected. I'm surprised I got this one. Can it be the reason for my SUDDEN major slowdowns, and Windows sometimes freezing during boots? I hope so.

I've read other threads on this spyware, so I ran HijackThis to help you. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 21:31:43, on 2006-09-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\MSMSGS.EXE
C:\Program\IMsecure\IMsecure.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\mmc.exe
C:\Program\Diskeeper Corporation\Diskeeper\DfrgNTFS.exe
C:\WINDOWS\explorer.exe
C:\Program\Spybot - Search & Destroy\SpybotSD.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Martin\Mina dokument\Installationer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.imesh.com/intl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "C:\Program\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: IMsecure.lnk = C:\Program\IMsecure\IMsecure.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{91E014D3-4244-4729-BEAB-7DB8BEA13167}: NameServer = 85.255.114.38,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F63E0514-880F-4A7E-B09C-98A84DC9F4FD}: NameServer = 85.255.114.38,85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.38 85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.38 85.255.112.7
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks a lot in advance! I'm so eagre to get rid of this spyware!
 
Here's the Fixwareout log:

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\cygmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1trap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\2trap
...

Random Runs removed from HKLM
"dmgyc.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSUKU.EXE 51 798 2006-09-17
C:\WINDOWS\SYSTEM32\DMGYC.EXE 62 026 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
 
Here's the HijackThis log after Fixwareout:

Logfile of HijackThis v1.99.1
Scan saved at 23:17:31, on 2006-09-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\MSMSGS.EXE
C:\Program\IMsecure\IMsecure.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Martin\Mina dokument\Installationer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "C:\Program\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: IMsecure.lnk = C:\Program\IMsecure\IMsecure.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{91E014D3-4244-4729-BEAB-7DB8BEA13167}: NameServer = 85.255.114.38,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F63E0514-880F-4A7E-B09C-98A84DC9F4FD}: NameServer = 85.255.114.38,85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.38 85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.38 85.255.112.7
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Well for some odd reason it seems Pipas.A no longer exists after the Fixwipeout. I ran Spybot S&D just out of curiosity to see if it was still there, and to my amazement it wasn't. Was it Fixwipeout that got rid of it, or is it still lurking somewhere there?
 
Welcome

Close all browsers
Start Hijackthis and place a check next to these items If there.
O17 - HKLM\System\CCS\Services\Tcpip\..\{91E014D3-4244-4729-BEAB-7DB8BEA13167}: NameServer = 85.255.114.38,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F63E0514-880F-4A7E-B09C-98A84DC9F4FD}: NameServer = 85.255.114.38,85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.38 85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.38 85.255.112.7

====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Manualy delete these files if they still exist
C:\WINDOWS\SYSTEM32\CSUKU.EXE
C:\WINDOWS\SYSTEM32\DMGYC.EXE
Your antivirus might delete when you get close to them, thats fine.

delete c:\fixwareout, it wont be needed any longer.

Note:
If You have connection problems or those 017's ~ 85.255.114.38 85.255.112.7, return >
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
Do that for every conntection listed.

Post a fresh hijackthis log please, be sure to mention any current problems.
 
Thanks a lot LonnyRJones! I tried to do everything exactly as you told me, and I think I managed good in every step without too much complexity.

Here's the new HijackThis logfile done after your proceedings:

Logfile of HijackThis v1.99.1
Scan saved at 18:22:04, on 2006-09-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\MSMSGS.EXE
C:\Program\IMsecure\IMsecure.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Martin\Mina dokument\Installationer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "C:\Program\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: IMsecure.lnk = C:\Program\IMsecure\IMsecure.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


There seems to be no problems as of now. Thanks a lot! I will gladly return when I get a new problem, which I really do not hope! Thanks once again!
 
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help.
 
Okay so I wanted to re-open this thread because I felt that I'm getting slowdowns for no apparent reason. I just want you guys to read my logfiles and make sure there isn't any malware left on my computer.

Okay, here's my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 16:05:22, on 2006-10-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Java\jre1.5.0_06\bin\jusched.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\MSMSGS.EXE
C:\Program\IMsecure\IMsecure.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Martin\Mina dokument\Installationer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "C:\Program\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: IMsecure.lnk = C:\Program\IMsecure\IMsecure.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Hi
Slowdowns as in Browsers or the PC ?

When you suspect a virus/trojan or bots or the pc is just plain acting wierd get more opinions
post a report from one or both of these free online scans.

Panda ActiveScan-Free online scanner,
http://www.pandasoftware.com/products/activescan.htm
Do a full scan > Click the my computer button
After the scan click see report then Save the report and post it back here please.
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
when finished click save as text and post that in your reply.
We dont need to see item's listed as "Object is locked skipped" so edit those out.
We do not need to see items reported that are in an antivirus quorantine folder.
 
Well I ran Fixwareout just now, so I might as well just post the logfile:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.



I'm working on the free online scans you provided. I'll post them immidiately after I finnished scanning.
 
When I pressed on the My Computer button, it tells me to enter my country and email adress, and then wants me to install some kind of program called ActiveX, is that the one you wanted me to press on?
 
Avast alerted when Panda activex was installing ?

You should go let the people at avast know about that later.

Allow it
 
Here is the result of the scan (quite a lot of spyware actually):

Incident Status Location

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.com.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.research-int.se/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.atwola.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.ig.com.br/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[adserver.filefront.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[drivecleaner.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[server.iad.liveperson.net/hc/1856972]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Martin\Application Data\Mozilla\Firefox\Profiles\fsrt92vb.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\Martin\Cookies\martin@research-int[1].txt
Potentially unwanted tool:Application/Zango Not disinfected C:\Program\Mozilla Firefox\plugins\npclntax.dll
Potentially unwanted tool:Application/RealSpy Not disinfected C:\WINDOWS\system32\actskn45.ocx
 
Here's the Kaspersky scan result (I desperately waited for a whole hour!!):

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 79904
Number of viruses found 2
Number of infected objects 6 / 0
Number of suspicious objects 0
Duration of the scan process 00:58:33

C:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped

C:\System Volume Information\_restore{5BDEA040-7E38-4EB9-98B7-5DEBC9351A9A}\RP115\A0018021.dll Infected: not-a-virus:AdWare.Win32.180Solutions.au skipped

C:\System Volume Information\_restore{5BDEA040-7E38-4EB9-98B7-5DEBC9351A9A}\RP142\A0030292.dll Infected: not-a-virus:AdWare.Win32.180Solutions.au skipped

C:\System Volume Information\_restore{5BDEA040-7E38-4EB9-98B7-5DEBC9351A9A}\RP142\A0030480.dll Infected: not-a-virus:AdWare.Win32.180Solutions.au skipped


These are the results.
 
You must log in or register to reply here.
Back
Top