
Pipas.A Won't Go Away


This topic is locked
14 replies to this topic

#1 invisible

Posted 23 September 2006 - 10:49 PM

Please help! I was stupid enough to download the bad codec. I used Spybot to remove bugs and it found about 17 of them. I removed all except one: Pipas.A, which comes back. I found another thread on this subject and loaded the Hosts file mentioned there. The file was replaced successfully but my problems still remain. Also, antivirus software (avast) found about 17 files (Trojan) and placed them in quarantine. So I really don't know if my only problem is still Pipas.A.

Logfile of HijackThis v1.99.1
Scan saved at 17:42:39, on 2006-09-23
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toya.net.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [dmokp.exe] C:\WINDOWS\system32\dmokp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{68288170-6EAE-4BAA-8B89-4F866D34B45A}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Maybe this will help.

Edited by invisible, 23 September 2006 - 10:56 PM.



#2 invisible


Posted 23 September 2006 - 10:53 PM

And this...

09/23/06 19:55:15 [Info]: BlackLight Engine 1.0.46 initialized
09/23/06 19:55:15 [Info]: OS: 5.1 build 2600 (Dodatek Service Pack 2)
09/23/06 19:55:15 [Note]: 7019 4
09/23/06 19:55:15 [Note]: 7005 0
09/23/06 19:55:23 [Note]: 7006 0
09/23/06 19:55:23 [Note]: 7011 292
09/23/06 19:55:23 [Note]: 7026 0
09/23/06 19:55:23 [Note]: 7026 0
09/23/06 19:55:26 [Note]: FSRAW library version 1.7.1019
09/23/06 19:55:36 [Info]: Hidden file: c:\WINDOWS\system32\csaoy.exe
09/23/06 19:55:36 [Note]: 7002 32
09/23/06 19:55:36 [Note]: 7003 1
09/23/06 19:55:36 [Note]: 10002 1
09/23/06 19:55:37 [Info]: Hidden file: c:\WINDOWS\system32\dmspx.exe
09/23/06 19:55:37 [Note]: 7002 32
09/23/06 19:55:37 [Note]: 7003 1
09/23/06 19:55:37 [Note]: 10002 1
09/23/06 19:56:05 [Note]: 7007 0

#3 invisible


Posted 23 September 2006 - 11:02 PM

So I tried another step mentioned in the other thread about the same problem. I downloaded Fixwareout and ran it. Here is what came up:


Downloading BFU - Brute Force Uninstaller
File Downloader - Version 1.01 (build 7.4)
Downloads a file from a HTTP or FTP server.

Server: castlecops.com
Port: 80
Protocol: HTTP

bfu.zip:
Download failure: Unable to retrive specified file.Status: 406

Archive: bfu.zip
End-of-central-directory signature not found.Either this file is not a zipfile or it constitutes one disk of a multi-part archive.In the letter case the central directory and zipfile comment will be found on the last disk(s) of this archive.
unzip: cannot find zipfile directory in bfu.zip and cannot find bfu.zip.zip,period.

Attempting download from alternate URL

File Downloader-Version 1.01(build 7.4)
Downloads a file from a HTTP or a FTP server.

Server: www.merijn.org
Port: 80
Protocol: HTTP

bfu.zip:
Download failure: Time limit is over

Archive: bfu.zip
End-of-central-directory signature not found.Either this file is not a zipfile,or it constitutes one disk of a multi-part archive.In the letter case the control directory and zipfile comment will be found on the last disk(s) of this archive.

unzip: cannot find zipfile directory in bfu.zip and cannot find bfu.zip.zip,period.

BFU.exe was not present,unpacked or in proper location.

Please make sure you have a working internet connection or download bfu.zip(Brute Force Uninstaller) manualy and extract the file BFU.exe to the FireWareout\sub folder then restart the batch, fixit.bat
From this adress please http://www.merijn.org/files/


So I tried what was advised: I opened the Control Panel and in Network Connections I selected "Obtain DNS servers automatically"; still the same.
Then I tried to download BFU.zip manually. I could not connect to www.merijn.com as my browser acts funny. I have lots of trouble connecting to many websites. I guess that explains why the program was not able to connect. Finally I managed to download BFU.zip from another website and extracted the file BFU.exe to the Sub folder. Still no luck. My fingers are tired and I don't know what I could do next. Please help.

Edited by invisible, 23 September 2006 - 11:33 PM.


#4 invisible


Posted 23 September 2006 - 11:58 PM

I forgot to mention all the problems I have with my computer. It hangs very often, loses connection to the internet and I can't access many websites; all kinds of strange search engines and messages like "the page is misspelled or doesn't exist" appear. And even if I somehow get access, I can only see the home page. If I click on anything on it, a message "the page was not found" appears. If I click on links I get something different from what I was looking for. Sometimes typing in the address bar manually helps.

#5 Blender

Malware Response Team

Posted 24 September 2006 - 03:30 AM

Hi Invisible and welcome :thumbsup:

You will need to allow "download.exe" from the Fixwareout tool to access the internet through your firewall.
It needs to download some files to fix your problem.

It will first try to contact castlecops.com for the files needed. Failing that it will try merijn.org next.

If you are still having problems, try this please:

Download BFU.zip from Merijn's site:
http://www.merijn.org/files/bfu.zip

UNZIP/extract it.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html

Place BFU.exe in the following folder:
C:\Fixwareout\Sub <== this folder

Then open the C:\Fixwareout folder and double-click FixIt.bat

Follow its prompts to clean.
When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:


O4 - HKLM\..\Run: [dmokp.exe] C:\WINDOWS\system32\dmokp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{68288170-6EAE-4BAA-8B89-4F866D34B45A}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5


Once checked, close all open windows except HijackThis and click "Fix checked".

Exit HijackThis and reboot once more.

Post both the fixwareout log (c:\fixwareout\report.txt) and new hijackthis log.

Thanks :flowers:

Edited by Blender, 24 September 2006 - 03:33 AM.

I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

#6 invisible


Posted 24 September 2006 - 08:06 AM

Thank you very much for your help. I downloaded the file and it finally worked. It asked me to reboot my computer so I did, then it was running in reboot mode. I only had small windows coming up telling me to be patient, fixing is in progress. Then this came out:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tslmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A24D758FA835-6698-C8C4-BCAC-4272542C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Random Runs removed from HKLM
"dmlst.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

╗╗╗╗╗ Searching by size/names...

╗╗╗╗╗
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSSDA.EXE 51 746 2006-09-21
C:\WINDOWS\SYSTEM32\CSVUT.EXE 51 746 2006-09-20
C:\WINDOWS\SYSTEM32\DMLST.EXE 62 011 2004-08-04
C:\WINDOWS\SYSTEM32\DMOKP.EXE 62 011 2004-08-04
C:\WINDOWS\SYSTEM32\DMRZG.EXE 62 011 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

╗╗╗╗╗ Misc files.

╗╗╗╗╗ Checking for older varients covered by the Rem3 tool.

Edited by invisible, 24 September 2006 - 08:07 AM.
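As an added example (not from this thread, nor from HijackThis or Fixwareout), a small Python triage script that applies the two checks Blender and the Fixwareout report above point at: O17 NameServer entries pointing at resolvers other than the ones the machine should be using, and O4 Run entries in system32 with the five-letter cs/dm/jb names Fixwareout searches for. The sample lines are copied from the HijackThis log posted earlier; the expected-resolver address is an assumption.

```python
"""Triage a HijackThis log for the two indicators discussed in this thread:
rogue O17 DNS settings and random-named O4 Run entries in system32."""
import ipaddress
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dmokp.exe] C:\WINDOWS\system32\dmokp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{68288170-6EAE-4BAA-8B89-4F866D34B45A}: NameServer = 85.255.113.90,85.255.112.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.90 85.255.112.5
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption: the resolvers this machine is expected to use (ISP or home router).
# Private addresses are also accepted; anything else set as NameServer is flagged.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.0.1")}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")
# Fixwareout's own search pattern: five-letter cs*/dm*/jb* executables.
RANDOM_NAME_RE = re.compile(r"(?:^|\\)(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)


def first_exe_path(cmd: str) -> str:
    """Return the image path from a Run command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def rogue_nameservers(line: str, expected=EXPECTED_RESOLVERS):
    """Return NameServer tokens on an O17 line that are neither private nor expected."""
    m = O17_RE.match(line)
    if not m:
        return []
    rogue = []
    for tok in re.split(r"[,\s]+", m.group("servers").strip()):
        if not tok:
            continue
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:
            rogue.append(tok)  # not even an address: flag it for review
            continue
        if not (ip.is_private or ip in expected):
            rogue.append(str(ip))
    return rogue


def suspicious_run_entry(line: str) -> bool:
    """True for an O4 Run entry whose image is a random cs/dm/jb name in system32."""
    m = O4_RE.match(line)
    if not m:
        return False
    path = first_exe_path(m.group("cmd"))
    return "\\system32\\" in path.lower() and bool(RANDOM_NAME_RE.search(path))


def triage(log_text: str):
    """Return (suspicious O4 lines, {O17 registry key: rogue resolvers})."""
    o4_hits, o17_hits = [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if suspicious_run_entry(line):
            o4_hits.append(line)
        rogue = rogue_nameservers(line)
        if rogue:
            o17_hits[O17_RE.match(line).group("key")] = rogue
    return o4_hits, o17_hits


if __name__ == "__main__":
    runs, dns = triage(SAMPLE_LOG)
    for r in runs:
        print("Random-named Run entry:", r)
    for key, servers in dns.items():
        print(f"Rogue NameServer under {key}: {', '.join(servers)}")
```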


#7 invisible


Posted 24 September 2006 - 09:02 AM

I scanned my computer with avast and Spybot. Both programs didn't find any threats. Seems like Pipas.A is no longer here. Does that mean my computer is already cured? I noticed some strange things that didn't happen before. When I click on Windows Catalog I enter the Windows Marketplace website and my main page has changed to the Microsoft page. Is this normal? My browser seems to be working fine so far and the computer doesn't hang. And another thing I noticed: when scanning with avast, it scans about 35000 files. It used to be about 50000. And I have some folders in my trash can. Should I delete them? Once again, thanks for your help. I don't know what we would do without all the people who are helping us.

Edited by invisible, 24 September 2006 - 12:14 PM.


#8 invisible


Posted 24 September 2006 - 09:44 AM

As the new HijackThis log didn't appear (I don't know why) I ran HijackThis manually afterwards and fixed those O17 lines you mentioned (only O17s were found). Here is the new HijackThis log. I'm not quite sure if this was something I should do, but in case it's not I have a backup.

Logfile of HijackThis v1.99.1
Scan saved at 16:34:58, on 2006-09-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#9 invisible


Posted 24 September 2006 - 01:25 PM

Some more information. In the avast quarantine I have 27 files, 3 of them are system files (not viruses); those 3 are:

kernel32.dll
winsock.dll
wsock32.dll

Also, when scanning with avast, a window opens telling me that it is unable to scan 39 files. Most of them are sbRecovery.reg and sbRecovery.ini files but 4 of them are:

desktop.html
vxf2.game
vx6.game
vx1.game

Should I do something with those files? Are they viruses? I can send the full list if it is needed.

#10 invisible


Posted 24 September 2006 - 05:04 PM

I got some help on the other forum and finally everything seems to be clean. Now I'll see how my computer behaves and I will let you know. Thanks for your help and time. This website is great.

Edited by invisible, 24 September 2006 - 05:07 PM.


#11 Blender

Malware Response Team

Posted 24 September 2006 - 11:37 PM

Hi

Glad things are running better.

Just a few points and a couple of questions.

Thank you very much for your help. I downloaded the file and it finally worked. It asked me to reboot my computer so I did, then it was running in reboot mode. I only had small windows coming up telling me to be patient, fixing is in progress. Then this came out:


Yes this is normal. Explorer would have been stopped by the tool in order to delete the bad files/registry items.

And another thing I noticed: when scanning with avast, it scans about 35000 files. It used to be about 50000. And I have some folders in my trash can. Should I delete them?


Probably normal. Your temporary files are deleted with this tool as well, I believe. Temporary internet files can number in the thousands. If those folders in your recycle bin are no longer needed, yes, you can delete them.

As the new HijackThis log didn't appear (I don't know why) I ran HijackThis manually afterwards and fixed those O17 lines you mentioned (only O17s were found). Here is the new HijackThis log. I'm not quite sure if this was something I should do, but in case it's not I have a backup.


Yes, sometimes HijackThis does not start at the end of the tool fix. You were correct to have started HijackThis and fixed those O17s yourself. :thumbsup:
The tool removed the O4 line I had set for you to fix.

Also, when scanning with avast, a window opens telling me that it is unable to scan 39 files. Most of them are sbRecovery.reg and sbRecovery.ini files but 4 of them are


You can safely clean out Spybot's quarantine.

----------------

Can you tell me what these files in your Avast "Chest" are infected with:

kernel32.dll
winsock.dll
wsock32.dll

If you still have these files:

C:\WINDOWS\SYSTEM32\CSSDA.EXE
C:\WINDOWS\SYSTEM32\CSVUT.EXE
C:\WINDOWS\SYSTEM32\DMLST.EXE
C:\WINDOWS\SYSTEM32\DMOKP.EXE
C:\WINDOWS\SYSTEM32\DMRZG.EXE

Please have them scanned here:

http://virusscan.jotti.org/

http://www.virustotal.com/

If there are results, please let me know by copy/pasting the scan results back here.
You can copy/paste the file paths into the scan site beside the upload/submit button.

Thanks :flowers:

#12 invisible


Posted 25 September 2006 - 08:54 AM

Thank you for your help. Did you mean that I can clean out Spybot's or avast's quarantine? I'm not sure. I know how to clean avast but I'm not sure about Spybot. Those 3 files seem to be not infected at all. The "virus" windows are empty. I also have them (only those 3) in the "system files" folder of avast's quarantine. Those 5 "system32" files have been deleted already (manually, except one, which I deleted with "Killbox"). I executed it by mistake and it just disappeared, then I used Fixwareout again to get the new log. And some new file (or the same one with a different name, I don't know) was found. Then I used Killbox to delete it. You can see some more details here: forums.spybot
Bad thing I deleted it before I read your post. Maybe the results of this scan could have been useful, also for others.

Edited by invisible, 25 September 2006 - 09:24 AM.


#13 invisible


Posted 25 September 2006 - 10:04 AM

The other thing that worries me at this time is that when I had the first warnings from avast I panicked and instead of placing those found viruses in the avast quarantine I deleted a few of them (2 or 3). As I was doing it my screen was getting black so I stopped and rebooted my computer. Avast started detecting viruses again and I placed the rest of them in quarantine as was suggested. I'm worrying because I don't know if I didn't delete any system files. I was trying to remove viruses, but I don't know. As you wanted me to check those 3 files I suspect you were talking about Spybot's quarantine, otherwise I wouldn't be able to check those three anymore or do something with them if needed. I already cleaned out Spybot.

Edited by invisible, 25 September 2006 - 10:55 AM.


#14 invisible


Posted 25 September 2006 - 05:36 PM

I'm curious about one thing. If those three files are not infected, shouldn't I recover them from the avast quarantine? Or does it just not matter?

#15 Blender

Malware Response Team

Posted 26 September 2006 - 03:13 AM

Hi

Sorry bout not getting back sooner. I had to leave cus the neighbour tried to burn down the shack! :thumbsup:

Anyway... I see LonnyRJones has been handling your case just fine at the Spybot forums.
Rather than take up both his & my time I'll leave you with Lonny.
You are in great hands with him.

I believe Avast did its job just fine. Most likely those files it quarantined were fakes trying to replace the good ones. You can leave them in quarantine. Don't restore them.

Your system seems to be running OK so the real files must exist. :flowers:

Take care and surf safe!

Be sure to ask Lonny about info to help keep you safe online. :huh:

Blender

Topic closed. OP is getting help elsewhere. See here:

http://forums.spybot.info/showthread.php?t=7552

Thank you