Need help with removal of Pipas.A

Hi Bill, Welcome to Majorgeeks, your not wasting anyones time, so dont worry about that, we or more so the malware experts here will go at your speed and try to help you through this with easy instructions as they are very good at that,

But do you also have the

• runkeys.txt - the log from GetRunKey.bat
• newfiles.txt - the log from ShowNew.bat

logs from section #4 of the guide, they will want to see what items they show up.

 

Please run MSconfig and select Normal Startup as requested in step 7 of the READ ME.

Now run this WareOut Removal and attach the requested log.

Then also attach new logs from HJT and GetRunKey.

 

Not according to your previous GetRunKey log. It showed the below:

But now you have it correct because it shows:

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O1 - Hosts: 172.20.12.14 mail
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT....com/shop_phones.jsp?startPhone=motorola_razr
O17 - HKLM\System\CCS\Services\Tcpip\..\{58560511-2542-4AA4-A581-63BA7148CE88}: NameServer = 85.255.115.2,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{9590430C-F78B-4BE0-9E65-713B412D2E88}: NameServer = 85.255.115.2,85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{58560511-2542-4AA4-A581-63BA7148CE88}: NameServer = 85.255.115.2,85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{58560511-2542-4AA4-A581-63BA7148CE88}: NameServer = 85.255.115.2,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.2 85.255.112.7


After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete (if found):
C:\WINNT\SYSTEM32\CSKEC.EXE
C:\WINNT\SYSTEM32\DMJZO.EXE

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Sometimes this is just a problem with screen resolution.

• Boot into safe mode
• Right click the desktop
• Select Properties
• Select the Settings tab
• There are 2 things to change here. First is the Screen resolutuion. drag the slider to the right and select the highest resolution allowed
• Second is the Color quality. Select the highest allowed
• Select Apply and OK your way out of this window.

Did that help? If no change was seen immediately, does it help after a reboot. If not, tell me exactly what happens when you boot into safe mode. This is probably not a malware isse. It may even be necessary to reinstall your graphics card drivers.

 

Okay since you cannot right click but you can open Task Manager in safe mode. Boot into safe mode again and open Task Manager and click File, New Task (Run...) and enter Desk.cpl

Then in the next window

Select the Settings tab
There are 2 things to change here. First is the Screen resolutuion. drag the slider to the right and select the highest resolution allowed
Second is the Color quality. Select the highest allowed
Select Apply and OK your way out of this window.

Did that help? If no change was seen immediately, does it help after a reboot.

This is not a malware issue. It may even be necessary to reinstall your graphics card drivers. If the above does not help, I suggest posting a message in the Software Forum.

 

Are you still having any malware problems?

 

You're welcome.

If you are not having any other malware problems, you should work thru the below link:

How to Protect yourself from malware!