Pigeon PP and svchost.exe issues

pedroman · Jan 11, 2008

I have noticed very routine small sessions of svchost.exe using as little as 174K and suspected possible problems based on there is a constant network traffic blip from this pc for no apparent reason. Ran different spyware products and found pigeon pp backdoor on the system. Searching for this I found majorgeeks and have followed directions per thread 139313.

Although the network traffic could be anything I want to insure it is not some bot running on my machine. From time to time the computer simply freezes while reading/writing to the various disks for an extended period of time. (<2-4 minutes)
Attached are the log files. Please review and advise as to removal of this pest Pigeon pp. Thanks for a great forum.

Pedroman

TimW · Jan 12, 2008

I'm not seeing alot that is left after running Combofix ...but lets clean up a bit.

Please use add/remove programs to uninstall:
J2SE Runtime Environment 5.0 Update 10"
J2SE Runtime Environment 5.0 Update 11"
J2SE Runtime Environment 5.0 Update 4"
J2SE Runtime Environment 5.0 Update 6"
J2SE Runtime Environment 5.0 Update 9"
Java(TM) 6 Update 2"
Java(TM) SE Runtime Environment 6 Update 1
Viewpoint Media Player (Remove Only)

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
Click to expand...

After clicking Fix, exit HJT.

Now empty out:
C:\WINDOWS\Temp\

Questions ...I didn't see a firewall, is that right? Some of your programs will "call home" periodically ....so you can control that with a firewall.

How much ram do you have installed and have you done a defrag lately?

pedroman · Jan 13, 2008

Thanks for the reply...funny to be bumped back to an E2-----ouch

Removed all files as requested, cleaned the registry as requested, emptied temp folder and defragged C.

I am using a firewall (WindowXP firewall) behind a router DLink DI 614+ with firewall so incoming traffic I'm not too concerned with

My only problem now is that IE 7 (7.05730.11) is not launching properly and hanging on first try. When looking at the system information dialog opening from IE7 I noticed the following:System / Internet Settings / Cache / List of objects: ---
Program File Status CodeBase
DownloadFile Control Installed http://81.86.29.25/cab/DownloadFile_8000.cab
iPIX ActiveX Control Installed http://www.ipix.com/download/ipixx.cab
PCPitstop Utility Installed http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
Shockwave ActiveX Control Installed http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
Shockwave ActiveX Control Installed http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
Java Runtime Environment 1.6.0 Installed http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Java Runtime Environment 1.6.0 Installed http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Java Runtime Environment 1.6.0 Installed http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Shockwave Flash Object Installed http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

My concern is this first item as the IP routes to Amsterdam and who knows what the heck this is doing. How do I remove this?

Thanks again,

Pedro

Log in or Sign up

Pigeon PP and svchost.exe issues

pedroman Private E-2

Attached Files:

MGlogs.zip

ComboFix.txt

Report-Scan-20080111-100020.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

pedroman Private E-2