Pipas.A and other cr@p...

Discussion in 'Malware Help (A Specialist Will Reply)' started by Want2BSaint, Jan 10, 2006.

  1. Want2BSaint

    Want2BSaint Private E-2

    Hello!

    I *think* I have meticulously followed the step by step for cleaning my computer. I think I have gained ground and was hopeful when the Spybot S&D started running faster again... (It had been taking 1 1/2 to 2 hours to complete for the past couple of weeks. And the end result was ALWAYS "Pipas.A" being detected and fixed.) So I've gone back and re-did the step by steps.. rebooting in Safe mode, cleaning up with CCleaner, Microsoft Windows Malicious Software Removal Tool, Ad-Aware SE, Spybot S&D (not sure what the "SDHelper function" was...), and then the Microsoft Antispyware. I'm not sure if "Pipas.A" is back or still on, but when I ran the on-line scanners BOTH picked up bad stuff. I've attached the Bitdefender and Panda ActiveScan logs and the HJT log for good measure. I hope I've done this right. Can you please help and advise?

    Thank you!
    Emily
     

    Attached Files:

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1. Download and Install CCleaner
      • Note that, when asked to run CCleaner, you should run ONLY the default scan (Windows Tab). Do Not “Scan For Issues”!

    2. Download FixWareout by Lonny and save it to your Desktop.


    3. Download & Install Ewido Security Suite
      • Be sure to uncheck Install background guard and Install scan via context menu when you Install Ewido.
      • After installing EWIDO, please update its definitions by Clicking the Update Button > Start.
      • Just leave it for now. You'll be running it shortly ;)

    4. Please locate your download of FixWareout and INSTALL it.
      • Be sure that Run fixit is checked.
      • Click Finish to begin the fix.
      • Follow the prompts and Reboot when asked to do so.
      • Upon Reboot, follow the prompts and HijackThis should open.

    5. After HJT opens, Click Scan and then Check the boxes for the following, if they should remain:

      O17 - HKLM\System\CCS\Services\Tcpip\..\{1BA63887-50E3-4837-B1FA-1EA007B2B226}: NameServer = 85.255.114.85,85.255.112.13
      O17 - HKLM\System\CS1\Services\Tcpip\..\{1BA63887-50E3-4837-B1FA-1EA007B2B226}: NameServer = 85.255.114.85,85.255.112.13
      O17 - HKLM\System\CS2\Services\Tcpip\..\{1BA63887-50E3-4837-B1FA-1EA007B2B226}: NameServer = 85.255.114.85,85.255.112.13


    6. Now, run CCleaner, Be sure you only run the Default Scan (Windows Tab) and select Run Cleaner. Do not run any other options from other tabs.


    7. Please Boot to Safe Mode!
      • Open Ewido and Select Scanner. Click Settings, make sure ALL boxes are checked under How to Scan & Unwanted Software and that Scan Every File has been selected.
      • When EWIDO has been configured correctly, click OK.
      • Click Complete System Scan to begin the scan. Allow EWIDO to clean all that it finds and then save the log to where you can find it easily.

    8. After ALL of the above has been completed, please REBOOT to normal Windows, scan with HijackThis and ATTACH that log. Please save and attach the logs from the EWIDO scan, and the log found at C:\fixwareout\report.txt as well.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.
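
An added example, not part of the original post or of HijackThis: the O17 lines in step 5 record the NameServer value for one network interface under each control set, and the check below parses such lines and reports resolvers outside an expected range. The `EXPECTED` LAN range and the fourth sample line are constructed assumptions.

```python
import ipaddress
import re

# Matches HijackThis O17 lines such as the three listed in step 5 above.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>[^\\]+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<iface>\{[0-9A-Fa-f-]{36}\}): NameServer = (?P<servers>.+)$"
)

def parse_o17(log_text):
    """Return (control_set, interface_guid, [ip, ...]) for each O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = []
        for raw in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                servers.append(ipaddress.ip_address(raw))
            except ValueError:
                pass  # skip anything that is not a literal IP address
        entries.append((m.group("cset"), m.group("iface"), servers))
    return entries

def unexpected_resolvers(log_text, expected_networks):
    """Map each resolver outside expected_networks to the control sets that carry it."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = {}
    for cset, _iface, servers in parse_o17(log_text):
        for ip in servers:
            if not any(ip in net for net in nets):
                findings.setdefault(str(ip), []).append(cset)
    return findings

# The three O17 lines from the post, plus one constructed line for contrast.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{1BA63887-50E3-4837-B1FA-1EA007B2B226}: NameServer = 85.255.114.85,85.255.112.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{1BA63887-50E3-4837-B1FA-1EA007B2B226}: NameServer = 85.255.114.85,85.255.112.13
O17 - HKLM\System\CS2\Services\Tcpip\..\{1BA63887-50E3-4837-B1FA-1EA007B2B226}: NameServer = 85.255.114.85,85.255.112.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""
# Assumption: this machine should only use resolvers on its own LAN.
EXPECTED = ["192.168.1.0/24"]

if __name__ == "__main__":
    for ip, csets in unexpected_resolvers(SAMPLE_LOG, EXPECTED).items():
        print(f"{ip}: set in {', '.join(csets)}")
```

A resolver reported under CCS, CS1 and CS2 alike is present in every control set listed, which is why the post has all three lines checked.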
     
  3. Want2BSaint

    Want2BSaint Private E-2

    Ok BJ,

    I went through the step by steps you gave me, and I *hope* we're good now! I am so tired that I can't hardly keep my eyes open :eek: (I've been fighting with this for the past week or so...) Ewido got rid of 37 bad files!! and that was AFTER Fixwareout got several too! Of course, you probably knew that...:)

    So here are the latest reports attached for the Fixwareout, Ewido and HJT. I'll check back in the morning to see if you have any more advice and let you know how things are running. Thanks so much for the help!

    Peace, Emily
     

    Attached Files:

  4. Want2BSaint

    Want2BSaint Private E-2

    Hello!

    Well, the latest this morning... computer ran fine first thing, and since hubby is the first to use it in the morning AFTER he was done he ran Ad-Aware SE (in regular mode, not safe) and came up with 6 critical objects that he got rid of. Then, when I got up, I ran the Spybot S&D that came up clean, but then the rest of the computer froze up. I couldn't click on or run anything. So, I shut it down and restarted. THEN a little box pops up on the top part of the screen that says "no new messages" and the only way to get THAT off is to shut it down again.... incidentally, the only time that little message shows up is when we choose "re-start" rather than shutting it completely down and then turning it back on again.

    When we do choose to shut it down, there is still some message about "IMEKO..." something but it flashes up real quick and then off again before I can finish reading what it says...

    Also, whenever we open there is a "desktop.ini - Notepad" that pops open automatically. I have NO IDEA where this came from, or what it's for, but is there a way we can stop it from loading? It just seems to slow down the start up of the computer.

    Thanks again!
    Emily
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    F2 - REG:system.ini: UserInit=userinit.exe

    O4 - HKLM\..\Run: [321102] SysEntry.exe
    O4 - HKLM\..\Run: [TorontoMail] driver32.exe
    O4 - HKCU\..\Run: [IM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Brong32] driver64.exe
    O4 - HKCU\..\Run: [typeconf] cnftips.exe
    O4 - HKCU\..\Run: [init32] ssweeper.exe

    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.



    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, attach a fresh HJT log from normal mode.
     
  6. Want2BSaint

    Want2BSaint Private E-2

    do I run any of these (except the HJT) in safe mode? Or just regular?

    Thanks, Em
     
  7. Want2BSaint

    Want2BSaint Private E-2

    Okay, never mind, because when I tried to run in regular mode, my computer shut down and restarted... and the "no new messages" little tag-box was back on the opening screen. AND it even flashed for a moment and said "authorizing...." and then flashed back to "no new messages". Can't move it or get rid of it... hhhhmmmm....

    Anyway, I ran both Ad-Aware and Spybot in safe mode. Both came up clean... but what about pocketkillbox? Since I haven't used that one before I will await further instruction before proceeding.

    Thanks, Emily
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just double click to open the utility and then follow my steps below. You will see in the utility what I'm talking about.
     
  9. Want2BSaint

    Want2BSaint Private E-2

    Well, I'm gonna try this again. I just tried to post a reply and my computer shut down... <<sigh>>

    I followed the latest instructions, over again. I had to leave and when I got back, hubby had been using the computer, so I ran Ad-Aware and Spybot again in regular mode. Both came up clean, except for some MRU's on Ad Aware, but after I ran the Spybot, the computer froze up again and I had to shut it down and restart before I ran the killbox. I ran the killbox per your instructions and ran a new HJT scan, attached.

    Now some additional notes that you may or may not be able to help me with. On shutting the computer down I get a message for "MEKBDNO.EXE-DLL Initialization failed", and then this last time "Washer.exe-dll Initialization failed" also came up.

    Now when I restart I get two bubble messages at the bottom of the screen on the start up bar. Both have the inverted yellow triangle and titled "Devices or applications disabled"

    The first message reads: "Applications or devices on this computer use drivers that will cause Windows to become unstable. Windows has prevented these drivers from loading. Click here for more details."

    The second message reads: "'CD Recording Software' will cause Windows to become unstable. Windows has prevented these drivers from loading. Click here for more details."

    These have been coming up for quite some time, and we hadn't noticed any problems because of them. We usually just click off of them.

    Finally, the desktop.ini-notepad still popped up when I restarted the computer. On the notepad it reads:
    V.Shell
    LocalizeResourceName@%SystemRoot%\system32\shell32.dll,-21787

    I don't know where it came from or what it means, and we just "X" off of it.

    Thanks for all the help!

    Emily
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean. Something I just noticed that skipped past me is that you have Norton AntiVirus and AVG AntiVirus. This will cause conflicts on your computer; you need to pick one and uninstall the other.

    After you do this, reboot and let me know if any malware related problems remain.
     
  11. Want2BSaint

    Want2BSaint Private E-2

    Okay,

    I had forgotten about that... I have been trying to figure out HOW to uninstall the Norton. I have been using the AVG for the past couple of years since I hadn't been able to afford the updates for Norton. Any ideas how to uninstall?

    I'll give it another look.

    Thanks
    Em
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, try Add/Remove Programs. If that doesn't work, then there is a utility that will remove it.
     
