Pipas.A Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by microlion, Jan 7, 2006.

  1. microlion

    microlion Private E-2

    Hi,

    Need to remove Pipas.A. I have been unable to remove this... Spybot 1.4 runs real slow and then reports Pipas.A infection.. I have run all the items on your forum website checklist... I am attaching results from scans and HijackThis pgm. Any help would be greatly appreciated...

    I could not run the scans in safe mode....

    I have not reset system restore yet...


    Thanks,

    Dan

    Here are reports...

    Inline logs attached!
     


    Last edited by a moderator: Jan 7, 2006
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  3. microlion

    microlion Private E-2

    Hi.. Thanks... I have already run that and it still shows up when running Norton Internet Security 2006 Scan..

    Dan
     
  4. microlion

    microlion Private E-2

    Oops, sorry.. a little mushy this morning.. up most of the night with this problem... I was thinking of Avira

    Dan
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    After you complete the Ewido scan, reboot and attach this log with a fresh HJT log.
     
  6. microlion

    microlion Private E-2

    Thanks running now...
     
  7. microlion

    microlion Private E-2

    Here are the results of the Ewido scan and a new HijackThis log...

    Dan

    Inline logs attached!
     


    Last edited by a moderator: Jan 7, 2006
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    From now on please ATTACH all logs to your post using the Manage Attachments feature.

    Reboot into Safe Mode and run Ewido once more to see if it can clean those found infections.
     
  9. microlion

    microlion Private E-2

    OK.. thanks for the correction.. will be right back..
     
  10. microlion

    microlion Private E-2

    Just a quick question....

    I have different logins, should I run Ewido under each of the different logins..

    Dan
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You should run the READ ME for each account as each account has its own settings and files.

    Run Ewido in safe mode under the Administrator account if possible.
     
  12. microlion

    microlion Private E-2

    ok.. will do and then repost.. Ewido and HiJack logs..
     
  13. microlion

    microlion Private E-2

    Ewido said on the screen that it found 4 and fixed.. here are the logs from Ewido and HijackThis..

    Thanks,

    Dan
     


  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This HJT log appears to be from safe mode, if you will attach a fresh one from normal mode.
     
  15. microlion

    microlion Private E-2

    ok...here it is....

    Dan
     


  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.


    Download FixWareout by Lonny and save it to your Desktop.

    Please locate your download of FixWareout and INSTALL it.
    Be sure that Run fixit is checked.
    Click Finish to begin the fix.
    Follow the prompts and Reboot when asked to do so.
    Upon Reboot, follow the prompts and HijackThis should open.

    After HJT opens, Click Scan and then Check the boxes for the following, if they should remain:

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    O15 - Trusted Zone: http://www.adobe.com
    O15 - Trusted Zone: http://tucson.cox.net

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E337761F-62E0-475D-A7DF-6EAB05EDF5C9}: NameServer = 85.255.114.10,85.255.112.61

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After you complete the above, reboot and attach a fresh HJT log along with the log from the Fix wareout utility. (C:\fixwareout\report.txt)
     
  17. microlion

    microlion Private E-2

    ok.. thanks, will do as you suggest.. I am in the step of doing the Spybot Scan, but it is running slow; I will post the items as soon as they are done...

    Thanks,

    Dan
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Will be awaiting results!
     
  19. microlion

    microlion Private E-2

    Hi,

    When I ran Spybot, Pipas.A showed up again.. Selected fix.. did as you suggested. Ran FixWareout and two logs are attached.. one before and one after fix. Also ran HijackThis and log is attached..

    Thanks

    Dan
     


  20. microlion

    microlion Private E-2

    Could not get the 2nd report to post as it is the same as the first.. it states that it has already been posted...
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [dmdsg.exe] C:\WINDOWS\system32\dmdsg.exe

    Make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\dmdsg.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, reboot into Safe Mode. Run the Fix wareout utility once more and attach this log. Close HJT when it opens.
     
  22. microlion

    microlion Private E-2

    Good morning...

    Here is the Fixwareout log...

    Dan
     


  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a fresh HJT log from normal mode.
     
  24. microlion

    microlion Private E-2

    Here is HijackThis log..

    Thanks
     


  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    microlion,

    You seem to be rebooting after attaching these logs, attach a fresh HJT log and DO NOT REBOOT until you hear from me.
     
  26. microlion

    microlion Private E-2

  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a current HJT log and wait for my reply before you reboot as this renames the infected file and makes it harder to remove.
     
  28. microlion

    microlion Private E-2

    Here is the log file.. awaiting instructions...
     


  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [dmnqz.exe] C:\WINDOWS\system32\dmnqz.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\dmnqz.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, reboot to SAFE MODE and run the Fix wareout utility once more, close HJT when it pops up. Attach this log to your next post with a fresh HJT log after you have rebooted back to normal mode after running the utility.
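
Added example (not part of any post in this thread, and not code from HijackThis or MajorGeeks): a small Python triage of the HijackThis lines quoted in the posts above, flagging the kinds of entries the helper asked to have fixed. The expected-resolver address and the "Run value named after its own .exe in system32" heuristic are assumptions made for illustration.

```python
import re
from ipaddress import ip_address

# HijackThis lines quoted in the posts of this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [dmdsg.exe] C:\WINDOWS\system32\dmdsg.exe
O4 - HKLM\..\Run: [dmnqz.exe] C:\WINDOWS\system32\dmnqz.exe
O15 - Trusted Zone: http://www.adobe.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E337761F-62E0-475D-A7DF-6EAB05EDF5C9}: NameServer = 85.255.114.10,85.255.112.61
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Assumption: the resolver this machine is supposed to use (constructed value).
EXPECTED_RESOLVERS = {ip_address("192.168.1.1")}

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DNS_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
SYS32_EXE_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\(?P<file>[^\\\s]+\.exe)$", re.I)

def triage(log_text, expected=EXPECTED_RESOLVERS):
    """Return (reason, line) pairs for log entries that deserve a closer look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        run = RUN_RE.match(line)
        if run:
            exe = SYS32_EXE_RE.match(run["cmd"])
            # Heuristic (assumption): autorun value named after its own file in system32.
            if exe and exe["file"].lower() == run["name"].lower():
                findings.append(("run-value-named-after-exe", line))
            continue
        dns = DNS_RE.match(line)
        if dns:
            servers = [ip_address(s) for s in re.split(r"[,\s]+", dns["servers"].strip())]
            if any(s not in expected for s in servers):
                findings.append(("unexpected-nameserver", line))
            continue
        # Winlogon Notify entry whose DLL is no longer on disk.
        if line.startswith("O20 - ") and line.endswith("(file missing)"):
            findings.append(("notify-dll-missing", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The renamed autorun entry (`dmdsg.exe`, then `dmnqz.exe`) is caught by the same rule both times, which is why the check keys on the value/file-name relationship rather than on a fixed file name.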
     
  30. microlion

    microlion Private E-2

    Here are the logs...

    Thanks...
     


  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Microsoft AntiSpyware

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O4 - HKLM\..\Run: [dmnqz.exe] C:\WINDOWS\system32\dmnqz.exe

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, attach a fresh HJT log.
     
  32. microlion

    microlion Private E-2

    Here is the latest HJT log.

    Thanks

    Dan
     


  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The HJT log looks clean; to ensure you're clean, let's run the below.

    Please see the below thread on how to run WinPfind and attach the log.
     
  34. microlion

    microlion Private E-2

    Running now...

    Thanks

    Dan
     
  35. microlion

    microlion Private E-2

    Here is the WinPFind Log

    Thanks

    Dan
     


  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Looks good, only one thing that bothers me. Click Start > Run > type in regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    Right click on Ratings and select EXPORT. Save this to your desktop, ZIP it and attach it to your next post.
     
  37. microlion

    microlion Private E-2

    Ratings is attached.. did not zip only 2k..

    Thanks

    Dan
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot attach .reg files; that is why BJ asked you to ZIP it. ZIP it, then upload it as an attachment.
     
  39. microlion

    microlion Private E-2

    Sorry, on its way...
     
  40. microlion

    microlion Private E-2

    Here is Ratings.zip

    Thanks, sorry about not following directions.
     


  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    After you complete the above, reboot and let me know how things are running and if any problems remain.
     
  42. microlion

    microlion Private E-2

    I left the machine running...


    Thanks.. I will do this later as I am away from the computer until later this evening... Do you think it wise to reinstall MS Antispyware or run without it...?

    Also, I have Spy Catcher (full Version) to install if you think it wise....

    Should I run Spybot and see if Pipas.A shows up..?

    Thanks again

    Dan
     
  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    MSAS is still in Beta. I personally don't use it because it's a resource hog and a few other reasons. It's up to you whether you install it or not. Spy Catcher I can't judge because I've never used it, but I believe there are better.

    Yes, run another scan with Spybot, see if it detects the entry. Run the reg fix in my previous post first, then attach the Spybot log.
     
  44. microlion

    microlion Private E-2

    Ok.. will do and let you know this evening...

    Thanks..
     
  45. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I will be awaiting results.
     
  46. microlion

    microlion Private E-2

    I do believe the machine is clean of Pipas.A..

    I am attaching Spybot report and HijackThis Report..

    I have just one more question about System Restore.. Should I disable it and then turn it back on to clear it out..

    Also,, I can not express how much I appreciate your help.....

    Thanks....

    Dan
     


  47. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean!

    You can disable and re-enable system restore if you like. I requested it be done a few steps back but it probably wouldn't hurt to do it again.

    If things are running fine, see this article on How to Protect yourself from malware!
     
  48. microlion

    microlion Private E-2

    Thanks for your help......

    I don't know how else to show my appreciation.. the interchange was great....


    Dan
     
  49. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!

    Surf Safely:)
     
