Pipas.A Trojan and other problems-need help

Discussion in 'Malware Help (A Specialist Will Reply)' started by Pimped, Oct 3, 2006.

  1. Pimped

    Pimped Private E-2

    Hey there again :)

    I really hate this computer! lol

    Been working fine up till now when all of a sudden it just went berserk and started getting some trojans from somewhere, and Norton 2004 antivirus/firewall was up to date as well as Win Defender etc.

    Anyways, when you have the time, please have a look at the attached logs; some files are just in old backup zip folders and others are definitely new and fishy. PIPAS.A was detected and removed by Spybot S&D, but I remember it doing it before, and a Google search told me that it isn't easy to remove!

    CCleaner - Cleaned
    WIndows Malicious Software Removal - Nothing detected
    Spybot SD - Pipas.A detected
    Windows Defender - Nothing Detected
    Bitdefender - Nothing detected
    Activescan - A lot detected

    P.S.: the file activescan-mycomputer.txt is where I selected My Computer in ActiveScan and it found one virus
     

    Attached Files:

  2. Pimped

    Pimped Private E-2

    More files :)
     

    Attached Files:

  3. Pimped

    Pimped Private E-2

    Do you require this file: tmpnewfiles.txt?
     
  4. Pimped

    Pimped Private E-2

    Update, forgot to tell you that when I'm clicking any link on Google for the first time, it always ends up just going to msn.com or another page, and then if I click back and do it again it works perfectly.

    thanks
     
  5. Pimped

    Pimped Private E-2

    Bump.... sorry, it's got to page 3, so had to ;)
     
  6. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Sadly you're not helping yourself by bumping, as the malware guys work from the oldest thread to the newest, so bumping will just send you to the back of the queue.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are using OLD outdated versions of ShowNew and GetRunKey. You must ALWAYS check for new versions of all programs to make sure you have current versions. Please download the current versions from the links given in the READ ME and attach new logs.

    Also note Halo's comment about bumping. It only hurts you when you bump. Just post your message and please be patient until we can get to you. We are extremely busy and lately only one person (me) has been working here for any length of time each day. Those 3 messages you added after your initial logs were posted cost you about 2 days of additional wait time.

    In the meantime, you also need to delete the below junk in a backup folder:
    C:\Documents and Settings\HP_Owner\My Documents\Backup Of Old PC\Backup Of Old PC\C Drive\Program Files\Common Files\SearchUpgrader\system.cfg
    C:\Documents and Settings\HP_Owner\My Documents\Backup Of Old PC\Backup Of Old PC\C Drive\Program Files\MyWay\myBar\2.bin\MY2NS.EXE
    C:\Documents and Settings\HP_Owner\My Documents\Backup Of Old PC\Backup Of Old PC\C Drive\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
    C:\Documents and Settings\HP_Owner\My Documents\Backup Of Old PC\Backup Of Old PC\C Drive\Program Files\MyWay\myBar\2.bin\NPMYWAY.DLL
    C:\Documents and Settings\HP_Owner\My Documents\Backup Of Old PC\Backup Of Old PC\C Drive\WINDOWS\SYSTEM\P2P Networking v126.cpl


    You also need to install the current version of Sun Java from: Sun Java Runtime Environment

    Then uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5

    You now need to run this: WareOut Removal and attach the requested log.

    After running the above, also attach a new HJT log.
     
  8. Pimped

    Pimped Private E-2

    I'm sorry, I didn't realise that they had been updated. I think maybe a flashing *UPDATED* next to their respective links might have helped (just a thought)

    Sorry, I couldn't edit my initial posts so I had to include extra posts, and I didn't know that bumping would delay things, but now it makes sense... D'OH!

    OK, done what you asked and I think that FixWareout is onto something because it found some suspect files which look like the filenames of the trojans that Norton kept on going crazy over (after some random hard drive activity)

    Cheers :)
     

    Attached Files:

  9. Pimped

    Pimped Private E-2

    AH POOP! I forgot to uninstall the older version of Sun Java before I did the RunKeys and NewFiles and the rest.

    What does this mean?
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must ALWAYS run steps in the order that they are written!

    Note: We do not need the tmpnewfiles.txt log. It is already in the newfiles.txt log. tmpnewfiles.txt log is just a temporary file used while building the full log.


    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [vgswx.exe] C:\WINDOWS\system32\vgswx.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1E753944-0B67-47C2-A47E-6211C651DD6D}: NameServer = 85.255.116.78,85.255.112.227
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1E7E74EC-E43B-4959-9B6F-E31A09362A8F}: NameServer = 85.255.116.78,85.255.112.227
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4AFB4ACD-934B-41A1-BF89-776BAB35ACD7}: NameServer = 85.255.116.78,85.255.112.227
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF175D23-0D57-4C12-B9C7-6EA72670BEA1}: NameServer = 85.255.116.78,85.255.112.227
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BF40AEAD-F386-4D72-A244-5ACBB99AD874}: NameServer = 85.255.116.78,85.255.112.227
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.78 85.255.112.227
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1E753944-0B67-47C2-A47E-6211C651DD6D}: NameServer = 85.255.116.78,85.255.112.227
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.78 85.255.112.227

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\vgswx.exe
    C:\WINDOWS\System32\CSXQJ.EXE
    C:\WINDOWS\system32\{5EEF4856-45D6-46F3-9E5C-BB41428611AF}.exe
    C:\WINDOWS\system32\{F7FBA638-B3A7-441C-A993-D81340D6674D}.exe

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now! It could be necessary to run the WareOut fix again if those O17 lines do not go away.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
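The O17 lines chaslang lists above are HijackThis's rendering of the NameServer values stored under the Tcpip service keys; a machine whose every interface points at the same pair of outside resolvers it never asked for is the signature of a DNS hijack like the one causing the Google redirects. The small checker below is an added example (not part of the thread and not a MajorGeeks tool): it parses O17 lines from an HJT-style log and flags any resolver outside an assumed allow-list of private LAN ranges. The three flagged sample lines are copied from the log above; the benign 192.168.1.1 entry and the GUID on it are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# HijackThis O17 line: "O17 - <registry key>: NameServer = <ip>[,<ip>...]"
# The Parameters keys separate servers with a space, the interface keys
# with a comma, so both separators are accepted.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\\S+?): NameServer = (?P<servers>[\d., ]+)$"
)

# Assumed allow-list: a home PC of this era normally gets DNS from its
# router or ISP via DHCP, so a static LAN resolver is the only expected case.
EXPECTED_RESOLVERS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)

SAMPLE_LOG = [
    # The first three lines are from the HJT log quoted in the thread above.
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{1E753944-0B67-47C2-A47E-6211C651DD6D}: NameServer = 85.255.116.78,85.255.112.227",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.78 85.255.112.227",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.78 85.255.112.227",
    # Constructed benign entry: a home router handing out DNS on the LAN.
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
    # Unrelated O4 line from the same log; the parser must ignore it.
    r"O4 - HKLM\..\Run: [vgswx.exe] C:\WINDOWS\system32\vgswx.exe",
]


def parse_o17(line):
    """Return (registry_key, [server, ...]) for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[ ,]+", m.group("servers")) if s]
    return m.group("key"), servers


def unexpected_resolvers(lines, allowed=EXPECTED_RESOLVERS):
    """List (registry_key, server) pairs whose server is outside the allow-list."""
    findings = []
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for s in servers:
            try:
                addr = ip_address(s)
            except ValueError:
                findings.append((key, s))  # malformed value is itself suspicious
                continue
            if not any(addr in net for net in allowed):
                findings.append((key, s))
    return findings
```

Running `unexpected_resolvers(SAMPLE_LOG)` reports both 85.255.x.x resolvers under each of the three keys and nothing for the router entry, which is the same call chaslang makes by eye when he tells the poster the O17 lines must go away.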
     
  11. Pimped

    Pimped Private E-2

    Hey there.

    Yes, sorry I missed that step.

    I had a very strong feeling that the O17 lines were dodgy.

    Everything went according to plan, but there was no c:\windows\system32\vgswx.exe; I searched all over Windows for it but I couldn't find it.

    Apart from that, it seems alright so far. :D

    BTW, I noticed one thing in the GetRunKeys log: it says installation folder of the "Show New" files. I think the programmer made a typo. :)
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! It is a copy & paste and forgot-to-edit error that is fixed in the new, but as of yet unreleased, version of GetRunKey. A new version of ShowNew is coming too, and both programs will be in one download which is a self-extracting and installing program which also autoruns to create the two logs.


    Run Pocket Killbox and select File, Cleanup, Delete All Backups!

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  13. Pimped

    Pimped Private E-2

    Aha, I see, wow that's really impressive dude. What's your secret? lol, what brand of cereal do you eat? :)

    Okay, I do remember one scan I did a little while back found Killbox backups to be infected and deleted them automatically, but I will do it right now and then do the System Restore thing.

    Many thanks once again dude, it's really appreciated :D
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf Safely!
     
