Malware and Virus Removal
Problems removing malware/viruses? Get help from our Malware removal experts.
Mission Statement
WindowsBBS is an online community dedicated to easily accessible technical support for those using Microsoft operating systems and other Windows software.
Our goal is to become the leading resource for computer users that require assistance with their day-to-day computer usage, including full support for networking PC's, virus & malware removal, system upgrades and general support questions.
Greetings, I think I have the same problem as narf41.
Ran Spybot and Adaware; found Pipas.A residing and it won't go away. Any selection from the browser redirects me to a site with a changing name but a very similar look.
here is Hijack log from safe mode: note that one entry, flagged with , keeps changing its name
Logfile of HijackThis v1.99.1
Scan saved at 7:13:50 PM, on 13/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
Thanks again, don't know what I'd do without this help.
Here is the Fixwareout log:
Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\wvlmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmlvw.exe"=-
...
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
»»»»» Misc files
»»»»» Checking for older varients covered by the Rem3 tool
»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMJLB.EXE 44,127 2004-08-04
C:\WINDOWS\SYSTEM32\DMLVW.EXE 44,127 2004-08-04
and Hijack log
Logfile of HijackThis v1.99.1
Scan saved at 4:12:23 AM, on 14/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
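The Fixwareout report above explains its own method: it searches System32 for "five digit cs, dm and jb files" and warns that the listing can include legitimate files, which is why it says to submit hits to VirusTotal rather than delete them on sight. The following is an added example, not part of the thread or of the Fixwareout tool, that reproduces that naming heuristic over a constructed directory listing. The two DM*.EXE rows mirror the report's hits; the other rows, their sizes, and the small allowlist are assumptions made up to show why a name-pattern check on its own is not a verdict.

```python
import re
from collections import Counter

# Constructed System32 listing as (path, size in bytes, date). Sizes and dates
# are illustrative; only the two DM*.EXE names come from the thread's report.
SAMPLE_LISTING = [
    (r"C:\WINDOWS\SYSTEM32\DMJLB.EXE", 44127, "2004-08-04"),
    (r"C:\WINDOWS\SYSTEM32\DMLVW.EXE", 44127, "2004-08-04"),
    (r"C:\WINDOWS\SYSTEM32\CSRSS.EXE", 6144, "2004-08-04"),
    (r"C:\WINDOWS\SYSTEM32\DMADMIN.EXE", 224768, "2004-08-04"),
    (r"C:\WINDOWS\SYSTEM32\IPSEC6.EXE", 60928, "2004-08-04"),
]

SYSTEM32 = "c:\\windows\\system32\\"
# "five digit cs, dm and jb files": a two-letter prefix plus three more letters, .exe
FIVE_LETTER_RE = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.IGNORECASE)

# Assumed allowlist of genuine Windows binaries that also fit the pattern. In practice
# this would come from a trusted file catalogue; here it is a constructed example.
KNOWN_GOOD = {"csrss.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def candidate_files(listing) -> list:
    """Paths in System32 whose name matches the cs/dm/jb five-letter heuristic."""
    return [
        path for path, _size, _date in listing
        if path.lower().startswith(SYSTEM32) and FIVE_LETTER_RE.match(basename(path))
    ]


def triage(listing, known_good=KNOWN_GOOD) -> dict:
    """Label each candidate: 'known-good' if it is on the allowlist, otherwise
    'submit' (the report's own advice: submit unrecognised hits to VirusTotal).
    Unrecognised candidates that share an identical byte size are marked as
    same-size copies, since the thread's two hits were exactly the same size."""
    wanted = set(candidate_files(listing))
    candidates = [(p, s) for p, s, _ in listing if p in wanted]
    unknown_sizes = Counter(s for p, s in candidates if basename(p).lower() not in known_good)
    result = {}
    for path, size in candidates:
        if basename(path).lower() in known_good:
            result[path] = "known-good"
        elif unknown_sizes[size] > 1:
            result[path] = "submit (same-size copies)"
        else:
            result[path] = "submit"
    return result


if __name__ == "__main__":
    for path, label in triage(SAMPLE_LISTING).items():
        print(f"{label:26} {path}")
```

Note that the constructed csrss.exe row is caught by the pattern too; that is the point the report makes with ipsec6.exe, and the reason the output is a list to check, not a list to delete.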
Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.
Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.
Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
C:\WINDOWS\SYSTEM32\DMLVW.EXE <<<--this file
C:\WINDOWS\SYSTEM32\DMJLB.EXE <<<--this file
ALCXMNTR.EXE<<<--this file
panel_its.exe<<<--this file
To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.
Post a new HJT log back into this thread please.
Also, unless specified, please provide HJT log file generated in 'Normal Mode', thanks.
Deleted all instances I could find, including from the recycle bin. Assuming all is good; thanks again for your help.
Hijack log in "Normal" mode:
Logfile of HijackThis v1.99.1
Scan saved at 5:34:39 PM, on 15/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I'd also like to run a precautionary scan, seeing how Wareout likes to drop a rootkit every now and again, which won't show in HJT, but does produce some symptoms.
Please download RootKitRevealer from here: http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.
C:\$VAULT$.AVG\92236515.FIL 16/06/2006 7:09 PM 43.56 KB Hidden from Windows API.
C:\$VAULT$.AVG\92243312.FIL 16/06/2006 7:10 PM 43.56 KB Hidden from Windows API.
C:\$VAULT$.AVG\92249828.FIL 16/06/2006 7:10 PM 43.56 KB Hidden from Windows API.
C:\$VAULT$.AVG\92255203.FIL 16/06/2006 7:10 PM 43.56 KB Hidden from Windows API.
C:\$VAULT$.AVG\92262171.FIL 16/06/2006 7:10 PM 3.49 KB Hidden from Windows API.
C:\$VAULT$.AVG\92267984.FIL 16/06/2006 7:10 PM 43.56 KB Hidden from Windows API.
C:\$VAULT$.AVG\92272937.FIL 16/06/2006 7:10 PM 43.56 KB Hidden from Windows API.
C:\$VAULT$.AVG\92278640.FIL 16/06/2006 7:10 PM 43.56 KB Hidden from Windows API.
C:\$VAULT$.AVG\92283203.FIL 16/06/2006 7:10 PM 3.49 KB Hidden from Windows API.
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP2\A0000942.exe 4/08/2004 10:00 PM 43.09 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP2\A0000957.exe 4/08/2004 10:00 PM 43.09 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP2\A0000970.exe 4/08/2004 10:00 PM 43.09 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP2\A0000989.exe 4/08/2004 10:00 PM 43.09 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP5\A0001170.exe 2/06/2006 10:32 PM 3.03 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP6\A0001561.exe 4/08/2004 10:00 PM 43.09 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP7\A0001588.exe 4/08/2004 10:00 PM 43.09 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP8\A0001624.exe 4/08/2004 10:00 PM 43.09 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP8\A0001667.exe 12/06/2006 12:57 AM 3.03 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP9\A0001771.exe 4/08/2004 10:00 PM 43.09 KB Visible in Windows API, MFT, but not in directory index.
C:\WINDOWS\ye2.exe 30/05/2006 12:18 AM 57.40 KB Visible in Windows API, MFT, but not in directory index.
D: 1/01/1601 10:00 AM 0 bytes Error mounting volume
All of those are either in the AVG vault or in system restore and are of no consequence.
Is your machine now running smoothly with no other problems?
If so, we can now reset system restore.
You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
Turning off System Restore will clear out all previous restore points.
To turn off Windows XP System Restore:
NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Restart the computer and follow the instructions in the next section to turn on System Restore.
To turn on Windows XP System Restore:
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.
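The RootkitRevealer output posted above and the reply's reading of it (entries in the AVG vault or under System Restore are of no consequence, so only anything else needs a second look) amount to a small triage rule. The following is an added example, not part of the thread or of the Sysinternals tool, that parses lines in the report's format and applies that rule. The sample lines are abbreviated from the thread's own paste with illustrative sizes and timestamps, and the verdict labels and reasons are my own wording.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample lines in RootkitRevealer's discrepancy-report format. They are
# abbreviated from the thread's own paste; sizes and timestamps are illustrative only.
SAMPLE_LOG = [
    r"C:\$VAULT$.AVG\92236515.FIL 16/06/2006 7:09 PM 43.56 KB Hidden from Windows API.",
    r"C:\System Volume Information\_restore{D34137C1-F216-4803-BF12-FAFE117CE9FA}\RP2\A0000942.exe 4/08/2004 10:00 PM 43.09 KB Visible in Windows API, but not in MFT or directory index.",
    r"C:\WINDOWS\ye2.exe 30/05/2006 12:18 AM 57.40 KB Visible in Windows API, MFT, but not in directory index.",
    r"D: 1/01/1601 10:00 AM 0 bytes Error mounting volume",
]

# One report line: <path> <date> <time> <size> <discrepancy note>. The path may
# contain spaces, so it is matched lazily up to the first date-looking token.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<date>\d{1,2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) "
    r"(?P<note>.+?)\.?$"
)


class Entry(NamedTuple):
    path: str
    size: str
    note: str
    verdict: str   # "benign", "info" or "review"
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Split one RootkitRevealer line into its fields, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(path: str, note: str) -> tuple:
    """Apply the reply's reasoning: quarantine vaults and System Restore copies are
    expected to show discrepancies; anything else that is hidden or missing from
    the MFT or directory index deserves a closer look."""
    low_path, low_note = path.lower(), note.lower()
    if low_note.startswith("error mounting volume"):
        return "info", "volume could not be mounted (typically an empty removable drive)"
    if "$vault$.avg" in low_path:
        return "benign", "AVG quarantine vault: already neutralised by the antivirus"
    if "system volume information\\_restore" in low_path:
        return "benign", "System Restore copy: cleared when System Restore is reset"
    return "review", "unexpected discrepancy outside quarantine/restore areas"


def classify(lines) -> list:
    """Parse and triage every report line, skipping lines that do not parse."""
    entries = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        verdict, reason = triage(fields["path"], fields["note"])
        entries.append(Entry(fields["path"], fields["size"], fields["note"], verdict, reason))
    return entries


def needs_review(lines) -> list:
    """Only the paths a helper would actually ask the poster about."""
    return [e.path for e in classify(lines) if e.verdict == "review"]


if __name__ == "__main__":
    for e in classify(SAMPLE_LOG):
        print(f"{e.verdict:7} {e.path}  ({e.reason})")
```

On the thread's own output this leaves a single path to look at, C:\WINDOWS\ye2.exe, which the reply did not comment on; a rule like this is a filter for the noise that a quarantine vault and restore points always produce, not a clean bill of health for what remains.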
OK, glad that was picked up and killed before things got out of hand, guess I got lucky. <PHEW>
To further prevent the installation of ad/mal/spyware, DL these apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:
SpywareBlaster
With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.
To avoid known malware infested sites from loading in IE install IESPY ADS.
And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.
And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v9.8.1.0.
Links for tutorials for all the apps I mentioned can be found on my site as well.
And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here: Calendar of Updates
Subscribe to update alerts for all the above security apps here.
You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed: TeMerc Test Box Forum