I am having problems with my IE6 browser taking me to unwanted pages. Also, IE is started automatically every now and then.
Spybot finds an infection named "Pipas.A".
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins
It is supposed to be fixed, but the next time I restart and test again it is still there.
AVG Anti-Spyware and AVG Anti-Virus had found a few infections too, but after following your general suggestions it looks like I have managed to clean things up a bit. So, the last time I ran those two programs they found nothing.
Thank you in advance for any help.
____________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 9:45:42 PM, on 12/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Apache2\bin\Apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\MySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TASKBA~1\TaskBar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MACROE~1\MACEXP.EXE
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG Free\avgvv.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [dmlrn.exe] C:\WINDOWS\system32\dmlrn.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Taskbar Hide] C:\PROGRA~1\TASKBA~1\TaskBar.exe -Start
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Macro Express 3.lnk = ?
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradesta...ugIn/tsTemp.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DCB9C35-3073-46DE-88B5-781B6623223C}: NameServer = 85.255.114.3,85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A2A6ADB-AD3B-4EB8-8A7F-4E041363767E}: NameServer = 85.255.114.3,85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8487492-FDF5-466D-92EA-2C54D4B8CDB7}: NameServer = 85.255.114.3,85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9927C7D-A2AD-41A6-B88D-DC4F657DEE9A}: NameServer = 85.255.114.3,85.255.112.127
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.3 85.255.112.127
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DCB9C35-3073-46DE-88B5-781B6623223C}: NameServer = 85.255.114.3,85.255.112.127
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.3 85.255.112.127
O17 - HKLM\System\CS2\Services\Tcpip\..\{0DCB9C35-3073-46DE-88B5-781B6623223C}: NameServer = 85.255.114.3,85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.3 85.255.112.127
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:\MySQL\bin\mysqld-nt.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
________________________________________________
Uninstall list
Acronis True Image
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.7
Adobe Stock Photos 1.0
Advanced File Organizer
ApachePHPMySQL 1.1
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
AVG Free Edition
Chessmaster 9000
Dolet Light for Finale 2004
Finale 2004
FM Modifier 2.1
FM Scout
Football Manager 2006
Google Earth
HijackThis / CWShredder Installer 1.0
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 7
Kaspersky On-line Scanner
Kyodai Mahjongg 2006 v1.42
Macro Express 3
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
MahJong Suite
MetaStock Professional 8.0
Microsoft Office 2003 Proofing Tools
Microsoft Office Professional Edition 2003
MIG Trading Station 4.00
NVIDIA Audio Driver
NVIDIA Gart Driver
NVIDIA nForce Drivers
Panda ActiveScan
PrimoPDF
PrimoPDF Redistribution Package
Prishtina FTP
RegScrubXP 3.25
Simple Sudoku 4.1
SnagIt 7
SpeedTouch USB Software
Spybot - Search & Destroy 1.4
SpyRemover 2.65
SpywareBlaster v3.5.1
SUPERAntiSpyware Free Edition
Sygate Personal Firewall
Taskbar Hide
TradeStation 8.1 SP1 (Build 3258)
WinRAR archiver
Your Uninstaller! 2006 Version 5
__________________________________________________
SUPERAntiSpyware Scan Log
Generated 12/23/2006 at 04:55 PM
Application Version : 3.4.1000
Core Rules Database Version : 3153
Trace Rules Database Version: 1170
Scan type : Complete Scan
Total Scan Time : 00:41:42
Memory items scanned : 349
Memory threats detected : 0
Registry items scanned : 4916
Registry threats detected : 0
File items scanned : 65124
File threats detected : 3
Unclassified.Unknown Origin
C:\WINDOWS\SYSTEM32\HELPER.DLL
C:\WINDOWS\SYSTEM32\HELPER1.DLL
Worm.SASSER-E
C:\WINDOWS\SYSTEM32\LSASSS.EXE
____________________________________________________
ActiveScan
Incident | Status | Location
Virus:Trj/Ruins.GC | Disinfected | Operating system
Adware:Adware/WinAntivirus2006 | Not disinfected | c:\progra~1\grisoft\avgfre~1\avgcc.exe
Adware:Adware/WinAntivirus2006 | Not disinfected | c:\program files\common files\acronis\schedule2\schedhlp.exe
Adware:Adware/WinAntivirus2006 | Not disinfected | c:\program files\thomson\speedtouch usb\dragdiag.exe
Adware:adware/cws | Not disinfected | C:\Documents and Settings\Spyros\Favorites\Health
Adware:adware/megatds | Not disinfected | Windows Registry
Potentially unwanted tool:application/kill&clean | Not disinfected | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Spyware:spyware/apropos | Not disinfected | Windows Registry
Adware:Adware/SystemDoctor | Not disinfected | C:\Documents and Settings\Spyros\Local Settings\Temporary Internet Files\Content.IE5\FXOK8FBF\drf1166820807[1].htm
Adware:Adware/SystemDoctor | Not disinfected | C:\Documents and Settings\Spyros\Local Settings\Temporary Internet Files\Content.IE5\UTOJIPE5\drf1166828273[1].htm
Adware:Adware/SystemDoctor | Not disinfected | C:\Documents and Settings\Spyros\Local Settings\Temporary Internet Files\Content.IE5\W7P326Z9\drf1166869948[1].htm
Virus:Bck/Webber.BT | Disinfected | C:\explorer1.exe
Adware:Adware/WinAntivirus2006 | Not disinfected | C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Adware:Adware/WinAntivirus2006 | Not disinfected | C:\Program Files\Grisoft\AVG Free\avgcc.exe
Adware:Adware/WinAntivirus2006 | Not disinfected | C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
Adware:Adware/WinAntivirus2006 | Not disinfected | C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Virus:Trj/Ruins.GC | Disinfected | C:\WINDOWS\system32\dmlrn.exe
Potentially unwanted tool:Application/Kill&Clean | Not disinfected | C:\WINDOWS\system32\kilacln.exe[KillAndCleanUpdate.exe]
Adware:Adware/WinAntivirus2006 | Not disinfected | C:\WINDOWS\system32\lsasss.exe
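The three findings in this log that explain the redirects are the O17 NameServer entries (every interface and every control set points at 85.255.114.3 and 85.255.112.127 rather than the ISP's resolvers, which is why cleaning files does not stop the redirects), the O4 Run entry for C:\WINDOWS\system32\dmlrn.exe (which Panda reported as Trj/Ruins.GC), and scanner hits whose file names imitate system processes (lsasss.exe, explorer1.exe). The script below is an added triage example written for this page; it is not part of the original post and not code from HijackThis or any of the scanners named above. It parses a few lines copied from the log and applies those three checks over them. The expected-resolver set and the system32 allowlist are placeholder assumptions, the sample log lines and scanner-hit list are constructed from the output above, and the 85.255.112.0/20 range is flagged because it was later documented publicly as rogue DNSChanger resolver space (FBI Operation Ghost Click, 2011).

```python
"""Triage checks for HijackThis-style log lines (added example, not HijackThis code)."""
import ipaddress
import re

# Constructed sample: lines copied from the O4 and O17 sections of the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [dmlrn.exe] C:\WINDOWS\system32\dmlrn.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DCB9C35-3073-46DE-88B5-781B6623223C}: NameServer = 85.255.114.3,85.255.112.127
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.3 85.255.112.127
"""

# Constructed from the scanner results above: file paths the AV/anti-spyware tools reported.
SCANNER_HITS = [
    r"C:\WINDOWS\SYSTEM32\LSASSS.EXE",
    r"C:\explorer1.exe",
    r"C:\WINDOWS\system32\dmlrn.exe",
    r"C:\WINDOWS\SYSTEM32\HELPER.DLL",
]

# ASSUMPTION: the resolvers this machine should be using (the ISP's, in the post's case;
# a documentation-range placeholder address stands in for them here).
EXPECTED_RESOLVERS = {"192.0.2.53"}

# 85.255.112.0/20 was later documented publicly as rogue DNSChanger resolver space
# (FBI Operation Ghost Click, 2011); extend with the other published ranges as needed.
KNOWN_ROGUE_DNS = [ipaddress.ip_network("85.255.112.0/20")]

# ASSUMPTION: the only legitimate autostart launched from system32 on this box.
SYSTEM32_ALLOWLIST = {"ctfmon.exe"}

# Process names that malware commonly imitates by adding or changing one character.
CRITICAL_NAMES = ("lsass.exe", "smss.exe", "csrss.exe", "svchost.exe",
                  "winlogon.exe", "services.exe", "explorer.exe")


def check_nameservers(log, expected=EXPECTED_RESOLVERS):
    """Flag O17 NameServer values that are not the expected resolvers or sit in a known-rogue range."""
    findings = []
    for m in re.finditer(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$", log, re.M):
        # HijackThis prints the list comma-separated for interfaces and space-separated for Parameters.
        for server in re.split(r"[ ,]+", m.group("servers").strip()):
            rogue = any(ipaddress.ip_address(server) in net for net in KNOWN_ROGUE_DNS)
            if rogue or server not in expected:
                findings.append((m.group("key"), server, "known-rogue" if rogue else "unexpected"))
    return findings


def check_run_entries(log, allow=SYSTEM32_ALLOWLIST):
    """Flag O4 Run entries that launch a system32 executable not on the allowlist."""
    findings = []
    for m in re.finditer(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", log, re.M):
        exe = re.match(r'"?(?P<path>[^"]*?\.exe)', m.group("cmd"), re.I)  # path before any arguments
        if not exe:
            continue
        path = exe.group("path")
        base = path.rsplit("\\", 1)[-1].lower()
        if "\\system32\\" in path.lower() and base not in allow:
            findings.append((m.group("hive"), m.group("name"), path))
    return findings


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character imitations of system file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(path):
    """Return the critical process name that this file name imitates, or None."""
    name = path.rsplit("\\", 1)[-1].lower()
    for real in CRITICAL_NAMES:
        if name != real and edit_distance(name, real) == 1:
            return real
    return None


if __name__ == "__main__":
    for f in check_nameservers(SAMPLE_LOG):
        print("O17 DNS hijack:", f)
    for f in check_run_entries(SAMPLE_LOG):
        print("O4 suspicious autostart:", f)
    for hit in SCANNER_HITS:
        real = lookalike(hit)
        if real:
            print(f"name lookalike: {hit} imitates {real}")
```

On the log above the first check fires on every O17 line, which is the point worth stressing to the poster: the NameServer values live under each interface GUID and under ControlSet001, ControlSet002 and CurrentControlSet, so a fix that only deletes the trojan's executable leaves the rogue resolvers in place and the redirects continue after reboot. The lookalike check is deliberately strict (distance exactly one) so that ordinary names such as ctfmon.exe or helper.dll are not reported.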