Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Pipas.A and other infections

Started by spra , Dec 23 2006 02:04 PM

  • This topic is locked This topic is locked

#46
spra
Posted 30 December 2006 - 01:05 PM

spra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~

21504 "C:\Program Files\TradeStation 8.1 (Build 3258)\Program\Cache\_\@SI.eod"
21504 "D:\D data\My Documents 5\Excel Files\Excels\???à??? Moyenne New.xls"


21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\TradeStation 8.1 (Build 3258)\Program\Cache\P\POSC.eod"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005 12:04 AM 1,415,824 TeaTimer.exe
1 File(s) 1,415,824 bytes

Directory of C:\PROGRA~1\TASKBA~1\BAK

10/09/2005 11:56 AM 396,288 TaskBar.exe
1 File(s) 396,288 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:07 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ACRONIS\TRUEIM~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

05/12/2005 08:05 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK

12/12/2006 03:07 PM 406,016 avgcc.exe
1 File(s) 406,016 bytes

Directory of C:\PROGRA~1\THOMSON\SPEEDT~1\BAK

04/07/2004 07:02 AM 877,568 Dragdiag.exe
1 File(s) 877,568 bytes

Directory of C:\PROGRA~1\COMMON~1\ACRONIS\SCHEDU~1\BAK

10/04/2005 12:18 AM 118,784 schedhlp.exe
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

05/03/2006 01:56 AM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

38349 Dec 19 2006 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1389056 Nov 2 2004 "C:\Program Files\SpyRemover\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
396288 Oct 9 2005 "C:\Program Files\Taskbar Hide\TaskBar.exe"
396288 Oct 9 2005 "C:\Program Files\Taskbar Hide\bak\TaskBar.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
38349 Dec 19 2006 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 May 12 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
38349 Dec 19 2006 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
406016 Dec 12 2006 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
38349 Dec 19 2006 "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe"
877568 Apr 7 2004 "C:\Program Files\Thomson\SpeedTouch USB\bak\Dragdiag.exe"
38349 Dec 19 2006 "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
118784 Oct 4 2005 "C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe"
38349 Dec 19 2006 "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
36975 May 3 2006 "C:\Program Files\Java\jre1.5.0_07\bin\bak\jusched.exe"


end of report
  • 0

Advertisements

#47
MFDnSC
Posted 30 December 2006 - 03:00 PM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Thanks to others I now know what is going own and how to fix it

Believe it or not the downloader awf infection makes a copy of the valid .exe files in a bak directory and then puts an infected one in its place

So for the list below - delete the file in the normal directory and then COPY the one from the bak folder to the proper folder

If you have any question ask first!

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe

C:\Program Files\Taskbar Hide\TaskBar.exe
C:\Program Files\Taskbar Hide\bak\TaskBar.exe

C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\bak\ctfmon.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Thomson\SpeedTouch USB\bak\Dragdiag.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Acronis\Schedule2\bak\schedhlp.exe

C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_07\bin\bak\jusched.exe
  • 0

#48
spra
Posted 30 December 2006 - 05:19 PM

spra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
The system does not let me make the following replacements

C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\bak\ctfmon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Thomson\SpeedTouch USB\bak\Dragdiag.exe

They "are in use by another program..." and I must close it first...

How can I do that? Safe mode?
  • 0

#49
MFDnSC
Posted 30 December 2006 - 05:25 PM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Yes safe mode
  • 0

#50
spra
Posted 02 January 2007 - 04:19 AM

spra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Happy New Year!

I haven't noticed any suspicious page changes lately.

However, SpySweeper keeps finding Trojan-phisher-passgrab each time I re-scan although it has previously eliminated the trojan, and although there has been no Internet surfing in the meanwhile.

Edited by spra, 02 January 2007 - 04:20 AM.

  • 0

#51
MFDnSC
Posted 02 January 2007 - 08:52 AM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Can you give more details about the file it is finding
  • 0

#52
spra
Posted 02 January 2007 - 09:21 AM

spra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
I am afraid I don't have much more information to provide. What I only know is that SpySweeper finds a trojan. The trojan is called "Trojan-phisher-passgrab". I quarantined it several times. Then I decided to go to the quarantined files section and destroyed them.
No luck! When I restart and rescan SpySweeper finds it again. Please note for two days now I have not been surfing in the Internet. This makes me think that the trojan's presence is not due to any external infection any more.
Finally, for the time being I don't have any obvious symptoms in my system.
  • 0

#53
MFDnSC
Posted 02 January 2007 - 09:46 AM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Do SuperAS or AVG AS find anything
  • 0

#54
spra
Posted 02 January 2007 - 02:40 PM

spra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
AVG AS did not find anything.

Super AS found 2 tracking cookies:

[email protected][2].txt

[email protected][1].txt
  • 0

#55
MFDnSC
Posted 02 January 2007 - 04:03 PM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Makes me wonder if its a false positive
  • 0

Advertisements

#56
spra
Posted 03 January 2007 - 01:47 PM

spra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 78 posts
Today I scanned twice and its clear. So, let's consider it resolved.
If something new occurs - I hope not - I may start a new topic. What do you think?

Thanks a lot!
  • 0

#57
MFDnSC
Posted 03 January 2007 - 02:39 PM

MFDnSC

    Banned

  • Banned
  • PipPipPipPip
  • 1,137 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP