Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Pickee.exe

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Pickee.exe

Unread postby JamesBrown » May 18th, 2008, 8:04 am

Hi...after restarting my computer it opens a window in dos with this file name and opens IE with a this page:

http://www.alinone.net

I done a search on Google and i didn´t get anything...it´s this new???Any ideia of what this could be?

Here´s the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01:30, on 18-05-2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Programas\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\Rundll32.exe
C:\DOCUME~1\Jaime\DEFINI~1\Temp\inetsvrs.exe
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\mssmpp.exe
C:\Programas\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\Panda Software\Panda Antivirus 2007\PsImSvc.exe
C:\Programas\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
c:\programas\panda software\panda antivirus 2007\WebProxy.exe
C:\Programas\IncrediMail\bin\IMApp.exe
C:\Programas\Skype\Phone\Skype.exe
C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programas\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Programas\Skype\Plugin Manager\skypePM.exe
C:\Programas\Mozilla Firefox\firefox.exe
F:\eMule\emule.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programas\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programas\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Programas\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Gerenciamento de segurança para contas locais] C:\DOCUME~1\Jaime\DEFINI~1\Temp\inetsvrs.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programas\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programas\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Programas\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Internet Explorer] c:\windows\system32\IEXPLORER.EXE
O4 - HKCU\..\Run: [msnmsg] C:\WINDOWS\system\msnmsssg.exe
O4 - HKCU\..\Run: [Firewal] c:\windows\system32\nortons.exe
O4 - HKCU\..\Run: [Skype] "C:\Programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programas\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Programas\Panda Software\Panda Antivirus 2007\PsImSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programas\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programas\WinPcap\rpcapd.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)


--
End of file - 7103 bytes

I ran Panda and i cleaned all with CleanUp and the file still there...
i deleted it and after the reboot the file pickee.exe was again at C:
JamesBrown
Active Member
 
Posts: 3
Joined: May 18th, 2008, 7:47 am
Advertisement
Register to Remove

Re: Pickee.exe

Unread postby peku006 » May 18th, 2008, 1:41 pm

Welcome to the MWR forums. My name is peku006. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic. Please stay at one forum for help.
3. Please continue reading posts until I give the All Clear. It is important to note this, as a clean looking HijackThis is not always a sign your system is clean.

Note: I am still in training here at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Pickee.exe

Unread postby peku006 » May 20th, 2008, 11:27 pm

Hi JamesBrown

First off all, you need to be informed that your computer might be seriously compromised, you have a W32.IRCBot with backdoor capabilities:
giving intruders complete control of your computer, logging key strokes, stealing information, etc....
Though it has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. In all honesty, if this were to be my computer, I would reformat and reinstall Windows XP.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

However, if you do not have the resources to reformat & reinstall your OS and would like me to attempt to clean it, I will be happy to do so but it is not fully guaranteed that your computer will be completely rid of malware.

Your log indicates that your system is seriously lacking in security updates. That issue needs to be addressed prior to cleaning your system. If you are for any reason unable to install security updates, it will not be possible to secure your system to any degree as it will just keep getting reinfected.

Accordingly, please do the following:

  • Download a diagnostic tool (MGADiag.exe) from >here< and save the tool to your Desktop.
  • Double-click on MGADiag.exe.
  • Select "Continue."
  • Next, the Windows tab should open with a report in it. Select the "Copy" button.
  • Open Notepad and paste the contents of the clipboard into a Notepad text file and save it to your Desktop.
  • Paste the contents of that text file into a reply in this topic.

Thanks
peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Pickee.exe

Unread postby JamesBrown » May 24th, 2008, 3:53 pm

First of all thank you for your help...after your post i checked the Hijack log , i made a search on all the processes running and i´ve found this one :

C:\WINDOWS\System32\mssmpp.exe
was infecting my machine...
I killed it with Hijack This and i disabled system restore...after that i rebooted and the page that opened at the begining and the file that were created(pickee.exe) weren´t there no more...a few seconds after the reboot Panda detected the virus\backtrojan w32\sdbot.JVM.worm was
detected and eliminated...i had run the antivirus several times before and nothing were detected before...
Maybe this was fixed...maybe no..i know i have to upgrade my Windows..i guess i will install the more recent version with SP3...
Thanks for your help...i will follow your advises...
I will keep one eye on my credit card in daily basis for now...thanks again...you are great..
JamesBrown
Active Member
 
Posts: 3
Joined: May 18th, 2008, 7:47 am

Re: Pickee.exe

Unread postby JamesBrown » May 24th, 2008, 3:57 pm

If there´s any other advise you want to give i will be glad to listen...
JamesBrown
Active Member
 
Posts: 3
Joined: May 18th, 2008, 7:47 am

Re: Pickee.exe

Unread postby peku006 » May 25th, 2008, 4:57 pm

Hi JamesBrown

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again.
That malware you have on this machine is not that simple or easy to remove. Fixing lines with HJT and running anti-virus scans cannot possibly clean out this sort of infection

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect your computer from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breech.

You have indicated that your intention is to reformat your system. After you have reformatted and reinstalled Windows, your system will be clean. Here are some tips that will help you to keep it clean.

Spybot Search and Destroy 1.5.2
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Scan for and install all available Security Updates, including all offered Service Packs.

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Pickee.exe

Unread postby Gary R » May 27th, 2008, 3:57 am

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
User avatar
Gary R
Administrator
Administrator
 
Posts: 21864
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 28 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware