Post #1, Mar 7 2005, 07:25 AM
Member (Group: Members, Posts: 28, Joined: 7-March 05, Member No.: 13,771)
I run MSConfig at startup and I cannot stop Mobsync.exe running. Every time I delete it from the registry it still comes back, is this a known problem? Or am I barking up the wrong tree? Thanks in advance for your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:41:13, on 07/03/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\All Downloads\Spyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\paul\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nvsvca32] C:\WINDOWS\nvsvca32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Sygate Personal Firewall.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~1\Office\1033\phdintl.dll/phdContext.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Post #2, Mar 7 2005, 05:05 PM
Cleaner on Duty (Group: HJT Team, Posts: 5,480, Joined: 1-September 04, From: Bucharest, Romania, Member No.: 2,383)
REBOOT normally.

Some items are disabled in MSCONFIG, and not all your startup items are visible. Go to Start -> Run -> Type msconfig and press Enter. Click the Startup tab and check all Startup items or press the Enable All button and Close. Then press the Exit without restart button. Do not reboot your computer.

Please run HijackThis! in Normal Mode and post a new log.

This post has been edited by Daisuke: Mar 7 2005, 05:05 PM
Post #3, Mar 9 2005, 08:17 AM
Member (Member No.: 13,771)
Thanks Daisuke, I have rebooted and run HJT again. Here is the full log.
Logfile of HijackThis v1.99.1
Scan saved at 13:13:31, on 09/03/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\All Downloads\Spyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer by Paul Browne
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SystemTraySD] C:\WINDOWS\system32\StopItBlockItSystemTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\Run: [MonitorSD] C:\WINDOWS\system32\SDMonitor.exe
O4 - HKLM\..\Run: [element furth] c:\windows\system32\vert\repcale.exe c:\windows\system32\vert\palsp.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Sygate Personal Firewall.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~1\Office\1033\phdintl.dll/phdContext.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

I appreciate your help
Post #4, Mar 9 2005, 01:10 PM
Cleaner on Duty (HJT Team)
Hi

Download System Security Suite here: System Security Suite Download. Unzip it to your desktop. Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [element furth] c:\windows\system32\vert\repcale.exe c:\windows\system32\vert\palsp.exe

Check this if you don't know what it is:
O4 - HKLM\..\Run: [SystemTraySD] C:\WINDOWS\system32\StopItBlockItSystemTray.exe

Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if present. Delete this file if you don't know what it is:
C:\WINDOWS\system32\StopItBlockItSystemTray.exe <-- this file

Delete these folders, if present:
c:\windows\system32\vert\ <-- this folder

With all windows and browsers closed, clean out temporary and Temporary Internet Files:
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button. Close the program.

REBOOT normally.

Perform a full scan here: BitDefender Free Online Virus Scan. Follow the instructions on the screen. Tick all the boxes on the left and let it remove anything it finds.

Run HijackThis! again and post a new log please.
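The helper's first two steps (re-enable everything in MSCONFIG, then compare the new log) are a diff exercise. The script below is an added example, not HijackThis code and not from anyone in this thread: it splits HijackThis log text that has been run together on one line back into entries, diffs two scans, and applies two cheap checks to O4 Run values. The two log excerpts are constructed from the logs in posts #1 and #3, trimmed to a few lines each; the reason codes and check rules are this example's own.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed excerpts, trimmed from the first two logs in this thread
# (post #1, taken with MSCONFIG items disabled; post #3, after enabling
# all startup items). Written run together on one line, as the posted
# logs appear on this page, so the splitter has something to do.
LOG_POST1 = (
    "Logfile of HijackThis v1.99.1 Scan saved at 11:41:13, on 07/03/2005 "
    "Running processes: C:\\WINDOWS\\System32\\smss.exe C:\\WINDOWS\\Explorer.EXE "
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = "
    "C:\\WINDOWS\\SYSTEM\\blank.htm "
    "O4 - HKLM\\..\\Run: [SystemTray] systray.exe "
    "O4 - HKLM\\..\\Run: [MSConfig] C:\\Documents and Settings\\paul\\Desktop\\msconfig.exe /auto "
    "O4 - HKLM\\..\\Run: [nvsvca32] C:\\WINDOWS\\nvsvca32.exe "
    "O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon"
)
LOG_POST3 = (
    "Logfile of HijackThis v1.99.1 Scan saved at 13:13:31, on 09/03/2005 "
    "Running processes: C:\\WINDOWS\\System32\\smss.exe "
    "C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe C:\\WINDOWS\\Explorer.EXE "
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = "
    "R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = "
    "C:\\WINDOWS\\SYSTEM\\blank.htm "
    "O4 - HKLM\\..\\Run: [SystemTray] systray.exe "
    "O4 - HKLM\\..\\Run: [SystemTraySD] C:\\WINDOWS\\system32\\StopItBlockItSystemTray.exe "
    "O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon "
    "O4 - HKLM\\..\\Run: [MonitorSD] C:\\WINDOWS\\system32\\SDMonitor.exe "
    "O4 - HKLM\\..\\Run: [element furth] c:\\windows\\system32\\vert\\repcale.exe "
    "c:\\windows\\system32\\vert\\palsp.exe"
)

# An entry begins with its HijackThis section code ("R0 - ", "O4 - ", ...).
ENTRY_SPLIT = re.compile(r"\s+(?=(?:R[0-3]|O\d{1,2}) - )")
# In the process list every path begins with a drive letter.
PATH_SPLIT = re.compile(r"\s+(?=[A-Za-z]:\\)")
RUN_VALUE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text: str) -> Dict[str, Any]:
    """Return the header, the running-process list and the entry lines.
    Whitespace is collapsed first, so a log pasted as lines and a log
    run together on one line parse the same way."""
    flat = " ".join(text.split())
    chunks = [c.strip() for c in ENTRY_SPLIT.split(flat)]
    head = chunks[0]
    processes: List[str] = []
    if "Running processes:" in head:
        head, procs = head.split("Running processes:", 1)
        processes = [p for p in PATH_SPLIT.split(procs.strip()) if p]
    return {"header": head.strip(), "processes": processes, "entries": chunks[1:]}


def diff_logs(old: Dict[str, Any], new: Dict[str, Any]) -> Tuple[List[str], List[str]]:
    """Entries present only in the newer scan, and entries present only in
    the older one. Items disabled in MSCONFIG do not show up at all, which
    is why the helper asked for everything to be re-enabled first."""
    old_entries, new_entries = set(old["entries"]), set(new["entries"])
    added = [e for e in new["entries"] if e not in old_entries]
    removed = [e for e in old["entries"] if e not in new_entries]
    return added, removed


def review_run_entries(entries: List[str]) -> List[Tuple[str, str]]:
    """Two cheap checks on O4 Run values. Neither proves anything is
    malicious; they mark values a reviewer should verify, as the helper
    did with [element furth] before asking for the unknown file."""
    findings: List[Tuple[str, str]] = []
    for entry in entries:
        m = RUN_VALUE.match(entry)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        exe_count = len(re.findall(r"\.exe\b", cmd, flags=re.IGNORECASE))
        if exe_count > 1:
            # one Run value starting two programs is unusual for an installer
            findings.append((name, "multiple-executables"))
        elif not re.match(r'"?[A-Za-z]:\\', cmd):
            # bare file name: which file runs depends on the search path
            findings.append((name, "unqualified-path"))
    return findings


if __name__ == "__main__":
    first, second = parse_hjt(LOG_POST1), parse_hjt(LOG_POST3)
    added, removed = diff_logs(first, second)
    print("new since first log:")
    for e in added:
        print("  +", e)
    print("gone since first log:")
    for e in removed:
        print("  -", e)
    for name, reason in review_run_entries(second["entries"]):
        print(f"check [{name}]: {reason}")
```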
Post #5, Mar 11 2005, 09:52 AM
Member (Member No.: 13,771)
Thanks Daisuke,
I have done as you suggested and things seem a lot better. However, after I had run several scans, set up the Sygate firewall, and reinstalled Norton Antivirus 2005 and the updates, I started getting spoolsv.exe running in the processes. Looking it up on the web, Backdoor.ciadoor is mentioned. I cannot stop it as access is denied. I rebooted and killed it through msconfig. Is there some way of getting control of my PC back, free of viruses, and then setting up the firewall and antivirus so they work properly? I have been battling this for a number of weeks now and every time I seem to get somewhere it starts off again. Norton Antivirus does not seem to pick up any of the threats that the other utilities do. Are they giving false positives or is Norton useless? I have run regedit repeatedly, but the information given on the web does not seem to be present on my machine. Am I being duped into scanning the wrong registry file? All I know is that I seem to keep having odd things happening. I cannot run the icons in Control Panel directly; I have to make shortcuts. There is also no right click available on the icons. If I boot in safe mode they all work OK. My home page has just swapped to MSN again. Please, please suggest a way forward from this. I desperately need this machine to work properly. My thanks in advance for any suggestions.
Post #6, Mar 11 2005, 10:21 AM
Cleaner on Duty (HJT Team)
spoolsv.exe could be a legitimate file. Post a hijackthis log please.
Post #7, Mar 11 2005, 12:17 PM
Member (Member No.: 13,771)
Here is my latest HJT log. It seems that some of this is being reinstalled again.
Logfile of HijackThis v1.99.1
Scan saved at 17:11:43, on 11/03/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WINDOWS\system32\SDMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\All Downloads\Spyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer by Paul Browne
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [MonitorSD] C:\WINDOWS\system32\SDMonitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Sygate Personal Firewall.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks in advance for your help.
Post #8, Mar 11 2005, 02:36 PM
Cleaner on Duty (HJT Team)
Do you know what this file does?
C:\WINDOWS\system32\SDMonitor.exe <-- this file

Run HijackThis!, press Scan, and put a check mark next to all these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

Close all other windows and browsers, and press the Fix Checked button.

REBOOT your machine and post a new log.
Post #9, Mar 11 2005, 07:41 PM
Member (Member No.: 13,771)
Hi Daisuke,
C:\WINDOWS\system32\SDMonitor.exe
No, I don't know what it does. I thought it was to do with Spybot, but checking on the web it doesn't seem to be. Should I delete it? I have done as you said and this is my latest log.

Logfile of HijackThis v1.99.1
Scan saved at 00:36:04, on 12/03/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WINDOWS\system32\SDMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\All Downloads\Spyware\Hijackthis\HijackThis.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer by Paul Browne
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [MonitorSD] C:\WINDOWS\system32\SDMonitor.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Sygate Personal Firewall.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

How am I doing? Thanks for all your great help.
Post #10, Mar 12 2005, 04:44 AM
Cleaner on Duty (HJT Team)
QUOTE: Should I delete it?

No, let's see what it is first. Submit it please here: http://www.bleepingcomputer.com/submit-malware.php

Thank you
Post #11, Mar 12 2005, 12:39 PM
Member (Member No.: 13,771)
Hi Daisuke,
I have submitted the file you asked for. I don't know what it is for. I hope this helps. My PC is operating a bit better, but spoolsv.exe is still running and there are some odd symptoms. Thanks for your help.
Post #12, Mar 12 2005, 01:10 PM
Cleaner on Duty (HJT Team)
spoolsv.exe is a legitimate Microsoft file: Microsoft Printer Spooler Service.
It handles the printing process to your local printers.

Please search for a file ProcessMonitorDll.dll <-- this file and submit it here: http://www.bleepingcomputer.com/submit-malware.php

Please submit also the full path. It is probably c:\Windows\system32

This post has been edited by Daisuke: Mar 12 2005, 01:10 PM
Post #13, Mar 12 2005, 07:09 PM
Member (Member No.: 13,771)
Daisuke,
I know spoolsv.exe is a valid Microsoft file, but looking on the web it also states that it can be used as a cover for the Ciadoor.121 virus. Ref: http://www.auditmypc.com/process/spoolsv.asp
I would have thought I could terminate the spoolsv process with an administrator account, but I cannot. It says "The operation could not be completed" "Access is denied". This does not seem normal for a print spooler. I have submitted the .dll you asked for. What do you think that file was doing? Thanks again for all your help.
Post #14, Mar 12 2005, 08:41 PM
Cleaner on Duty (HJT Team)
QUOTE: but looking on the web it also states that it can be used as a cover for the Ciadoor.121 virus.

Trust me