
Trojan.downloader.ruins


64 replies to this topic

#1 ally1350

Posted 16 July 2007 - 11:12 AM

I did a scan with Spyware Doctor and it said I had a critical virus--> trojan.downloader.ruins
I do not know how to get rid of it.

Please help

Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 9:05:24 AM, on 7/16/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\hphmon06.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
C:\Program Files\SpywareRemover\SpywareRemover.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\NoAdware5.0\NoAdware5.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Al Pearce.AL-AB842DC8A500\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINNT\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
O4 - HKCU\..\Run: [SpywareRemover] "C:\Program Files\SpywareRemover\SpywareRemover.exe" -boot
O4 - Startup: Expedia Fare Alert.lnk = C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.193.157.18/activex/AxisCamControl.ocx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

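Added example, not code from the thread, from BleepingComputer or from HijackThis: a small Python triage script for the HijackThis log format posted above. It groups entries by section and flags what a helper reads first in this kind of log: O17 NameServer entries pointing at resolvers outside an allowlist, O4 autoruns launched from a Temp directory, and O20 Winlogon Notify entries. The sample log is a constructed excerpt drawn from the thread's logs, the allowlist (the OpenDNS pair that appears in the later log) and the flagging heuristics are assumptions of this example, and a flag means "review", not a verdict.

```python
"""Triage a HijackThis (HJT) log the way a removal helper reads it.

Added example, not code from the thread, BleepingComputer or HijackThis.
The sample log is a constructed excerpt of the thread's logs; the resolver
allowlist and the flagging heuristics are assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:05:24 AM, on 7/16/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\SpywareRemover\SpywareRemover.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ALPEAR~1.AL-\LOCALS~1\Temp\{0F8F3C17-080E-4DD9-A939-C07F44DE3CCF}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.55 85.255.112.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# HJT entries look like "O17 - <body>", "R0 - <body>", "F2 - <body>".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.*)$")
# Matches a literal "\Temp\" path component, e.g. ...\LOCALS~1\Temp\...
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

# Assumed allowlist: the OpenDNS resolvers the helper configured later in
# the thread. Any other resolver in an O17 entry gets flagged for review.
KNOWN_RESOLVERS = {"208.67.220.220", "208.67.222.222"}


def parse_hjt(text):
    """Split an HJT log into (header_lines, running_processes, entries).

    entries maps a section code such as "O17" to the list of entry bodies.
    The "Running processes:" block ends at the first blank line.
    """
    header, processes, entries = [], [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].append(m.group(2))
        else:
            header.append(line)
    return header, processes, entries


def find_dns_changes(entries):
    """O17 entries whose resolvers are not all on the allowlist.

    Returns a list of (registry key, [unknown resolvers]).
    """
    flagged = []
    for body in entries.get("O17", []):
        m = NAMESERVER_RE.search(body)
        if not m:
            continue
        servers = [s for s in re.split(r"[ ,]+", m.group(1)) if s]
        unknown = [s for s in servers if s not in KNOWN_RESOLVERS]
        if unknown:
            flagged.append((body.split(":")[0], unknown))
    return flagged


def find_temp_autoruns(entries):
    """O4 autoruns whose command lives under a Temp directory (heuristic)."""
    return [body for body in entries.get("O4", []) if TEMP_DIR_RE.search(body)]


def triage(text):
    """Summarise the points a helper checks first; returns a plain dict."""
    header, processes, entries = parse_hjt(text)
    return {
        "platform": next((h for h in header if h.startswith("Platform:")), ""),
        "process_count": len(processes),
        "section_counts": {k: len(v) for k, v in sorted(entries.items())},
        "dns_changes": find_dns_changes(entries),
        "temp_autoruns": find_temp_autoruns(entries),
        "winlogon_notify": entries.get("O20", []),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```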

#2 rookie147

Posted 23 July 2007 - 08:14 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A Hijackthis Log
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 ally1350

Posted 23 July 2007 - 02:30 PM

Thank you for the help.

One note--on the instructions about Avert Stinger I did not find the "auto clean" but I did the scan anyway.

Below is my new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:32 PM, on 7/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\hphmon06.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINNT\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ALPEAR~1.AL-\LOCALS~1\Temp\{0F8F3C17-080E-4DD9-A939-C07F44DE3CCF}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Expedia Fare Alert.lnk = C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.193.157.18/activex/AxisCamControl.ocx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 6096 bytes

#4 rookie147

Posted 23 July 2007 - 03:16 PM

Hi there, don't worry about Stinger.
Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix checked button.

Reboot your computer.

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

Please include the Panda log in your next reply, and also let me know what file Spyware Doctor is flagging as infected.
Thanks,
Charles

Edited by rookie147, 23 July 2007 - 03:16 PM.



#5 ally1350

Posted 23 July 2007 - 05:36 PM

Spyware Doctor (3) infections:
hkey_local_machine/software/microsoft/windowsNT/current version/winlogon, system

C:/winnt/system32/kdole.exe

hkey_local_machine/software/microsoft/windowsNT/current version/winlogon C:/winnt/system32/kdole.exe

==========

Panda:


Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Al Pearce.AL-AB842DC8A500\Cookies\al pearce@2o7[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Al Pearce.AL-AB842DC8A500\Cookies\al pearce@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Al Pearce.AL-AB842DC8A500\Cookies\al pearce@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Al Pearce.AL-AB842DC8A500\Cookies\al pearce@doubleclick[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Al Pearce.AL-AB842DC8A500\Cookies\al pearce@perf.overture[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Al Pearce.AL-AB842DC8A500\Cookies\al pearce@tribalfusion[1].txt
Potentially unwanted tool:Application/RegCure Not disinfected C:\Program Files\RegCure\RegCure.exe
Potentially unwanted tool:Application/RegCure Not disinfected C:\Program Files\RegCure\uninst.exe
Virus:Trj/dmRandom.KZ Disinfected C:\WINNT\system32\kdole.exe
=========

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:44 PM, on 7/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\hphmon06.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINNT\system32\hphmon06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ALPEAR~1.AL-\LOCALS~1\Temp\{0F8F3C17-080E-4DD9-A939-C07F44DE3CCF}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Expedia Fare Alert.lnk = C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.193.157.18/activex/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 6347 bytes

#6 rookie147

Posted 24 July 2007 - 03:41 AM

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.



#7 ally1350

Posted 24 July 2007 - 09:35 AM

This box popped up twice during the combofix reboot:
REGISTRY EDITOR
Can not import creg.cf: Error accessing the registry

I clicked ok both times
==========

Combofix log:



"Al Pearce" - 07/24/2007 7:23:26 - ComboFix 07-07-23.6 - Service Pack 4 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-24 07:22 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-23 13:33 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-07-23 09:46 70,528 --a------ C:\WINNT\system32\drivers\PAVDRV50.SYS
2007-07-23 09:46 45,056 --a------ C:\WINNT\system32\avldr.dll
2007-07-23 09:46 <DIR> d-------- C:\Program Files\Panda Software
2007-07-23 07:50 <DIR> d-------- C:\WINNT\system32\Panda Software
2007-07-23 07:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-07-17 16:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-17 16:08 <DIR> d-------- C:\DOCUME~1\ALPEAR~1.AL-\APPLIC~1\SUPERAntiSpyware.com
2007-07-17 16:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SUPERAntiSpyware.com
2007-07-16 08:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-16 08:55 <DIR> d-------- C:\New Folder
2007-07-16 08:36 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-07-15 19:42 <DIR> d-------- C:\DOCUME~1\ALPEAR~1.AL-\APPLIC~1\SpywareRemover
2007-07-15 19:39 <DIR> d-a------ C:\WINNT\system32\appmgmt
2007-07-15 13:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\STOPzilla!
2007-07-13 17:14 <DIR> d-------- C:\WINNT\PCHEALTH
2007-07-13 10:01 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-13 09:56 58,000 --a------ C:\WINNT\system32\drivers\cdr4_2K.sys
2007-07-13 09:56 57,344 --a------ C:\WINNT\uneng.exe
2007-07-13 09:56 49,152 --a------ C:\WINNT\system32\cdrtc.dll
2007-07-13 09:56 45,056 --a------ C:\WINNT\system32\cdral.dll
2007-07-13 09:56 23,420 --a------ C:\WINNT\system32\drivers\cdralw2k.sys
2007-07-13 09:56 <DIR> d-------- C:\Program Files\Common Files\Adaptec Shared
2007-07-13 09:54 98,304 --a------ C:\WINNT\system32\wmpshell.dll
2007-07-13 09:54 225,280 --a------ C:\WINNT\system32\wmpdxm.dll
2007-07-13 09:54 20,480 --a------ C:\WINNT\system32\wmpui.dll
2007-07-13 09:54 20,480 --a------ C:\WINNT\system32\wmpcore.dll
2007-07-13 09:54 20,480 --a------ C:\WINNT\system32\wmpcd.dll
2007-07-13 09:54 167,936 --a------ C:\WINNT\system32\wmerror.dll
2007-07-13 09:54 106,496 --a------ C:\WINNT\system32\wmpasf.dll
2007-07-13 09:53 997,888 --a------ C:\WINNT\system32\wmvdmoe2.dll
2007-07-13 09:53 892,416 --a------ C:\WINNT\system32\wmspdmoe.dll
2007-07-13 09:53 82,432 --a------ C:\WINNT\system32\drmstor.dll
2007-07-13 09:53 52,224 --a------ C:\WINNT\system32\mspmsnsv.dll
2007-07-13 09:53 486,536 --a------ C:\WINNT\system32\wmspdmod.dll
2007-07-13 09:53 384,512 --a------ C:\WINNT\system32\mp4sdmod.dll
2007-07-13 09:53 316,040 --a------ C:\WINNT\system32\mp43dmod.dll
2007-07-13 09:53 301,712 --a------ C:\WINNT\system32\drmclien.dll
2007-07-13 09:53 143,360 --a------ C:\WINNT\system32\wmidx.dll
2007-07-13 09:53 1,111,040 --a------ C:\WINNT\system32\wmsdmoe2.dll
2007-07-13 09:37 <DIR> d-------- C:\WINNT\winsxs
2007-07-13 09:37 <DIR> d-------- C:\Program Files\MSECache
2007-07-13 07:42 974,848 --a------ C:\WINNT\system32\dxdiag.exe
2007-07-13 07:42 83,968 --a------ C:\WINNT\system32\drivers\nabtsfec.sys
2007-07-13 07:42 68,096 --a------ C:\WINNT\system32\dsdmoprp.dll
2007-07-13 07:42 57,856 --a------ C:\WINNT\system32\dpwsockx.dll
2007-07-13 07:42 56,832 --a------ C:\WINNT\system32\drivers\msdv.sys
2007-07-13 07:42 53,248 --a------ C:\WINNT\system32\devenum.dll
2007-07-13 07:42 524,800 --a------ C:\WINNT\system32\qedit.dll
2007-07-13 07:42 480,256 --a------ C:\WINNT\system32\msvidctl.dll
2007-07-13 07:42 47,104 --a------ C:\WINNT\system32\wstdecod.dll
2007-07-13 07:42 386,048 --a------ C:\WINNT\system32\diactfrm.dll
2007-07-13 07:42 382,976 --a------ C:\WINNT\system32\qdvd.dll
2007-07-13 07:42 377,856 --a------ C:\WINNT\system32\dpnet.dll
2007-07-13 07:42 363,520 --a------ C:\WINNT\system32\dsound.dll
2007-07-13 07:42 354,816 --a------ C:\WINNT\system32\psisdecd.dll
2007-07-13 07:42 276,480 --a------ C:\WINNT\system32\qdv.dll
2007-07-13 07:42 265,728 --a------ C:\WINNT\system32\ddraw.dll
2007-07-13 07:42 241,664 --a------ C:\WINNT\system32\qasf.dll
2007-07-13 07:42 22,016 --a------ C:\WINNT\system32\dpmodemx.dll
2007-07-13 07:42 206,336 --a------ C:\WINNT\system32\gcdef.dll
2007-07-13 07:42 203,264 --a------ C:\WINNT\system32\dpvoice.dll
2007-07-13 07:42 194,560 --a------ C:\WINNT\system32\mswebdvd.dll
2007-07-13 07:42 18,688 --a------ C:\WINNT\system32\drivers\wstcodec.sys
2007-07-13 07:42 177,152 --a------ C:\WINNT\system32\qcap.dll
2007-07-13 07:42 166,400 --a------ C:\WINNT\system32\dinput8.dll
2007-07-13 07:42 16,896 --a------ C:\WINNT\system32\msyuv.dll
2007-07-13 07:42 16,896 --a------ C:\WINNT\system32\dpnsvr.exe
2007-07-13 07:42 16,384 --a------ C:\WINNT\system32\drivers\ccdecode.sys
2007-07-13 07:42 150,016 --a------ C:\WINNT\system32\dinput.dll
2007-07-13 07:42 15,104 --a------ C:\WINNT\system32\drivers\mpe.sys
2007-07-13 07:42 14,976 --a------ C:\WINNT\system32\drivers\streamip.sys
2007-07-13 07:42 11,392 --a------ C:\WINNT\system32\drivers\bdasup.sys
2007-07-13 07:42 104,448 --a------ C:\WINNT\system32\dmusic.dll
2007-07-13 07:42 10,880 --a------ C:\WINNT\system32\drivers\slip.sys
2007-07-13 07:42 10,112 --a------ C:\WINNT\system32\drivers\ndisip.sys
2007-07-13 07:42 1,769,472 --a------ C:\WINNT\system32\dxdiagn.dll
2007-07-13 07:42 1,689,600 --a------ C:\WINNT\system32\d3d9.dll
2007-07-13 07:42 1,227,776 --a------ C:\WINNT\system32\quartz.dll
2007-07-13 07:42 1,179,648 --a------ C:\WINNT\system32\d3d8.dll
2007-07-13 07:41 98,816 --a------ C:\WINNT\system32\dmstyle.dll
2007-07-13 07:41 80,896 --a------ C:\WINNT\system32\dpvsetup.exe
2007-07-13 07:41 797,184 --a------ C:\WINNT\system32\d3dim700.dll
2007-07-13 07:41 76,800 --a------ C:\WINNT\system32\dmscript.dll
2007-07-13 07:41 733,184 --a------ C:\WINNT\system32\qedwipes.dll
2007-07-13 07:41 7,424 --a------ C:\WINNT\system32\drivers\mskssrv.sys
2007-07-13 07:41 7,168 --a------ C:\WINNT\system32\d3d8thk.dll
2007-07-13 07:41 68,096 --a------ C:\WINNT\system32\dpnhupnp.dll
2007-07-13 07:41 64,512 --a------ C:\WINNT\system32\amstream.dll
2007-07-13 07:41 602,624 --a------ C:\WINNT\system32\dx7vb.dll
2007-07-13 07:41 58,368 --a------ C:\WINNT\system32\dmcompos.dll
2007-07-13 07:41 5,504 --a------ C:\WINNT\system32\drivers\mstee.sys
2007-07-13 07:41 5,248 --a------ C:\WINNT\system32\drivers\mspclock.sys
2007-07-13 07:41 48,512 --a------ C:\WINNT\system32\drivers\stream.sys
2007-07-13 07:41 46,592 --a------ C:\WINNT\system32\dxdllreg.exe
2007-07-13 07:41 44,032 --a------ C:\WINNT\system32\dimap.dll
2007-07-13 07:41 4,096 --a------ C:\WINNT\system32\ksuser.dll
2007-07-13 07:41 4,096 --a------ C:\WINNT\system32\drivers\swenum.sys
2007-07-13 07:41 34,304 --a------ C:\WINNT\system32\mciqtz32.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 14:31:32 16,384 ----atw C:\WINNT\system32\Perflib_Perfdata_738.dat
2007-07-23 20:56:11 -------- d-----w C:\Program Files\Spyware Doctor
2007-07-23 20:51:55 -------- d-----w C:\Program Files\Google
2007-07-23 16:46:08 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-23 16:28:53 -------- d-----w C:\Program Files\Symantec
2007-07-23 16:22:28 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-07-17 23:07:53 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-15 20:04:23 -------- d-----w C:\Program Files\RegCure
2007-06-16 22:34:33 -------- d-----w C:\Program Files\ClubUBT
2007-06-16 02:17:02 -------- d-----w C:\Program Files\UBT
2007-06-06 21:54:40 -------- d-----w C:\DOCUME~1\ALPEAR~1.AL-\APPLIC~1\AdobeUM
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-02-27 20:35:43 11,736 ----a-w C:\DOCUME~1\ALPEAR~1.AL-\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-02-20 05:35:16 271 ---h--w C:\Program Files\desktop.ini
2007-02-20 05:35:16 21,952 ---h--w C:\Program Files\folder.htt


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-20 05:00 C:\WINNT\system32\mobsync.exe]
"AtiPTA"="atiptaxx.exe" [00-06-05 11:46 C:\WINNT\system32\atiptaxx.exe]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05-01-12 15:54 ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05-02-16 23:11 ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [07-03-09 00:02 ]
"LanzarL2007"="C:\DOCUME~1\ALPEAR~1.AL-\LOCALS~1\Temp\{0F8F3C17-080E-4DD9-A939-C07F44DE3CCF}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" [05-04-07 00:39 ]
"APVXDWIN"="C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.exe" [07-01-25 18:50 ]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [07-05-18 06:48 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\Al Pearce.AL-AB842DC8A500\Start Menu\Programs\Startup\
Expedia Fare Alert.lnk - C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe [2007-02-12 11:15:00]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\digital imaging\bin\hpqthb08.exe [2004-11-04 20:50:52]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"= {7007ACCF-3202-11D1-AAD2-00805FC1270E} - C:\WINNT\system32\NETSHELL.dll [03-06-20 05:00 477456]
"Network.ConnectionTray"= {7007ACCF-3202-11D1-AAD2-00805FC1270E} - Both [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 06-07-14 13:46 45056 C:\WINNT\system32\avldr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

R0 Diskperf;Diskperf;C:\WINNT\system32\drivers\Diskperf.sys
R0 srescan;srescan;C:\WINNT\system32\ZoneLabs\srescan.sys
R1 Cdr4_2K;Cdr4_2K;C:\WINNT\system32\drivers\Cdr4_2K.sys
R1 Cdralw2k;Cdralw2k;C:\WINNT\system32\drivers\Cdralw2k.sys
R1 IKFileFlt;File Filter Driver;C:\WINNT\system32\drivers\ikfileflt.sys
R1 IKFileSec;File Security Driver;C:\WINNT\system32\drivers\ikfilesec.sys
R1 IkSysFlt;System Filter Driver;C:\WINNT\system32\drivers\iksysflt.sys
R1 IKSysSec;System Security Driver;C:\WINNT\system32\drivers\iksyssec.sys
R1 Parport;Parallel port driver;C:\WINNT\system32\DRIVERS\parport.sys
R1 SASDIFSV;SASDIFSV;\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
R1 SASKUTIL;SASKUTIL;\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
R3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys
R3 atinrvxx;ATI WDM Rage Theater Video;C:\WINNT\system32\DRIVERS\atinrvxx.sys
R3 Parallel;Parallel class driver;C:\WINNT\system32\DRIVERS\parallel.sys
R3 Ptilink;Direct Parallel Link Driver;C:\WINNT\system32\DRIVERS\ptilink.sys
R3 Raspti;Direct Parallel;C:\WINNT\system32\DRIVERS\raspti.sys
R3 uhcd;Microsoft USB Universal Host Controller Driver;C:\WINNT\system32\DRIVERS\uhcd.sys
R4 EFS;EFS;C:\WINNT\system32\drivers\EFS.sys
S0 szkg;szkg;C:\WINNT\system32\DRIVERS\szkg.sys
S3 Fax;Fax Service;C:\WINNT\system32\faxsvc.exe
S3 MPE;BDA MPE Filter;C:\WINNT\system32\DRIVERS\MPE.sys
S3 NetDetect;NetDetect;C:\WINNT\system32\drivers\netdtect.sys
S3 RCA;Microsoft Streaming Network Raw Channel Access;C:\WINNT\system32\drivers\RCA.sys
S3 SABProcEnum;SABProcEnum;\??\C:\Program Files\Internet Explorer\SABProcEnum.sys
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
S3 TVICHW32;TVICHW32;\??\C:\WINNT\system32\DRIVERS\TVICHW32.SYS
S3 UtilMan;Utility Manager;C:\WINNT\System32\UtilMan.exe


Contents of the 'Scheduled Tasks' folder
2007-07-21 23:17:00 C:\WINNT\tasks\Backup.job
2007-07-24 13:06:00 C:\WINNT\tasks\HP Usg Daily.job
2007-07-24 14:30:59 C:\WINNT\tasks\RegCure Program Check.job
2007-07-22 19:21:06 C:\WINNT\tasks\RegCure.job
2007-07-24 10:00:00 C:\WINNT\tasks\SpywareRemover Scheduled Scan.job
2007-07-02 08:14:01 C:\WINNT\tasks\Stop HP Product Survey Program Participation.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 07:30:25
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINNT\system32\Perflib_Perfdata_738.dat

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-07-24 7:32:59 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-07-24 07:32

--- E O F ---

#8 rookie147

  • Members
  • 5,321 posts

Posted 24 July 2007 - 11:35 AM

Can I have some information about how things seem to be running now?

If you are pleased with the service I have offered, you may like to consider making a donation.


#9 ally1350
  • Topic Starter

  • Members
  • 87 posts

Posted 24 July 2007 - 11:39 AM

Computer seems to be running pretty well... just worried about the 'downloader virus'.


Ally
===

#10 rookie147

  • Members
  • 5,321 posts

Posted 24 July 2007 - 11:49 AM

That file should have been deleted by the Panda scan; are you still getting warnings about it?



#11 ally1350
  • Topic Starter

  • Members
  • 87 posts

Posted 24 July 2007 - 12:25 PM

It looks like the downloader virus is gone, but 2 more popped up on 'Spyware Doctor':

Incredifind

Trojan.PWS.Tanspy

I am going to reload my Norton Anti-Virus.


What's next?

#12 rookie147

  • Members
  • 5,321 posts

Posted 24 July 2007 - 02:54 PM

What files are they?



#13 ally1350
  • Topic Starter

  • Members
  • 87 posts

Posted 24 July 2007 - 05:16 PM

This time 'Spyware Doctor' came up with only one:

Trojan.PWS.Tanspy

REGISTRY KEY
hkey_local_machine/software/microsoft/windows/currentversion/controlpanel/load


Ally
===

#14 rookie147

  • Members
  • 5,321 posts

Posted 25 July 2007 - 03:16 AM

Please download Fixwareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your Desktop and run it by double clicking.
Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer, please do so.
Your system may take longer than usual to load; this is normal.
Once the Desktop loads, save the text file that will open (report.txt) and post it in your next reply.

Please include the report.txt along with a new HijackThis log in your reply.
Thanks,
Charles



#15 ally1350
  • Topic Starter

  • Members
  • 87 posts

Posted 25 July 2007 - 09:15 AM

Report:

Username "Al Pearce" - 07/25/2007 6:57:10 [Fixwareout edited 2007/07/05]

»»»»»Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"Synchronization Manager"="mobsync.exe /logon"
"AtiPTA"="atiptaxx.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"LanzarL2007"="\"C:\\DOCUME~1\\ALPEAR~1.AL-\\LOCALS~1\\Temp\\{0F8F3C17-080E-4DD9-A939-C07F44DE3CCF}\\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\\..\\..\\L2007tmp\\Setup.exe\" /SETUP:\"/l0x0009\""
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus 2007\\APVXDWIN.EXE\" /s"
"SDTray"="C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

======================

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:31 AM, on 7/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ALPEAR~1.AL-\LOCALS~1\Temp\{0F8F3C17-080E-4DD9-A939-C07F44DE3CCF}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Expedia Fare Alert.lnk = C:\Program Files\Expedia\Expedia Fare Alert\ExpediaFareAlert.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://66.193.157.18/activex/AxisCamControl.ocx
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv50.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 5385 bytes



