
I got trojan.PWS.Tanspy (included all log files for you to check)



platinum_gold
2007-05-16, 00:13
Spybot doesn't pick it up, but these other programs do, so...


According to the Spyware Doctor free version I have Trojan.PWS.Tanspy in
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\currentversion\controlpanel\load




AVG picked up 2 other trojans which it cleared for me: trojan.Pakes.edg and trojan.Agent.qt


Panda active scan logfile

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Jay\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jay\My Documents\Unzipped\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Potentially unwanted tool:Application/Processor Not disinfected O:\Downloads\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected O:\Downloads\SmitfraudFix.zip[SmitfraudFix/Process.exe]



AVG Anti spyware logfile

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:17:12 15/05/2007

+ Scan result:



C:\System Volume Information\_restore{0873BBAA-A75B-4D4F-906F-27CE12FE99B6}\RP83\A0024653.exe/keygen.exe -> Adware.Virtumonde : Ignored.
O:\System Volume Information\_restore{0873BBAA-A75B-4D4F-906F-27CE12FE99B6}\RP83\A0024625.exe/keygen.exe -> Adware.Virtumonde : Ignored.
O:\System Volume Information\_restore{0873BBAA-A75B-4D4F-906F-27CE12FE99B6}\RP86\A0024914.exe/keygen.exe -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{0873BBAA-A75B-4D4F-906F-27CE12FE99B6}\RP86\A0025035.dll -> Trojan.Agent.qt : Ignored.
O:\Soulseek\Download\Unsorted\SONY.SoundForge.8.0b.FULL.Include.Keymaker.PDX.zip/KEYGEN/SONYkeygen.exe -> Trojan.Pakes.edg : Ignored.
O:\System Volume Information\_restore{A3B07286-811B-4CAC-9770-E30C318740C8}\RP163\A0105022.exe -> Trojan.Pakes.edg : Ignored.


::Report end





HJT logfile

Logfile of HijackThis v1.99.1
Scan saved at 22:51:38, on 15/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\DeltTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.navreg.com/index.asp?siteid=8
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

miekiemoes
2007-05-16, 09:08
Hello,

First of all, you say you are using the Spyware doctor trial version. As you noticed, it doesn't remove anything - but it's still running in the background, using extra system resources, slowing down your system a bit more while it's useless because it doesn't remove anything.

The entry it flags is indeed a leftover from a Bzub Variant, but I see you have been using SDFix previously, so SDFix should already solve it for you.
However, SDFix doesn't remove the key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\currentversion\controlpanel\load and its subvalues.
Actually, the above key is not standard on XP and is in 99% of the cases added by malware. And if present, it should show no subvalues. In your case, since you were most probably dealing with Bzub, it contains random subvalues.
So we can safely remove it.
To remove it,

Open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\currentversion\controlpanel\load]

Save this as fix.reg (choose to save as *all files*) and place it on your desktop.
It should look like this: http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Your HijackThis log looks clean though.
But you may check and fix the next entry if you didn't set it:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.navreg.com/index.asp?siteid=8

Extra notes...


Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Jay\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jay\My Documents\Unzipped\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Potentially unwanted tool:Application/Processor Not disinfected O:\Downloads\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected O:\Downloads\SmitfraudFix.zip[SmitfraudFix/Process.exe]

You may ignore these alerts, because the above ones are parts of tools you have been using (SmitfraudFix, SDFix, ComboFix..)


C:\System Volume Information\_restore{0873BBAA-A75B-4D4F-906F-27CE12FE99B6}\RP83\A0024653.exe/keygen.exe -> Adware.Virtumonde : Ignored.
O:\System Volume Information\_restore{0873BBAA-A75B-4D4F-906F-27CE12FE99B6}\RP83\A0024625.exe/keygen.exe -> Adware.Virtumonde : Ignored.
O:\System Volume Information\_restore{0873BBAA-A75B-4D4F-906F-27CE12FE99B6}\RP86\A0024914.exe/keygen.exe -> Adware.Virtumonde : Ignored.
C:\System Volume Information\_restore{0873BBAA-A75B-4D4F-906F-27CE12FE99B6}\RP86\A0025035.dll -> Trojan.Agent.qt : Ignored.
O:\Soulseek\Download\Unsorted\SONY.SoundForge.8.0b.FULL.Include.Keymaker.PDX.zip/KEYGEN/SONYkeygen.exe -> Trojan.Pakes.edg : Ignored.
O:\System Volume Information\_restore{A3B07286-811B-4CAC-9770-E30C318740C8}\RP163\A0105022.exe -> Trojan.Pakes.edg : Ignored.

If you ignore what was found, it indeed won't delete them, so rescan again and make sure you clean them.
Also, I see you're not afraid of downloading/using illegal software, because I see you used Soulseek to download pirated software.
If you visit cracksites, use cracks, you'll ALWAYS get infected. This not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system including infecting other computers. And this all, because you visited some illegal sites.
Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead.... :(
Better to avoid this instead and change your surfing habits. Then this wouldn't have happened.

Don't forget to change your passwords as well, because the Bzub infection gathers your passwords.
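As an added example (not part of this thread and not HijackThis code), a small Python triage script that applies two of the checks miekiemoes does by hand to a few constructed lines in HijackThis v1.99 format, copied from the log above: an R1 ShellNext entry pointing at a site the owner may not recognise, and entries whose target is reported as "(file missing)". The EXPECTED_HOSTS allowlist is an assumption for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines in HijackThis format taken from the
# log posted in the thread (this script is an added example, not HJT's own code).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.navreg.com/index.asp?siteid=8
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
"""

# Every HJT entry starts with a section code (R0, O4, O23, ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Assumed allowlist: ShellNext is normally empty, so any host outside this set
# is reported for the owner to confirm, exactly as the helper asks in the thread.
EXPECTED_HOSTS = {"www.microsoft.com", "go.microsoft.com"}


def parse_line(line):
    """Return {'kind': 'R1', 'body': '...'} for an HJT entry, or None for other text."""
    m = HJT_LINE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Return a list of (section, reason) findings for the entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        kind, body = entry["kind"], entry["body"]
        if "(file missing)" in body:
            # Orphaned registration: the file it points at no longer exists.
            findings.append((kind, "orphaned entry: target file is missing"))
        elif kind == "R1" and "ShellNext" in body:
            url = body.split("=", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append((kind, f"ShellNext points at {host}; fix unless you set it"))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}")
```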

miekiemoes
2007-05-16, 09:42
sigh..

http://www.geekstogo.com/forum/Trojan-PWS-Tanspy-HJT-log-here-t158308.html
http://forums.spywareinfo.com/index.php?showtopic=99069
http://forum.malwareremoval.com/viewtopic.php?p=179043#179043

:sad:

platinum_gold
2007-05-16, 22:55
Thanks for the help Mieke

I've done the fix.reg and put it into the registry files now.

Do I need to tick/delete..
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.navreg.com/index.asp?siteid=8

in HJT ?????

What does it do exactly? I use Opera, and wish I could disable IE from opening every time I go to check my Hotmail inbox directly from MSN, because I can't stand the flaws in IE security. (Having said that, all my passwords are stored in Opera, which may be a bad thing?)

Thanks for the warning about crack sites, and yeah I never had any issues with using pirated/cracked software in nearly 10 years on the net because I've always had good anti-virus solutions but this time I was stupid enough to click on an .exe file without scanning it first. My fault.

All my data is on one hard drive and Windows is on the other, so I don't mind reformatting the other drive every few months to keep me clean. Using CCleaner and the Opera browser with ZoneAlarm and AVG is a massive help though.

Thanks again,

Jay

miekiemoes
2007-05-16, 23:32
Hi,


Do I need to tick/delete..
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.navreg.com/index.asp?siteid=8

in HJT ?????

Only if you didn't set it. It's like a registration page, but it shows blank here. It looks like it's related to http://www.acxiom.co.uk/ which you most probably recognise.
But it won't hurt to fix the above entry in HijackThis anyway. That's up to you. :)


because I can't stand the flaws in IE security

Then it's about time you update to Internet Explorer 7, which is more secure.
People are always complaining about the flaws in IE, but they forget that IE is the main browser targeted by malware, since it's the most used one.
If malware writers would mainly target other browsers like Firefox and Opera, I am sure a lot of flaws will become known there as well. But, yes, I agree, Opera and Firefox are a bit more secure to use.


Thanks for the warning about crack sites, and yeah I never had any issues with using pirated/cracked software in nearly 10 years on the net because I've always had good anti-virus solutions but this time I was stupid enough to click on an .exe file without scanning it first. My fault.

Yes, but things have changed nowadays. One single exe can download a huge malware bundle and immediately disable your Antivirus and Firewall.
Also,

but this time I was stupid enough to click on an .exe file without scanning it first

That's a wrong way of thinking. Even though you scanned it first and your Antivirus says the file is clean, it can still be malware, because after all, not all scanners do recognise all malware. Just do NOT trust any pirated/illegal software.
It's really not worth it. There are so many free alternatives, sometimes even better than the purchased ones.

Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).

platinum_gold
2007-05-17, 00:53
Thanks for all that !!

I most certainly have no idea what that http://www.navreg.com/index.asp?siteid=8 or http://www.acxiom.co.uk is, so that's been ticked for fixing in HJT.

Jay

miekiemoes
2007-05-17, 00:56
You're welcome. Now make sure you keep your computer clean. :)

Happy Surfing again!

miekiemoes
2007-05-18, 22:55
Since this issue appears resolved ... this Topic has been archived.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.