torpig.dc-cant rid it to install Panda AV&Firewall07



mdawso01
2007-06-21, 03:26
XP Professional, SP2, IBM ThinkPad
Panda Antivirus and Firewall 2007 will not install due to a PC-cillin conflict. However, I cannot uninstall PC-cillin from Add/Remove Programs as it's not installed on the PC. When I restart with the Panda Antivirus and Firewall 2007 CD in, the software scans and says that Trj/torpig.DC is in these infected files in a READ ONLY partition: A0033629.exe, A0033631.exe, and A0033632.exe.

Spybot ran in safe mode, no RED results.

HijackThis log:
Scan saved at 7:48:01 PM, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

--
End of file - 1369 bytes
++++++++++++++++++++++++++++++++++++++++++++++++++++
Combofix log:

ComboFix 07-06-18.2 - D:\ComboFix.exe
"Administrator" - 2007-06-20 21:35:58 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))


2007-06-20 20:58 52,758 --a------ C:\WINDOWS\system32\csilk.exe
2007-06-20 16:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SpywareBot
2007-06-19 22:44 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 10:37 26,752 -ra------ C:\WINDOWS\system32\drivers\ShldDrv.sys
2007-06-18 10:37 165,120 -ra------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-06-18 10:27 <DIR> d-------- C:\Program Files\Common Files\Panda Software


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-16 21:54:53 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-14 20:41:33 10,179 ----a-w C:\xx1232255.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=00000000
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1645522239-562591055-1801674531-3404\Scripts\Logon\0\0]
"Script"=logon script.bat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMGAG]
RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
S3Tray2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
%SystemRoot%\system32\mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
tp4ex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPMN]
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UC_SMB]



Contents of the 'Scheduled Tasks' folder
2003-12-21 01:33:44 C:\WINDOWS\tasks\BMMTask.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 21:37:36
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System = csubl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = C:\WINDOWS\system32\userinit.exe,

scanning hidden files ...

C:\WINDOWS\system32\csubl.exe
C:\WINDOWS\system32\dmzpm.exe

scan completed successfully
hidden files: 2

**************************************************************************

Completion time: 2007-06-20 21:38:21
C:\ComboFix-quarantined-files.txt ... 2007-06-20 21:38
C:\ComboFix2.txt ... 2007-06-20 16:27
C:\ComboFix3.txt ... 2007-06-19 23:13

--- E O F ---

thanks!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
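The catchme section of the ComboFix log above reports userland NTDLL hooks, a hidden Winlogon autostart and two hidden files. As an added example (not part of this thread and not code from ComboFix or catchme), the Python script below parses that section and turns it into findings a responder can act on: it treats the stock XP SP2 Winlogon values as the clean baseline (an assumption, kept in WINLOGON_BASELINE), flags any hidden autostart that deviates from it, and cross-references the autostart targets against the hidden-file list. The report text embedded in CATCHME_REPORT is copied from the log posted above; the section markers are the ones catchme printed there.

```python
from typing import Dict, List

# Sample input: the catchme section copied from the ComboFix log posted in this thread.
CATCHME_REPORT = r"""catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 21:37:36
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System = csubl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = C:\WINDOWS\system32\userinit.exe,

scanning hidden files ...

C:\WINDOWS\system32\csubl.exe
C:\WINDOWS\system32\dmzpm.exe

scan completed successfully
hidden files: 2
"""

# Stock XP SP2 Winlogon values used as the triage baseline (assumption: "System" is blank on a clean install).
WINLOGON_BASELINE: Dict[str, str] = {
    "System": "",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "Shell": "Explorer.exe",
}

# Lines that open each catchme section.
SECTION_MARKERS = {
    "detected NTDLL code modification:": "ntdll",
    "scanning hidden processes ...": "processes",
    "scanning hidden autostart entries ...": "autostart",
    "scanning hidden files ...": "files",
    "scan completed successfully": "done",
}


def parse_catchme(text: str) -> Dict[str, list]:
    """Split a catchme report into hooked APIs, hidden processes, autostarts and files."""
    report: Dict[str, list] = {"hooked_ntdll": [], "hidden_processes": [], "hidden_autostarts": [], "hidden_files": []}
    section = None
    pending_key = None  # registry key line waiting for its "Name = data" line
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_MARKERS:
            section = SECTION_MARKERS[line]
            continue
        if not line or section in (None, "done"):
            continue  # banner lines and the trailing summary carry nothing to parse
        if section == "ntdll":
            report["hooked_ntdll"].extend(f.strip() for f in line.split(","))
        elif section == "processes":
            report["hidden_processes"].append(line)
        elif section == "autostart":
            if line.startswith("HK"):
                pending_key = line  # the next line holds the value under this key
            elif pending_key is not None:
                name, _, data = line.partition("=")
                report["hidden_autostarts"].append((pending_key, name.strip(), data.strip()))
        elif section == "files":
            report["hidden_files"].append(line)
    return report


def triage(report: Dict[str, list]) -> List[str]:
    """Turn the parsed report into findings a responder can act on."""
    findings: List[str] = []
    if report["hooked_ntdll"]:
        findings.append("NTDLL hooks on " + ", ".join(report["hooked_ntdll"])
                        + ": registry and directory listings taken inside Windows are "
                        "untrustworthy; confirm with an offline (boot CD) scan")
    hidden_names = {p.rsplit("\\", 1)[-1].lower() for p in report["hidden_files"]}
    referenced = set()  # basenames launched by a suspicious hidden autostart
    for key, name, data in report["hidden_autostarts"]:
        expected = WINLOGON_BASELINE.get(name)
        if expected is not None and data.lower() == expected.lower():
            continue  # matches the clean baseline, nothing to report
        base = data.rsplit("\\", 1)[-1].lower()
        referenced.add(base)
        note = f"hidden autostart {key}\\{name} = {data!r}"
        if base in hidden_names:
            note += " (launches a hidden file)"
        findings.append(note)
    for path in report["hidden_files"]:
        base = path.rsplit("\\", 1)[-1].lower()
        tag = "referenced by a hidden autostart" if base in referenced else "no autostart reference seen"
        findings.append(f"hidden file {path} ({tag})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_catchme(CATCHME_REPORT)):
        print("-", finding)
```

Run the file directly to print the four findings for this log. The NTDLL finding is the one that explains the rest of the thread: with ZwQueryDirectoryFile and the registry enumeration calls hooked, Explorer, regedit and HijackThis running inside the infected Windows cannot be relied on to show csubl.exe or the Winlogon\System value, which is why a log taken from inside Windows can look clean while an offline boot-CD scan finds the files.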

mdawso01
2007-06-21, 12:44
To further clarify the above:
Panda in Safe disk says the following files in read only partition have Trj/torpig.dc
../RP138/A0033629.exe
../RP138/A0033631.dll
../RP138/A0033632.dll

pskelley
2007-06-30, 14:47
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

If you have waited FOUR days for advice post here.
http://forums.spybot.info/showthread.php?t=1137

You seem to have missed all of the above instructions? If your issues are not resolved, read and follow the directions. If they are, please let me know so I can close the topic.

1) The HJT log is strange, missing items from the middle of the HJT log. Look at other posted logs to see what I mean. Have you manually or otherwise removed items from the HJT list?

2) Post a new HJT log, do not post anything that is not requested.

3) Where does Panda say those files are located? What is the pathway to them?

Thanks

tashi
2007-07-09, 08:09
This topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.