
HELP! AV system virus

This is a discussion on HELP! AV system virus within the Inactive Malware Help Topics forums, part of the Tech Support Forum category.

Old 03-01-2008, 05:49 AM   #1
Guest
 
Join Date: Mar 2008
Posts: 9
OS:



Hi, I caught the AV system virus and used the free SuperAntiSpyware to remove all the infected files. However, although the pop-ups have now gone, the system is running extremely slowly: it took 45 minutes to boot up, and it will not allow me to view many websites like Hotmail, Facebook, eBay etc. and just freezes.

Please help!

I am using Windows 2000 on an IBM laptop.
Old 03-01-2008, 08:35 AM   #2
Guest
 
Join Date: Mar 2008
Posts: 9
OS:



main.txt log

Deckard's System Scanner v20071014.68
Backed up registry hives.
Performed disk cleanup.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:35 PM, on 3/1/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\system32\RunDll32.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\rkerr\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\rkerr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = mirs Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.vmware.com:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = mylearn1.vmware.com;mylearn2.vmware.com;*.emc.com;*.legato.com;*.documentum.com;*.dg.com;emc.com;legato.com;documentum.com;dg.com;vmweb.vmware.com;www.vmware.com;;;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=https://avsystemcare.com ad=https://avsystemcare.com sd=https://ykeeper.avsystemcare.com
O4 - HKLM\..\Run: [3f3f145f] rundll32.exe "C:\WINNT\system32\mprqawvi.dll",b
O4 - HKLM\..\Run: [BM3c0c27c3] Rundll32.exe "C:\WINNT\system32\blikxjbd.dll",s
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://www.supanet.com/
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - https://www6.king.com/ctl/kingcomie.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - https://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://www.update.microsoft.com/wind...?1204387249090
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - https://download.abacast.com/download...basetup151.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vmware.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vmware.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINNT\system32\lxbscoms.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 10058 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,3
.js - JSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
.vbs - VBSFile - DefaultIcon - C:\WINNT\System32\WScript.exe,2
.vbs - VBSFile - shell\open\command - C:\WINNT\System32\WScript.exe "%1" %*
.vbs - VBSFile - shell\edit\command - C:\WINNT\System32\Notepad.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 NaiFsRec - c:\winnt\system32\drivers\naifsrec.sys
R1 IBMTPCHK - c:\winnt\system32\drivers\ibmbldid.sys
R1 NEOFLTR_530_11159 (Juniper Networks TDI Filter Driver (NEOFLTR_530_11159)) - c:\winnt\system32\drivers\neofltr_530_11159.sys <Not Verified; Neoteris; Secure Application Manager>
R1 Smapint - c:\winnt\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R1 TDSMAPI - c:\winnt\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\winnt\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\winnt\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R2 ASCTRM - c:\winnt\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 PMEM - c:\winnt\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R2 PRPC - c:\winnt\system32\drivers\prpc.sys <Not Verified; Intel Corp.; Intel(R) SpeedStep(TM) technology Applet>
R3 NaiFiltr - c:\program files\common files\network associates\mcshield\naifiltr.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S1 wceusbsh (Windows CE USB Serial Host Driver) - c:\winnt\system32\drivers\wceusbsh.sys <Not Verified; Microsoft Corporation; Windows CE USB Serial Host Driver>
S3 dx32cxel - c:\winnt\system32\dx32cxel.sys (file missing)
S3 EGATHDRV (IBM Access Support) - c:\winnt\system32\egathdrv.sys <Not Verified; IBM Corporation; IBM eGatherer>
S3 prepdrvr (SMS Process Event Driver) - c:\winnt\system32\ccm\prepdrv.sys <Not Verified; Microsoft Corporation; Systems Management Server>
S3 wanatw (WAN Miniport (ATW)) - c:\winnt\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AvSynMgr (AVSync Manager) - "c:\program files\network associates\virusscan\avsynmgr.exe"
R2 CcmExec (SMS Agent Host) - c:\winnt\system32\ccm\ccmexec.exe <Not Verified; Microsoft Corporation; Systems Management Server>
R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>
R2 QCONSVC - system32\qconsvc.exe

S3 lxbs_device - c:\winnt\system32\lxbscoms.exe -service <Not Verified; Lexmark International, Inc.; Lexmark Communication System>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems SSL VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems SSL VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CSVirtA


-- Scheduled Tasks -------------------------------------------------------------

2008-03-01 15:47:50 362 --a------ C:\WINNT\Tasks\BMMTask.job
2008-02-28 16:00:04 388 --ah----- C:\WINNT\Tasks\{8F087435-9E5C-4239-BD15-892ABD1A7AC5}_VMWAREM_rkerr.job
2008-02-25 16:21:12 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job
2008-02-25 09:31:50 270 --a------ C:\WINNT\Tasks\Scheduled Snapshot.job
2008-02-22 16:00:04 388 --ah----- C:\WINNT\Tasks\{3FF860B2-A615-486A-9848-FCB51C4128E7}_VMWAREM_rkerr.job
2008-02-22 09:00:04 388 --ah----- C:\WINNT\Tasks\{2CBDB50C-70B2-4DFC-82BB-C7831932C2C3}_VMWAREM_rkerr.job


-- Files created between 2008-02-01 and 2008-03-01 -----------------------------

2008-03-01 16:26:13 0 d-------- C:\Program Files\Trend Micro
2008-03-01 16:21:52 0 d-------- C:\Documents and Settings\rkerr\Application Data\Mozilla
2008-03-01 16:05:22 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-01 16:05:14 0 d-------- C:\Program Files\SpywareBlaster
2008-03-01 16:01:02 0 d-------- C:\WINNT\SoftwareDistribution
2008-03-01 14:11:54 44928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-03-01 13:56:26 0 d-------- C:\WINNT\system32\ActiveScan
2008-02-29 21:04:05 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-29 21:03:54 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-29 21:03:54 0 d-------- C:\Documents and Settings\rkerr\Application Data\SUPERAntiSpyware.com
2008-02-29 21:03:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 19:44:47 82496 --a------ C:\WINNT\system32\mprqawvi.dll
2008-02-29 19:41:46 91712 --a------ C:\WINNT\system32\blikxjbd.dll
2008-02-29 19:38:46 199279 --ahs---- C:\WINNT\system32\sssut.ini2
2008-02-29 11:38:57 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4e8.dat
2008-02-29 11:02:40 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_690.dat
2008-02-29 10:35:22 91712 --a------ C:\WINNT\system32\otrixwrt.dll
2008-02-28 17:30:12 0 d-------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-28 17:19:58 0 d-------- C:\WINNT\system32\iDlo01
2008-02-28 17:19:57 0 d-------- C:\Temp
2008-02-27 11:33:59 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_620.dat
2008-02-25 16:23:34 0 d-------- C:\Documents and Settings\rkerr\Application Data\Apple Computer
2008-02-25 16:23:03 0 d-------- C:\Program Files\iPod
2008-02-25 16:22:50 0 d-------- C:\Program Files\iTunes
2008-02-25 16:21:41 0 d-------- C:\Program Files\QuickTime
2008-02-25 16:21:00 0 d-------- C:\Program Files\Apple Software Update
2008-02-25 16:21:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-02-25 16:20:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-23 11:40:59 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_660.dat
2008-02-22 21:19:38 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_64c.dat
2008-02-05 13:21:06 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_628.dat


-- Find3M Report ---------------------------------------------------------------

2008-01-28 14:33:44 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_61c.dat
2008-01-20 10:39:58 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3cc.dat
2008-01-20 10:39:42 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_630.dat
2008-01-09 18:03:00 0 d-------- C:\Documents and Settings\rkerr\Application Data\Google
2008-01-09 18:02:32 0 d-------- C:\Program Files\Google
2008-01-07 19:16:46 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6b8.dat
2008-01-01 13:03:30 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_688.dat
2007-12-27 11:14:30 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_694.dat
2007-12-23 13:36:26 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_578.dat
2007-12-22 22:56:18 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3d0.dat
2007-12-19 11:02:30 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3e0.dat
2007-12-13 20:28:58 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3d4.dat
2007-12-03 10:26:50 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6c4.dat
2007-12-01 10:12:26 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6c8.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [06/25/02 05:06p]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/25/02 05:04p]
"ATIModeChange"="Ati2mdxx.exe" [09/04/01 01:24p C:\WINNT\system32\Ati2mdxx.exe]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
"PRPCMonitor"="PRPCUI.exe" [03/25/02 02:30p C:\WINNT\system32\prpcui.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [06/28/02 03:10p]
"TP4EX"="tp4ex.exe" [02/22/02 01:04a C:\WINNT\system32\TP4EX.exe]
"TPTRAY"="C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [06/28/02 01:30a]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [06/28/02 01:30a]
"AGRSMMSG"="AGRSMMSG.exe" [06/27/03 08:53a C:\WINNT\AGRSMMSG.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [07/15/02 02:20a]
"UC_SMB"="" []
"Tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [11/07/01 02:50a]
"ConfigSafe"="C:\CFGSAFE\NTFSCLUP.EXE" [05/18/01 03:17p]
"CSScheduleCheck"="C:\CFGSAFE\SCHWIZEX.exe" [05/03/01 04:03p]
"EPSON Stylus C42 Series"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [07/01/02 03:05a]
"DSLSTATEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [06/28/03 05:10p]
"DSLAGENTEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [08/19/03 02:47p]
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe" [05/06/03 09:28a]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [06/25/04 09:12p]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/27/07 09:41a]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [06/07/03 11:32a]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [07/15/02 02:20a]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/27/07 08:14p]
"bm(1)"="C:\Program Files\Common Files\AVSystemCare\bm.exe" []
"3f3f145f"="C:\WINNT\system32\mprqawvi.dll" [02/29/08 07:44p]
"BM3c0c27c3"="C:\WINNT\system32\blikxjbd.dll" [02/29/08 07:41p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [06/26/01 03:23a]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [08/17/04 05:44p]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [09/04/07 04:40p]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [01/27/08 01:40p]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [02/28/08 02:23p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check.lnk - C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [10/22/1999 1:10:00 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1DD7CBED-2F05-11D3-A521-00400514C916}"= C:\CFGSAFE\CSHOOK.DLL [06/07/02 01:14p 114688]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 12:55p 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 12:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\tusss.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

*Newly Created Service* - QAUXFNGBLOOO
*Newly Created Service* - RKPAVPROC
*Newly Created Service* - SDTHOOK



-- End of Deckard's System Scanner: finished at 2008-03-01 16:27:36 ------------
Attached Files
File Type: txt extra.txt (13.5 KB, 16 views)
File Type: txt Activescan.txt (79.8 KB, 16 views)
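As an added illustration (not part of the thread and not code from HijackThis, DSS or ComboFix), the following script automates the reading a malware helper does on the log above: it parses the O4 Run entries and the DSS "Files created" list and flags the patterns that stand out in this post. The sample lines are copied from the posted log; the regexes, heuristics and function names are my own.

```python
"""Triage HijackThis O4 autorun entries against a DSS 'Files created' list.

Added example. Heuristics: rundll32 loading a system32 DLL through a
one-letter export, random hex value names, URLs on a Run command line,
and a target file that appeared on disk only days before the scan.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: O4 lines copied from the HijackThis log posted above.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [bm(1)] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=https://avsystemcare.com ad=https://avsystemcare.com sd=https://ykeeper.avsystemcare.com
O4 - HKLM\..\Run: [3f3f145f] rundll32.exe "C:\WINNT\system32\mprqawvi.dll",b
O4 - HKLM\..\Run: [BM3c0c27c3] Rundll32.exe "C:\WINNT\system32\blikxjbd.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"""

# Constructed sample: lines from the DSS "Files created" section of the same post.
DSS_CREATED_SAMPLE = r"""
2008-03-01 14:11:54 44928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda Antivirus>
2008-02-29 19:44:47 82496 --a------ C:\WINNT\system32\mprqawvi.dll
2008-02-29 19:41:46 91712 --a------ C:\WINNT\system32\blikxjbd.dll
2008-02-29 10:35:22 91712 --a------ C:\WINNT\system32\otrixwrt.dll
"""

# "Scan saved at 4:26:35 PM, on 3/1/2008" from the HijackThis header above.
SCAN_TIME = datetime(2008, 3, 1, 16, 26, 35)

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?(?:,(?P<export>\S+))?',
                       re.IGNORECASE)
# Value names seen in the log: eight hex digits, optionally prefixed "BM".
HEX_NAME_RE = re.compile(r'(?:BM)?[0-9a-f]{8}', re.IGNORECASE)
CREATED_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+\S+\s+'
                        r'(?P<path>.+?)(?:\s+<[^>]*>)?$')
IMAGE_RE = re.compile(r'(?P<img>\S.*?\.(?:exe|dll|com|scr))\b', re.IGNORECASE)


def parse_o4(text):
    """Return one dict (hive, name, cmd) per O4 Run entry in a HijackThis log."""
    return [m.groupdict() for m in (O4_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_created(text):
    """Map lower-cased path -> creation time from a DSS 'Files created' block."""
    created = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            created[m.group('path').lower()] = datetime.strptime(m.group('ts'), '%Y-%m-%d %H:%M:%S')
    return created


def target_of(cmd):
    """Image a Run value starts: the quoted path, else the first token ending in an exe-like suffix."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group('img') if m else (cmd.split()[0] if cmd else '')


def triage(entries, created, scan_time, window=timedelta(days=7)):
    """Return the entries that trip at least one heuristic, with the reasons."""
    findings = []
    for e in entries:
        reasons = []
        m = RUNDLL_RE.match(e['cmd'])
        if m:
            target = m.group('dll')
            if '\\system32\\' in target.lower() and len(m.group('export') or '') <= 1:
                reasons.append('rundll32 loads a system32 DLL through a one-letter export')
        else:
            target = target_of(e['cmd'])
        if HEX_NAME_RE.fullmatch(e['name']):
            reasons.append('value name is a random-looking hex string')
        if re.search(r'https?://', e['cmd'], re.IGNORECASE):
            reasons.append('command line carries URLs as arguments')
        ts = created.get(target.lower())
        if ts is not None and timedelta(0) <= scan_time - ts <= window:
            reasons.append(f'target created {ts:%Y-%m-%d %H:%M}, within {window.days} days of the scan')
        if reasons:
            findings.append({'name': e['name'], 'target': target, 'reasons': reasons})
    return findings


def triage_log(hjt_text, dss_text, scan_time):
    """Convenience wrapper: parse both logs and run the triage."""
    return triage(parse_o4(hjt_text), parse_created(dss_text), scan_time)


if __name__ == '__main__':
    for f in triage_log(HJT_SAMPLE, DSS_CREATED_SAMPLE, SCAN_TIME):
        print(f"[{f['name']}] {f['target']}")
        for r in f['reasons']:
            print('   -', r)
```

On the sample above the two random-named DLLs trip three heuristics each and the AVSystemCare entry one, while the legitimate ThinkPad rundll32 entry is left alone.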
Old 03-02-2008, 03:00 PM   #3
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A



1. Download & save this file to DESKTOP - https://download.bleepingcomputer.com...+/ComboFix.exe

2. Double click to run it

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Old 03-03-2008, 01:10 PM   #4
Guest
 
Join Date: Mar 2008
Posts: 9
OS:



Many thanks - here are the logs:

ComboFix 08-03-03.16 - rkerr 03/03/2008 20:57:46.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.233 [GMT 0:00]
Running from: C:\Documents and Settings\rkerr\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
C:\WINNT\cookies.ini
C:\WINNT\pskt.ini
C:\WINNT\system32\ivwaqrpm.ini
C:\WINNT\system32\jueibgbh.ini
C:\WINNT\system32\mprqawvi.dll
C:\WINNT\system32\otrixwrt.dll
C:\WINNT\system32\pac.txt
C:\WINNT\system32\sssut.ini
C:\WINNT\system32\sssut.ini2
C:\WINNT\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://pa
.
((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-03 19:21 . 08-03-03 19:21 <DIR> d-------- C:\WINNT\system32\color
2008-03-03 19:21 . 08-03-03 19:21 <DIR> d-------- C:\WINNT\system32\BWKDLogs
2008-03-03 19:21 . 08-03-03 19:21 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-03-03 19:21 . 08-03-03 19:21 <DIR> d-------- C:\KPCMS
2008-03-03 19:20 . 08-03-03 19:20 <DIR> d-------- C:\Program Files\Kodak
2008-03-03 19:20 . 08-03-03 19:20 20 --a------ C:\WINNT\'–¯
2008-03-03 19:18 . 08-03-03 19:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2008-03-01 18:30 . 08-03-01 18:30 <DIR> d-------- C:\Program Files\RegCure
2008-03-01 16:26 . 08-03-01 16:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 16:20 . 08-03-01 16:20 <DIR> d-------- C:\Deckard
2008-03-01 16:05 . 08-03-01 16:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-01 16:05 . 08-03-01 16:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-03-01 16:02 . 07-07-30 19:19 549,720 --a------ C:\WINNT\system32\wuapi.dll
2008-03-01 16:02 . 07-07-30 19:19 325,976 --a------ C:\WINNT\system32\wucltui.dll
2008-03-01 16:02 . 07-07-30 19:19 43,352 --a------ C:\WINNT\system32\wups2.dll
2008-03-01 16:02 . 07-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2008-03-01 16:02 . 07-07-30 19:18 33,624 --a------ C:\WINNT\system32\wups.dll
2008-03-01 16:02 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2008-03-01 16:02 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2008-03-01 16:02 . 07-07-30 19:18 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2008-03-01 14:11 . 07-06-05 10:56 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
2008-03-01 13:56 . 08-03-01 13:56 <DIR> d-------- C:\WINNT\system32\ActiveScan
2008-03-01 13:56 . 08-03-01 13:56 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-03-01 13:56 . 08-03-01 13:56 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-03-01 13:56 . 08-03-01 13:56 1,406 --a------ C:\WINNT\system32\Help.ico
2008-02-29 21:04 . 08-02-29 21:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2008-02-29 21:03 . 08-02-29 21:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-29 21:03 . 08-02-29 21:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 21:03 . 08-02-29 21:03 <DIR> d-------- C:\Documents and Settings\rkerr\Application Data\SUPERAntiSpyware.com
2008-02-28 17:30 . 08-02-28 17:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMon
2008-02-28 17:29 . 04-10-07 13:39 89,088 --a------ C:\WINNT\system32\atl71.dll
2008-02-28 17:25 . 08-02-29 19:19 318 --ahs---- C:\WINNT\system32\uvuvw.ini
2008-02-28 17:19 . 08-02-28 17:20 <DIR> d-------- C:\WINNT\system32\iDlo01
2008-02-28 17:19 . 08-02-28 17:19 <DIR> d-------- C:\Temp\sanR24
2008-02-28 17:19 . 08-02-28 17:19 <DIR> d-------- C:\Temp
2008-02-25 16:25 . 08-02-25 16:25 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-02-25 16:25 . 08-02-25 16:25 1,409 --a------ C:\WINNT\QTFont.for
2008-02-25 16:23 . 08-02-25 16:23 <DIR> d-------- C:\Program Files\iPod
2008-02-25 16:23 . 08-02-25 16:23 <DIR> d-------- C:\Documents and Settings\rkerr\Application Data\Apple Computer
2008-02-25 16:22 . 08-02-25 16:22 <DIR> d-------- C:\Program Files\iTunes
2008-02-25 16:21 . 08-02-25 16:21 <DIR> d-------- C:\Program Files\QuickTime
2008-02-25 16:21 . 08-02-25 16:21 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-25 16:21 . 08-02-25 16:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2008-02-25 16:20 . 08-02-25 16:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 18:02 --------- d-----w C:\Program Files\Google
2003-01-23 08:25 271 ---h--w C:\Program Files\desktop.ini
2003-01-23 08:25 21,952 ---h--w C:\Program Files\folder.htt
.
Files Infected - Win32.Agent.zb
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [01-06-26 03:23 401493]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [04-08-17 17:44 10039488]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [07-09-04 16:40 6856704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08-01-27 13:40 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-02-28 14:23 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02-06-25 17:06 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02-06-25 17:04 442368]
"ATIModeChange"="Ati2mdxx.exe" [01-09-04 13:24 28672 C:\WINNT\system32\Ati2mdxx.exe]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"PRPCMonitor"="PRPCUI.exe" [02-03-25 14:30 43008 C:\WINNT\system32\prpcui.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [02-06-28 15:10 86016]
"TP4EX"="tp4ex.exe" [02-02-22 01:04 40960 C:\WINNT\system32\TP4EX.exe]
"TPTRAY"="C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [02-06-28 01:30 48640]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [02-06-28 01:30 64000]
"AGRSMMSG"="AGRSMMSG.exe" [03-06-27 08:53 88363 C:\WINNT\AGRSMMSG.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [02-07-15 02:20 49152]
"UC_SMB"="" []
"Tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [01-11-07 02:50 1519616]
"ConfigSafe"="C:\CFGSAFE\NTFSCLUP.EXE" [01-05-18 15:17 40960]
"CSScheduleCheck"="C:\CFGSAFE\SCHWIZEX.exe" [01-05-03 16:03 65536]
"EPSON Stylus C42 Series"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [02-07-01 03:05 74752]
"DSLSTATEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [03-06-28 17:10 1658965]
"DSLAGENTEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [03-08-19 14:47 16384]
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe" [03-05-06 09:28 72192]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [04-06-25 21:12 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 282624]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [03-06-07 11:32 50688]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [02-07-15 02:20 491520]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 271672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
EPSON Status Monitor 3 Environment Check.lnk - C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [1999-10-22 01:10:00 217600]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-08-25 17:01:14 614536]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-06-08 17:48:18 16432]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1DD7CBED-2F05-11D3-A521-00400514C916}"= C:\CFGSAFE\CSHOOK.DLL [02-06-07 13:14 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys [01-04-30 04:51 ]
R1 IBMTPCHK;IBMTPCHK;C:\WINNT\system32\drivers\IBMBLDID.SYS [02-07-15 02:20 ]
R1 NEOFLTR_530_11159;Juniper Networks TDI Filter Driver (NEOFLTR_530_11159);C:\WINNT\system32\Drivers\NEOFLTR_530_11159.SYS [06-09-15 06:10 ]
R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys [02-06-28 01:30 ]
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe" [01-11-26 16:51 ]
R2 CcmExec;SMS Agent Host;C:\WINNT\system32\CCM\CcmExec.exe [03-10-08 03:08 ]
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys [01-11-28 14:20 ]
R2 ptssvc;ptssvc;C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe [03-08-25 16:25 ]
R3 PCX504;Cisco Systems Wireless LAN Adapter Driver;C:\WINNT\system32\DRIVERS\PCX504.sys [03-02-14 16:15 ]
R3 PPPoEWin;PPPoEWin Miniport;C:\WINNT\system32\DRIVERS\PPPoEWin.SYS [03-09-25 16:52 ]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINNT\system32\DRIVERS\CSVirtA.sys [05-09-16 19:28 ]
S3 dx32cxel;dx32cxel;C:\WINNT\system32\dx32cxel.sys []
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINNT\system32\DRIVERS\el575nd5.sys [99-10-19 14:50 ]
S3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINNT\system32\DRIVERS\glausb.sys [03-08-15 14:56 ]
S3 prepdrvr;SMS Process Event Driver;C:\WINNT\system32\CCM\prepdrv.sys [03-09-07 02:50 ]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-03-03 21:04:55
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\system32\Ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-03-03 2133 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 2130

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:11, on 2008-03-03
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.vmware.com:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = mylearn1.vmware.com;mylearn2.vmware.com;*.emc.com;*.legato.com;*.documentum.com;*.dg.com;emc.com;legato.com;documentum.com;dg.com;vmweb.vmware.com;www.vmware.com;;;<local>;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://www.supanet.com/
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - https://www6.king.com/ctl/kingcomie.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - https://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://www.update.microsoft.com/wind...?1204387249090
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - https://download.abacast.com/download...basetup151.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vmware.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vmware.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINNT\system32\lxbscoms.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 9339 bytes
carolineakerr is offline  
Old 03-03-2008, 01:22 PM   #5
TSF Security Team
Emeritus
Join Date: May 2005
Posts: 26,363
OS: N/A



Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
"C:\WINNT\'-_"
Folder::
C:\DOCUME~1\ALLUSE~1\Applic~1\SalesMon
C:\WINNT\system32\uvuvw.ini
C:\WINNT\system32\iDlo01
C:\Temp\sanR24
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UC_SMB"=-
Save this as "CFScript"




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit https://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________

sUBs is offline  
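The workflow in the post above (a CFScript that tells ComboFix which files, folders and Run values to remove, followed by a fresh HijackThis log to confirm the result) can be checked mechanically instead of by eye. The Python script below is an added example for this thread, not code from the thread, from ComboFix or from HijackThis: it parses the File::/Folder::/Registry:: directives of a CFScript, diffs the process list and typed entries of two HijackThis logs, and reports whether the Run values the script targeted are gone from the later log. The two sample logs are constructed in the HijackThis v2 layout seen in this thread; the CFScript is abridged from the one posted above; the path `EXAMPLE_SUSPECT.exe` is a placeholder and not a file from the page.

```python
import re
from typing import Dict, List, Set

# One typed HijackThis entry, e.g. "R0 - ...", "O4 - ...", "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.+)$")
# O4 autostart entry: group 1 is the Run/RunOnce key, group 2 the value name in [brackets].
RUN_RE = re.compile(r"^O4 - HK\S*?\\(Run\w*): \[([^\]]+)\]")


def parse_hjt(text: str) -> Dict[str, Set[str]]:
    """Split a HijackThis log into its running-process list and its typed entries.
    Process paths are lower-cased: HijackThis reports the same binary in mixed case
    (iexplore.exe vs IEXPLORE.EXE) and those must compare equal."""
    processes: Set[str] = set()
    entries: Set[str] = set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.add(line.lower())
            else:
                in_procs = False  # the first blank line ends the process list
            continue
        if ENTRY_RE.match(line):
            entries.add(line)
    return {"processes": processes, "entries": entries}


def diff_hjt(before: str, after: str) -> Dict[str, List[str]]:
    """Entries and processes that disappeared or appeared between two logs."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "entries_removed": sorted(b["entries"] - a["entries"]),
        "entries_added": sorted(a["entries"] - b["entries"]),
        "processes_removed": sorted(b["processes"] - a["processes"]),
        "processes_added": sorted(a["processes"] - b["processes"]),
    }


def parse_cfscript(text: str) -> Dict[str, list]:
    """Read File::, Folder:: and Registry:: directives. In Registry::, a line
    "Name"=- under a [KEY] header deletes that value (REGEDIT4 syntax)."""
    out: Dict[str, list] = {"files": [], "folders": [], "registry_deletes": []}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            section = line[:-2].lower()
        elif section == "file":
            out["files"].append(line.strip('"'))
        elif section == "folder":
            out["folders"].append(line)
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
            else:
                m = re.match(r'^"([^"]+)"=-$', line)
                if m and key:
                    out["registry_deletes"].append((key, m.group(1)))
    return out


def run_values(entries: Set[str]) -> Set[str]:
    """Names of the O4 autostart values present in a parsed HijackThis log."""
    return {m.group(2) for e in entries for m in [RUN_RE.match(e)] if m}


def verify_fix(cfscript: str, before: str, after: str) -> Dict[str, List[str]]:
    """Did the Run values the CFScript targeted actually vanish in the fresh log?"""
    targets = {name for _, name in parse_cfscript(cfscript)["registry_deletes"]}
    b = run_values(parse_hjt(before)["entries"])
    a = run_values(parse_hjt(after)["entries"])
    return {
        "removed": sorted((targets & b) - a),
        "still_present": sorted(targets & a),
        "not_in_before": sorted(targets - b),  # script named a value the old log never showed
    }


# Constructed sample logs in the HijackThis v2 layout; EXAMPLE_SUSPECT.exe is a placeholder.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\internet explorer\iexplore.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [UC_SMB] C:\WINNT\system32\EXAMPLE_SUSPECT.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""
AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - https://www.kaspersky.com/kos/eng/par...an_unicode.cab
"""
# Abridged from the CFScript posted in this thread.
CFSCRIPT = r"""File::
"C:\WINNT\'-_"
Folder::
C:\DOCUME~1\ALLUSE~1\Applic~1\SalesMon
C:\WINNT\system32\uvuvw.ini
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UC_SMB"=-
"""

if __name__ == "__main__":
    for k, v in diff_hjt(BEFORE_LOG, AFTER_LOG).items():
        print(k, v)
    print(verify_fix(CFSCRIPT, BEFORE_LOG, AFTER_LOG))
```

Matching on the Run value name rather than the full O4 line is deliberate: the CFScript names the registry value, while HijackThis prints the value together with its command line, which can change between logs even when the value itself is untouched.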
Old 03-04-2008, 07:18 AM   #6
Guest
 
Join Date: Mar 2008
Posts: 9
OS:



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\Applic~1\SalesMon
C:\Temp\sanR24
C:\WINNT\system32\iDlo01
C:\WINNT\system32\uvuvw.ini\

.
((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-04 11:20 . 08-03-04 11:20 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_6c0.dat
2008-03-04 11:20 . 08-03-04 11:20 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_3dc.dat
2008-03-03 19:21 . 08-03-03 19:21 <DIR> d-------- C:\WINNT\system32\color
2008-03-03 19:21 . 08-03-03 19:21 <DIR> d-------- C:\WINNT\system32\BWKDLogs
2008-03-03 19:21 . 08-03-03 19:21 <DIR> d-------- C:\Program Files\Common Files\Kodak
2008-03-03 19:21 . 08-03-03 19:21 <DIR> d-------- C:\KPCMS
2008-03-03 19:20 . 08-03-03 19:20 <DIR> d-------- C:\Program Files\Kodak
2008-03-03 19:20 . 08-03-03 19:20 20 --a------ C:\WINNT\´û»
2008-03-03 19:18 . 08-03-03 19:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2008-03-01 18:30 . 08-03-01 18:30 <DIR> d-------- C:\Program Files\RegCure
2008-03-01 16:26 . 08-03-01 16:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-01 16:20 . 08-03-01 16:20 <DIR> d-------- C:\Deckard
2008-03-01 16:05 . 08-03-01 16:05 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-01 16:05 . 08-03-01 16:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2008-03-01 16:02 . 07-07-30 19:19 549,720 --a------ C:\WINNT\system32\wuapi.dll
2008-03-01 16:02 . 07-07-30 19:19 325,976 --a------ C:\WINNT\system32\wucltui.dll
2008-03-01 16:02 . 07-07-30 19:19 43,352 --a------ C:\WINNT\system32\wups2.dll
2008-03-01 16:02 . 07-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2008-03-01 16:02 . 07-07-30 19:18 33,624 --a------ C:\WINNT\system32\wups.dll
2008-03-01 16:02 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2008-03-01 16:02 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2008-03-01 16:02 . 07-07-30 19:18 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2008-03-01 14:11 . 07-06-05 10:56 44,928 --a------ C:\WINNT\system32\drivers\SDTHOOK.SYS
2008-03-01 13:56 . 08-03-01 13:56 <DIR> d-------- C:\WINNT\system32\ActiveScan
2008-03-01 13:56 . 08-03-01 13:56 30,590 --a------ C:\WINNT\system32\pavas.ico
2008-03-01 13:56 . 08-03-01 13:56 2,550 --a------ C:\WINNT\system32\Uninstall.ico
2008-03-01 13:56 . 08-03-01 13:56 1,406 --a------ C:\WINNT\system32\Help.ico
2008-02-29 21:04 . 08-02-29 21:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2008-02-29 21:03 . 08-02-29 21:03 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-29 21:03 . 08-02-29 21:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-29 21:03 . 08-02-29 21:03 <DIR> d-------- C:\Documents and Settings\rkerr\Application Data\SUPERAntiSpyware.com
2008-02-28 17:29 . 04-10-07 13:39 89,088 --a------ C:\WINNT\system32\atl71.dll
2008-02-28 17:25 . 08-02-29 19:19 318 --ahs---- C:\WINNT\system32\uvuvw.ini
2008-02-28 17:19 . 08-02-28 17:19 <DIR> d-------- C:\Temp
2008-02-25 16:25 . 08-02-25 16:25 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-02-25 16:25 . 08-02-25 16:25 1,409 --a------ C:\WINNT\QTFont.for
2008-02-25 16:23 . 08-02-25 16:23 <DIR> d-------- C:\Program Files\iPod
2008-02-25 16:23 . 08-02-25 16:23 <DIR> d-------- C:\Documents and Settings\rkerr\Application Data\Apple Computer
2008-02-25 16:22 . 08-02-25 16:22 <DIR> d-------- C:\Program Files\iTunes
2008-02-25 16:21 . 08-02-25 16:21 <DIR> d-------- C:\Program Files\QuickTime
2008-02-25 16:21 . 08-02-25 16:21 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-25 16:21 . 08-02-25 16:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2008-02-25 16:20 . 08-02-25 16:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 18:02 --------- d-----w C:\Program Files\Google
2003-01-23 08:25 271 ---h--w C:\Program Files\desktop.ini
2003-01-23 08:25 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
Files Infected - Win32.Agent.zb
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [01-06-26 03:23 401493]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [04-08-17 17:44 10039488]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [07-09-04 16:40 6856704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08-01-27 13:40 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [08-03-04 11:22 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [02-06-25 17:06 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [02-06-25 17:04 442368]
"ATIModeChange"="Ati2mdxx.exe" [01-09-04 13:24 28672 C:\WINNT\system32\Ati2mdxx.exe]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"PRPCMonitor"="PRPCUI.exe" [02-03-25 14:30 43008 C:\WINNT\system32\prpcui.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [02-06-28 15:10 86016]
"TP4EX"="tp4ex.exe" [02-02-22 01:04 40960 C:\WINNT\system32\TP4EX.exe]
"TPTRAY"="C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [02-06-28 01:30 48640]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [02-06-28 01:30 64000]
"AGRSMMSG"="AGRSMMSG.exe" [03-06-27 08:53 88363 C:\WINNT\AGRSMMSG.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [02-07-15 02:20 49152]
"Tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [01-11-07 02:50 1519616]
"ConfigSafe"="C:\CFGSAFE\NTFSCLUP.EXE" [01-05-18 15:17 40960]
"CSScheduleCheck"="C:\CFGSAFE\SCHWIZEX.exe" [01-05-03 16:03 65536]
"EPSON Stylus C42 Series"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [02-07-01 03:05 74752]
"DSLSTATEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [03-06-28 17:10 1658965]
"DSLAGENTEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [03-08-19 14:47 16384]
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe" [03-05-06 09:28 72192]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [04-06-25 21:12 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [07-04-27 09:41 282624]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [03-06-07 11:32 50688]
"QCTray"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe" [02-07-15 02:20 491520]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07-07-27 20:14 271672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
EPSON Status Monitor 3 Environment Check.lnk - C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [1999-10-22 01:10:00 217600]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-08-25 17:01:14 614536]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-06-08 17:48:18 16432]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1DD7CBED-2F05-11D3-A521-00400514C916}"= C:\CFGSAFE\CSHOOK.DLL [02-06-07 13:14 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys [01-04-30 04:51 ]
R1 IBMTPCHK;IBMTPCHK;C:\WINNT\system32\drivers\IBMBLDID.SYS [02-07-15 02:20 ]
R1 NEOFLTR_530_11159;Juniper Networks TDI Filter Driver (NEOFLTR_530_11159);C:\WINNT\system32\Drivers\NEOFLTR_530_11159.SYS [06-09-15 06:10 ]
R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys [02-06-28 01:30 ]
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe" [01-11-26 16:51 ]
R2 CcmExec;SMS Agent Host;C:\WINNT\system32\CCM\CcmExec.exe [03-10-08 03:08 ]
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys [01-11-28 14:20 ]
R2 ptssvc;ptssvc;C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe [03-08-25 16:25 ]
R3 PCX504;Cisco Systems Wireless LAN Adapter Driver;C:\WINNT\system32\DRIVERS\PCX504.sys [03-02-14 16:15 ]
R3 PPPoEWin;PPPoEWin Miniport;C:\WINNT\system32\DRIVERS\PPPoEWin.SYS [03-09-25 16:52 ]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINNT\system32\DRIVERS\CSVirtA.sys [05-09-16 19:28 ]
S3 dx32cxel;dx32cxel;C:\WINNT\system32\dx32cxel.sys []
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINNT\system32\DRIVERS\el575nd5.sys [99-10-19 14:50 ]
S3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINNT\system32\DRIVERS\glausb.sys [03-08-15 14:56 ]
S3 prepdrvr;SMS Process Event Driver;C:\WINNT\system32\CCM\prepdrv.sys [03-09-07 02:50 ]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-03-04 11:34:23
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-04 11:34:56
ComboFix-quarantined-files.txt 2008-03-04 11:34:54
ComboFix2.txt 2008-03-03 2134


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:17, on 2008-03-04
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.vmware.com:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = mylearn1.vmware.com;mylearn2.vmware.com;*.emc.com;*.legato.com;*.documentum.com;*.dg.com;emc.com;legato.com;documentum.com;dg.com;vmweb.vmware.com;www.vmware.com;;;<local>;localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=https://www.supanet.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - https://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - https://www6.king.com/ctl/kingcomie.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - https://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://www.update.microsoft.com/wind...?1204387249090
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - https://download.abacast.com/download...basetup151.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vmware.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vmware.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINNT\system32\lxbscoms.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 10753 bytes


Kaspersky scan log

KASPERSKY ONLINE SCANNER REPORT
2008-03-04 15:16
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/03/2008
Kaspersky Anti-Virus database records: 595346
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
S:\

Scan Statistics:
Total number of scanned objects: 73860
Number of viruses found: 3
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 01:57:11

Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\wbem\Repository\CIM.REP Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_3dc.dat Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_6c0.dat Object is locked skipped
C:\WINNT\system32\CCM\Logs\CcmExec.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\PatchUIMonitor.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\ClientIDManagerStartup.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\StatusAgent.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\LocationServices.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\SrcUpdateMgr.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\PolicyAgent.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\mtrmgr.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\Scheduler.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\execmgr.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\PolicyEvaluator.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\DataTransferService.log Object is locked skipped
C:\WINNT\system32\CCM\Logs\PolicyAgentProvider.log Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\0000002M.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\0000002M.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000001.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000001.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000001.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000001.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\0000001M.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\0000001M.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000001.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\00000001.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0003AV3V.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0003AV3V.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\0000000P.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\0000000P.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\000000UY.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\000000UY.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\0000000R.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\0000000R.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\0000APGJ.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\0000APGJ.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000002.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\00000002.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\00000075.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\00000075.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000019.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000019.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000004.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000004.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000004.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000004.msg Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000002I.que Object is locked skipped
C:\WINNT\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000002I.msg Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{FEC4403A-1B57-4F8A-ACB4-07127FD22190}.bin Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\rkerr\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\rkerr\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\rkerr\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rkerr\Local Settings\History\History.IE5\MSHist012008030420080305\index.dat Object is locked skipped
C:\Documents and Settings\rkerr\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\rkerr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\rkerr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\rkerr\Local Settings\Application Data\Microsoft\Outlook\outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Inbox/21 Feb 2005 23:39 from [email protected]:~*~ Returned mail: see /[email protected]/[email protected] .scr Infected: Email-Worm.Win32.Mydoom.am skipped
C:\Documents and Settings\rkerr\Local Settings\Application Data\Microsoft\Outlook\outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Inbox/21 Feb 2005 23:39 from [email protected]:~*~ Returned mail: see /[email protected] Infected: Email-Worm.Win32.Mydoom.am skipped
C:\Documents and Settings\rkerr\Local Settings\Application Data\Microsoft\Outlook\outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Inbox/22 Feb 2005 16:16 from Mail Administrator:MAIL SYSTEM ERROR - RE/vmware.com.zip/vmware.com.htm .scr Infected: Email-Worm.Win32.Mydoom.am skipped
C:\Documents and Settings\rkerr\Local Settings\Application Data\Microsoft\Outlook\outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Inbox/22 Feb 2005 16:16 from Mail Administrator:MAIL SYSTEM ERROR - RE/vmware.com.zip Infected: Email-Worm.Win32.Mydoom.am skipped
C:\Documents and Settings\rkerr\Local Settings\Application Data\Microsoft\Outlook\outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Inbox/22 Feb 2005 16:23 from Automatic Email Delivery Software:Status/message.zip/message.html .exe Infected: Email-Worm.Win32.Mydoom.am skipped
C:\Documents and Settings\rkerr\Local Settings\Application Data\Microsoft\Outlook\outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Inbox/22 Feb 2005 16:23 from Automatic Email Delivery Software:Status/message.zip Infected: Email-Worm.Win32.Mydoom.am skipped
C:\Documents and Settings\rkerr\Local Settings\Application Data\Microsoft\Outlook\outlook.ost Mail MS Mail: infected - 6 skipped
C:\Documents and Settings\rkerr\Local Settings\Temp\WCESCOMM.LOG Object is locked skipped
C:\Documents and Settings\rkerr\Local Settings\Temp\me_Jz7P8GNd6qhawGK Object is locked skipped
C:\Documents and Settings\rkerr\Local Settings\Temp\me_FyTE0PfuYRU1tCU Object is locked skipped
C:\Documents and Settings\rkerr\Local Settings\Temp\me_baEwLl2XzKQPDGV Object is locked skipped
C:\Documents and Settings\rkerr\Local Settings\Temp\me_31QAKa643IhKVWf Object is locked skipped
C:\Documents and Settings\rkerr\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\rkerr\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-4-2008( 11-22-33 ).LOG Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\BWKDLogs\BWTargetInf.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\scheddbg.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000001.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\BWLocalWebListener.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\RG.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\FileDL.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\busyprs.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\agent.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Deckard\System Scanner\backup\DOCUME~1\rkerr\LOCALS~1\Temp\~uavsetup.exe/file70 Infected: not-a-virus:Downloader.Win32.WinFixer.cv skipped
C:\Deckard\System Scanner\backup\DOCUME~1\rkerr\LOCALS~1\Temp\~uavsetup.exe Inno: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-03-03_210450.18.zip/otrixwrt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-03_210450.18.zip ZIP: infected - 1 skipped

Scan process completed.


Computer is still running slow and virus messages are coming up intermittently. It is especially slow online.

Thanks
carolineakerr is offline  
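The Kaspersky Online Scanner report above reports "3 viruses / 11 infected objects", yet every detection sits inside the Outlook offline store (old Mydoom bounce messages from 2005), the Deckard System Scanner backup folder, or the ComboFix/catchme quarantine zip, while the hundreds of "Object is locked skipped" lines are files in use, not detections. The following triage script is an added example for this thread, not code from the original post or from Kaspersky: it parses the report's one-line-per-object format, separates locked files from real detections, and classifies each detection by whether it lives in a quarantine/backup location, inside a mail store, or on the live filesystem (only the last group still needs action). The quarantine/backup prefixes are assumptions taken from the report's own paths, and the sample report is constructed (paths shortened, plus one EICAR test-file line so that a live-filesystem detection appears in the output).

```python
"""Triage a Kaspersky Online Scanner (v5) text report.

Added example, not code from the thread or from Kaspersky.  Result lines
in the report have the form "<path> <status>", where <status> is one of:
  "Object is locked skipped"             - file in use, NOT a detection
  "Infected: <threat> skipped"           - a detection at/inside <path>
  "<container>: infected - <n> skipped"  - archive / mail-store summary line
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked skipped)"
    r"|Infected: (?P<threat>\S+) skipped"
    r"|(?P<container>[A-Za-z ]+): infected - (?P<count>\d+) skipped)$"
)

# Locations where a detection is already contained.  Assumed from the
# report's own paths: a removal tool's backup folder and a quarantine zip.
CONTAINED_PREFIXES = (
    "C:\\QooBox\\Quarantine\\",
    "C:\\Deckard\\System Scanner\\backup\\",
)
# A "/" after .ost/.pst means the object is a message inside a mail store.
MAIL_STORE_RE = re.compile(r"\.(ost|pst)/", re.IGNORECASE)


def classify_location(path):
    """Return 'contained', 'mail_store' or 'live' for a reported path."""
    lower = path.lower()
    if any(lower.startswith(p.lower()) for p in CONTAINED_PREFIXES):
        return "contained"
    if MAIL_STORE_RE.search(path):
        return "mail_store"
    return "live"


def parse_report(text):
    """Yield one dict per recognised result line; headers and footers are ignored."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        if m.group("locked"):
            yield {"path": path, "kind": "locked"}
        elif m.group("threat"):
            yield {"path": path, "kind": "infected",
                   "threat": m.group("threat"),
                   "location": classify_location(path)}
        else:
            yield {"path": path, "kind": "container",
                   "container": m.group("container").strip(),
                   "count": int(m.group("count"))}


def triage(text):
    """Summarise detections and list the ones that still need action."""
    records = list(parse_report(text))
    infected = [r for r in records if r["kind"] == "infected"]
    return {
        "locked": sum(1 for r in records if r["kind"] == "locked"),
        "infected": len(infected),
        "threats": dict(Counter(r["threat"] for r in infected)),
        "by_location": dict(Counter(r["location"] for r in infected)),
        "needs_action": [r["path"] for r in infected if r["location"] == "live"],
    }


# Constructed sample modelled on the thread's report (paths shortened).
# The EICAR line is constructed so a live-filesystem detection is shown too.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\Documents and Settings\rkerr\Local Settings\Application Data\Microsoft\Outlook\outlook.ost/Offline store/Root - Mailbox/IPM_SUBTREE/Inbox/22 Feb 2005 16:16 from Mail Administrator:MAIL SYSTEM ERROR - RE/vmware.com.zip Infected: Email-Worm.Win32.Mydoom.am skipped
C:\Documents and Settings\rkerr\Local Settings\Application Data\Microsoft\Outlook\outlook.ost Mail MS Mail: infected - 6 skipped
C:\Deckard\System Scanner\backup\DOCUME~1\rkerr\LOCALS~1\Temp\~uavsetup.exe/file70 Infected: not-a-virus:Downloader.Win32.WinFixer.cv skipped
C:\Deckard\System Scanner\backup\DOCUME~1\rkerr\LOCALS~1\Temp\~uavsetup.exe Inno: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-03-03_210450.18.zip/otrixwrt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-03_210450.18.zip ZIP: infected - 1 skipped
C:\Documents and Settings\rkerr\Desktop\eicar.com Infected: EICAR-Test-File skipped
Scan process completed.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"locked (not detections): {summary['locked']}")
    print(f"infected objects:        {summary['infected']}")
    print("threats:", summary["threats"])
    print("by location:", summary["by_location"])
    for p in summary["needs_action"]:
        print("NEEDS ACTION:", p)
```

Run against the real report, the "needs_action" list is empty, which matches the thread: the remaining symptoms (slow boot, frozen Add/Remove Programs, missing images) are not explained by the objects Kaspersky flagged, and the old Mydoom messages can simply be deleted from the Outlook inbox.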
Old 03-04-2008, 07:26 AM   #7
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A



Quote:
virus messages coming up intermittently
What do these messages specifically say?
sUBs is offline  
Old 03-05-2008, 03:17 AM   #8
Guest
 
Join Date: Mar 2008
Posts: 9
OS:



It says an infected file has been detected - do you want to clean/delete? But when I try, it says I don't have access rights to delete or clean it. I don't know whether this is connected, but I also can't view images on a lot of websites; they just come up with crosses instead of the image. Not sure if I have removed something I needed to view them?

Many thanks for all your help

Did the logs show that I still have a virus?
carolineakerr is offline  
Old 03-05-2008, 03:48 AM   #9
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A



Quote:
It says an infected file has been detected - do you want to clean/delete but when I try it says I dont have access rights to delete or clean it.
Caroline, you have to tell me the name of the file & its location, as reported by the program.
Quote:
cant view images on a lot of websites they just come up with crosses instead of the image
That's a setting on Internet Explorer.
Right click on the IE icon from your Desktop & select "Properties".
When the new window opens, select the "Advanced" tab, then tick the option to "Show Pictures".
sUBs is offline  
Old 03-06-2008, 06:40 AM   #10
Guest
 
Join Date: Mar 2008
Posts: 9
OS:



hi

It hasn't shown the virus message today or yesterday, but from what I can remember it looked like a Windows grey box which popped up, and it had a moving icon in the corner which looked like an insect. It wasn't in a program; it just came up looking like a Windows grey box. I'm sorry I can't be more specific, as it hasn't happened since.

On the images issue - I have done as you suggested but it has made no difference. On websites where I can see images, it takes a while to load too - it is not instant. It even took about 15 seconds to load the smiley images on the right of this text box, which it never used to before. On other websites I just get the crosses and no images - on the progress bar at the bottom it looks like it is trying to download them from https://s7v1.scene7.com - I am not sure if this has any relevance, but it seems to be the same for all websites I can't see the images on. Could it be that I have some sort of firewall preventing me from seeing them after I have downloaded a lot of free security programs over the last week or so?

Many thanks

Caroline
carolineakerr is offline  
Old 03-06-2008, 06:51 AM   #11
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A



Download this tool - https://www.majorgeeks.com/download.php?det=5198
  • Extract the contents of the zipped file to desktop.
  • Disconnect from internet and close all running programs.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...say NO.
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and uncheck the Registry box.
  • Then click the Scan button & wait for it to finish.
  • Once done click the Save button & save the log to your desktop. Post it in your next reply.
sUBs is offline  
Old 03-07-2008, 04:07 AM   #12
Guest
 
Join Date: Mar 2008
Posts: 9
OS:



Hi there

Please find log attached.

I am also getting a Windows box on start up and when connected to the internet which says webscanx.exe has encountered an error on iexplorer.exe and will close. Then it closes the internet.


Still cannot see product images on some websites

Many thanks

Caroline
Attached Files
File Type: txt gmer.txt (245.1 KB, 16 views)
carolineakerr is offline  
Old 03-07-2008, 05:45 AM   #13
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A



webscanx.exe is related to McAfee. The program probably got corrupted by the infection. Uninstalling, rebooting & then reinstalling McAfee should fix it. Judging by your comments, the inability to view web images is probably due to restrictions by one of your security apps; something that pertains to Network security/firewall. Try uninstalling/reinstalling McAfee first.

Also tell me about this program you have installed - "Juniper Networks Secure Application Manager". Which Juniper product do you have? And what does it do?
sUBs is offline  
Old 03-08-2008, 04:49 AM   #14
Guest
 
Join Date: Mar 2008
Posts: 9
OS:



Hi there

I am having difficulty uninstalling McAfee. It doesn't give me an uninstall option, and when I go to Add/Remove Programs it just stalls and won't load the programs list - I have tried several times - it just freezes. Not sure how to get round this?

As for the juniper software - I have no idea what it is as it is an old company laptop - should I uninstall it - this does have an uninstall option?

Many thanks for your continued support

Caroline
carolineakerr is offline  
Old 03-08-2008, 05:32 AM   #15
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A



Let's try uninstalling it using McAfee's uninstall string.


Go to Start > Run - copy/paste the following line in & click OK

MsiExec.exe /I{87AEFD84-BC0D-11D4-B885-00508B022A51}
sUBs is offline  
Old 03-08-2008, 05:39 AM   #16
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A



If the above doesn't work, try this ...

Download VSCleanupTool >> https://download.mcafee.com/products/...leanupTool.exe

Double click on VSCleanupTool.exe to run it. It should begin removal of McAfee within one minute. During removal several icons will appear on your desktop, this is normal. When prompted to reboot press Y.
sUBs is offline  
Old 03-09-2008, 05:09 AM   #17
Guest
 
Join Date: Mar 2008
Posts: 9
OS:



Many thanks - the 1st option worked and uninstalled it.

However, I still have the problem with product images on certain websites, and it is quite slow both on start up and generally. I also still can't access Add/Remove Programs in Control Panel because it just freezes when the window is launched.

Many thanks

Caroline
carolineakerr is offline  