
Computer suddenly running slowly

Discussion in 'Malware and Virus Removal Archive' started by abnewallo, 2008/03/10.

  1. 2008/03/10
    abnewallo Lifetime Subscription

    abnewallo Well-Known Member Thread Starter

    Joined:
    2005/02/28
    Messages:
    89
    Likes Received:
    0
    My computer is suddenly running slowly. At the login prompt the text display slows terribly and other software takes a while to start.

    I have done the following:
    1. Ran McAfee in Safe Mode - this did not find any viruses
    2. Ran Spybot: removed whatever it found to be malicious code
    3. Ran Adware: This did not find any critical issues. I still deleted whatever minor issues that were reported.
    4. Ran Kaspersky Online Scan: This found one (1) virus. I have attached the Kaspersky report. I have also attached the HijackThis log too.
    5. Ran Panda Online Scan: This found several malicious items. I have attached the Panda report and the HijackThis log.
     


  2. 2008/03/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi abnewallo

    Please do this.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Run Kaspersky scan again.

    Please copy and paste the log here.

    Thanks
    Geri
     


  4. 2008/03/12
    abnewallo Lifetime Subscription

    abnewallo Well-Known Member Thread Starter

    Joined:
    2005/02/28
    Messages:
    89
    Likes Received:
    0
    Geri,

    Thank you for your assistance.

    I have done as instructed.

    You will find scan reports for Kaspersky and Panda attached. I have also attached HijackThis logs after running each one of the virus scanners.

    Andrew
     


  5. 2008/03/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi abnewallo

    OK your Kaspersky scan came back clean.

    Any other problems?

    Just for future reference, it makes it easier if you would just Copy and Paste the log here without using attachments.

    If you are not sure how to do this, we would be happy to instruct you on it.

    Let me know if there are any other problems.

    Thanks
    Geri
     
  6. 2008/03/13
    abnewallo Lifetime Subscription

    abnewallo Well-Known Member Thread Starter

    Joined:
    2005/02/28
    Messages:
    89
    Likes Received:
    0
    Did you notice the spyware that was discovered under the Panda scan?
     
  7. 2008/03/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi abnewallo

    OK, let's see if it will show up.

    Please do the following.

    Please download Deckard's System Scanner (dss.exe) and save it to your Desktop.
    Note: You must be logged onto an account with administrator privileges to complete the following.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy and then paste the contents of main.txt and extra.txt in your next reply.

    Please post the "main.txt" log only for now.

    Thanks
    Geri
     
  8. 2008/03/14
    abnewallo Lifetime Subscription

    abnewallo Well-Known Member Thread Starter

    Joined:
    2005/02/28
    Messages:
    89
    Likes Received:
    0
    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-03-14 08:27:02
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    56: 2008-03-14 12:27:11 UTC - RP130 - Deckard's System Scanner Restore Point
    55: 2008-03-13 16:05:30 UTC - RP129 - Installed HP PrecisionScan Pro 3.0
    54: 2008-03-13 12:08:34 UTC - RP128 - Removed HP PrecisionScan Pro 3.0
    53: 2008-03-12 22:07:38 UTC - RP127 - System Checkpoint
    52: 2008-03-09 20:20:31 UTC - RP126 - Software Distribution Service 3.0


    -- First Restore Point --
    1: 2007-12-27 14:40:38 UTC - RP75 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Administrator.exe) ---------------------------------------

    Unable to find log (file not found); running clone.
    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-03-14 08:28:30
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\BRSVC01A.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\BRSS01A.EXE
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\srvany.exe
    C:\WINDOWS\system32\QCONSVC.EXE
    C:\pvsw\bin\w3dbsmgr.exe
    C:\WINDOWS\system32\ati2evxx.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\Program Files\ThinkPad\Utilities\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Support.com\Bin\tgcmd.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\McAfee\Common Framework\Mctray.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Administrator\Desktop\dss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "C:\PROGRA~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186446669825
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc4.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\Software\..\Telephony: DomainName = mti.gov
    O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = mti.gov
    O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = mti.gov
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = mti.gov
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
    O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
    O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\BRSVC01A.EXE
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Pervasive.SQL Workgroup Engine - Unknown owner - C:\WINDOWS\system32\srvany.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\system32\QCONSVC.EXE


    --
    End of file - 9906 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
    R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
    R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
    R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
    R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
    R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
    R2 BrPar - c:\windows\system32\drivers\brpar.sys <Not Verified; Brother Industries Ltd.; Brother Parallel Class Driver>
    R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>

    S3 PCASp50 (PCASp50 NDIS Protocol Driver) - c:\windows\system32\drivers\pcasp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
    S3 PCDRDRV (Pcdr Helper Driver) - c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys (file missing)
    S3 PcdrNt - c:\windows\system32\drivers\pcdrnt.sys <Not Verified; PC-Doctor Inc.; PC-Doctor NT 3.0>
    S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 QCONSVC - system32\qconsvc.exe


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2007-08-06 19:53:46 314 --a------ C:\WINDOWS\Tasks\BMMTask.job


    -- Files created between 2008-02-14 and 2008-03-14 -----------------------------

    2008-03-13 12:05:32 0 d-------- C:\Program Files\Hewlett-Packard
    2008-03-10 06:40:18 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
    2008-03-09 21:43:25 0 d-------- C:\WINDOWS\system32\ActiveScan
    2008-03-09 15:38:32 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-03-09 15:36:56 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-03-09 12:42:52 0 d-------- C:\Program Files\Common Files\Zeepe Framework 7
    2008-03-09 12:42:49 0 d-------- C:\Program Files\Novatel Wireless
    2008-03-09 10:26:40 0 d-------- C:\Program Files\Microsoft Silverlight
    2008-03-08 22:04:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
    2008-03-08 21:04:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-08 21:04:02 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-08 20:13:48 0 d-------- C:\ie-spyad_zo
    2008-03-08 20:05:30 0 d-------- C:\Program Files\SpywareGuard
    2008-03-08 19:57:51 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-08 16:29:23 0 d-------- C:\Program Files\Lavasoft
    2008-03-08 16:29:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-03-08 16:28:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-08 15:20:51 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-08 09:48:13 0 d-------- C:\Downloads
    2008-03-08 09:47:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Free Download Manager
    2008-03-08 09:47:26 0 d-------- C:\Program Files\Free Download Manager


    -- Find3M Report ---------------------------------------------------------------

    2008-03-09 12:42:52 0 d-------- C:\Program Files\Common Files
    2008-03-08 22:04:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
    2008-02-13 11:17:48 0 d-------- C:\Program Files\iSPM_Suite
    2008-02-08 15:25:37 0 d-------- C:\Program Files\MCITCSA
    2008-02-01 15:54:46 0 d-------- C:\Program Files\GPLGS
    2008-02-01 15:54:10 0 d-------- C:\Program Files\Acro Software
    2008-01-30 15:50:48 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
    2008-01-30 15:49:42 0 d-------- C:\Program Files\Windows Live
    2008-01-30 09:40:53 0 d-------- C:\Program Files\Microsoft SQL Server
    2008-01-25 14:13:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "S3TRAY2 "= "S3Tray2.exe" [10/12/2001 01:32 AM C:\WINDOWS\system32\S3Tray2.exe]
    "SynTPLpr "= "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [08/11/2007 01:30 AM]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/11/2007 01:30 AM]
    "BluetoothAuthenticationAgent "= "irprops.cpl" [08/04/2004 03:56 AM C:\WINDOWS\system32\irprops.cpl]
    "TPHOTKEY "= "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [01/24/2003 08:37 PM]
    "BMMGAG "= "C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [01/17/2003 04:32 AM]
    "BMMLREF "= "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [01/17/2003 04:32 AM]
    "QCWLICON "= "C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [02/24/2003 05:06 AM]
    "TPKMAPMN "= "C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [02/17/2003 03:30 AM]
    "TP4EX "= "tp4ex.exe" [09/04/2002 04:05 AM C:\WINDOWS\system32\TP4EX.exe]
    "EZEJMNAP "= "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [12/24/2002 05:01 AM]
    "AGRSMMSG "= "AGRSMMSG.exe" [06/27/2003 08:53 AM C:\WINDOWS\AGRSMMSG.exe]
    "ATIPTA "= "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [01/16/2003 02:52 PM]
    "UC_SMB "=" " []
    "tgcmd "= "C:\Program Files\Support.com\bin\tgcmd.exe" [10/16/2002 04:59 AM]
    "ibmmessages "= "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [01/07/2003 05:52 PM]
    "StorageGuard "= "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [06/18/2002 03:01 AM]
    "dla "= "C:\WINDOWS\system32\dla\tfswctrl.exe" [01/10/2003 06:50 AM]
    "PeachtreePrefetcher.exe "= "C:\PROGRA~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [05/16/2007 12:12 PM]
    "ShStatEXE "= "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [11/30/2006 08:50 AM]
    "McAfeeUpdaterUI "= "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/17/2006 01:39 PM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ibmmessages "= "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [01/07/2003 05:52 PM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [12/17/2002 5:23:32 PM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1123561945-299502267-839522115-2592\Scripts\Logon\0\0]
    "Script "=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-583907252-484061587-839522115-1245\Scripts\Logon\0\0]
    "Script "=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-583907252-484061587-839522115-1245\Scripts\Logon\1\0]
    "Script "=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-583907252-484061587-839522115-1248\Scripts\Logon\0\0]
    "Script "=logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-583907252-484061587-839522115-1248\Scripts\Logon\1\0]
    "Script "=logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    AutoRun\command- D:\IsInstallPending.exe




    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com

    8004 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-03-14 08:29:15 ------------
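    A small triage helper for the HijackThis-style entries in the DSS log above. This is an added example, not part of the thread and not code from DSS or HijackThis: it parses the R/O lines, flags orphaned entries, Run values without a full path and services with an unknown owner, separates hosts-file entries by target address, and checks whether a path reported by another scanner (Panda's SBUtils hit in this thread) appears anywhere in the log, which is the check Geri does by eye in the next reply. The sample lines are a constructed excerpt in that log format.

```python
"""Triage heuristics for HijackThis-style log entries (added example).

The rules are a reviewer's first pass, not a verdict: every flagged item
still needs a look at the resolved file and its publisher.
"""
import re

# Constructed excerpt in the format of the DSS/HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = mti.gov
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\system32\QCONSVC.EXE
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
"""

LINE_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")


def parse_entries(log_text):
    """Return the R/F/O entries as dicts with their section code and body."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"),
                            "raw": line.strip()})
    return entries


def first_token(cmd):
    """The program part of a Run value: quoted path or first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Group entries a reviewer would look at twice."""
    findings = {"orphaned": [], "unqualified_run": [],
                "unknown_owner": [], "domains": []}
    for e in parse_entries(log_text):
        body = e["body"]
        # Registry reference whose target no longer exists: clutter, not proof
        # of infection, but worth cleaning up.
        if "(no file)" in body or "(file missing)" in body:
            findings["orphaned"].append(e["raw"])
        # Run value naming a bare executable: the loader resolves it through
        # the search path, so confirm where it really lives (the DSS registry
        # dump above resolves S3Tray2.exe to C:\WINDOWS\system32).
        if e["code"] == "O4":
            m = O4_RE.match(body)
            if m and "\\" not in first_token(m.group("cmd")):
                findings["unqualified_run"].append(m.group("name"))
        # Service with no publisher string: verify the binary's signature.
        if e["code"] == "O23" and "Unknown owner" in body:
            findings["unknown_owner"].append(e["raw"])
        if e["code"] == "O17":
            dm = re.search(r"Domain(?:Name)? = (\S+)", body)
            if dm:
                findings["domains"].append(dm.group(1))
    return findings


def hosts_summary(log_text):
    """Split hosts entries: loopback block-lists (typical of Spybot/MVPS
    immunisation) versus names redirected to some other address."""
    loopback, redirected = [], []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        target = loopback if m.group("ip").startswith("127.") else redirected
        target.append(m.group("host"))
    return {"loopback": loopback, "redirected": redirected}


def mentions_path(log_text, path):
    """Case-insensitive check for a path another scanner reported."""
    needle = path.lower().replace("/", "\\").rstrip("\\")
    return needle in log_text.lower()


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
    print("hosts:", hosts_summary(SAMPLE_LOG))
    print("SBUtils in log:", mentions_path(SAMPLE_LOG, r"c:\windows\system32\SBUtils"))
```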
     
  9. 2008/03/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi abnewallo

    I'm not seeing that in the dss log either.

    Does Panda give any other information...File path, location?

    I see you have AdAware, when did you last update and run it?

    If it's been a while please do so, Quarantine anything it finds then delete the quarantined files.

    Run Panda again and see if you still get the warning. Note the file path if one is given.

    Thanks
    Geri
     
  10. 2008/03/16
    abnewallo Lifetime Subscription

    abnewallo Well-Known Member Thread Starter

    Joined:
    2005/02/28
    Messages:
    89
    Likes Received:
    0
    I am resending the Panda scan report for you to see the location of the file. Please see below:

    I would have run the adware program about four days ago.

    -------------------------------------


    Incident                      Status            Location

    Adware:adware/windowenhancer  Not disinfected   c:\windows\system32\SBUtils
     
  11. 2008/03/16
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi abnewallo

    OK, well, I've seen that some people have had problems after deleting the folder SBUtils,
    so we need to see what is inside the folder.

    Please go here and open the folder SBUtils

    c:\windows\system32\SBUtils

    Make note of the files inside and let me know what they are.

    Thanks
    Geri
     
  12. 2008/03/18
    abnewallo Lifetime Subscription

    abnewallo Well-Known Member Thread Starter

    Joined:
    2005/02/28
    Messages:
    89
    Likes Received:
    0
    Hi Geri,

    I have attached a screen dump of the listing in the sbutils folder for you.

    Thanks

    Andrew
     


  13. 2008/03/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi abnewallo

    The company (Softbank) is into several legit internet based holdings.

    "Today, Softbank offers high-speed broadband, Internet-based phone service, and super-fast data communications for corporate clients. Next up, in 2007, Softbank will be one of three new licensees to launch a mobile phone network."

    The dun files are related to dial-up networking, in general, which tells me the files are definitely communications based.

    So I don't want to delete that folder.

    noahdfear had this to say, and he knows his stuff.
    "I see Panda tagged it as WindowEnhancer, as do several Google hits, but I have my doubts. Maybe just see what happens with an antispyware app rather than take action on it yourself."

    So here is what I'd like you to do..

    Please follow these instructions exactly as given.

    Now download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the "Update now" link.
      • The update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen
    6. Now click on "Recommended actions" and then select "Quarantine".
    7. Under "Reports"
      • Select "Do Not Automatically generate reports"
    8. Now click on the Shield icon under the "Resident shield is" click it to show inactive
    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Save Reports"
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

    Please post the AVG AS log.

    Thanks
    Geri
     
  14. 2008/03/19
    abnewallo Lifetime Subscription

    abnewallo Well-Known Member Thread Starter

    Joined:
    2005/02/28
    Messages:
    89
    Likes Received:
    0
    Please find the results of the AVG Anti-spyware scan below.

    ----------------------------------------------------------------

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 4:52:34 PM 3/19/2008

    + Scan result:



    C:\Documents and Settings\Administrator\Cookies\administrator@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.


    ::Report end
     
  15. 2008/03/19
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi abnewallo

    OK AVG AS did not show it, and I believe it would have if you were infected by it.
    AdAware would also have picked it up.

    I believe this is a false positive by Panda.

    I do believe that your system is clean and deleting that folder would not be a good idea.

    If you would like you can run another scan on some of the files in that folder.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box on the top of the page, one at a time:
      • SBWebTools.dll
        SBWebCtl.dll
        SBWebHost.exe
    • Click on the submit button
    • Please post the results in your next reply.

    Let's see what the majority of them say.

    Geri
     
  16. 2008/03/27
    abnewallo Lifetime Subscription

    abnewallo Well-Known Member Thread Starter

    Joined:
    2005/02/28
    Messages:
    89
    Likes Received:
    0
    Ok. I finally got through with the jotti site.

    Please find results attached. The name of files indicate the submission.

    Thank you for your patience.
     


  17. 2008/03/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi abnewallo

    OK those all came back clean.
    This seems to be a case of a false positive with Panda.

    How are things running now?

    Geri
     
  18. 2008/03/28
    abnewallo Lifetime Subscription

    abnewallo Well-Known Member Thread Starter

    Joined:
    2005/02/28
    Messages:
    89
    Likes Received:
    0
    It seems to be okay, but I cannot be sure.

    I will monitor it for now.

    Thanks a lot.
     
  19. 2008/03/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi abnewallo

    OK let me know.

    Geri
     
