
My laptop has a virus!

Discussion in 'Malware and Virus Removal Archive' started by chocotiger, 2006/03/27.

  1. 2006/03/27
    chocotiger

    chocotiger Inactive Thread Starter

    Joined:
    2006/03/27
    Messages:
    7
    Likes Received:
    0
    Ok, I'm on an IBM R51 laptop with Windows SP2 and I was surfing the net when everything suddenly froze for a few minutes.

    Some of the symptoms are...

    1. My iTunes and Windows Media Player can't play music anymore
    2. I get a weird grey/black area around some icons and sometimes my mouse cursor
    3. IE crashes more than usual


    I ran McAfee VirusScan 7.1.0 and it detected one infected file, here's what it said:

    name - qz.sys
    in folder - C:\QUARATINE\
    detected as - New Malware.z
    detection type - Trojan
    status - Clean failed, moved

    I also ran Ad-Aware SE and it also found 1 "critical" object. Here's the scan log (I'll post this in two posts because it is too long for one):

    Ad-Aware SE Build 1.06r1
    Logfile Created on:Monday, March 27, 2006 10:34:38 PM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R101 27.03.2006
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    MRU List(TAC index:0):5 total references
    Tracking Cookie(TAC index:3):1 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for negligible risk entries
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    3-27-2006 10:34:38 PM - Scan started. (Full System Scan)

    MRU List Object Recognized!
    Location: : software\microsoft\directdraw\mostrecentapplication
    Description : most recent application to use microsoft directdraw


    MRU List Object Recognized!
    Location: : S-1-5-21-3673306871-635867431-3712349741-1005\software\microsoft\internet explorer\typedurls
    Description : list of recently entered addresses in microsoft internet explorer


    MRU List Object Recognized!
    Location: : S-1-5-21-3673306871-635867431-3712349741-1005\software\microsoft\mediaplayer\preferences
    Description : last playlist index loaded in microsoft windows media player


    MRU List Object Recognized!
    Location: : S-1-5-21-3673306871-635867431-3712349741-1005\software\microsoft\mediaplayer\preferences
    Description : last playlist loaded in microsoft windows media player


    MRU List Object Recognized!
    Location: : S-1-5-21-3673306871-635867431-3712349741-1005\software\microsoft\windows media\wmsdk\general
    Description : windows media sdk


    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ProcessID : 836
    ThreadCreationTime : 3-28-2006 2:26:43 AM
    BasePriority : Normal


    #:2 [csrss.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 964
    ThreadCreationTime : 3-28-2006 2:26:44 AM
    BasePriority : Normal


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1048
    ThreadCreationTime : 3-28-2006 2:26:49 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : services.exe

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1060
    ThreadCreationTime : 3-28-2006 2:26:49 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : lsass.exe

    #:5 [ibmpmsvc.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1240
    ThreadCreationTime : 3-28-2006 2:26:49 AM
    BasePriority : Normal


    #:6 [ati2evxx.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1316
    ThreadCreationTime : 3-28-2006 2:26:51 AM
    BasePriority : Normal
    FileVersion : 6.14.10.4114
    ProductVersion : 6.14.10.4114.01
    ProductName : ATI External Event Utility for WindowsNT and Windows9X
    CompanyName : ATI Technologies Inc.
    FileDescription : ATI External Event Utility EXE Module
    InternalName : ATI2EVXX.EXE
    LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
    OriginalFilename : ATI2EVXX.EXE

    #:7 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1328
    ThreadCreationTime : 3-28-2006 2:26:51 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:8 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1440
    ThreadCreationTime : 3-28-2006 2:26:51 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:9 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1564
    ThreadCreationTime : 3-28-2006 2:26:52 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:10 [s24evmon.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1712
    ThreadCreationTime : 3-28-2006 2:26:53 AM
    BasePriority : Normal
    FileVersion : 8, 0, 0, 164
    ProductVersion : 8, 0, 0, 164
    ProductName : Mobile Unit Support Service
    CompanyName : Intel Corporation
    FileDescription : Event Monitor - Supports driver extensions to NIC Driver for wireless adapters.
    InternalName : S24EvMon
    LegalCopyright : Copyright © 2001 - 2003 Intel Corporation, 1997 - 2001 Symbol Technologies, Inc. Portions Copyright © MIT
    OriginalFilename : S24EvMon.exe

    #:11 [ati2evxx.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1844
    ThreadCreationTime : 3-28-2006 2:26:54 AM
    BasePriority : Normal
    FileVersion : 6.14.10.4114
    ProductVersion : 6.14.10.4114.01
    ProductName : ATI External Event Utility for WindowsNT and Windows9X
    CompanyName : ATI Technologies Inc.
    FileDescription : ATI External Event Utility EXE Module
    InternalName : ATI2EVXX.EXE
    LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.
    OriginalFilename : ATI2EVXX.EXE

    #:12 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1904
    ThreadCreationTime : 3-28-2006 2:26:54 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:13 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 2004
    ThreadCreationTime : 3-28-2006 2:26:54 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:14 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 588
    ThreadCreationTime : 3-28-2006 2:26:55 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    ProductVersion : 5.1.2600.2696
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : spoolsv.exe

    #:15 [cvpnd.exe]
    FilePath : C:\Program Files\Cisco Systems\VPN Client\
    ProcessID : 856
    ThreadCreationTime : 3-28-2006 2:26:58 AM
    BasePriority : Normal
    FileVersion : 4.0.5 (Rel)
    ProductVersion : 4.0.5 (Rel)
    ProductName : Cisco Systems VPN Client
    CompanyName : Cisco Systems, Inc.
    FileDescription : Cisco Systems VPN Client
    InternalName : cvpnd
    LegalCopyright : Copyright © 1998-2003 Cisco Systems, Inc.
    OriginalFilename : CVPND.EXE

    #:16 [rrpcsb.exe]
    FilePath : C:\Program Files\IBM\IBM Rapid Restore Ultra\
    ProcessID : 892
    ThreadCreationTime : 3-28-2006 2:26:58 AM
    BasePriority : Normal
    FileVersion : 4,0,0,4026
    ProductVersion : 4,0,0,4026
    ProductName : rrpcsb Module
    FileDescription : rrpcsb Module
    InternalName : rrpcsb
    LegalCopyright : Copyright 2002
    OriginalFilename : rrpcsb.EXE

    #:17 [frameworkservice.exe]
    FilePath : C:\Program Files\Network Associates\Common Framework\
    ProcessID : 916
    ThreadCreationTime : 3-28-2006 2:26:58 AM
    BasePriority : Normal
    FileVersion : 3.1.1.184
    ProductName : McAfee Common Framework
    CompanyName : Network Associates, Inc.
    FileDescription : Framework Service
    InternalName : Framework
    LegalCopyright : Copyright© 2000-2003 Networks Associates Technology, Inc. All Rights Reserved.
    OriginalFilename : Framework.exe

    #:18 [mcshield.exe]
    FilePath : C:\Program Files\Network Associates\VirusScan\
    ProcessID : 1000
    ThreadCreationTime : 3-28-2006 2:26:58 AM
    BasePriority : High


    #:19 [vstskmgr.exe]
    FilePath : C:\Program Files\Network Associates\VirusScan\
    ProcessID : 1188
    ThreadCreationTime : 3-28-2006 2:26:58 AM
    BasePriority : Normal


    #:20 [naprdmgr.exe]
    FilePath : C:\PROGRA~1\NETWOR~1\COMMON~1\
    ProcessID : 1480
    ThreadCreationTime : 3-28-2006 2:26:59 AM
    BasePriority : Normal
    FileVersion : 3.1.1.184
    ProductName : McAfee Common Framework
    CompanyName : Network Associates, Inc.
    FileDescription : NAI Product Manager
    InternalName : Product Manager
    LegalCopyright : Copyright© 2000-2003 Networks Associates Technology, Inc. All Rights Reserved.
    OriginalFilename : naPrdMgr.exe

    #:21 [qconsvc.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1668
    ThreadCreationTime : 3-28-2006 2:26:59 AM
    BasePriority : Normal
    FileVersion : 3, 1, 0, 0
    ProductVersion : 3, 1, 0, 0
    ProductName : IBM ThinkPad Utility
    CompanyName : IBM Corp.
    FileDescription : IBM Access Connections - Service Component.
    InternalName : QConSvc
    LegalCopyright : Copyright (C) IBM Corp. 2001, 2004
    OriginalFilename : QConSvc.Exe
    Comments : IBM Access Connections Component.

    #:22 [regsrvc.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1804
    ThreadCreationTime : 3-28-2006 2:27:00 AM
    BasePriority : Normal
    FileVersion : 8, 0, 0, 164
    ProductVersion : 8, 0, 0, 164
    ProductName : RegSrvc Module
    CompanyName : Intel Corporation
    FileDescription : RegSrvc Module
    InternalName : RegSrvc
    LegalCopyright : Copyright © 2002 - 2003 Intel Corporation
    OriginalFilename : RegSrvc.EXE

    #:23 [tpkmpsvc.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1960
    ThreadCreationTime : 3-28-2006 2:27:00 AM
    BasePriority : Normal


    #:24 [wdfmgr.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 184
    ThreadCreationTime : 3-28-2006 2:27:00 AM
    BasePriority : Normal
    FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
    ProductVersion : 5.2.3790.1230
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows User Mode Driver Manager
    InternalName : WdfMgr
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : WdfMgr.exe
     
  2. 2006/03/27
    chocotiger

    chocotiger Inactive Thread Starter

    Joined:
    2006/03/27
    Messages:
    7
    Likes Received:
    0
    Here's the rest of the Ad-Aware log file:

    #:25 [syntplpr.exe]
    FilePath : C:\Program Files\Synaptics\SynTP\
    ProcessID : 2524
    ThreadCreationTime : 3-28-2006 2:27:07 AM
    BasePriority : Normal
    FileVersion : 7.5.17.8 19Nov03
    ProductVersion : 7.5.17.8 19Nov03
    ProductName : Progressive Touch
    CompanyName : Synaptics, Inc.
    FileDescription : TouchPad Driver Helper Application
    InternalName : SynTPLpr
    LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2003
    OriginalFilename : SynTPLpr.exe

    #:26 [syntpenh.exe]
    FilePath : C:\Program Files\Synaptics\SynTP\
    ProcessID : 2588
    ThreadCreationTime : 3-28-2006 2:27:07 AM
    BasePriority : Normal
    FileVersion : 7.5.17.8 19Nov03
    ProductVersion : 7.5.17.8 19Nov03
    ProductName : Progressive Touch
    CompanyName : Synaptics, Inc.
    FileDescription : Synaptics TouchPad Enhancements
    InternalName : Scrolleroo
    LegalCopyright : Copyright (C) Synaptics, Inc. 1996-2003
    OriginalFilename : SynTPEnh.exe

    #:27 [tpshocks.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 2604
    ThreadCreationTime : 3-28-2006 2:27:07 AM
    BasePriority : Normal
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    ProductName : n/a TpShocks
    CompanyName : IBM Corp.
    FileDescription : IBM Active Protection System
    InternalName : TpShocks
    LegalCopyright : Copyright (C) IBM Corp. 2003-2004
    OriginalFilename : TpShocks.exe

    #:28 [tphkmgr.exe]
    FilePath : C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\
    ProcessID : 2620
    ThreadCreationTime : 3-28-2006 2:27:07 AM
    BasePriority : Normal


    #:29 [rundll32.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 2640
    ThreadCreationTime : 3-28-2006 2:27:08 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Run a DLL as an App
    InternalName : rundll
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : RUNDLL.EXE

    #:30 [ezejmnap.exe]
    FilePath : C:\PROGRA~1\ThinkPad\UTILIT~1\
    ProcessID : 2668
    ThreadCreationTime : 3-28-2006 2:27:08 AM
    BasePriority : Normal
    FileVersion : 1, 0, 0, 0
    ProductVersion : 1, 0, 0, 0
    ProductName : IBM ThinkPad EasyEject Support Application
    CompanyName : IBM Corp.
    FileDescription : IBM ThinkPad EasyEject Support Application
    InternalName : IBM ThinkPad EasyEject Support Application
    LegalCopyright : Copyright (C) IBM Corp. 2002,2004.
    OriginalFilename : EzEjMnAp.EXE

    #:31 [tfswctrl.exe]
    FilePath : C:\WINDOWS\system32\dla\
    ProcessID : 2756
    ThreadCreationTime : 3-28-2006 2:27:09 AM
    BasePriority : Normal
    FileVersion : 1.04.07a
    CompanyName : Sonic Solutions
    FileDescription : Drive Letter Access Component
    LegalCopyright : Copyright © 2003 Sonic Solutions

    #:32 [ibmprc.exe]
    FilePath : C:\IBMTOOLS\UTILS\
    ProcessID : 2764
    ThreadCreationTime : 3-28-2006 2:27:09 AM
    BasePriority : Normal
    FileVersion : 1, 0, 0, 3
    ProductVersion : 1, 0, 0, 1
    ProductName : ibmprc Application
    CompanyName : IBM Corp.
    FileDescription : ibmprc Application
    InternalName : ibmprc
    LegalCopyright : Copyright (C) 2004 IBM
    OriginalFilename : ibmprc.exe

    #:33 [rundll32.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 2780
    ThreadCreationTime : 3-28-2006 2:27:09 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Run a DLL as an App
    InternalName : rundll
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : RUNDLL.EXE

    #:34 [shstat.exe]
    FilePath : C:\Program Files\Network Associates\VirusScan\
    ProcessID : 2788
    ThreadCreationTime : 3-28-2006 2:27:09 AM
    BasePriority : Normal


    #:35 [updaterui.exe]
    FilePath : C:\Program Files\Network Associates\Common Framework\
    ProcessID : 2800
    ThreadCreationTime : 3-28-2006 2:27:09 AM
    BasePriority : Normal
    FileVersion : 3.1.1.184
    ProductName : McAfee Common Framework
    CompanyName : Network Associates, Inc.
    FileDescription : Common User Interface
    InternalName : UpdaterUI
    LegalCopyright : Copyright© 2000-2003 Networks Associates Technology, Inc. All Rights Reserved.
    OriginalFilename : UpdaterUI.exe

    #:36 [digstream.exe]
    FilePath : C:\Program Files\DIGStream\
    ProcessID : 2832
    ThreadCreationTime : 3-28-2006 2:27:10 AM
    BasePriority : Normal
    FileVersion : 2.3.0.0003
    ProductVersion : 2.3.0.0003
    ProductName : DIGStream
    CompanyName : Walt Disney Internet Group
    FileDescription : DIGStream Cache Manager
    InternalName : DIGStream.exe
    LegalCopyright : Copyright (c) 2002-2005 Walt Disney Internet Group.
    OriginalFilename : digstream.exe
    Comments : none

    #:37 [jusched.exe]
    FilePath : C:\Program Files\Java\jre1.5.0_04\bin\
    ProcessID : 2868
    ThreadCreationTime : 3-28-2006 2:27:10 AM
    BasePriority : Normal


    #:38 [rainlendar.exe]
    FilePath : C:\Program Files\Rainlendar\
    ProcessID : 3088
    ThreadCreationTime : 3-28-2006 2:27:11 AM
    BasePriority : Normal


    #:39 [trillian.exe]
    FilePath : C:\Program Files\Trillian\
    ProcessID : 3176
    ThreadCreationTime : 3-28-2006 2:27:12 AM
    BasePriority : Normal
    FileVersion : 3.1.0.121
    ProductVersion : 3.1.0.121
    ProductName : Trillian
    CompanyName : Cerulean Studios
    FileDescription : Trillian
    InternalName : Trillian
    LegalCopyright : © Cerulean Studios, LLC. All rights reserved.
    OriginalFilename : Trillian.exe

    #:40 [tponscr.exe]
    FilePath : C:\Program Files\ThinkPad\PkgMgr\HOTKEY\
    ProcessID : 3356
    ThreadCreationTime : 3-28-2006 2:27:13 AM
    BasePriority : Normal


    #:41 [tpscrex.exe]
    FilePath : C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\
    ProcessID : 3404
    ThreadCreationTime : 3-28-2006 2:27:13 AM
    BasePriority : Normal
    FileVersion : 1.06
    ProductVersion : 1.06
    ProductName : ThinkPad UltraZoom
    CompanyName : IBM Corporation
    FileDescription : ThinkPad UltraZoom
    InternalName : TPSCREX
    LegalCopyright : Copyright (c) 2000, IBM Corporation
    OriginalFilename : TpScrEx.exe

    #:42 [scan32.exe]
    FilePath : C:\Program Files\Network Associates\VirusScan\
    ProcessID : 3632
    ThreadCreationTime : 3-28-2006 2:30:15 AM
    BasePriority : Normal


    #:43 [ipodservice.exe]
    FilePath : C:\Program Files\iPod\bin\
    ProcessID : 3940
    ThreadCreationTime : 3-28-2006 2:31:36 AM
    BasePriority : Normal
    FileVersion : 6.0.4.2
    ProductVersion : 6.0.4.2
    ProductName : iTunes
    CompanyName : Apple Computer, Inc.
    FileDescription : iPodService Module
    InternalName : iPodService
    LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
    OriginalFilename : iPodService.exe

    #:44 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ProcessID : 4024
    ThreadCreationTime : 3-28-2006 3:17:26 AM
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : IEXPLORE.EXE

    #:45 [mcupdate.exe]
    FilePath : C:\Program Files\Network Associates\VirusScan\
    ProcessID : 2224
    ThreadCreationTime : 3-28-2006 3:20:08 AM
    BasePriority : Normal


    #:46 [mcscript_inuse.exe]
    FilePath : C:\Program Files\Network Associates\Common Framework\
    ProcessID : 3336
    ThreadCreationTime : 3-28-2006 3:20:11 AM
    BasePriority : Normal
    FileVersion : 2.0.0.150
    ProductName : McAfee Common Script Engine
    CompanyName : Network Associates, Inc.
    FileDescription : McAfee Script Engine
    InternalName : McScript
    LegalCopyright : Copyright© 2000-2002 Networks Associates Technology, Inc. All Rights Reserved.
    OriginalFilename : McScript.exe
    Comments : This component parses and executes predefined known format scripts

    #:47 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID : 804
    ThreadCreationTime : 3-28-2006 3:34:04 AM
    BasePriority : Normal
    FileVersion : 6.2.0.236
    ProductVersion : SE 106
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft AB Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : henry@doubleclick[1].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:3
    Value : Cookie:henry@doubleclick.net/
    Expires : 3-26-2009 10:07:36 PM
    LastSync : Hits:3
    UseCount : 0
    Hits : 3

    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 6



    Deep scanning and examining files (C:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 6


    Scanning Hosts file......
    Hosts file location: "C:\WINDOWS\system32\drivers\etc\hosts ".
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Hosts file scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    1 entries scanned.
    New critical objects:0
    Objects found so far: 6




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 6

    10:52:04 PM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:17:26.316
    Objects scanned:137443
    Objects identified:1
    Objects ignored:0
    New critical objects:1
     


  4. 2006/03/28
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Download HijackThis from www.merjin.org and post the scan log here.
     
  5. 2006/03/28
    chocotiger

    chocotiger Inactive Thread Starter

    Joined:
    2006/03/27
    Messages:
    7
    Likes Received:
    0
    Thanks for your help, here's the log file


    Logfile of HijackThis v1.99.1
    Scan saved at 10:07:17 AM, on 3/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Weather Watcher\ww.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Antispyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O20 - Winlogon Notify: pptp32 - C:\WINDOWS\SYSTEM32\pptp32.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
     
  6. 2006/03/28
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    HJT log looks clean, but the virus you have is a bad one. It's a backdoor trojan that gives remote access to your computer and can log keystrokes, steal passwords and basically gives the remote user almost full control of your computer. The bad part is that the trojan installs a rootkit, which is why your antivirus cannot remove it. Follow the manual removal instructions here:
    http://www.symantec.com/avcenter/venc/data/pf/backdoor.haxdoor.h.html

    The adaware critical object found is a tracking cookie, no worries there.

    Post back results after doing any manual cleaning.

    McAfee is supposed to be able to detect & remove that particular virus using the newest antivirus updates. It is possible that the virus already downloaded other newer malicious files that prevented McAfee from removing it completely.
     
  7. 2006/03/28
    chocotiger

    chocotiger Inactive Thread Starter

    Joined:
    2006/03/27
    Messages:
    7
    Likes Received:
    0
    TonyT,

    Thanks for the reply. I don't have a Windows XP CD (my laptop didn't come with one) so I can't complete the first step.

    I know someone else with a Windows XP CD, will that one work? Also, I won't be able to get it for a few days. My laptop has to be ON for the virus to do damage, right? Can I just leave it off until I get my hands on a CD? Thanks in advance.
     
    Last edited: 2006/03/28
  8. 2006/03/29
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Yes, nothing can happen if the comp is turned off.
     
  9. 2006/03/29
    dmcquay

    dmcquay Inactive

    Joined:
    2006/03/29
    Messages:
    1
    Likes Received:
    0
    Make sure, while working to disinfect yourself from this nasty virus, to disconnect your laptop from the internet, so as not to cause yourself any more damage.
     
  10. 2006/04/08
    chocotiger

    chocotiger Inactive Thread Starter

    Joined:
    2006/03/27
    Messages:
    7
    Likes Received:
    0
    OK, I've got my hands on a Windows XP CD and I've gotten into the Recovery Console screen... but when it tells me to type in my administrator password, it keeps on telling me that my password is invalid... and I'm 100% sure I typed it in right.

    At first I didn't have a password so I created one, but it keeps on telling me that I have an invalid password. Can someone please help?
     
  11. 2006/04/10
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
  12. 2006/04/10
    chocotiger

    chocotiger Inactive Thread Starter

    Joined:
    2006/03/27
    Messages:
    7
    Likes Received:
    0
    Thanks a lot for everybody's help... but I still encountered a billion problems trying to get into the Recovery Console. First with the password thing... then a Windows XP CD version problem... then the CD won't copy properly... then a lot of other stuff, etc. etc.

    I used the System Restore feature... and now everything's fine, all the symptoms are gone. I ran updated Ad-Aware and McAfee VirusScan again and it found this:

    A0070761.sys BackDoor-BAC.sys trojan deleted
    A0070762.sys BackDoor-BAC.sys trojan deleted

    Am I safe now? Everything seems fine...
     
  13. 2006/04/11
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Post a new HijackThis log in a day or two along w/ your observations of how the system is doing as a result of removing that trojan.
     
  14. 2006/04/13
    chocotiger

    chocotiger Inactive Thread Starter

    Joined:
    2006/03/27
    Messages:
    7
    Likes Received:
    0
    Here it is. Maybe my problems are not over... I used Ad-Aware again and it found about 20 tracking cookies (that's the most I've ever seen). I may just reformat soon. Anyway, here's my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:31:28 AM, on 4/14/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Antispyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
     
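    As an added example, not part of the thread or of HijackThis itself: a small Python script that parses HijackThis entry lines and diffs the first log posted in this thread against the second one above, so a reviewer can see exactly which autostart entries changed after the System Restore. The excerpts embedded below are taken from the two logs as posted; the one entry that differs is the O20 Winlogon Notify line, and Winlogon Notify DLLs are loaded into winlogon.exe at logon, so entries in that section deserve a closer look than an ordinary Run-key entry.

```python
import re

# Excerpts of the two HijackThis logs posted in this thread (before and
# after the System Restore). The full logs are much longer; these are the
# lines that matter for the comparison.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O20 - Winlogon Notify: pptp32 - C:\WINDOWS\SYSTEM32\pptp32.dll
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
"""

# Sections whose entries load code at logon or as a service (Winlogon
# Notify, AppInit_DLLs, services); a change here deserves a closer look.
HIGH_INTEREST = {"O20", "O21", "O23"}

# HJT entry lines start with a section code such as R0, O4, O20, O23.
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")

def parse_hjt(text):
    """Return a set of (section, rest-of-line) tuples for every entry line."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def diff_hjt(before, after):
    """Entries removed and entries added between two logs, high-interest first."""
    b, a = parse_hjt(before), parse_hjt(after)
    key = lambda e: (e[0] not in HIGH_INTEREST, e[0], e[1])
    return sorted(b - a, key=key), sorted(a - b, key=key)

def report(before, after):
    """Human-readable lines describing what changed between the two logs."""
    removed, added = diff_hjt(before, after)
    lines = []
    for tag, entries in (("REMOVED", removed), ("ADDED", added)):
        for section, rest in entries:
            flag = " <-- high-interest section" if section in HIGH_INTEREST else ""
            lines.append(f"{tag}: {section} - {rest}{flag}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(LOG_BEFORE, LOG_AFTER)) or "no differences")
```

    Point it at two full saved logs (read the files into the two strings) to get the complete before/after picture rather than just the excerpt.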
  15. 2006/04/15
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Your log looks clean to me. These tracking cookies can be controlled by this program, SpywareBlaster. Install it, update it, then allow it to Enable All Protections. When done, you only need to update it, and enable the protections. It doesn't need to run any other time for what it does to be in effect.
     
