Cyber Tech Help Support Forums > Software > Malware Removal
#1  March 11th, 2005, 05:27 AM
hp-p00nst3r (Member, Join Date: Dec 2004, Posts: 92)
w32.kelvir.a

My Norton AntiVirus 05 keeps saying "virus deleted" for a virus called w32.kelvir.a. The problem is that it constantly pops up. I cannot get rid of it. It keeps coming back. What do I do? I've done what the Symantec Security Response site told me but I still can't get rid of it! Help me please. It's getting very annoying.
#2  March 11th, 2005, 05:42 AM
AnnMarie (CTH Subscriber, Join Date: Oct 2001, O/S: Windows Vista 32-bit, Location: New Zealand, Posts: 59,810)
Hi hp-p00nst3r, let's see what is running on your PC. Go here and download the latest version of HijackThis. Unzip it and click on Scan. Most of the files listed will be harmless and/or required, so do not make any changes; just click on Save Log, copy it and post it back in this thread.

Transferring to the Cyber Safety Forum.
#3  March 11th, 2005, 05:56 AM
hp-p00nst3r (Member, Join Date: Dec 2004, Posts: 92)
Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:54:10 PM, on 10/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\FireDaemon\FireDaemon.exe
C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\HLServer\hlds.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex...te/sdkinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FireDaemon Service: HLDS (HLDS) - Sublime Solutions Pty Ltd - C:\Program Files\FireDaemon\FireDaemon.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: siregsrv - Symantec, Peter Norton Group - C:\PROGRA~1\NORTON~1\SPEEDD~1\SIREGSRV.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
#4  March 11th, 2005, 06:59 AM
AnnMarie (CTH Subscriber, Join Date: Oct 2001, O/S: Windows Vista 32-bit, Location: New Zealand, Posts: 59,810)
A couple of questions. Did you install the FireDaemon Service hp-p00nst3r? What is E:\HLServer\hlds.exe?

I would like to see some more logs please. Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

Download/Save this zipped file to your desktop http://skads.org/special/rkfiles.zip and unzip it to its own folder. When you run the utility, it will generate a log listing suspicious files. This utility must be run in Safe Mode to work correctly.

Boot into Safe Mode (restart your PC and tap F8 as it restarts) and double-click on RKFILES.BAT to run it. It will take quite a while (10 minutes or more, so be patient). When it has finished a text file will open; save the log and post it in this thread. Do not attempt to delete any files, wait for me to check them.

Still in Safe Mode, run HijackThis again, save the log, reboot and post the new log.
#5  March 12th, 2005, 01:42 AM
hp-p00nst3r (Member, Join Date: Dec 2004, Posts: 92)
Yes, I did in fact install a FireDaemon service, HLDS. It is a Half-Life Dedicated Server, a game server.

The log from the rkfiles.bat program:
C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2
C:\WINDOWS\system32\MFC42.PDB: dwProvSpec2
C:\WINDOWS\system32\MFC42D.PDB: dwProvSpec2
C:\WINDOWS\system32\MFCD42D.PDB: dwProvSpec2
C:\WINDOWS\system32\MFCN42D.PDB: dwProvSpec2
C:\WINDOWS\system32\MFCO42D.PDB: dwProvSpec2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\daemon.dll: UPX!
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

Here is the log from another HijackThis scan:
Logfile of HijackThis v1.99.1
Scan saved at 4:35:54 PM, on 11/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows NT\Pinball\PINBALL.EXE
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "c:\progra~1\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex...te/sdkinst.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FireDaemon Service: HLDS (HLDS) - Sublime Solutions Pty Ltd - C:\Program Files\FireDaemon\FireDaemon.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: siregsrv - Symantec, Peter Norton Group - C:\PROGRA~1\NORTON~1\SPEEDD~1\SIREGSRV.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

One more thing: every time I start up my computer, Sophos AV keeps saying it's deleting the virus, Kelvir A and B, and there are hundreds of messages about that. The virus keeps coming!
I hope this will shed some light on why this is happening. Thank you for your help.
#6  March 12th, 2005, 06:39 AM
AnnMarie (CTH Subscriber, Join Date: Oct 2001, O/S: Windows Vista 32-bit, Location: New Zealand, Posts: 59,810)
I cannot see a problem in your logs. Can you post a Sophos log, please? Perhaps if we can see which files it is detecting, we might be able to find the files.
#7  March 12th, 2005, 07:18 AM
hp-p00nst3r (Member, Join Date: Dec 2004, Posts: 92)
The Sophos log is way too long. I've looked at it. It starts from when I installed it to find a virus. It deleted a virus, lol, Troj/borobt.gen. 2 days later the Kelvir virus came. Every time I turn on the computer it'd say Kelvir virus deleted. But I did see something weird in the log. It says some files in the Temp folder could not be accessed. Every single file it detects as Kelvir is located in C:\WINDOWS\Temp as tmp<something>.tmp
Here's a portion of the log:
20050312 054750 The on-access driver failed to perform a user action on file \Device\HarddiskVolume1\WINDOWS\TEMP\tmpC2.tmp.
20050312 055750 The on-access driver failed to perform a user action on file \Device\HarddiskVolume1\WINDOWS\TEMP\tmpC2.tmp.
20050312 055750 Scanning "C:\WINDOWS\Temp\tmpC2.tmp" returned SAVI error 0xa0040210: The file could not be accessed.
20050312 055750 Scanning "C:\WINDOWS\Temp\tmpC2.tmp" returned SAVI error 0xa0040210: The file could not be accessed.
20050312 055750 Scanning "C:\WINDOWS\Temp\tmpC2.tmp" returned SAVI error 0xa0040210: The file could not be accessed.
20050312 055750 Scanning "C:\WINDOWS\Temp\tmpC2.tmp" returned SAVI error 0xa0040210: The file could not be accessed.
20050312 060750 The on-access driver failed to perform a user action on file \Device\HarddiskVolume1\WINDOWS\TEMP\tmpD3.tmp

I also scanned my computer with NAV2005. It detected an adware called Adware.CDT. Norton itself could not delete it. When I tried to do it myself, I could not find the registry keys it modified. Last night I scanned for viruses using NAV and Sophos respectively in Safe Mode. NAV detected 5 viruses, all Kelvir. Sophos did not find any. As I kept using the computer, the virus came back AGAIN.

Sometimes when I turn on the computer, I can't even access the Start menu; every time I move my mouse down there my mouse pointer turns into an hourglass. When Norton comes out with "virus deleted" the Start menu is accessible again.

Last edited by hp-p00nst3r; March 12th, 2005 at 08:01 PM.
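An added example (mine, not from the thread, Sophos or any removal tool) that parses the two Sophos log line shapes quoted in the post above and flags the pattern the poster describes: the on-access scanner repeatedly failing on tmp<hex>.tmp files under C:\WINDOWS\Temp, which is what a dropper re-creating files faster than they are cleaned looks like in a log. The sample lines are constructed in the quoted format; the volume-prefix stripping, the tmp<hex>.tmp naming rule and the repeat threshold are my assumptions.

```python
"""Parse Sophos Anti-Virus on-access log lines of the two shapes quoted in
the thread and report files the scanner repeatedly failed to act on.
Added illustration, not Sophos code; the heuristics are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample in the format of the lines quoted in the thread; the last
# line is an added non-Temp entry to show that it is not flagged.
SAMPLE_LOG = r"""
20050312 054750 The on-access driver failed to perform a user action on file \Device\HarddiskVolume1\WINDOWS\TEMP\tmpC2.tmp.
20050312 055750 The on-access driver failed to perform a user action on file \Device\HarddiskVolume1\WINDOWS\TEMP\tmpC2.tmp.
20050312 055750 Scanning "C:\WINDOWS\Temp\tmpC2.tmp" returned SAVI error 0xa0040210: The file could not be accessed.
20050312 055750 Scanning "C:\WINDOWS\Temp\tmpC2.tmp" returned SAVI error 0xa0040210: The file could not be accessed.
20050312 060750 The on-access driver failed to perform a user action on file \Device\HarddiskVolume1\WINDOWS\TEMP\tmpD3.tmp
20050312 061200 Scanning "C:\Program Files\FlashGet\flashget.exe" returned SAVI error 0xa0040210: The file could not be accessed.
"""

_TS = r"(?P<date>\d{8}) (?P<time>\d{6}) "
# Driver lines carry a kernel-style path, with or without a trailing full stop.
DRIVER_RE = re.compile(
    _TS + r"The on-access driver failed to perform a user action on file (?P<path>.+?)\.?$")
# Scanner lines carry a quoted Win32 path and a SAVI error code.
SAVI_RE = re.compile(
    _TS + r'Scanning "(?P<path>[^"]+)" returned SAVI error (?P<code>0x[0-9A-Fa-f]+): (?P<msg>.+)$')
# \Device\HarddiskVolumeN\... and C:\... name the same file in the posted lines;
# strip either prefix so the two spellings compare equal (assumes one volume).
VOLUME_RE = re.compile(r"^(?:\\Device\\HarddiskVolume\d+|[A-Za-z]:)\\", re.IGNORECASE)
# The names the poster reports: tmp<hex>.tmp directly under Windows\Temp.
TEMP_DROP_RE = re.compile(r"^windows\\temp\\tmp[0-9a-f]+\.tmp$")


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str    # "driver" (on-access driver failure) or "savi" (scan error)
    path: str    # normalized: lowercase, volume/drive prefix removed
    detail: str  # SAVI error code, empty for driver lines


def normalize_path(path: str) -> str:
    """Make the kernel and Win32 spellings of one file compare equal."""
    return VOLUME_RE.sub("", path).lower()


def parse_sophos_log(text: str) -> list:
    """Return the failure events in the log; other line types are ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            kind, detail = "driver", ""
        else:
            m = SAVI_RE.match(line)
            if not m:
                continue
            kind, detail = "savi", m.group("code")
        when = datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S")
        events.append(Event(when, kind, normalize_path(m.group("path")), detail))
    return events


@dataclass
class PathSummary:
    count: int = 0
    first: Optional[datetime] = None
    last: Optional[datetime] = None
    kinds: set = field(default_factory=set)


def summarize(events: list) -> dict:
    """Group failures by normalized path with count, time span and line kinds."""
    out = {}
    for e in events:
        s = out.setdefault(e.path, PathSummary())
        s.count += 1
        s.first = e.when if s.first is None else min(s.first, e.when)
        s.last = e.when if s.last is None else max(s.last, e.when)
        s.kinds.add(e.kind)
    return out


def recurring_temp_failures(events: list, min_count: int = 2) -> list:
    """tmp<hex>.tmp files under Windows\\Temp that failed at least min_count
    times: the re-dropping signature described in the thread."""
    return sorted(p for p, s in summarize(events).items()
                  if TEMP_DROP_RE.match(p) and s.count >= min_count)


def report(events: list) -> str:
    flagged = set(recurring_temp_failures(events))
    lines = []
    for path, s in sorted(summarize(events).items()):
        mark = "  <-- recurring Temp drop" if path in flagged else ""
        lines.append(f"{s.count:3d}x {s.first:%H:%M:%S}-{s.last:%H:%M:%S} "
                     f"{path} [{'/'.join(sorted(s.kinds))}]{mark}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_sophos_log(SAMPLE_LOG)))
```

On a real log the interesting output is the per-path count and time span, which shows whether the same file name is failing over and over or a fresh tmp file appears on each boot.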
#8  March 12th, 2005, 11:52 PM
AnnMarie (CTH Subscriber, Join Date: Oct 2001, O/S: Windows Vista 32-bit, Location: New Zealand, Posts: 59,810)
Try cleaning out your Temp Files and Temporary Internet Files with CCleaner and see if it helps. Were the files deleted?
#9  March 13th, 2005, 03:33 AM
hp-p00nst3r (Member, Join Date: Dec 2004, Posts: 92)
The files were deleted, but it's still coming.
I had to run it in Safe Mode because in normal mode the program wouldn't respond.
In normal mode, when I scan the Temp folder with Norton, the scan hangs at MSVCP71.dll.

Last edited by hp-p00nst3r; March 13th, 2005 at 03:37 AM.
#10  March 13th, 2005, 04:12 AM
AnnMarie (CTH Subscriber, Join Date: Oct 2001, O/S: Windows Vista 32-bit, Location: New Zealand, Posts: 59,810)
Are you online when you are running the removal tools? If so, download any updates, disconnect and run them again. Have you run the Trend Micro Damage Cleanup Template? If so, try downloading the latest pattern file and running it again, but make sure you are offline when you do this.
#11  March 13th, 2005, 05:04 AM
hp-p00nst3r (Member, Join Date: Dec 2004, Posts: 92)
All the removal tools are up to date.
I've run the Trend Micro thing; I downloaded the sysclean one since I'm not a Trend Micro customer. It'd scan a bunch of stuff and when the DOS window opens up, a bunch of errors come up saying it couldn't access some of the files. There were a lot of those errors. Then it hung at one of the files in the Temp folder. It didn't move for a long time, so I cancelled the operation.
#12  March 13th, 2005, 10:13 AM
hp-p00nst3r (Member, Join Date: Dec 2004, Posts: 92)
I tried sysclean again, but this time in Safe Mode.
Here's the log for it:

2005-03-12, 22:31:50, Auto-clean mode specified.
2005-03-12, 22:31:50, Running scanner "C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\TSC.BIN"...
2005-03-12, 22:33:29, Scanner "C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\TSC.BIN" has finished running.
2005-03-12, 22:33:29, TSC Log:
2005-03-12, 22:35:39, An error occurred while scanning file "C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
2005-03-12, 22:35:39, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is denied.
2005-03-12, 22:35:39, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-03-12, 22:35:39, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-03-12, 22:35:39, An error was detected on "C:\Documents and Settings\Mom & Dad\*.*": Access is denied.
2005-03-12, 22:35:39, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2005-03-12, 22:35:39, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2005-03-12, 22:35:39, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-03-12, 22:35:40, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-03-12, 22:35:40, An error occurred while scanning file "C:\Documents and Settings\Poon\NTUSER.DAT": Access is denied.
2005-03-12, 22:35:40, An error occurred while scanning file "C:\Documents and Settings\Poon\ntuser.dat.LOG": Access is denied.
2005-03-12, 22:35:59, An error occurred while scanning file "C:\Documents and Settings\Poon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-03-12, 22:35:59, An error occurred while scanning file "C:\Documents and Settings\Poon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-03-12, 23:15:43, Could not set file for reading on "C:\RECYCLER\NPROTECT\00315051.TXT": Access is denied.
2005-03-12, 23:15:43, Could not set file for reading on "C:\RECYCLER\NPROTECT\00315052.TXT": Access is denied.
2005-03-12, 23:15:43, Could not set file for reading on "C:\RECYCLER\NPROTECT\00315053.TXT": Access is denied.
2005-03-12, 23:16:13, Could not set file for reading on "C:\RECYCLER\NPROTECT\00317574.MOZ": Access is denied.
2005-03-12, 23:16:13, Could not set file for reading on "C:\RECYCLER\NPROTECT\00317584.MOZ": Access is denied.
2005-03-12, 23:16:13, Could not set file for reading on "C:\RECYCLER\NPROTECT\00317587.MOZ": Access is denied.
2005-03-12, 23:16:13, Could not set file for reading on "C:\RECYCLER\NPROTECT\00317589.MOZ": Access is denied.
2005-03-12, 23:16:13, Could not set file for reading on "C:\RECYCLER\NPROTECT\00317590.MOZ": Access is denied.
2005-03-12, 23:16:26, Could not set file for reading on "C:\RECYCLER\NPROTECT\00318437.LNK": Access is denied.
2005-03-12, 23:16:26, Could not set file for reading on "C:\RECYCLER\NPROTECT\00318438.LNK": Access is denied.
2005-03-12, 23:16:26, Could not set file for reading on "C:\RECYCLER\NPROTECT\00318452.LNK": Access is denied.
2005-03-12, 23:16:26, Could not set file for reading on "C:\RECYCLER\NPROTECT\00318453.LNK": Access is denied.
2005-03-12, 23:18:01, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\ACRORD32.EXE-13285B88.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\ACRORD32INFO.EXE-013EA364.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\AD-AWARE.EXE-2ED3360E.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\AGENTSVR.EXE-002E45AB.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\AIM.EXE-061FD532.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\ALCOHOL.EXE-23D345C3.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\ALG.EXE-0F138680.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\ALMON.EXE-0ED3E27C.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\ALUPDATE.EXE-38DF4AFD.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\ATI2EVXX.EXE-19D16EB9.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\AUPDATE.EXE-2253CB60.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\AUTORUN.EXE-055703AF.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\AUTORUN.EXE-3684E09A.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\BATTLEFIELD_1942_INCREMENTAL_-1B7FD5D2.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\BATTLEFIELD_1942_PATCH_V1.6.1-002C44A4.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\BF1942.EXE-20253D28.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\BF1942_NOCD_LOADER.EXE-2E375CE7.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\BLACKSCREEN.EXE-18447873.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CACLS.EXE-25504E4A.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CCAPP.EXE-1207B2A5.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CCLEANER.EXE-0BCE437C.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CCLGVIEW.EXE-084E7031.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CCSETUP117.EXE-0F700959.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CFGWIZ.EXE-17240409.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CKA.EXE-0842EF2D.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CLI.EXE-20D5A08B.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CLONECDTRAY.EXE-1E92F8D7.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CODMP.EXE-2798D94C.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CODUOSP.EXE-18229366.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CSRSS.EXE-12B63473.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\CTFMON.EXE-0E17969B.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\DAEMON.EXE-19CAC371.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\DAEMONTOOLSV3.47.EXE-01B8E344.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\FIREFOX.EXE-28641590.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\FLASHGET.EXE-0B8880BB.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\FLASHGOT.EXE-0166B28E.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\HH.EXE-2D1A70B3.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-29A03A76.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-2AF68D7A.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\HL.EXE-28A0F17E.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\HLDS.EXE-3470D92A.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\HLSW.EXE-0005D400.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\HPZENG09.EXE-21FF5F4F.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\HPZSTC09.EXE-3AFDDA16.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\IKERNEL.EXE-078AA887.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\IRALRSHL.EXE-0CF0BBE1.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\ITOUCH.EXE-0DDF2B56.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\LAUNCHER.EXE-054C7C8A.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\LUALL.EXE-30AC8E48.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\LUCOMS~1.EXE-02DB5950.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\MATRIX.EXE-19D65BE2.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\MIRC.EXE-0661EC22.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\MSGPLUS.EXE-38B1CE07.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIEXEC.EXE-2F8A8CAE.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIMN.EXE-38BA891D.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\MSMSGS.EXE-2B6052DE.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\MSNMSGR.EXE-366A1A81.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVSTUB.EXE-0C1B3317.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVW32.EXE-24F56911.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVW32.EXE-25047607.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\NDETECT.EXE-16E64095.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\NF.EXE-10E0296E.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\NMAIN.EXE-2BA406E0.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\NSWCFG.EXE-2CF94E55.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\OBC.EXE-2E42DAAF.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\OPSCAN.EXE-1D42E8EC.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\OSA9.EXE-27CD7DB8.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\PINBALL.EXE-1233165F.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\QDCSFS.EXE-1BE93C49.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\QTTASK.EXE-342507FB.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RSVP.EXE-04E70CF3.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-12E27DD0.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-14BFE4E6.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-188DF14E.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-19DD028A.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-1B3538BE.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2576181F.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2CD85FD3.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2E42CC5F.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-341DD2A4.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-356812D3.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNONCE.EXE-2803F297.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SAVMAIN.EXE-039DEA8B.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SAVPROGRESS.EXE-05ADB090.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP.EXE-01258076.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP.EXE-1B83E575.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP.EXE-39639817.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SG.EXE-32933AD6.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SGBFMPATCHV0.1TOV0.1B.EXE-1A9E9C41.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SNDMON.EXE-0A6C21A2.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SPIDER.EXE-2D998CA6.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\STARGATEBFMV0.1PUBLICCLIENTFU-01FEBA51.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\STEAM.EXE-08093C6F.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\STEAM.EXE-3A35EC78.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SYMUNDO.EXE-0E475A78.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SYNCOR.EXE-08E7996C.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.COM-206260CA.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.EXE-0DA62C00.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.BIN-0922CAC9.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\TW_IM_2004.EXE-2B4917C4.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\VENTRILO-2.2.0-WINDOWS-I386.E-04B6A948.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\VSCANTM.BIN-0C44DC9F.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\WDFMGR.EXE-2CF4013B.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\WINDOC.EXE-2B7257C0.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\WINRAR.EXE-39C6DAD9.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\WINWORD.EXE-10D55173.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\WISPTIS.EXE-0C21B942.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9D.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\~E5D141.TMP-05B42746.pf": Access is denied.
2005-03-12, 23:20:15, Could not set file for reading on "C:\WINDOWS\Prefetch\~E5D141.TMP-0BE3B61A.pf": Access is denied.
2005-03-12, 23:21:14, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
2005-03-12, 23:21:14, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2005-03-12, 23:21:14, An error occurred while scanning file
  #13  
Old March 13th, 2005, 10:15 AM
hp-p00nst3r
Member
Join Date: Dec 2004
Posts: 92
I couldn't fit the rest of the log, so here it is:

"C:\WINDOWS\system32\config\SAM": Access is denied.
2005-03-12, 23:21:14, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-03-12, 23:21:14, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2005-03-12, 23:21:14, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2005-03-12, 23:21:14, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
2005-03-12, 23:21:14, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2005-03-12, 23:21:15, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2005-03-12, 23:21:15, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2005-03-12, 23:21:43, An error occurred while scanning file "C:\WINDOWS\system32\drivers\atapi.sys": Access is denied.
2005-03-12, 23:22:04, Running scanner "C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN"...
2005-03-13, 00:01:42, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 3/12/2005 16:10:16
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 488 (93409 Patterns) (2005/03/11) (248800)
Command Line: C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 3/12/2005 23:22:05
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 488 (93409 Patterns) (2005/03/11) (248800)
Command Line: C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean
C:\WINDOWS\Temp\tmp96.tmp [WORM_KELVIR.A]
C:\WINDOWS\Temp\tmpDA.tmp [WORM_KELVIR.A]
105570 files have been read.
105570 files have been checked.
86477 files have been scanned.
186093 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 3/13/2005 00:01:42
---------*---------*---------*---------*---------*---------*---------*---------*
2005-03-13, 00:01:43, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 3/12/2005 16:10:16
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 488 (93409 Patterns) (2005/03/11) (248800)
Command Line: C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 3/12/2005 23:22:05
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 488 (93409 Patterns) (2005/03/11) (248800)
Command Line: C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean
Success Clean [ WORM_KELVIR.A]( 1) from C:\WINDOWS\Temp\tmp96.tmp
Success Clean [ WORM_KELVIR.A]( 1) from C:\WINDOWS\Temp\tmpDA.tmp
105570 files have been read.
105570 files have been checked.
86477 files have been scanned.
186093 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 3/13/2005 00:01:42 39 minutes 37 seconds (2376.91 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-03-13, 00:01:43, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 3/12/2005 16:10:16
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 488 (93409 Patterns) (2005/03/11) (248800)
Command Line: C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 3/12/2005 23:22:05
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 488 (93409 Patterns) (2005/03/11) (248800)
Command Line: C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean
105570 files have been read.
105570 files have been checked.
86477 files have been scanned.
186093 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 3/13/2005 00:01:42 39 minutes 37 seconds (2376.91 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-03-13, 00:01:43, Scanner "C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN" has finished running.
2005-03-13, 00:02:39, Could not set file for reading on "E:\RECYCLER\NPROTECT\NPROTECT.LOG": Access is denied.
2005-03-13, 00:02:39, An error was detected on "E:\System Volume Information\*.*": Access is denied.
2005-03-13, 00:02:39, Running scanner "C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN"...
2005-03-13, 00:02:55, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 3/13/2005 00:02:40
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 488 (93409 Patterns) (2005/03/11) (248800)
Command Line: C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean
4050 files have been read.
4050 files have been checked.
2965 files have been scanned.
2965 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 3/13/2005 00:02:55
---------*---------*---------*---------*---------*---------*---------*---------*
2005-03-13, 00:02:55, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 3/13/2005 00:02:40
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 488 (93409 Patterns) (2005/03/11) (248800)
Command Line: C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean
4050 files have been read.
4050 files have been checked.
2965 files have been scanned.
2965 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 3/13/2005 00:02:55 15 seconds (15.33 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-03-13, 00:02:55, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 3/13/2005 00:02:40
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 488 (93409 Patterns) (2005/03/11) (248800)
Command Line: C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 E:\*.* /P=C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean
4050 files have been read.
4050 files have been checked.
2965 files have been scanned.
2965 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 3/13/2005 00:02:55 15 seconds (15.33 seconds) has elapsed.
---------*---------*---------*---------*---------*---------*---------*---------*
2005-03-13, 00:02:55, Scanner "C:\Documents and Settings\Poon\My Documents\P00nstaz Stuff\Apps\sysclean\VSCANTM.BIN" has finished running.
  #14  
Old March 13th, 2005, 10:25 AM
AnnMarie
CTH Subscriber
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
I have uploaded a file to this post. Unzip it to your Desktop and double-click on Cleanup.bat to run it. A DOS prompt will open; OK all the prompts (Y and Enter), then reboot.
Attached Files
File Type: zip Cleanup 2K_XP.zip (244 Bytes, 14 views)
  #15  
Old March 13th, 2005, 10:31 AM
AnnMarie
CTH Subscriber
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Ah, I didn't see your posts when I posted. It looks like the Trend Micro utility may have fixed the problem. What happens when you reboot now?