Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Something is disabling my McAfee On Access Scanner and Outlook Mobile Access (OMA) in exchange 2003


  • Please log in to reply
1 reply to this topic

#1 netcon

netcon

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:55 AM

Posted 18 December 2008 - 08:51 AM

Recently a SBS network of a friend got a virus on a workstation that most likely came from opening a bogus attachment in an email. The most obvious problems are that the On access scanner of both Mcafee total protection and mcafee virusscan enterprise 8.5.0i will disable themselves indefinitely even if you reenable AND the OMA portion of exchange will not run which means no synching wireless devices with exchange accounts :thumbsup: I have tried scanning, all sorts of removers and cannot find anything that seems to explain the source. Maybe my log will show something obvious that Im overlooking

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:16 AM, on 12/18/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\Data\efilecabinet\efilecabinet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\Program Files\Alchemy Network Monitor\netmon.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\RD1000\Service\RDXmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE
C:\WINDOWS\System32\wins.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1718958340-2513891546-1139723326-1149\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'QBDataServiceUser17')
O4 - HKUS\S-1-5-21-1718958340-2513891546-1139723326-1151\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'QBDataServiceUser')
O4 - HKUS\S-1-5-21-1718958340-2513891546-1139723326-1158\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'QBDataServiceUser18')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: QuickBooks Database Server Manager.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O15 - Trusted Zone: http://www.eset.com
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://www.networkconcern.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kdomain.local
O17 - HKLM\Software\..\Telephony: DomainName = kdomain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{13A087B4-7ED0-46AE-9A33-08064EB5D114}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kdomain.local
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adaptec Storage Manager Agent (AdaptecStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec Storage Manager\StorServ.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: efilecabinet (eFileCabinet) - Unknown owner - C:\Data\efilecabinet\service\srvany.exe
O23 - Service: EngineServer - Unknown owner - C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Alchemy Network Monitor (NetMon) - M.I.S. Helpers - C:\Program Files\Alchemy Network Monitor\netmon.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: QuickBooksDB18 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~2.0\QBDBMgrN.exe
O23 - Service: QuickBooksDB19 - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~3.0\QBDBMgrN.exe
O23 - Service: RDXmon 1.12 (RDXmon) - Unknown owner - C:\Program Files\RD1000\Service\RDXmon.exe

--
End of file - 9998 bytes

BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:05:55 AM

Posted 27 December 2008 - 09:35 AM

Hello netcon

Welcome to BleepingComputer :thumbsup:
========================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users