Torpig Virus

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

Torpig Virus Hidden window at startup

#1 videoguy

Member

Group: Members
Posts: 61
Joined: 10-September 06

Posted 14 November 2007 - 01:27 PM

A little while ago I noticed that as my computer started up a window would appear and then dissapear before I could read what it was. I assumed it was just my antivirus program but now I'm not so sure.

Yesterday when I started up my computer, my firewall notified me that Windows Explorer was trying to access the internet. I denied it but it kept coming up. Today I accidentally clicked yes. When I went to shut off the computer I was notified that there was new software that was to be installed once the computer was to be shut down. I clicked no and so it hasn't been installed yet. Everytime I close my computer though, I have to remember not to install what's been downloaded so I'm a little paranoid about what's going on here.

To be safe I ran spybot to see if anything was on my PC and Torpig came up. It seems to have gone away for now but I'm worried that its still hiding on my system. I had this virus last year, I'm not sure if I should follow the same steps though. So I have a few questions.

1. What is the hidden window at startup and should I be worried about it?
2. What are the updates waiting to be installed on my PC?
3. Is my computer Torpig free?

Thanks I appreciate your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:21 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341520781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341500625
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://falconstor.webex.com/client/T26L/webex/ieatgpc.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image010.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7859 bytes

This post has been edited by videoguy: 14 November 2007 - 05:21 PM

#2 Yourhighness

The BSG Malware Fighter

Group: Malware Response Team
Posts: 7,925
Joined: 20-April 06
Gender:Male
Location:Hamburg

Posted 25 November 2007 - 01:31 PM

Hello videoguy and welcome to BleepingComputer!

Apollogies for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image

#3 videoguy

Member

Group: Members
Posts: 61
Joined: 10-September 06

Posted 27 November 2007 - 10:01 AM

Yourhighness, on Nov 25 2007, 01:31 PM, said:

Thanks Johannes, I downloaded the Stinger program.

I don't see any trace of the torpig virus but I'm still getting a message from my firewall that Windows Explorer is trying to access the internet on every startup. Any idea what this is? Also, can you tell me if I should be worried about the Torpig problem? I'm hoping that it didn't install itself but you never really know with these things....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:07 AM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341520781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341500625
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://falconstor.webex.com/client/T26L/webex/ieatgpc.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image010.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8245 bytes

#4 Yourhighness

The BSG Malware Fighter

Group: Malware Response Team
Posts: 7,925
Joined: 20-April 06
Gender:Male
Location:Hamburg

Posted 27 November 2007 - 03:21 PM

Hey videoguy,

Please note that you are infected with a trojan (horse).

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately:

Disconnect the infected computer from the internet until the computer can be cleaned.
From a clean computer, change your online passwords-- for email, for banks, eBay, forums etc.... (Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information).

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?

However, since the infection looks relatively small from first sight, I am happy to try and clean your PC (I am just providing you with the above information to underline the impact that can occur with files like these on your pc).

The trojan in question is a variant of this: Torpig-A

Should you have any questions, please feel free to ask.

Now, on to the fix.

Step #1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:

Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Step #2

It seems you have multiple Antivirus and Firewalls installed (eTrust Internet Security Suite, AVG Antivirus and Zonealarm).

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either eTrust Internet Security Suite or AVG Antivirus - if you remove eTrust Internet Security please understand you will have to install a new Firewall as the eTrust one will have been uninstalled also.

Same principles apply for two Firewalls and thus I would also suggest to either remove eTrust Internet Security Suite or Zonealarm (again, if you remove eTrust Internet Security please understand you will have to install a new Antivirus programme as the eTrust one will have been uninstalled also).

Step #3

Run HijackThis, press Scan, and put a check mark next to all these entries:

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image010.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

Close all other windows and browsers, and press the Fix Checked button.

Step #4

Please do an online scan with Kaspersky Webscan (You need to use InternetExplorer or enable IEView in Firefox)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
Click OK
Now under select a target to scan:
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save Report as button >> name it >> chose "Text file" in the Save as type dialogue
Save the file to your desktop.
Copy and paste that information in your next post.

Step #5

Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close ALL applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

The logs can be quite lengthy..use two post if you need to get them all in.

Step #6

Please post back with the Kaspersky Onlinescan log and the main.txt and the extra.txt from DSS.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image

#5 videoguy

Member

Group: Members
Posts: 61
Joined: 10-September 06

Posted 27 November 2007 - 05:42 PM

Okay, here are the logs, this one is from Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 27, 2007 5:35:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/11/2007
Kaspersky Anti-Virus database records: 467137
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 80143
Number of viruses found: 10
Number of infected objects: 84
Number of suspicious objects: 14
Duration of the scan process: 01:08:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-3f551d86-504b015c.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-4785eec8-2858a01e.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4070e802.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4070e802.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F070DAF9-E9AF-40D9-AAD4-D2711F24914E}\Microsoft\Outlook Express\Deleted Items.dbx/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F070DAF9-E9AF-40D9-AAD4-D2711F24914E}\Microsoft\Outlook Express\Deleted Items.dbx/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F070DAF9-E9AF-40D9-AAD4-D2711F24914E}\Microsoft\Outlook Express\Deleted Items.dbx/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F070DAF9-E9AF-40D9-AAD4-D2711F24914E}\Microsoft\Outlook Express\Deleted Items.dbx/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F070DAF9-E9AF-40D9-AAD4-D2711F24914E}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 2, suspicious - 2 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\spyware tools and info\backups\backup-20060516-170624-494.dll Infected: Trojan-Downloader.Win32.Zlob.ov skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked skipped
C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc134.bak/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc134.bak/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc134.bak/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc134.bak/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc134.bak Mail MS Outlook 5: infected - 2, suspicious - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\MATT-1WY6LY0WML.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\_nvidia_xxx_.log Object is locked skipped
C:\WINDOWS\temp\ZLT01928.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT05808.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\~WRF0409.tmp Infected: Trojan-Downloader.Win32.Zlob.oq skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pepsieedie@yahoo.ca][Date Thu, 26 Feb 2004 09:09:12 -0500]/UNNAMED/textfile.pif Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pepsieedie@yahoo.ca][Date Thu, 26 Feb 2004 09:09:12 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri, 30 Apr 2004 00:39:51 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri, 30 Apr 2004 00:39:51 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri, 30 Apr 2004 00:39:51 -0400]/UNNAMED/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri, 30 Apr 2004 00:39:51 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From valerie.madill@swchsc.on.ca][Date Wed, 25 Feb 2004 09:29:56 -0500]/UNNAMED/party.zip/party.pif Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From valerie.madill@swchsc.on.ca][Date Wed, 25 Feb 2004 09:29:56 -0500]/UNNAMED/party.zip Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From valerie.madill@swchsc.on.ca][Date Wed, 25 Feb 2004 09:29:56 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From jana.mcdougall@scotiabank.com][Date Thu, 26 Feb 2004 11:35:16 -0500]/UNNAMED/concert.exe Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From jana.mcdougall@scotiabank.com][Date Thu, 26 Feb 2004 11:35:16 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From nellie_van@hotmail.com][Date Fri, 27 Feb 2004 10:17:50 -0500]/UNNAMED/aboutyou.doc.exe Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From nellie_van@hotmail.com][Date Fri, 27 Feb 2004 10:17:50 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From taramcginn68@hotmail.com][Date Sat, 28 Feb 2004 09:03:53 -0500]/UNNAMED/me.exe Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From taramcginn68@hotmail.com][Date Sat, 28 Feb 2004 09:03:53 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kevin.vig@weyerhaeuser.com][Date Mon, 1 Mar 2004 08:52:37 -0500]/UNNAMED/friend.com Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kevin.vig@weyerhaeuser.com][Date Mon, 1 Mar 2004 08:52:37 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tcamara2000@yahoo.ca][Date Thu, 4 Mar 2004 10:54:40 -0500]/note.zip/note.doc.pif Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tcamara2000@yahoo.ca][Date Thu, 4 Mar 2004 10:54:40 -0500]/note.zip Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tomlyvang@yahoo.com][Date Thu, 4 Mar 2004 10:41:05 -0800]/UNNAMED/all_document.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tomlyvang@yahoo.com][Date Thu, 4 Mar 2004 10:41:05 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From rs.com@tomts22-srv.bellnexxia.net][Date Mon, 8 Mar 2004 14:53:24 -0500]/UNNAMED/message.rtf.com Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From rs.com@tomts22-srv.bellnexxia.net][Date Mon, 8 Mar 2004 14:53:24 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pixelbomb@aol.com][Date Mon, 8 Mar 2004 20:24:36 -0800]/UNNAMED/your_file.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pixelbomb@aol.com][Date Mon, 8 Mar 2004 20:24:36 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tiberkirk@pcmagic.net][Date Mon, 8 Mar 2004 23:13:27 -0800]/UNNAMED/document_word.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tiberkirk@pcmagic.net][Date Mon, 8 Mar 2004 23:13:27 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From backandgreer@bmts.com][Date Tue, 9 Mar 2004 15:17:17 -0500]/UNNAMED/attachment.zip/attachment.pif Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From backandgreer@bmts.com][Date Tue, 9 Mar 2004 15:17:17 -0500]/UNNAMED/attachment.zip Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From backandgreer@bmts.com][Date Tue, 9 Mar 2004 15:17:17 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 475958.web01-imail.rogers.com@rogers.com][Date Thu, 11 Mar 2004 11:45:54 -0500]/UNNAMED/message.zip/message.com Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 475958.web01-imail.rogers.com@rogers.com][Date Thu, 11 Mar 2004 11:45:54 -0500]/UNNAMED/message.zip Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 475958.web01-imail.rogers.com@rogers.com][Date Thu, 11 Mar 2004 11:45:54 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pam@gulfislands.com][Date Wed, 17 Mar 2004 18:56:20 -0800]/UNNAMED/your_picture.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pam@gulfislands.com][Date Wed, 17 Mar 2004 18:56:20 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pita_202@hotmail.com][Date Thu, 18 Mar 2004 20:53:10 -0800]/UNNAMED/all_document.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pita_202@hotmail.com][Date Thu, 18 Mar 2004 20:53:10 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From postoffice@prod.shaw.ca][Date Date header was inserted by l-daemon]/UNNAMED/UNNAMED/[From brady6131@rogers.com][Date Fri, 19 Mar 2004 18:51:25 -0800]/your_website.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From postoffice@prod.shaw.ca][Date Date header was inserted by l-daemon]/UNNAMED/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From postoffice@prod.shaw.ca][Date Date header was inserted by l-daemon]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From dhutchison@sympatico.ca][Date Fri, 19 Mar 2004 19:01:06 -0800]/UNNAMED/your_website.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From dhutchison@sympatico.ca][Date Fri, 19 Mar 2004 19:01:06 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From management@rogers.com][Date Tue, 23 Mar 2004 13:28:45 -0500]/UNNAMED/TextDocument.pif Infected: Email-Worm.Win32.Bagle.i skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From management@rogers.com][Date Tue, 23 Mar 2004 13:28:45 -0500]/UNNAMED Infected: Email-Worm.Win32.Bagle.i skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From anne_letendre@sd34.bc.ca][Date Tue, 6 Apr 2004 10:31:40 -0700]/UNNAMED/mp3music.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From anne_letendre@sd34.bc.ca][Date Tue, 6 Apr 2004 10:31:40 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From jkhall57@hotmail.com][Date Tue, 13 Apr 2004 10:41:52 -0700]/UNNAMED/your_document.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From jkhall57@hotmail.com][Date Tue, 13 Apr 2004 10:41:52 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From webmaster@web-detective.com][Date Sun, 25 Apr 2004 16:37:50 -0700]/UNNAMED/your_picture.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From webmaster@web-detective.com][Date Sun, 25 Apr 2004 16:37:50 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From wrmxikqihswf@aq.net][Date Thu, 29 Apr 2004 20:58:57 -0400]/UNNAMED/message9457.zip/data.eml .scr Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From wrmxikqihswf@aq.net][Date Thu, 29 Apr 2004 20:58:57 -0400]/UNNAMED/message9457.zip Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From wrmxikqihswf@aq.net][Date Thu, 29 Apr 2004 20:58:57 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From oj.cressman@sympatico.ca][Date Thu, 29 Apr 2004 02:13:40 -0400]/UNNAMED/message26267.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From oj.cressman@sympatico.ca][Date Thu, 29 Apr 2004 02:13:40 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004 02:15:37 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004 02:15:37 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004 02:15:37 -0400]/UNNAMED/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004 02:15:37 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004 20:03:34 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004 20:03:34 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004 20:03:34 -0400]/UNNAMED/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004 20:03:34 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From hotmail_member_services_65@hotmail.com][Date Sun, 2 May 2004 19:58:25 -0400]/UNNAMED/msg26793.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From hotmail_member_services_65@hotmail.com][Date Sun, 2 May 2004 19:58:25 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From bobarnold@ees.eesc.com][Date Tue, 4 May 2004 02:02:07 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From bobarnold@ees.eesc.com][Date Tue, 4 May 2004 02:02:07 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From bobarnold@ees.eesc.com][Date Tue, 4 May 2004 02:02:07 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From rs.com@wordsmith.org][Date Tue, 4 May 2004 02:06:43 -0400]/UNNAMED/msg14008.zip/msg.eml .scr Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From rs.com@wordsmith.org][Date Tue, 4 May 2004 02:06:43 -0400]/UNNAMED/msg14008.zip Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From rs.com@wordsmith.org][Date Tue, 4 May 2004 02:06:43 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From vetteplace@shaw.ca][Date Tue, 4 May 2004 10:49:10 -0700]/UNNAMED/my_details.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From vetteplace@shaw.ca][Date Tue, 4 May 2004 10:49:10 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From evelinerose@aol.com][Date Tue, 4 May 2004 16:52:45 -0700]/UNNAMED/application.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From evelinerose@aol.com][Date Tue, 4 May 2004 16:52:45 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May 2004 19:42:04 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May 2004 19:42:04 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May 2004 19:42:04 -0400]/UNNAMED/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May 2004 19:42:04 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From etru4ate@hotmail.com][Date Thu, 6 May 2004 14:22:16 -0400]/UNNAMED/message9144.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From etru4ate@hotmail.com][Date Thu, 6 May 2004 14:22:16 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 71, suspicious - 10 skipped

Scan process completed.

#6 videoguy

Member

Group: Members
Posts: 61
Joined: 10-September 06

Posted 27 November 2007 - 05:44 PM

Here are both Deckard logs:

Deckard's System Scanner v20071014.68
Run by Administrator on 2007-11-27 17:38:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-11-27 22:39:00 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:00 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341520781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341500625
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8029 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20071127-160410-293 O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
backup-20071127-160410-560 O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image010.gif

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 GMSIPCI - e:\install\gmsipci.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>
R2 ForcewareWebInterface (Forceware Web Interface) - "c:\program files\nvidia corporation\networkaccessmanager\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 nSvcIp (ForceWare IP service) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcip.exe <Not Verified; NVIDIA; NVIDIA nSvcIp>
R2 nSvcLog (ForceWare user log service) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvclog.exe <Not Verified; NVIDIA; NVIDIA nSvcLog>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\7A14A511D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\7A14A511D800
Service: NIC1394

-- Scheduled Tasks -------------------------------------------------------------

2007-11-27 13:54:00 358 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job
2007-11-26 21:32:46 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-10-11 08:55:07 336 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7600#MY34M124N57I.job

-- Files created between 2007-10-27 and 2007-11-27 -----------------------------

2007-11-27 16:05:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-27 16:05:49 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-27 15:56:39 0 d-------- C:\Program Files\Common Files\Java
2007-11-26 21:32:44 0 d-------- C:\Program Files\Apple Software Update
2007-11-26 21:32:13 0 d-------- C:\Program Files\Common Files\Apple
2007-11-26 21:32:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-21 18:32:07 0 d-------- C:\Program Files\Common Files\SureThing Shared
2007-11-21 18:32:06 0 d-------- C:\WINDOWS\MVUNINST
2007-11-21 18:32:06 0 d-------- C:\Program Files\Memorex exPressit Label Design Studio
2007-11-12 13:20:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Laplink
2007-11-12 13:19:58 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-12 13:19:42 0 d-------- C:\Program Files\Laplink
2007-11-12 12:48:04 0 d-------- C:\Program Files\Microsoft

-- Find3M Report ---------------------------------------------------------------

2007-11-27 15:56:56 0 d-------- C:\Program Files\Java
2007-11-27 15:56:39 0 d-------- C:\Program Files\Common Files
2007-11-26 21:34:45 0 d-------- C:\Program Files\iTunes
2007-11-26 21:34:43 0 d-------- C:\Program Files\iPod
2007-11-26 21:33:39 0 d-------- C:\Program Files\QuickTime
2007-11-25 14:44:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-11-21 18:30:39 18131206 --a------ C:\Program Files\exPressit.zip
2007-11-08 13:38:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\webex
2007-10-25 10:43:45 0 d-------- C:\Program Files\DivX
2007-10-25 09:08:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\DivX
2007-10-15 15:00:57 6712 --a------ C:\WINDOWS\mozver.dat
2007-10-03 11:03:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\Joost
2007-10-03 11:02:58 0 d-------- C:\Program Files\Joost
2007-10-03 10:41:13 0 d-------- C:\Program Files\Messenger
2007-10-03 10:37:25 0 d-------- C:\Program Files\MSXML 4.0
2007-10-03 08:33:12 0 d-------- C:\Program Files\Movie Maker
2007-10-03 08:31:02 0 d-------- C:\Program Files\Windows NT
2007-09-28 11:07:52 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 11:05:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-09-28 11:05:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-09-28 11:05:40 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-09-28 11:05:40 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-28 11:05:40 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-28 11:05:40 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-28 11:05:08 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [06/15/2005 04:20 AM]
"nwiz"="nwiz.exe" [06/15/2005 04:20 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [06/15/2005 04:20 AM]
"SoundMan"="SOUNDMAN.EXE" [04/14/2005 10:01 PM C:\WINDOWS\SOUNDMAN.EXE]
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [04/29/2005 09:22 PM]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [05/07/2003 12:56 AM]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [05/22/2003 08:03 AM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [12/17/2002 02:40 PM]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [05/22/2003 07:55 AM]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [10/26/2007 08:18 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/2007 12:02 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [11/14/2007 11:43 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/15/2007 01:11 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2/11/2006 12:57:06 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Joost.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Joost.lnk
backup=C:\WINDOWS\pss\Joost.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

-- End of Deckard's System Scanner: finished at 2007-11-27 17:40:27 ------------

This is Log 2 from the scan

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3200+
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 1023.48 MiB / 535 MiB
Pagefile Memory (total/avail): 2460.58 MiB / 2140.63 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.46 MiB

C: is Fixed (NTFS) - 127.99 GiB total, 92.98 GiB free.
D: is Fixed (FAT32) - 74.54 GiB total, 45.25 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6Y160P0 - 152.66 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 127.99 GiB - C:

\\.\PHYSICALDRIVE1 - SAMSUNG SP0802N - 74.56 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 74.56 GiB - D:

\\.\PHYSICALDRIVE2 - HP photosmart 7600 USB Device

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Firewall v7.0.337.000 (Check Point, LTD.)
FW: NVIDIA Firewall v1.0 (NVIDIA Corporation) Disabled
AV: AVG 7.5.503 v7.5.503 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Laplink\\PCsync\\SFTHost.exe"="C:\\Program Files\\Laplink\\PCsync\\SFTHost.exe:*:Enabled:PCsync Host Module"
"C:\\Program Files\\Laplink\\PCsync\\PCsync.exe"="C:\\Program Files\\Laplink\\PCsync\\PCsync.exe:*:Enabled:Laplink PCsync"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MATT-1WY6LY0WML
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\MATT-1WY6LY0WML
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 63 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=3f02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=MATT-1WY6LY0WML
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABC (remove only) --> C:\Program Files\ABC\Uninstall.exe
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Apple Mobile Device Support --> MsiExec.exe /I{B5C209B1-8DDB-4642-A573-375B951514CB}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Atari: The 80 Classic Games --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Atari\The 80 Classic Games\Uninst.isu"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Cool Edit Pro --> C:\WINDOWS\cep1unin.exe
Creative Memories StoryBook Creator --> MsiExec.exe /I{431C29DE-AC4A-4D0F-B8D2-0D94BE9EEAFE}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
HijackThis 2.0.2 --> "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.563\HijackThis.exe" /uninstall
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Software Update --> MsiExec.exe /X{6FA269F8-38CB-4DF7-AA0D-36E3CE789485}
ImageMixer for Sony --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B4AA674-F5CA-4BB5-831A-CD37B4021959}\setup.exe"
iPod for Windows 2005-10-12 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{D9F4A9F8-92C5-4289-9D04-F0F8F02D580A} /l1033
iTunes --> MsiExec.exe /I{4F5CE18C-D97D-48FF-A510-A0D90C918294}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Joost ™ Beta 1.0 --> C:\Program Files\Joost\uninst.exe
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.10.5 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
Memorex exPressit Label Design Studio --> C:\WINDOWS\mvuninst\App1\mvuninst.exe "Memorex exPressit Label Design Studio"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft WinUsb 1.0 --> "C:\WINDOWS\$NtUninstallwinusb0100$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.2) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
NVIDIA Drivers --> C:\WINDOWS\System32\NVUNINST.EXE UninstallGUI
NVIDIA ForceWare Network Access Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{1F6423DE-7959-4178-80E0-023C7EAA5347} /l1033
Palm Desktop --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA0F44C2-A883-11D1-AD0A-006097D15E2C}\setup.exe" Uninstall
PartyPoker --> "C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{9763E36A-08E9-4228-BBCE-12989A4EB1A8}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Roguescanfix 1.3 --> "C:\Program Files\Roguescanfix\unins000.exe"
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type2773 / Warning
Event Submitted/Written: 11/26/2007 08:48:26 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{446DBFFA-4088-48E3-8932-74316BA4CAE4}', feature 'iTunes' failed during request for component '{E8A1D3E2-F5D3-4B24-AB93-52F7E602A235}'

Event Record #/Type2772 / Warning
Event Submitted/Written: 11/26/2007 08:48:26 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{446DBFFA-4088-48E3-8932-74316BA4CAE4}', feature 'iTunes', component '{CE803705-51F3-43A9-8901-5514E4A2B690}' failed. The resource 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D719897A-B07A-4C0C-AEA9-9B663A28DFCB}\' does not exist.

Event Record #/Type2742 / Error
Event Submitted/Written: 11/22/2007 10:05:04 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20070.21917, faulting module nppl3260.dll, version 6.0.11.2536, fault address 0x00004341.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type2737 / Error
Event Submitted/Written: 11/22/2007 05:45:54 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application firefox.exe, version 1.8.20070.21917, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2605 / Error
Event Submitted/Written: 11/12/2007 09:34:21 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20070.21917, faulting module npdivx32.dll, version 1.3.1.10, fault address 0x000d80f1.
Processing media-specific event for [firefox.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type16061 / Warning
Event Submitted/Written: 11/26/2007 10:34:32 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type16041 / Error
Event Submitted/Written: 11/26/2007 09:36:19 PM
Event ID/Source: 19 / Print
Event Description:
Sharing printer failed + 1722, Printer Microsoft Office Document Image Writer share name Printer.

Event Record #/Type15873 / Error
Event Submitted/Written: 11/23/2007 00:47:14 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 192.168.100.11 on the
Network Card with network address 0015F24E0C1A.

Event Record #/Type15872 / Warning
Event Submitted/Written: 11/23/2007 00:47:14 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0015F24E0C1A. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type15850 / Error
Event Submitted/Written: 11/23/2007 00:46:24 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 24.141.218.121 for the Network Card with network address 0015F24E0C1A has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

-- End of Deckard's System Scanner: finished at 2007-11-27 17:40:27 ------------

This post has been edited by videoguy: 27 November 2007 - 05:45 PM

#7 Yourhighness

The BSG Malware Fighter

Group: Malware Response Team
Posts: 7,925
Joined: 20-April 06
Gender:Male
Location:Hamburg

Posted 28 November 2007 - 11:49 AM

Hey videoguy,

I see you have Roguescanfix on your PC. Did you run it and did you get a log? Please post it in your next reply.

Step #1

a.) To Clear the Java Runtime Environment (JRE) cache, do this:

Click Start > Settings > Control Panel.
Double-click the Java icon.
-The Java Control Panel appears.
Click "Settings" under Temporary Internet Files.
-The Temporary Files Settings dialog box appears.
Click "Delete Files".
-The Delete Temporary Files dialog box appears.
-There are three options on this window to clear the cache.
- Delete Files
- View Applications
- View Applets
Click "OK" on Delete Temporary Files window.
-Note: This deletes all the Downloaded Applications and Applets from the cache.
Click "OK" on Temporary Files Settings window.
Close the Java Control Panel.

You can also view these instructions along with screenshots here.

b.)
* Clean your Cache and Cookies in InternetExplorer:

Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Click the "Delete Cookies" button
Next to it, Click the "Delete Files" button
When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin

Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

c.) Right-click your recycle bin and chose "Empty Recycle Bin".

Step #2

There are some spam mails in your Deleted Items folder of Outlook which you should delete. Here is a bit of info: "empty the Deleted Items"

Step #3

The most current version of Limewire is reported to include spyware. LimeWire 4.9.28 is clean(Older and newer version may not be). Chances are junk was bundled with this product even if you paid for it. If you are going to use p2p file sharing, I suggest you choose a safe program from here: http://p2p.malwareremoval.com/.

If you use P2P software, make sure you are careful about what you open and what P2P program you install. Malware is all over the P2P networks and the programs often come bundled with Adware and Spyware.

Further readings of interest in regards to the p2p "issue" are: http://pcpitstop.com/spycheck/p2p.asp and this: http://pcpitstop.com/spycheck/badtorrent.asp

Step #4

Please download SmitfraudFix (by S!Ri), alternate (with instructions as well) and extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Step #5

Please post back with a fresh HijackThis log, the Roguescanfix log (if still available), and the log from SmitfraudFix. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image

#8 videoguy

Member

Group: Members
Posts: 61
Joined: 10-September 06

Posted 28 November 2007 - 01:06 PM

Here is the Roguescanfix log:

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon

Edit: Whoops, I just noticed you want me to clear the cache, I'll do this and run it again.

This post has been edited by videoguy: 28 November 2007 - 01:07 PM

#9 videoguy

Member

Group: Members
Posts: 61
Joined: 10-September 06

Posted 28 November 2007 - 01:26 PM

Here is the Smitfraudfix log:

SmitFraudFix v2.256

Scan done at 13:25:25.00, Wed 11/28/2007
Run from
C:\Documents and Settings\Administrator\Desktop\AV & spyware programs\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 24.226.10.193
DNS Server Search Order: 24.226.1.93
DNS Server Search Order: 24.226.10.194
DNS Server Search Order: 24.226.1.94

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5CC726D0-784E-49C7-A18D-811C00F8E97F}: DhcpNameServer=24.226.10.193 24.226.1.93 24.226.10.194 24.226.1.94
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5CC726D0-784E-49C7-A18D-811C00F8E97F}: DhcpNameServer=24.226.10.193 24.226.1.93 24.226.10.194 24.226.1.94
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5CC726D0-784E-49C7-A18D-811C00F8E97F}: DhcpNameServer=24.226.10.193 24.226.1.93 24.226.10.194 24.226.1.94
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5CC726D0-784E-49C7-A18D-811C00F8E97F}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.226.10.193 24.226.1.93 24.226.10.194 24.226.1.94
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.226.10.193 24.226.1.93 24.226.10.194 24.226.1.94
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.226.10.193 24.226.1.93 24.226.10.194 24.226.1.94
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

#10 videoguy

Member

Group: Members
Posts: 61
Joined: 10-September 06

Posted 28 November 2007 - 01:27 PM

Here is the Hijack this log. I've deleted Limewire, thanks for the tip.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:20 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341520781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341500625
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7656 bytes

#11 videoguy

Member

Group: Members
Posts: 61
Joined: 10-September 06

Posted 28 November 2007 - 01:31 PM

I re-did the Roguescanfix log but I have a question. During the logging process my firewall told me that Windows Explorer was trying to access the internet. I denied it permission twice. This is the same thing that happens when I startup my computer. Hopefully I didn't interfere with the scan.

Here is the new Roguescan fix log.

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

#12 Yourhighness

The BSG Malware Fighter

Group: Malware Response Team
Posts: 7,925
Joined: 20-April 06
Gender:Male
Location:Hamburg

Posted 28 November 2007 - 04:27 PM

Hi Videoguy,

well I didn't ask you to run it again, but rather whether you did previously and if that was the case, just post the old log :thumbsup:

.

Step #1

Please download TCPView from here and run it.

Navigate to Windows Explorer under the first column (Processes) and note down what is recorded in the other columns available (ie.: protocol, local address, remote address, state).

Step #2

To be on the safe side, you should run another Kaspersky Onlinescan.

Step #3

Please post back with the log from Kaspersky Onlinescanner and the results you noted down from TCPView. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image

#13 videoguy

Member

Group: Members
Posts: 61
Joined: 10-September 06

Posted 28 November 2007 - 05:41 PM

Okay, I downloaded TCP and tried to find the 'Windows Explorer' under processes but couldn't find it. I had it produce the following log:

firefox.exe:3232 TCP matt-1wy6ly0wml:3588 d221-80-239.commercial.cgocable.net:http ESTABLISHED
firefox.exe:3232 TCP matt-1wy6ly0wml:3581 wwwtk2test1.microsoft.com:http ESTABLISHED
firefox.exe:3232 TCP matt-1wy6ly0wml:3593 d221-80-239.commercial.cgocable.net:http ESTABLISHED
firefox.exe:3232 TCP matt-1wy6ly0wml:3571 localhost:3570 ESTABLISHED
firefox.exe:3232 TCP matt-1wy6ly0wml:3572 localhost:3573 ESTABLISHED
firefox.exe:3232 TCP matt-1wy6ly0wml:3570 localhost:3571 ESTABLISHED
firefox.exe:3232 TCP matt-1wy6ly0wml:3573 localhost:3572 ESTABLISHED
firefox.exe:3232 TCP matt-1wy6ly0wml:3582 wwwtk2test1.microsoft.com:http ESTABLISHED
firefox.exe:3232 TCP matt-1wy6ly0wml:3583 d221-80-239.commercial.cgocable.net:http ESTABLISHED
firefox.exe:3232 TCP matt-1wy6ly0wml:3587 d221-80-239.commercial.cgocable.net:http ESTABLISHED
lsass.exe:732 UDP matt-1wy6ly0wml:isakmp *:*
lsass.exe:732 UDP matt-1wy6ly0wml:4500 *:*
svchost.exe:1028 UDP matt-1wy6ly0wml:2986 *:*
svchost.exe:1028 UDP matt-1wy6ly0wml:1110 *:*
svchost.exe:1028 UDP matt-1wy6ly0wml:1649 *:*
svchost.exe:1028 UDP matt-1wy6ly0wml:1060 *:*
svchost.exe:1028 UDP matt-1wy6ly0wml:1650 *:*
svchost.exe:1028 UDP matt-1wy6ly0wml:1135 *:*
svchost.exe:1076 UDP matt-1wy6ly0wml:1900 *:*
svchost.exe:1076 UDP matt-1wy6ly0wml:1900 *:*
svchost.exe:980 UDP matt-1wy6ly0wml:ntp *:*
svchost.exe:980 UDP matt-1wy6ly0wml:ntp *:*
System:4 TCP matt-1wy6ly0wml:microsoft-ds matt-1wy6ly0wml:0 LISTENING
System:4 TCP matt-1wy6ly0wml:netbios-ssn matt-1wy6ly0wml:0 LISTENING
System:4 UDP matt-1wy6ly0wml:netbios-ns *:*
System:4 UDP matt-1wy6ly0wml:netbios-dgm *:*
System:4 UDP matt-1wy6ly0wml:microsoft-ds *:*

I'll run the Kaspersky Onlinescan and post that when its complete. Thanks again for your help.

#14 videoguy

Member

Group: Members
Posts: 61
Joined: 10-September 06

Posted 28 November 2007 - 08:15 PM

Here's the report. One thing I noticed here is that some of this seems to be in my D drive. Right now my computer has a second hard drive from my old PC. I figured it would be useful to have the 2nd drive. Are there files that I need to clean there or am I okay? The C drive is the drive that is active.

KASPERSKY ONLINE SCANNER REPORTKASPERSKY ONLINE SCANNER REPORT
Wednesday, November 28, 2007 8:09:22 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build
2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/11/2007
Kaspersky Anti-Virus database records: 467914

Scan Settings
Scan using the following antivirus databaseextended
Scan Archivestrue
Scan Mail Basestrue

Scan TargetMy Computer
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects80010
Number of viruses found10
Number of infected objects81
Number of suspicious objects10
Duration of the scan process01:07:24

Infected Object NameVirus NameLast Action
C:\Documents and Settings\Administrator\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-3f551d86-504b015c.class
Infected: Exploit.Java.Gimsh.a skipped

C:\Documents and Settings\Administrator\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-4785eec8-2858a01e.class
Infected: Exploit.Java.Gimsh.a skipped

C:\Documents and Settings\Administrator\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4070e802.zip/vmain.class
Infected: Exploit.Java.Gimsh.b skipped

C:\Documents and Settings\Administrator\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4070e802.zip
ZIP: infected - 1 skipped

C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked
skipped

C:\Documents and Settings\Administrator\Desktop\AV & spyware
programs\SmitfraudFix\Reboot.exe Infected:
not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local
Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local
Settings\History\History.IE5\MSHist012007112820071129\index.dat Object is
locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet
Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is
locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\My Documents\spyware tools and
info\backups\backup-20060516-170624-494.dll Infected:
Trojan-Downloader.Win32.Zlob.ov skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked
skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked
skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log
Object is locked skipped

C:\Documents and Settings\All Users\Application
Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application
Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local
Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked
skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked
skipped

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache
Group\Apache2\logs\access_log Object is locked skipped

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache
Group\Apache2\logs\error.log Object is locked skipped

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache
Group\Apache2\logs\error_log Object is locked skipped

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache
Group\Apache2\logs\ssl_request_log Object is locked skipped

C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc3.zip/SmitfraudFix/Reboot.exe
Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc3.zip ZIP:
infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped

C:\System Volume
Information\_restore{FFB49E2C-E351-4A68-A1FA-533688BDF26E}\RP1\change.log
Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINDOWS\Internet Logs\MATT-1WY6LY0WML.ldb Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked
skipped

C:\WINDOWS\system32\_nvidia_xxx_.log Object is locked skipped

C:\WINDOWS\temp\ZLT02423.TMP Object is locked skipped

C:\WINDOWS\temp\ZLT06f43.TMP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\~WRF0409.tmp Infected: Trojan-Downloader.Win32.Zlob.oq skipped

D:\System Volume
Information\_restore{FFB49E2C-E351-4A68-A1FA-533688BDF26E}\RP1\change.log
Object is locked skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From pepsieedie@yahoo.ca][Date Thu, 26 Feb 2004
09:09:12 -0500]/UNNAMED/textfile.pif Infected: Email-Worm.Win32.NetSky.b
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From pepsieedie@yahoo.ca][Date Thu, 26 Feb 2004
09:09:12 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri,
30 Apr 2004 00:39:51 -0400]/UNNAMED/UNNAMED/html Suspicious:
Exploit.HTML.Iframe.FileDownload skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri,
30 Apr 2004 00:39:51 -0400]/UNNAMED/UNNAMED Suspicious:
Exploit.HTML.Iframe.FileDownload skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri,
30 Apr 2004 00:39:51 -0400]/UNNAMED/message.pif Infected:
Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri,
30 Apr 2004 00:39:51 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From valerie.madill@swchsc.on.ca][Date Wed, 25
Feb 2004 09:29:56 -0500]/UNNAMED/party.zip/party.pif Infected:
Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From valerie.madill@swchsc.on.ca][Date Wed, 25
Feb 2004 09:29:56 -0500]/UNNAMED/party.zip Infected:
Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From valerie.madill@swchsc.on.ca][Date Wed, 25
Feb 2004 09:29:56 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From jana.mcdougall@scotiabank.com][Date Thu,
26 Feb 2004 11:35:16 -0500]/UNNAMED/concert.exe Infected:
Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From jana.mcdougall@scotiabank.com][Date Thu,
26 Feb 2004 11:35:16 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From nellie_van@hotmail.com][Date Fri, 27 Feb
2004 10:17:50 -0500]/UNNAMED/aboutyou.doc.exe Infected:
Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From nellie_van@hotmail.com][Date Fri, 27 Feb
2004 10:17:50 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From taramcginn68@hotmail.com][Date Sat, 28 Feb
2004 09:03:53 -0500]/UNNAMED/me.exe Infected: Email-Worm.Win32.NetSky.b
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From taramcginn68@hotmail.com][Date Sat, 28 Feb
2004 09:03:53 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From kevin.vig@weyerhaeuser.com][Date Mon, 1
Mar 2004 08:52:37 -0500]/UNNAMED/friend.com Infected:
Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From kevin.vig@weyerhaeuser.com][Date Mon, 1
Mar 2004 08:52:37 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From tcamara2000@yahoo.ca][Date Thu, 4 Mar 2004
10:54:40 -0500]/note.zip/note.doc.pif Infected: Email-Worm.Win32.NetSky.b
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From tcamara2000@yahoo.ca][Date Thu, 4 Mar 2004
10:54:40 -0500]/note.zip Infected: Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From tomlyvang@yahoo.com][Date Thu, 4 Mar 2004
10:41:05 -0800]/UNNAMED/all_document.pif Infected:
Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From tomlyvang@yahoo.com][Date Thu, 4 Mar 2004
10:41:05 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From rs.com@tomts22-srv.bellnexxia.net][Date
Mon, 8 Mar 2004 14:53:24 -0500]/UNNAMED/message.rtf.com Infected:
Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From rs.com@tomts22-srv.bellnexxia.net][Date
Mon, 8 Mar 2004 14:53:24 -0500]/UNNAMED Infected:
Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From pixelbomb@aol.com][Date Mon, 8 Mar 2004
20:24:36 -0800]/UNNAMED/your_file.pif Infected: Email-Worm.Win32.NetSky.d
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From pixelbomb@aol.com][Date Mon, 8 Mar 2004
20:24:36 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From tiberkirk@pcmagic.net][Date Mon, 8 Mar
2004 23:13:27 -0800]/UNNAMED/document_word.pif Infected:
Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From tiberkirk@pcmagic.net][Date Mon, 8 Mar
2004 23:13:27 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From backandgreer@bmts.com][Date Tue, 9 Mar
2004 15:17:17 -0500]/UNNAMED/attachment.zip/attachment.pif Infected:
Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From backandgreer@bmts.com][Date Tue, 9 Mar
2004 15:17:17 -0500]/UNNAMED/attachment.zip Infected:
Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From backandgreer@bmts.com][Date Tue, 9 Mar
2004 15:17:17 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From
475958.web01-imail.rogers.com@rogers.com][Date Thu, 11 Mar 2004 11:45:54
-0500]/UNNAMED/message.zip/message.com Infected: Email-Worm.Win32.NetSky.b
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From
475958.web01-imail.rogers.com@rogers.com][Date Thu, 11 Mar 2004 11:45:54
-0500]/UNNAMED/message.zip Infected: Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From
475958.web01-imail.rogers.com@rogers.com][Date Thu, 11 Mar 2004 11:45:54
-0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From pam@gulfislands.com][Date Wed, 17 Mar 2004
18:56:20 -0800]/UNNAMED/your_picture.pif Infected:
Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From pam@gulfislands.com][Date Wed, 17 Mar 2004
18:56:20 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From pita_202@hotmail.com][Date Thu, 18 Mar
2004 20:53:10 -0800]/UNNAMED/all_document.pif Infected:
Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From pita_202@hotmail.com][Date Thu, 18 Mar
2004 20:53:10 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From postoffice@prod.shaw.ca][Date Date header
was inserted by l-daemon]/UNNAMED/UNNAMED/[From brady6131@rogers.com][Date
Fri, 19 Mar 2004 18:51:25 -0800]/your_website.pif Infected:
Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From postoffice@prod.shaw.ca][Date Date header
was inserted by l-daemon]/UNNAMED/UNNAMED Infected:
Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From postoffice@prod.shaw.ca][Date Date header
was inserted by l-daemon]/UNNAMED Infected: Email-Worm.Win32.NetSky.d
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From dhutchison@sympatico.ca][Date Fri, 19 Mar
2004 19:01:06 -0800]/UNNAMED/your_website.pif Infected:
Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From dhutchison@sympatico.ca][Date Fri, 19 Mar
2004 19:01:06 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From management@rogers.com][Date Tue, 23 Mar
2004 13:28:45 -0500]/UNNAMED/TextDocument.pif Infected:
Email-Worm.Win32.Bagle.i skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From management@rogers.com][Date Tue, 23 Mar
2004 13:28:45 -0500]/UNNAMED Infected: Email-Worm.Win32.Bagle.i skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From anne_letendre@sd34.bc.ca][Date Tue, 6 Apr
2004 10:31:40 -0700]/UNNAMED/mp3music.pif Infected:
Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From anne_letendre@sd34.bc.ca][Date Tue, 6 Apr
2004 10:31:40 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From jkhall57@hotmail.com][Date Tue, 13 Apr
2004 10:41:52 -0700]/UNNAMED/your_document.pif Infected:
Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From jkhall57@hotmail.com][Date Tue, 13 Apr
2004 10:41:52 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From webmaster@web-detective.com][Date Sun, 25
Apr 2004 16:37:50 -0700]/UNNAMED/your_picture.pif Infected:
Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From webmaster@web-detective.com][Date Sun, 25
Apr 2004 16:37:50 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From wrmxikqihswf@aq.net][Date Thu, 29 Apr 2004
20:58:57 -0400]/UNNAMED/message9457.zip/data.eml .scr Infected:
Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From wrmxikqihswf@aq.net][Date Thu, 29 Apr 2004
20:58:57 -0400]/UNNAMED/message9457.zip Infected:
Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From wrmxikqihswf@aq.net][Date Thu, 29 Apr 2004
20:58:57 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From oj.cressman@sympatico.ca][Date Thu, 29 Apr
2004 02:13:40 -0400]/UNNAMED/message26267.pif Infected:
Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From oj.cressman@sympatico.ca][Date Thu, 29 Apr
2004 02:13:40 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004
02:15:37 -0400]/UNNAMED/UNNAMED/html Suspicious:
Exploit.HTML.Iframe.FileDownload skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004
02:15:37 -0400]/UNNAMED/UNNAMED Suspicious:
Exploit.HTML.Iframe.FileDownload skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004
02:15:37 -0400]/UNNAMED/message.pif Infected: Email-Worm.Win32.NetSky.r
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004
02:15:37 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004
20:03:34 -0400]/UNNAMED/UNNAMED/html Suspicious:
Exploit.HTML.Iframe.FileDownload skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004
20:03:34 -0400]/UNNAMED/UNNAMED Suspicious:
Exploit.HTML.Iframe.FileDownload skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004
20:03:34 -0400]/UNNAMED/message.pif Infected: Email-Worm.Win32.NetSky.r
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004
20:03:34 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From
hotmail_member_services_65@hotmail.com][Date Sun, 2 May 2004 19:58:25
-0400]/UNNAMED/msg26793.pif Infected: Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From
hotmail_member_services_65@hotmail.com][Date Sun, 2 May 2004 19:58:25
-0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From bobarnold@ees.eesc.com][Date Tue, 4 May
2004 02:02:07 -0400]/UNNAMED/html Suspicious:
Exploit.HTML.Iframe.FileDownload skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From bobarnold@ees.eesc.com][Date Tue, 4 May
2004 02:02:07 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From bobarnold@ees.eesc.com][Date Tue, 4 May
2004 02:02:07 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From rs.com@wordsmith.org][Date Tue, 4 May 2004
02:06:43 -0400]/UNNAMED/msg14008.zip/msg.eml .scr Infected:
Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From rs.com@wordsmith.org][Date Tue, 4 May 2004
02:06:43 -0400]/UNNAMED/msg14008.zip Infected: Email-Worm.Win32.NetSky.r
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From rs.com@wordsmith.org][Date Tue, 4 May 2004
02:06:43 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From vetteplace@shaw.ca][Date Tue, 4 May 2004
10:49:10 -0700]/UNNAMED/my_details.pif Infected: Email-Worm.Win32.NetSky.d
skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From vetteplace@shaw.ca][Date Tue, 4 May 2004
10:49:10 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From evelinerose@aol.com][Date Tue, 4 May 2004
16:52:45 -0700]/UNNAMED/application.pif Infected:
Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From evelinerose@aol.com][Date Tue, 4 May 2004
16:52:45 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May
2004 19:42:04 -0400]/UNNAMED/UNNAMED/html Suspicious:
Exploit.HTML.Iframe.FileDownload skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May
2004 19:42:04 -0400]/UNNAMED/UNNAMED Suspicious:
Exploit.HTML.Iframe.FileDownload skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May
2004 19:42:04 -0400]/UNNAMED/message.pif Infected:
Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May
2004 19:42:04 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From etru4ate@hotmail.com][Date Thu, 6 May 2004
14:22:16 -0400]/UNNAMED/message9144.pif Infected:
Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx/[From etru4ate@hotmail.com][Date Thu, 6 May 2004
14:22:16 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped

D:\Documents and Settings backup\MATT\Application
Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook
Express\Deleted Items.dbx Mail MS Outlook 5: infected - 71, suspicious -
10 skipped

Scan process completed.

#15 Yourhighness

The BSG Malware Fighter

Group: Malware Response Team
Posts: 7,925
Joined: 20-April 06
Gender:Male
Location:Hamburg

Posted 29 November 2007 - 04:00 AM

Hey Videoguy,

unfortunately the report will not help us in regards to you Explorer issue then. Does it still occur?

The Items under D Drive are backups of deleted spam emails which contain crapware and you should delete those files.

Step #1

Please repeat step 1a) from post 7.

You can double-check by navigating to Start >> Run... >> type: C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\ and hit enter.

If this folder is empty, your cache has been emptied properly. Otherwise please delete the contents of this folder.

Step #2

Please delete the SmitfraudFix folder, as we will not need it anymore. And while you are at it, please navigate to and delete:
C:\~WRF0409.tmp <-- this file.

Step #3

Please have the above steps done and see if Kaspersky detects anything after that. You only need to report back with the Kaspersky log if it finds anything.

How are the symptoms of your pc? Let me know and we will go from there. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image