> Torpig Virus, Hidden window at startup
videoguy
post Nov 14 2007, 01:27 PM
Post #1


Member
Group: Members
A little while ago I noticed that as my computer started up a window would appear and then disappear before I could read what it was. I assumed it was just my antivirus program but now I'm not so sure.

Yesterday when I started up my computer, my firewall notified me that Windows Explorer was trying to access the internet. I denied it but it kept coming up. Today I accidentally clicked yes. When I went to shut off the computer I was notified that there was new software that was to be installed once the computer was to be shut down. I clicked no and so it hasn't been installed yet. Every time I close my computer though, I have to remember not to install what's been downloaded, so I'm a little paranoid about what's going on here.

To be safe I ran Spybot to see if anything was on my PC and Torpig came up. It seems to have gone away for now but I'm worried that it's still hiding on my system. I had this virus last year; I'm not sure if I should follow the same steps though. So I have a few questions.

1. What is the hidden window at startup and should I be worried about it?
2. What are the updates waiting to be installed on my PC?
3. Is my computer Torpig free?

Thanks, I appreciate your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:21 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341520781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341500625
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://falconstor.webex.com/client/T26L/webex/ieatgpc.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image010.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 7859 bytes

This post has been edited by videoguy: Nov 14 2007, 05:21 PM
Yourhighness
post Nov 25 2007, 01:31 PM
Post #2


The BSG Malware Fighter
Group: HJT Team Coach
Hello videoguy and welcome to BleepingComputer!

Apologies for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes


--------------------
- "How did I get infected?" - "Safe-hex" - Member of UNITE -
- The HJT forum is very busy. If I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
- HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason! Thanks-
videoguy
post Nov 27 2007, 10:01 AM
Post #3


Member
Group: Members
QUOTE(Yourhighness @ Nov 25 2007, 01:31 PM) *
Hello videoguy and welcome to BleepingComputer!

Apologies for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes

Thanks Johannes, I downloaded the Stinger program.

I don't see any trace of the Torpig virus but I'm still getting a message from my firewall that Windows Explorer is trying to access the internet on every startup. Any idea what this is? Also, can you tell me if I should be worried about the Torpig problem? I'm hoping that it didn't install itself but you never really know with these things...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:07 AM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341520781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191341500625
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://falconstor.webex.com/client/T26L/webex/ieatgpc.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image010.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8245 bytes
Yourhighness
post Nov 27 2007, 03:21 PM
Post #4


The BSG Malware Fighter
Group: HJT Team Coach
Hey videoguy,

Please note that you are infected with a trojan (horse).

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately:
  1. Disconnect the infected computer from the internet until the computer can be cleaned.
  2. From a clean computer, change your online passwords-- for email, for banks, eBay, forums etc.... (Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information).
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?

However, since the infection looks relatively small from first sight, I am happy to try and clean your PC (I am just providing you with the above information to underline the impact that can occur with files like these on your pc).

The trojan in question is a variant of this: Torpig-A

Should you have any questions, please feel free to ask.

Now, on to the fix.

Step #1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Step #2

It seems you have multiple Antivirus and Firewalls installed (eTrust Internet Security Suite, AVG Antivirus and ZoneAlarm).

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  1. False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  2. System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either eTrust Internet Security Suite or AVG Antivirus - if you remove eTrust Internet Security please understand you will have to install a new Firewall as the eTrust one will have been uninstalled also.

The same principles apply for two Firewalls, and thus I would also suggest to either remove eTrust Internet Security Suite or ZoneAlarm (again, if you remove eTrust Internet Security please understand you will have to install a new Antivirus programme as the eTrust one will have been uninstalled also).

Step #3

Run HijackThis, press Scan, and put a check mark next to all these entries:

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image010.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg


Close all other windows and browsers, and press the Fix Checked button.


Step #4

Please do an online scan with Kaspersky Webscan (You need to use Internet Explorer or enable IEView in Firefox)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report as button >> name it >> choose "Text file" in the Save as type dialogue
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #5

Please download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close ALL applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
The logs can be quite lengthy; use two posts if you need to get them all in.

Step #6

Please post back with the Kaspersky Onlinescan log and the main.txt and the extra.txt from DSS.


--------------------
- "How did I get infected?" - "Safe-hex" - Member of UNITE -
- The HJT forum is very busy. If I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
- HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason! Thanks-
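The fix in Step #3 singles out the two O24 lines because their targets live under the user's Temp folder, and the thread also has two logs from the same machine taken two weeks apart. The script below is an added example (not code from the thread or from HijackThis) that parses two HijackThis 2.0 logs, diffs them, and flags entries pointing into a temp directory; the two logs are constructed abbreviations of the Nov 14 and Nov 27 logs above, and the temp-path heuristic is this example's own.

```python
"""Diff two HijackThis 2.0 logs and flag entries whose target lives in a
per-user temp directory (as the O24 Desktop Component lines do).
Added example, not from the thread or HijackThis; logs are constructed."""
import re

# HijackThis result lines look like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# Per-user temp markers in 8.3 and long-name form, either slash style (heuristic).
TEMP_MARKERS = ("\\temp\\", "/temp/", "\\locals~1\\", "/locals~1/")

LOG_NOV14 = r"""Logfile of Trend Micro HijackThis v2.0.2 (constructed excerpt)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image010.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""

LOG_NOV27 = r"""Logfile of Trend Micro HijackThis v2.0.2 (constructed excerpt)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image010.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
"""


def parse_hjt(text):
    """Return {section: set(entries)}; the 'process' key holds the running-process list."""
    sections = {"process": set()}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process list
            in_procs = False
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            sections["process"].add(line.lower())   # Windows paths are case-insensitive
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections.setdefault(m["kind"], set()).add(m["body"])
    return sections


def diff_hjt(old, new):
    """Return (added, removed): sorted 'KIND: entry' strings present in only one log."""
    added, removed = [], []
    for kind in sorted(set(old) | set(new)):
        o, n = old.get(kind, set()), new.get(kind, set())
        added += [f"{kind}: {e}" for e in sorted(n - o)]
        removed += [f"{kind}: {e}" for e in sorted(o - n)]
    return added, removed


def temp_path_entries(parsed):
    """Registry/startup entries (not processes) whose target sits under a temp directory."""
    hits = []
    for kind, entries in parsed.items():
        if kind == "process":
            continue
        hits += [f"{kind}: {e}" for e in entries
                 if any(mk in e.lower() for mk in TEMP_MARKERS)]
    return sorted(hits)


if __name__ == "__main__":
    old, new = parse_hjt(LOG_NOV14), parse_hjt(LOG_NOV27)
    added, removed = diff_hjt(old, new)
    print("added:", *added, sep="\n  ")
    print("removed:", *removed, sep="\n  ")
    print("temp-path entries:", *temp_path_entries(new), sep="\n  ")
```

The diff surfaces the Apple/iTunes additions between the two logs, and the temp-path check returns exactly the two O24 lines the helper asked to have fixed.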
videoguy
post Nov 27 2007, 05:42 PM
Post #5


Member
Group: Members
Okay, here are the logs, this one is from Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 27, 2007 5:35:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/11/2007
Kaspersky Anti-Virus database records: 467137
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 80143
Number of viruses found: 10
Number of infected objects: 84
Number of suspicious objects: 14
Duration of the scan process: 01:08:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-3f551d86-504b015c.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\java.class-4785eec8-2858a01e.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4070e802.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-4070e802.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F070DAF9-E9AF-40D9-AAD4-D2711F24914E}\Microsoft\Outlook Express\Deleted Items.dbx/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F070DAF9-E9AF-40D9-AAD4-D2711F24914E}\Microsoft\Outlook Express\Deleted Items.dbx/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F070DAF9-E9AF-40D9-AAD4-D2711F24914E}\Microsoft\Outlook Express\Deleted Items.dbx/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F070DAF9-E9AF-40D9-AAD4-D2711F24914E}\Microsoft\Outlook Express\Deleted Items.dbx/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{F070DAF9-E9AF-40D9-AAD4-D2711F24914E}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 2, suspicious - 2 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\6xvliib5.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\spyware tools and info\backups\backup-20060516-170624-494.dll Infected: Trojan-Downloader.Win32.Zlob.ov skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked skipped
C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc134.bak/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc134.bak/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc134.bak/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc134.bak/[From mattbrady@cogeco.ca][Date Thu, 27 Sep 2007 16:18:35 -0300]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-1390067357-884357618-725345543-500\Dc134.bak Mail MS Outlook 5: infected - 2, suspicious - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\MATT-1WY6LY0WML.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\_nvidia_xxx_.log Object is locked skipped
C:\WINDOWS\temp\ZLT01928.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT05808.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\~WRF0409.tmp Infected: Trojan-Downloader.Win32.Zlob.oq skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pepsieedie@yahoo.ca][Date Thu, 26 Feb 2004 09:09:12 -0500]/UNNAMED/textfile.pif Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pepsieedie@yahoo.ca][Date Thu, 26 Feb 2004 09:09:12 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri, 30 Apr 2004 00:39:51 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri, 30 Apr 2004 00:39:51 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri, 30 Apr 2004 00:39:51 -0400]/UNNAMED/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kimberly_cochrane@hotmail.com][Date Fri, 30 Apr 2004 00:39:51 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From valerie.madill@swchsc.on.ca][Date Wed, 25 Feb 2004 09:29:56 -0500]/UNNAMED/party.zip/party.pif Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From valerie.madill@swchsc.on.ca][Date Wed, 25 Feb 2004 09:29:56 -0500]/UNNAMED/party.zip Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From valerie.madill@swchsc.on.ca][Date Wed, 25 Feb 2004 09:29:56 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From jana.mcdougall@scotiabank.com][Date Thu, 26 Feb 2004 11:35:16 -0500]/UNNAMED/concert.exe Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From jana.mcdougall@scotiabank.com][Date Thu, 26 Feb 2004 11:35:16 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From nellie_van@hotmail.com][Date Fri, 27 Feb 2004 10:17:50 -0500]/UNNAMED/aboutyou.doc.exe Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From nellie_van@hotmail.com][Date Fri, 27 Feb 2004 10:17:50 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From taramcginn68@hotmail.com][Date Sat, 28 Feb 2004 09:03:53 -0500]/UNNAMED/me.exe Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From taramcginn68@hotmail.com][Date Sat, 28 Feb 2004 09:03:53 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kevin.vig@weyerhaeuser.com][Date Mon, 1 Mar 2004 08:52:37 -0500]/UNNAMED/friend.com Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From kevin.vig@weyerhaeuser.com][Date Mon, 1 Mar 2004 08:52:37 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tcamara2000@yahoo.ca][Date Thu, 4 Mar 2004 10:54:40 -0500]/note.zip/note.doc.pif Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tcamara2000@yahoo.ca][Date Thu, 4 Mar 2004 10:54:40 -0500]/note.zip Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tomlyvang@yahoo.com][Date Thu, 4 Mar 2004 10:41:05 -0800]/UNNAMED/all_document.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tomlyvang@yahoo.com][Date Thu, 4 Mar 2004 10:41:05 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From rs.com@tomts22-srv.bellnexxia.net][Date Mon, 8 Mar 2004 14:53:24 -0500]/UNNAMED/message.rtf.com Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From rs.com@tomts22-srv.bellnexxia.net][Date Mon, 8 Mar 2004 14:53:24 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pixelbomb@aol.com][Date Mon, 8 Mar 2004 20:24:36 -0800]/UNNAMED/your_file.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pixelbomb@aol.com][Date Mon, 8 Mar 2004 20:24:36 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tiberkirk@pcmagic.net][Date Mon, 8 Mar 2004 23:13:27 -0800]/UNNAMED/document_word.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From tiberkirk@pcmagic.net][Date Mon, 8 Mar 2004 23:13:27 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From backandgreer@bmts.com][Date Tue, 9 Mar 2004 15:17:17 -0500]/UNNAMED/attachment.zip/attachment.pif Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From backandgreer@bmts.com][Date Tue, 9 Mar 2004 15:17:17 -0500]/UNNAMED/attachment.zip Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From backandgreer@bmts.com][Date Tue, 9 Mar 2004 15:17:17 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 475958.web01-imail.rogers.com@rogers.com][Date Thu, 11 Mar 2004 11:45:54 -0500]/UNNAMED/message.zip/message.com Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 475958.web01-imail.rogers.com@rogers.com][Date Thu, 11 Mar 2004 11:45:54 -0500]/UNNAMED/message.zip Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 475958.web01-imail.rogers.com@rogers.com][Date Thu, 11 Mar 2004 11:45:54 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.b skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pam@gulfislands.com][Date Wed, 17 Mar 2004 18:56:20 -0800]/UNNAMED/your_picture.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pam@gulfislands.com][Date Wed, 17 Mar 2004 18:56:20 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pita_202@hotmail.com][Date Thu, 18 Mar 2004 20:53:10 -0800]/UNNAMED/all_document.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From pita_202@hotmail.com][Date Thu, 18 Mar 2004 20:53:10 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From postoffice@prod.shaw.ca][Date Date header was inserted by l-daemon]/UNNAMED/UNNAMED/[From brady6131@rogers.com][Date Fri, 19 Mar 2004 18:51:25 -0800]/your_website.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From postoffice@prod.shaw.ca][Date Date header was inserted by l-daemon]/UNNAMED/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From postoffice@prod.shaw.ca][Date Date header was inserted by l-daemon]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From dhutchison@sympatico.ca][Date Fri, 19 Mar 2004 19:01:06 -0800]/UNNAMED/your_website.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From dhutchison@sympatico.ca][Date Fri, 19 Mar 2004 19:01:06 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From management@rogers.com][Date Tue, 23 Mar 2004 13:28:45 -0500]/UNNAMED/TextDocument.pif Infected: Email-Worm.Win32.Bagle.i skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From management@rogers.com][Date Tue, 23 Mar 2004 13:28:45 -0500]/UNNAMED Infected: Email-Worm.Win32.Bagle.i skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From anne_letendre@sd34.bc.ca][Date Tue, 6 Apr 2004 10:31:40 -0700]/UNNAMED/mp3music.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From anne_letendre@sd34.bc.ca][Date Tue, 6 Apr 2004 10:31:40 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From jkhall57@hotmail.com][Date Tue, 13 Apr 2004 10:41:52 -0700]/UNNAMED/your_document.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From jkhall57@hotmail.com][Date Tue, 13 Apr 2004 10:41:52 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From webmaster@web-detective.com][Date Sun, 25 Apr 2004 16:37:50 -0700]/UNNAMED/your_picture.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From webmaster@web-detective.com][Date Sun, 25 Apr 2004 16:37:50 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From wrmxikqihswf@aq.net][Date Thu, 29 Apr 2004 20:58:57 -0400]/UNNAMED/message9457.zip/data.eml .scr Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From wrmxikqihswf@aq.net][Date Thu, 29 Apr 2004 20:58:57 -0400]/UNNAMED/message9457.zip Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From wrmxikqihswf@aq.net][Date Thu, 29 Apr 2004 20:58:57 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From oj.cressman@sympatico.ca][Date Thu, 29 Apr 2004 02:13:40 -0400]/UNNAMED/message26267.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From oj.cressman@sympatico.ca][Date Thu, 29 Apr 2004 02:13:40 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004 02:15:37 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004 02:15:37 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004 02:15:37 -0400]/UNNAMED/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From andyarc@rogers.com][Date Thu, 29 Apr 2004 02:15:37 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004 20:03:34 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004 20:03:34 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004 20:03:34 -0400]/UNNAMED/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From 3dcpark@dbf.com][Date Sun, 2 May 2004 20:03:34 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From hotmail_member_services_65@hotmail.com][Date Sun, 2 May 2004 19:58:25 -0400]/UNNAMED/msg26793.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From hotmail_member_services_65@hotmail.com][Date Sun, 2 May 2004 19:58:25 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From bobarnold@ees.eesc.com][Date Tue, 4 May 2004 02:02:07 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From bobarnold@ees.eesc.com][Date Tue, 4 May 2004 02:02:07 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From bobarnold@ees.eesc.com][Date Tue, 4 May 2004 02:02:07 -0400]/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From rs.com@wordsmith.org][Date Tue, 4 May 2004 02:06:43 -0400]/UNNAMED/msg14008.zip/msg.eml .scr Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From rs.com@wordsmith.org][Date Tue, 4 May 2004 02:06:43 -0400]/UNNAMED/msg14008.zip Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From rs.com@wordsmith.org][Date Tue, 4 May 2004 02:06:43 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From vetteplace@shaw.ca][Date Tue, 4 May 2004 10:49:10 -0700]/UNNAMED/my_details.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From vetteplace@shaw.ca][Date Tue, 4 May 2004 10:49:10 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From evelinerose@aol.com][Date Tue, 4 May 2004 16:52:45 -0700]/UNNAMED/application.pif Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From evelinerose@aol.com][Date Tue, 4 May 2004 16:52:45 -0700]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May 2004 19:42:04 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May 2004 19:42:04 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May 2004 19:42:04 -0400]/UNNAMED/message.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From twilightzonec16@aol.com][Date Wed, 5 May 2004 19:42:04 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From etru4ate@hotmail.com][Date Thu, 6 May 2004 14:22:16 -0400]/UNNAMED/message9144.pif Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx/[From etru4ate@hotmail.com][Date Thu, 6 May 2004 14:22:16 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
D:\Documents and Settings backup\MATT\Application Data\Identities\{0DB9FC00-2FDD-11D8-9444-FCAD35783C7A}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 71, suspicious - 10 skipped

Scan process completed.
videoguy
post Nov 27 2007, 05:44 PM
Post #6

Here are both Deckard logs:


Deckard's System Scanner v20071014.68
Run by Administrator on 2007-11-27 17:38:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-11-27 22:39:00 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:00 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =