PCTurboPro hijack



Skipjack
2007-09-23, 03:53
My browser (Firefox) keeps getting unpredictably hijacked by PCTurboPro popup ad and a redirect to their website.

SpyScan has turned up nothing, nor AdAware nor TrendMicro antivirus.

This form won't accept the Kaspersky and HijackThis logs because they're too long, so I'm going to add them as attachments.

Mr_JAk3
2007-09-29, 22:06
Hi and welcome to the Forums :)

OK let's do some research...

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe.
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply or attach the file if it is too big.

Warning! Please do not select the "Show all" checkbox during the scan.

Skipjack
2007-09-30, 05:04
GMER log attached, in 2 parts

Mr_JAk3
2007-09-30, 18:37
Hi :)

OK, nothing bad there... a little more research...


To generate a HijackThis Startup list:

1. Open HijackThis by double-clicking the desktop shortcut or HijackThis.exe
2. Click on "Open the Misc Tools Section"
3. Make sure that both boxes to the right of "Generate StartupList Log" are checked:

* List also minor sections (Full)
* List empty sections (Complete)

4. Click "Generate StartupListLog"
5. Click "Yes" at the prompt.
6. A Notepad window will open with the contents of the HijackThis Startup list displayed
7. Copy & Paste that log to here

Skipjack
2007-10-01, 00:20
Once again, too large to post except as attachments.

Think I should call an exorcist? :-^)

Mr_JAk3
2007-10-01, 21:10
Hello :)

Are you still getting those popups?
Do those always appear on some specific site?
What version of FireFox are you using?

:bigthumb:

Skipjack
2007-10-02, 02:12
Yes, they're still happening, intermittently. Your question made me wonder "gee did they stop?" since I haven't seen one in a while, but I just managed to elicit one again.

There is only one site at which I recall having gotten them: Pogo.

(Why do I hear a "Doctor, it hurts when I do this" joke coming?)

I'm running Firefox 4.0.0.7.

Mr_JAk3
2007-10-02, 20:02
Hi again :)


There is only one site at which I recall having gotten them: Pogo.

Hmm, ok it is possible that the site has by mistake allowed a suspicious program to advertise itself. This has happened at some sites. Also as you don't get them at any other sites and your pc looks clean - I don't think that you're infected.

We may run an additional scanner just to be sure.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer in Safe Mode:
Restart your computer.
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe Mode.
Press Enter. The computer then begins to start in Safe Mode.
Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, check whether you can click the icon next to the files found (the icon looks like this: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif).
If so, click it, then click the icon right below and select Move incurable.
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log

Skipjack
2007-10-04, 01:53
I did run the program on one of my two drives, the system drive. It took hours! And what it tagged included files that I'm pretty sure are not only harmless but necessary, like files for my printer.

With some hesitation I told the program to move them. But it didn't tell me where it moved them to! I had to search my hard drive to find them.

Here's the result of scanning the system drive. When I have a few more hours that I don't need my computer I can have it search my secondary drive and then do the Hijack scan as you requested.

BRFSend2.dll;C:\Program Files\Brother\BRAdmin Professional;Trojan.Proxy.origin;Incurable.Moved.;
_PREV_GoogleDesktopIndex.exe;C:\Program Files\Google\Google Desktop Search\temp;Probably DLOADER.Trojan;Moved.;
_PREV_GoogleDesktopSearchSetup.exe\data002;C:\Program Files\Google\Google Desktop Search\temp\_PREV_GoogleDesktopSearchSetup.exe;Probably DLOADER.Trojan;;
_PREV_GoogleDesktopSearchSetup.exe;C:\Program Files\Google\Google Desktop Search\temp;Archive contains infected objects;Moved.;
nppopcaploader.dll;C:\Program Files\Mozilla Firefox\plugins;Program.PopcapLoader.origin;Moved.;
nppopcaploader.dll;C:\Program Files\Netscape\Netscape\plugins;Program.PopcapLoader.origin;Moved.;
Uninstall.exe;C:\Program Files\PopCap Games\PopCap Browser Plugin;Program.PopcapLoader.origin;Moved.;
vncconfig.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin;Moved.;
vncviewer.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin;Moved.;
winvnc4.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin;Moved.;
wm_hooks.dll;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin;Moved.;
uninstall.exe;C:\Program Files\TrustWatch;Adware.Xbarre;Moved.;
popcaploader.dll;C:\WINNT\Downloaded Program Files;Program.PopcapLoader;Moved.;

tashi
2007-10-16, 00:22
How is it going Skipjack. :)

Skipjack
2007-10-16, 04:42
Discouraged. I was hoping I'd get an answer here, but it doesn't seem to be going anywhere. Which hasn't given me much motivation to go back to dedicating my computer for another several hours for a scan.

Mr_JAk3
2007-10-16, 20:30
Hi Skipjack. I was waiting for you to post that log from the second scan.

If you still need help; please post a fresh HijackThis log :bigthumb:

Skipjack
2007-10-17, 02:49
Here's a new Hijack log, then. I haven't run the second Dr. Cure It scan on my secondary drive.

I'm suspecting at this point that this has been pogo's ad being f'ed. Haven't seen it in a while, but it was intermittent anyway so how do ya know...?

Mr_JAk3
2007-10-17, 21:27
Ok I can see only one leftover...

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R3 - Default URLSearchHook is missing


We may run an online scanner, this should be faster...

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings, make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under "Select a target to scan", select My Computer.

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Skipjack
2007-10-18, 13:26
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 18, 2007 7:23:08 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/10/2007
Kaspersky Anti-Virus database records: 437505
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 123650
Number of viruses found: 8
Number of infected objects: 28
Number of suspicious objects: 34
Duration of the scan process: 06:45:06

Infected Object Name / Virus Name / Last Action
C:\Archives\Eudora.zip/Comm/Eudora/The dark side.fol/Spam.mbx/[From Mountain Systems - EdDixon <EdDixon@mtnsys.com>][Date Wed, 19 Sep 2001 18:32:13 -0400]/text/[From t steinberg <tsteinberg@si.rr.com>][Date 16 Sep 2001 09:31:35 -0400]/UNNAMED/text/ASD.EXE Infected: Email-Worm.Win32.Magistr.a skipped
C:\Archives\Eudora.zip/Comm/Eudora/The dark side.fol/Spam.mbx/[From Mountain Systems - EdDixon <EdDixon@mtnsys.com>][Date Wed, 19 Sep 2001 18:32:13 -0400]/text/[From t steinberg <tsteinberg@si.rr.com>][Date 16 Sep 2001 09:31:35 -0400]/UNNAMED/text Infected: Email-Worm.Win32.Magistr.a skipped
C:\Archives\Eudora.zip/Comm/Eudora/The dark side.fol/Spam.mbx/[From Mountain Systems - EdDixon <EdDixon@mtnsys.com>][Date Wed, 19 Sep 2001 18:32:13 -0400]/text/[From t steinberg <tsteinberg@si.rr.com>][Date 16 Sep 2001 09:31:35 -0400]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
C:\Archives\Eudora.zip/Comm/Eudora/The dark side.fol/Spam.mbx/[From Mountain Systems - EdDixon <EdDixon@mtnsys.com>][Date Wed, 19 Sep 2001 18:32:13 -0400]/text Infected: Email-Worm.Win32.Magistr.a skipped
C:\Archives\Eudora.zip/Comm/Eudora/The dark side.fol/Spam.mbx Infected: Email-Worm.Win32.Magistr.a skipped
C:\Archives\Eudora.zip ZIP: infected - 5 skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\pmailman\Application Data\Microsoft\Outlook\Microsoft Outlook Internet Settings.NICK Object is locked skipped
C:\Documents and Settings\pmailman\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\pmailman\Application Data\Mozilla\Firefox\Profiles\wemripwy.default\cert8.db Object is locked skipped
C:\Documents and Settings\pmailman\Application Data\Mozilla\Firefox\Profiles\wemripwy.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\pmailman\Application Data\Mozilla\Firefox\Profiles\wemripwy.default\history.dat Object is locked skipped
C:\Documents and Settings\pmailman\Application Data\Mozilla\Firefox\Profiles\wemripwy.default\key3.db Object is locked skipped
C:\Documents and Settings\pmailman\Application Data\Mozilla\Firefox\Profiles\wemripwy.default\parent.lock Object is locked skipped
C:\Documents and Settings\pmailman\Application Data\Mozilla\Firefox\Profiles\wemripwy.default\search.sqlite Object is locked skipped
C:\Documents and Settings\pmailman\Application Data\Mozilla\Firefox\Profiles\wemripwy.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\pmailman\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\pmailman\DoctorWeb\Quarantine\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\Documents and Settings\pmailman\DoctorWeb\Quarantine\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\pmailman\DoctorWeb\Quarantine\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\pmailman\DoctorWeb\Quarantine\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\pmailman\DoctorWeb\Quarantine\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\pmailman\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Object is locked skipped
C:\Documents and Settings\pmailman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\pmailman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\pmailman\Local Settings\Application Data\Mozilla\Firefox\Profiles\wemripwy.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\pmailman\Local Settings\Application Data\Mozilla\Firefox\Profiles\wemripwy.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\pmailman\Local Settings\Application Data\Mozilla\Firefox\Profiles\wemripwy.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\pmailman\Local Settings\Application Data\Mozilla\Firefox\Profiles\wemripwy.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\pmailman\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\pmailman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\pmailman\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\pmailman\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Cobian Backup 6\log.txt Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\28.tmp Infected: Trojan.Win32.VB.vc skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\38.tmp/data0002 Infected: not-a-virus:AdWare.Win32.MediaBack.d skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\38.tmp/data0003 Infected: Trojan-Clicker.Win32.VB.dn skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\38.tmp NSIS: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\38.tmp CryptFF.b: infected - 2 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\ACEEvent.evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_294.dat Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\{00000000-00000000-0000000B-00001102-00000004-10071102}.CDF Object is locked skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/Spam/16 Sep 2001 16:15 from abuse@rr.com:[Automatic Reply] Email abus.eml/[From t steinberg <tsteinberg@si.rr.com>][Date 16 Sep 2001 09:31:35 -0400]/UNNAMED/text/ASD.EXE Infected: Email-Worm.Win32.Magistr.a skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/Spam/16 Sep 2001 16:15 from abuse@rr.com:[Automatic Reply] Email abus.eml/[From t steinberg <tsteinberg@si.rr.com>][Date 16 Sep 2001 09:31:35 -0400]/UNNAMED/text Infected: Email-Worm.Win32.Magistr.a skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/Spam/16 Sep 2001 16:15 from abuse@rr.com:[Automatic Reply] Email abus.eml/[From t steinberg <tsteinberg@si.rr.com>][Date 16 Sep 2001 09:31:35 -0400]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/Spam/16 Sep 2001 16:15 from abuse@rr.com:[Automatic Reply] Email abus.eml Infected: Email-Worm.Win32.Magistr.a skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 07:25 from Microsoft Net Mail Delivery System:Bug Le.eml/[From "Microsoft Net Mail Delivery System" <pmailrobot@freemail.net>][Date Thu, 18 Sep 2003 23:37:48 +0000 (GMT)]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 07:25 from Microsoft Net Mail Delivery System:Bug Le.eml Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 07:38 from MS Internet Email Storage System:report/19 Sep 2003 06:23 from MS Internet Email Storage System:report.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 08:30 from Microsoft Internet Mail Service:Abort Not/19 Sep 2003 03:33 from Microsoft Internet Mail Service:Abort Not.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 10:18 from System:Undelivered Mail User unknown.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 10:33 from Inet Storage Service:Error Advice.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 12:30 from Network Delivery System:message/19 Sep 2003 06:15 from Network Delivery System:message.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 12:40 from microsoft network mail service:/19 Sep 2003 06:19 from microsoft network mail service:.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 14:52 from Internet Message Delivery Service:Returne.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 16:56 from Microsoft Internet Storage Service:Error / from Microsoft Internet Storage Service:Error Message.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 17:14 from Network Mail Delivery System:notice.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 17:22 from MS Net Storage Service:bug letter.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 17:51 from Mail Storage System:returned message retu/ from Mail Storage System:returned message returned to sender.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 18:00 from Microsoft Inet Mail System:undelivered ma.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 20:55 from inet mail delivery system:Advice.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 21:08 from Inet Email Delivery System:Abort Announce.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 23:44 from network mail storage system:failure notic.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\backup.pst/Personal Folders/The dark side/Scams/27 Nov 2004 00:45 from SunTrust:Confirm Your SunTrust Online Ban.html Infected: Trojan-Spy.HTML.Bankfraud.ah skipped
F:\Backups\Outlook\backup.pst Mail MS Mail: infected - 5, suspicious - 17 skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/Spam/16 Sep 2001 16:15 from abuse@rr.com:[Automatic Reply] Email abus.eml/[From t steinberg <tsteinberg@si.rr.com>][Date 16 Sep 2001 09:31:35 -0400]/UNNAMED/text/ASD.EXE Infected: Email-Worm.Win32.Magistr.a skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/Spam/16 Sep 2001 16:15 from abuse@rr.com:[Automatic Reply] Email abus.eml/[From t steinberg <tsteinberg@si.rr.com>][Date 16 Sep 2001 09:31:35 -0400]/UNNAMED/text Infected: Email-Worm.Win32.Magistr.a skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/Spam/16 Sep 2001 16:15 from abuse@rr.com:[Automatic Reply] Email abus.eml/[From t steinberg <tsteinberg@si.rr.com>][Date 16 Sep 2001 09:31:35 -0400]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/Spam/16 Sep 2001 16:15 from abuse@rr.com:[Automatic Reply] Email abus.eml Infected: Email-Worm.Win32.Magistr.a skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 07:25 from Microsoft Net Mail Delivery System:Bug Le.eml/[From "Microsoft Net Mail Delivery System" <pmailrobot@freemail.net>][Date Thu, 18 Sep 2003 23:37:48 +0000 (GMT)]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 07:25 from Microsoft Net Mail Delivery System:Bug Le.eml Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 07:38 from MS Internet Email Storage System:report/19 Sep 2003 06:23 from MS Internet Email Storage System:report.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 08:30 from Microsoft Internet Mail Service:Abort Not/19 Sep 2003 03:33 from Microsoft Internet Mail Service:Abort Not.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 10:18 from System:Undelivered Mail User unknown.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 10:33 from Inet Storage Service:Error Advice.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 12:30 from Network Delivery System:message/19 Sep 2003 06:15 from Network Delivery System:message.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 12:40 from microsoft network mail service:/19 Sep 2003 06:19 from microsoft network mail service:.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 14:52 from Internet Message Delivery Service:Returne.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 16:56 from Microsoft Internet Storage Service:Error / from Microsoft Internet Storage Service:Error Message.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 17:14 from Network Mail Delivery System:notice.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 17:22 from MS Net Storage Service:bug letter.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 17:51 from Mail Storage System:returned message retu/ from Mail Storage System:returned message returned to sender.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 18:00 from Microsoft Inet Mail System:undelivered ma.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 20:55 from inet mail delivery system:Advice.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 21:08 from Inet Email Delivery System:Abort Announce.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/VirusOrSpam/19 Sep 2003 23:44 from network mail storage system:failure notic.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Backups\Outlook\scheduled outlook backup.pst/Personal Folders/The dark side/Scams/27 Nov 2004 00:45 from SunTrust:Confirm Your SunTrust Online Ban.html Infected: Trojan-Spy.HTML.Bankfraud.ah skipped
F:\Backups\Outlook\scheduled outlook backup.pst Mail MS Mail: infected - 5, suspicious - 17 skipped

Scan process completed.
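The Dr.Web CureIt report posted earlier (file;directory;threat;action; records) and the Kaspersky report above both have a fixed line format, and the reasoning the helper applies to them (entries already sitting in another scanner's quarantine, detections inside old mail archives, riskware such as VNC) can be done mechanically. The Python below is an added example, not code from this thread or from either vendor: it parses both formats and sorts every detection into a triage bucket; the sample inputs are constructed from the entries in the thread, except one invented line marked in a comment. It also shows, from the Kaspersky lines, where CureIt had moved the files the poster could not find: under DoctorWeb\Quarantine in the user profile.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in Dr.Web CureIt's report format, built from entries posted
# in this thread: file;directory;threat;action;  (trailing ';' -> empty 5th field).
DRWEB_SAMPLE = (
    "BRFSend2.dll;C:\\Program Files\\Brother\\BRAdmin Professional;"
    "Trojan.Proxy.origin;Incurable.Moved.;\n"
    "_PREV_GoogleDesktopIndex.exe;C:\\Program Files\\Google\\Google Desktop Search\\temp;"
    "Probably DLOADER.Trojan;Moved.;\n"
    "vncviewer.exe;C:\\Program Files\\RealVNC\\VNC4;Program.RemoteAdmin;Moved.;\n"
    "popcaploader.dll;C:\\WINNT\\Downloaded Program Files;Program.PopcapLoader;Moved.;\n"
)

# Constructed sample of Kaspersky Online Scanner report lines from this thread;
# the last line is invented (not in the thread) so the "active" bucket is exercised.
KASPERSKY_SAMPLE = (
    "C:\\Archives\\Eudora.zip/Comm/Eudora/The dark side.fol/Spam.mbx "
    "Infected: Email-Worm.Win32.Magistr.a skipped\n"
    "C:\\Archives\\Eudora.zip ZIP: infected - 5 skipped\n"
    "C:\\Documents and Settings\\pmailman\\Cookies\\index.dat Object is locked skipped\n"
    "C:\\Documents and Settings\\pmailman\\DoctorWeb\\Quarantine\\vncviewer.exe "
    "Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped\n"
    "C:\\Program Files\\Trend Micro\\Internet Security 2007\\Quarantine\\28.tmp "
    "Infected: Trojan.Win32.VB.vc skipped\n"
    "F:\\Backups\\Outlook\\backup.pst/Personal Folders/The dark side/Scams/"
    "27 Nov 2004 00:45 from SunTrust:Confirm Your SunTrust Online Ban.html "
    "Infected: Trojan-Spy.HTML.Bankfraud.ah skipped\n"
    "F:\\Backups\\Outlook\\backup.pst Mail MS Mail: infected - 5, suspicious - 17 skipped\n"
    "C:\\WINNT\\system32\\example.dll Infected: Trojan.Win32.Constructed.sample skipped\n"
)

LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
DETECT_RE = re.compile(
    r"^(?P<path>.+) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<action>\S+)$")
SUMMARY_RE = re.compile(  # per-archive totals, e.g. "... ZIP: infected - 5 skipped"
    r"^(?P<path>.+?) (?P<kind>[\w ]+): infected - (?P<infected>\d+)"
    r"(?:, suspicious - (?P<suspicious>\d+))? skipped$")

def parse_drweb(report):
    """Return one dict per Dr.Web CSV record; the directory and file are joined."""
    rows = []
    for rec in csv.reader(io.StringIO(report), delimiter=";"):
        if len(rec) < 4:
            continue  # blank line or a record we cannot interpret
        name, directory, threat, action = rec[:4]
        rows.append({"path": directory + "\\" + name, "threat": threat, "action": action})
    return rows

def parse_kaspersky(report):
    """Split report lines into detections, per-archive summaries and locked objects."""
    buckets = {"detections": [], "summaries": [], "locked": []}
    rules = (("locked", LOCKED_RE), ("detections", DETECT_RE), ("summaries", SUMMARY_RE))
    for line in report.splitlines():
        for name, regex in rules:  # order matters: locked objects were never scanned
            m = regex.match(line.strip())
            if m:
                buckets[name].append(m.groupdict())
                break
    return buckets

def classify(path, threat):
    """Bucket a detection the way the helper in the thread reasoned about it."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "already quarantined"          # another scanner's quarantine store
    if ".pst/" in p or ".mbx" in p or ".eml" in p:
        return "inside mail archive"          # old mail, not code that is running
    if threat.startswith(("not-a-virus:", "Program.")):
        return "riskware / legitimate tool"   # e.g. VNC, game plugin loaders
    if threat.startswith("Probably "):
        return "heuristic, verify before acting"
    return "active detection, investigate"

def triage(drweb_report, kaspersky_report):
    """Combine both reports into (path, threat, bucket) triples."""
    rows = parse_drweb(drweb_report) + parse_kaspersky(kaspersky_report)["detections"]
    return [(r["path"], r["threat"], classify(r["path"], r["threat"])) for r in rows]

def summarize(findings):
    """Count findings per bucket; only the 'active' bucket needs attention."""
    return Counter(bucket for _path, _threat, bucket in findings)

if __name__ == "__main__":
    print(summarize(triage(DRWEB_SAMPLE, KASPERSKY_SAMPLE)))
```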

Mr_JAk3
2007-10-18, 19:47
HI :)

The scanner only found some infections from your email archives. How is the computer running now?

:bigthumb:

Skipjack
2007-10-19, 03:10
Well, it was always an intermittent problem, and it hasn't happened recently. So who knows, ya know?

Nice to know the scan looks clean, though. Maybe we say maybe it's ok.

Mr_JAk3
2007-10-20, 20:06
Hi :)


You can remove the tools we used.

Then you should update your Java to the latest version (6u3):
Start > Control Panel > Add/Remove Programs
Delete the old Java: J2SE Runtime Environment 6.0 Update 2

Download the latest version of Java Runtime Environment (JRE) 6u3 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it


Also be careful if you ever use the email backups, as there is infected mail in them too.
=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)