Smitfraud-C problems! Assistance needed
RipVanWinkle
2008-03-21, 23:13
I have followed the guidelines on this site to the letter, and am now posting my HJT and KAV scans:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:00 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: GNX Rolex - {F3D1AF65-65C3-4C96-86AE-2A54E481C0D1} - C:\WINDOWS\drnpfdxsmk.dll
O3 - Toolbar: etlrlws - {AD701758-30F6-4425-8F8A-C9E0CC16F59C} - C:\WINDOWS\etlrlws.dll (file missing)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA4850] command /c del "C:\WINDOWS\etlrlws.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3865] cmd /c del "C:\WINDOWS\etlrlws.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8379] command /c del "C:\WINDOWS\etlrlws.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7206] cmd /c del "C:\WINDOWS\etlrlws.dll_old"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O21 - SSODL: KernelPrx - {3e68c673-706b-4beb-b703-8a803c17e5ee} - C:\WINDOWS\Installer\{3e68c673-706b-4beb-b703-8a803c17e5ee}\KernelPrx.dll
O21 - SSODL: bokpkov - {2A222797-A2E5-4545-ABDF-351B9F2F6785} - C:\WINDOWS\bokpkov.dll
O21 - SSODL: altvxvm - {2C0542AC-E5A0-4C7C-959E-82514CCD42EF} - C:\WINDOWS\altvxvm.dll
O21 - SSODL: AlrtAlrt - {c5e57d76-9d63-4805-839d-22a08cfa5339} - C:\WINDOWS\Installer\{c5e57d76-9d63-4805-839d-22a08cfa5339}\AlrtAlrt.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 8661 bytes
KAV to follow
RipVanWinkle
2008-03-21, 23:15
Now, the KAV:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 21, 2008 1:12:04 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 651745
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 88503
Number of viruses found: 18
Number of infected objects: 129
Number of suspicious objects: 100
Duration of the scan process: 01:49:30
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-21_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00E81F4F.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\036315FE.tmp/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\036315FE.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\036315FE.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\03940BC8.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\039A5FC1.tmp/[From bwesttoo@juno.com][Date Sat, 22 Oct 2005 03:18:38 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\039A5FC1.tmp/[From bwesttoo@juno.com][Date Sat, 22 Oct 2005 03:18:38 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\039A5FC1.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\039A5FC1.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\046940D8.tmp Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\054678E1.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\061A21F8.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\09BF7EE2.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0FD40FB2.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0FE461A0.tmp/[From info@csacw.org][Date Fri, 28 Oct 2005 09:59:20 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0FE461A0.tmp/[From info@csacw.org][Date Fri, 28 Oct 2005 09:59:20 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0FE461A0.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0FE461A0.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\10CC06A1.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14C91791.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14C91791.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14C91791.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14F00F66.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14F6635F.tmp/[From greatcustomer@msn.com][Date Tue, 27 Sep 2005 15:27:18 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14F6635F.tmp/[From greatcustomer@msn.com][Date Tue, 27 Sep 2005 15:27:18 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14F6635F.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\14F6635F.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\17EC5E8D.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18135662.tmp/[From cjones@acmegc.com][Date Wed, 31 Aug 2005 09:29:20 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18135662.tmp/[From cjones@acmegc.com][Date Wed, 31 Aug 2005 09:29:20 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18135662.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18135662.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\19137539.tmp Infected: Email-Worm.Win32.NetSky.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\197E5EC2.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\197E5EC2.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\197E5EC2.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B9F5E28.tmp/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B9F5E28.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B9F5E28.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\200F7146.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20196F3B.tmp/[From rlyrdymix1@aol.com][Date Wed, 26 Oct 2005 07:33:05 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20196F3B.tmp/[From rlyrdymix1@aol.com][Date Wed, 26 Oct 2005 07:33:05 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20196F3B.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\20196F3B.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\242467DB.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\242467DB.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\242467DB.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\322C6D37.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\32C00539.tmp Infected: Email-Worm.Win32.Bagle.fj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\33B11831.tmp Infected: Email-Worm.Win32.Bagle.fb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34B34170.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\360C4292.def Infected: Trojan-Downloader.Win32.Tibs.mn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\394D7219.tmp Infected: Email-Worm.Win32.NetSky.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39751333.tmp/[From info@csacw.org][Date Thu, 29 Sep 2005 07:07:28 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39751333.tmp/[From info@csacw.org][Date Thu, 29 Sep 2005 07:07:28 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39751333.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39751333.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39890F1D.tmp/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39890F1D.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39890F1D.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CD06F33.tmp Infected: Email-Worm.Win32.Zhelatin.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CDC7555.tmp/[From ong@ch2m.com][Date Wed, 19 Oct 2005 13:49:40 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CDC7555.tmp/[From ong@ch2m.com][Date Wed, 19 Oct 2005 13:49:40 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CDC7555.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CDC7555.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3ED30DE6.tmp/[From slyon@lifeway.com][Date Thu, 22 Sep 2005 21:10:47 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3ED30DE6.tmp/[From slyon@lifeway.com][Date Thu, 22 Sep 2005 21:10:47 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3ED30DE6.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3ED30DE6.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42013991.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42390354.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\423C2D51.tmp/[From rneath@ch2m.com][Date Mon, 19 Sep 2005 07:07:38 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\423C2D51.tmp/[From rneath@ch2m.com][Date Mon, 19 Sep 2005 07:07:38 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\423C2D51.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\423C2D51.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\453B5771.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\453B5771.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\453B5771.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\45EC1969.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\45EC1969.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\45EC1969.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\468C22B9.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\469620AE.tmp/[From glc77@earthlink.net][Date Mon, 10 Oct 2005 22:01:40 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\469620AE.tmp/[From glc77@earthlink.net][Date Mon, 10 Oct 2005 22:01:40 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\469620AE.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\469620AE.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4729020C.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\473629FE.tmp/[From mark@weaversteel.com][Date Tue, 11 Oct 2005 06:55:25 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\473629FE.tmp/[From mark@weaversteel.com][Date Tue, 11 Oct 2005 06:55:25 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\473629FE.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\473629FE.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\473F27F3.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\492F2470.tmp/document.rtf.scr Infected: Email-Worm.Win32.NetSky.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\492F2470.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\492F2470.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4B183CB0.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4E2050C2.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\52B96EE7.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\530472DA.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\530472DA.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\530472DA.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5348648F.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\534F3888.tmp/[From dickp@repedrotti.com][Date Fri, 16 Sep 2005 06:50:27 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\534F3888.tmp/[From dickp@repedrotti.com][Date Fri, 16 Sep 2005 06:50:27 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
RipVanWinkle
2008-03-21, 23:17
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\534F3888.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\534F3888.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\595408E5.tmp Infected: Email-Worm.Win32.Zhelatin.o skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C231DB5.tmp Infected: Email-Worm.Win32.NetSky.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5DAD5310.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5F1F5637.tmp Infected: Email-Worm.Win32.NetSky.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\62314C31.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63627721.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\63666E27.tmp Infected: Net-Worm.Win32.Mytob.be skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\648E0400.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\688B506C.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\688B506C.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\688B506C.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68BC4636.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68C5442B.tmp/[From kienstraconcrete@prodigy.net][Date Mon, 17 Oct 2005 07:50:53 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68C5442B.tmp/[From kienstraconcrete@prodigy.net][Date Mon, 17 Oct 2005 07:50:53 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68C5442B.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68C5442B.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\696F6350.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6998232D.tmp Infected: Email-Worm.Win32.Bagle.fj skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A5B43B1.tmp/[From sbourque@flooringsystemsinc.net][Date Mon, 26 Sep 2005 07:15:55 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A5B43B1.tmp/[From sbourque@flooringsystemsinc.net][Date Mon, 26 Sep 2005 07:15:55 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A5B43B1.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A5B43B1.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AA03565.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AAA335B.tmp/[From sbourque@flooringsystemsinc.net][Date Mon, 26 Sep 2005 07:15:55 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AAA335B.tmp/[From sbourque@flooringsystemsinc.net][Date Mon, 26 Sep 2005 07:15:55 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AAA335B.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AAA335B.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AB00754.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AB00754.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6AB00754.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B320560.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B3C0355.tmp/[From mwatson1@ch2m.com][Date Tue, 20 Sep 2005 06:57:09 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B3C0355.tmp/[From mwatson1@ch2m.com][Date Tue, 20 Sep 2005 06:57:09 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B3C0355.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B3C0355.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6CD54353.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6CF33D32.tmp/[From info@oldworldstoneworks.com][Date Wed, 14 Sep 2005 07:43:53 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6CF33D32.tmp/[From info@oldworldstoneworks.com][Date Wed, 14 Sep 2005 07:43:53 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6CF33D32.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6CF33D32.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6CFC3B28.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6CFC3B28.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6CFC3B28.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D2432FC.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D275CF9.tmp/[From postmaster@mosley-stl.com][Date Wed, 14 Sep 2005 08:04:58 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D275CF9.tmp/[From postmaster@mosley-stl.com][Date Wed, 14 Sep 2005 08:04:58 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D275CF9.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D275CF9.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D4F2756.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D4F2756.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D4F2756.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D632341.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D6A773A.tmp/[From webmaster@asylumnet.com][Date Mon, 19 Sep 2005 15:28:36 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D6A773A.tmp/[From webmaster@asylumnet.com][Date Mon, 19 Sep 2005 15:28:36 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D6A773A.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6D6A773A.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6FB13F9C.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71630772.tmp/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71630772.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71630772.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71A1252E.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71AF4D20.tmp/[From info@csacw.org][Date Thu, 15 Sep 2005 07:04:55 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71AF4D20.tmp/[From info@csacw.org][Date Thu, 15 Sep 2005 07:04:55 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71AF4D20.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\71AF4D20.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72AC47F5.tmp/[From greatcustomer@msn.com][Date Wed, 28 Sep 2005 07:00:04 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72AC47F5.tmp/[From greatcustomer@msn.com][Date Wed, 28 Sep 2005 07:00:04 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72AC47F5.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72AC47F5.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\733F2953.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\733F2953.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\733F2953.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\74676CC9.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\76E97D81.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77077760.tmp/[From jrobertson@alberici.com][Date Mon, 10 Oct 2005 08:02:12 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77077760.tmp/[From jrobertson@alberici.com][Date Mon, 10 Oct 2005 08:02:12 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77077760.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77077760.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77214744.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77214744.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77214744.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77F23259.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\782C2618.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78305015.tmp/[From cmvengin@earthlink.net][Date Thu, 13 Oct 2005 08:58:21 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78305015.tmp/[From cmvengin@earthlink.net][Date Thu, 13 Oct 2005 08:58:21 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78305015.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78305015.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78C91F46.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78DE4AEE.tmp Infected: Net-Worm.Win32.Mytob.ba skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\79DB3C15.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A4E564E.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A6E1D73.tmp/[From ong@ch2m.com][Date Fri, 23 Sep 2005 10:32:02 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A6E1D73.tmp/[From ong@ch2m.com][Date Fri, 23 Sep 2005 10:32:02 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A6E1D73.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A6E1D73.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A7E6F61.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A8F1E06.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A9671FF.tmp/[From asfai@bankofamerica.co][Date Sun, 16 Oct 2005 19:42:23 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A9671FF.tmp/[From asfai@bankofamerica.co][Date Sun, 16 Oct 2005 19:42:23 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A9671FF.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7A9671FF.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\F1F5AD3A.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
RipVanWinkle
2008-03-21, 23:18
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\91o4pwo8.default\cert8.db Object is locked skipped
C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\91o4pwo8.default\history.dat Object is locked skipped
C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\91o4pwo8.default\key3.db Object is locked skipped
C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\91o4pwo8.default\parent.lock Object is locked skipped
C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\91o4pwo8.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Authorized User\Application Data\Mozilla\Firefox\Profiles\91o4pwo8.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Authorized User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Application Data\Mozilla\Firefox\Profiles\91o4pwo8.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Application Data\Mozilla\Firefox\Profiles\91o4pwo8.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Application Data\Mozilla\Firefox\Profiles\91o4pwo8.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Application Data\Mozilla\Firefox\Profiles\91o4pwo8.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Temp\Perflib_Perfdata_8c4.dat Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Temp\~DF5CC9.tmp Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Authorized User\My Documents\Downloaded Program Files\radmin22\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Authorized User\My Documents\Downloaded Program Files\radmin22\RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Authorized User\My Documents\Downloaded Program Files\radmin22\RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Authorized User\My Documents\Downloaded Program Files\radmin22\RADMIN22.EXE Gentee: infected - 3 skipped
C:\Documents and Settings\Authorized User\My Documents\Downloaded Program Files\radmin22.zip/RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Authorized User\My Documents\Downloaded Program Files\radmin22.zip/RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Authorized User\My Documents\Downloaded Program Files\radmin22.zip/RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Authorized User\My Documents\Downloaded Program Files\radmin22.zip/RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Documents and Settings\Authorized User\My Documents\Downloaded Program Files\radmin22.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Authorized User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Authorized User\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Symantec\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Symantec\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Symantec\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP654\A0131063.exe Infected: Trojan-Downloader.Win32.Zlob.jbe skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP654\A0131064.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP655\A0132546.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP655\A0132547.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP655\A0132548.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP655\A0132549.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP655\A0132583.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP656\change.log Object is locked skipped
C:\WINDOWS\altvxvm.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\WINDOWS\bokpkov.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\drnpfdxsmk.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\WINDOWS\fmsxwqs.exe Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\WINDOWS\Installer\{3e68c673-706b-4beb-b703-8a803c17e5ee}\KernelPrx.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped
C:\WINDOWS\Installer\{c5e57d76-9d63-4805-839d-22a08cfa5339}\AlrtAlrt.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Thanks for the help!
pskelley
2008-03-22, 12:20
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
1) C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\ <<< delete the contents of the quarantine folder in red
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506
2) C:\Documents and Settings\Authorized User\My Documents\Downloaded Program Files\radmin22\RADMIN22.EXE
C:\Documents and Settings\Authorized User\My Documents\Downloaded Program Files\radmin22.zip
Scan those files in red with this free online scanner; if they are infected, delete them.
http://virusscan.jotti.org/
Let me know the results.
3) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
4) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
Post only the C:\rapport.txt
Thanks
RipVanWinkle
2008-03-22, 15:35
Thank you so much for your help! I followed all the instructions to the letter, and here is the report from Smitfraudfix:
SmitFraudFix v2.306
Scan done at 8:12:23.79, Sat 03/22/2008
Run from C:\Documents and Settings\Authorized User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
(I deleted over one quarter of a MILLION lines that all started with the 127.0.0.1, which, I am assuming, are all related to my smitfraud infection. I did this so the post would fit...let me know if you need that additional information.)
127.0.0.1 zxlinks.com
127.0.0.1 www.zxlinks.com
127.0.0.1 zyban-zocor-levitra.com
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9EF91F42-5B84-49B7-999F-BC6662D9F153}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9EF91F42-5B84-49B7-999F-BC6662D9F153}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9EF91F42-5B84-49B7-999F-BC6662D9F153}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Please let me know what my next steps are. Thanks again!
pskelley
2008-03-22, 16:27
My directions were not followed, return to the instructions for Smitfraudfix and read them. There are no instructions for entering Safe Mode and the cleaning process which you did. If I am to continue, I must have complete assurance that you will follow directions.
Thank you
RipVanWinkle
2008-03-22, 17:23
I'm very sorry for the error. Here's the new Rapport.txt file:
SmitFraudFix v2.306
Scan done at 10:14:32.70, Sat 03/22/2008
Run from C:\Documents and Settings\Authorized User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Authorized User
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Authorized User\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\AUTHOR~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9EF91F42-5B84-49B7-999F-BC6662D9F153}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9EF91F42-5B84-49B7-999F-BC6662D9F153}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9EF91F42-5B84-49B7-999F-BC6662D9F153}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
RipVanWinkle
2008-03-22, 17:31
I re-read your first reply to this, and wanted to let you know that the RADMIN files were indeed infected, and I deleted them.
Except for missing the part about selecting option 1 for SmitfraudFix, I really did follow the rest of your instructions. Sorry again for the mistake, and I greatly appreciate your assistance!
pskelley
2008-03-22, 17:51
1) It appears TeaTimer is still running:
Scan done at 10:14:32.70, Sat 03/22/2008
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Read and follow the instructions I posted in my post #5 to disable TeaTimer and leave TT disabled until we finish.
2) The items starting with 127.0.0.1 localhost were a new hosts file put in place by the tool. The new scan still shows
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
I am not sure if the fix being run incorrectly affected the placement of the new hosts file, so we will complete that part of the fix again.
3) Smitfraudfix found the infection and it also found this:
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
After we clean, in the next C:\rapport.txt, there may be a very large hosts file (items starting with 127.0.0.1) and I do not need to see it. Edit (remove) it from the C:\rapport.txt before you post it.
4) Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
Post the C:\rapport.txt and a new HJT log.
Thanks
RipVanWinkle
2008-03-22, 18:23
I did indeed have TT turned off, prior to running the first "fix", but it appears to have turned itself back on automatically?? I did NOT turn it on. When I checked it just now, it was back on. I unchecked the boxes again, closed Spybot S&D, reopened it and the boxes were still unchecked.
I rebooted in safe mode and ran SmitfraudFix, option 2; the file is below (and I did delete lots of stuff that started with 127.0.0.1).
SmitFraudFix v2.306
Scan done at 11:03:35.96, Sat 03/22/2008
Run from C:\Documents and Settings\Authorized User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
(I deleted lots of stuff here)
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{9EF91F42-5B84-49B7-999F-BC6662D9F153}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9EF91F42-5B84-49B7-999F-BC6662D9F153}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9EF91F42-5B84-49B7-999F-BC6662D9F153}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
I was not sure if you wanted me to reboot, but I did so, into normal mode, and here is my latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:20 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 6497 bytes
pskelley
2008-03-22, 18:38
Thanks for that feedback; here is information about the hosts file so you know what it does for you.
http://www.mvps.org/winhelp2002/hosts.htm
http://www.bleepingcomputer.com/tutorials/tutorial51.html
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_10\ <<< looks like you are outdated, follow the instructions in the link and keep it up to date.
We have some infected System Restore files to clean, but first run a KOS using these settings so we can make sure nothing else is hiding. Be sure you cleaned the NAV quarantine folder so we don't have to look at those items again.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Thanks
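The rapport.txt earlier in this thread shows what a "corrupted" hosts file looks like in practice: the two entries for www.legal-at-spybot.info and legal-at-spybot.info map a security vendor's domain to 127.0.0.1 so the machine can no longer reach it. The script below is an added example, not SmitfraudFix code and not something posted in the thread; it parses hosts-file text and flags any entry naming a security vendor, whether the address is a sinkhole (blocked) or something else (redirected). The vendor keyword list, the sample hosts content and the 198.51.100.7 address are constructed for the example. Plain sinkhole entries are only counted, not flagged, because the MVPS block list linked above legitimately adds thousands of them.

```python
import ipaddress

# Brand keywords a defender does not expect to see in a hosts file at all.
# Smitfraud-era malware added loopback entries for names like these so the
# victim could not reach updates or removal tools. Assumed list for this
# example; a real deployment would carry a fuller one.
VENDOR_KEYWORDS = ("spybot", "safer-networking", "kaspersky", "symantec", "windowsupdate")

# Names a clean hosts file legitimately maps to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_no, address, [hostnames]) for each active hosts entry.

    Anything after '#' is a comment; blank lines and lines with no hostname
    are skipped; hostnames are lowercased for matching.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        entries.append((line_no, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def is_sinkhole(address):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def names_vendor(hostname):
    """True if the hostname contains one of the vendor brand keywords."""
    return any(keyword in hostname for keyword in VENDOR_KEYWORDS)


def audit_hosts(text):
    """Audit hosts-file text.

    Returns {"sinkhole_entries": n, "findings": [(line_no, hostname, verdict)]}.
    A vendor name mapped to a sinkhole is reported as "blocked"; mapped to any
    other address it is reported as "redirected to <address>" (pharming).
    """
    findings = []
    sinkholed = 0
    for line_no, address, hostnames in parse_hosts(text):
        sink = is_sinkhole(address)
        for hostname in hostnames:
            if hostname in LOOPBACK_NAMES:
                continue
            if sink:
                sinkholed += 1
            if names_vendor(hostname):
                verdict = "blocked" if sink else f"redirected to {address}"
                findings.append((line_no, hostname, verdict))
    return {"sinkhole_entries": sinkholed, "findings": findings}


# Constructed sample: the two entries the thread's rapport.txt shows, plus a
# normal localhost line, a block-list style entry and a constructed redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-adserver.test   # benign block-list style entry
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
198.51.100.7    liveupdate.symantec.com     # constructed: vendor name pointed elsewhere
"""

if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"sinkhole entries: {report['sinkhole_entries']}")
    for line_no, hostname, verdict in report["findings"]:
        print(f"line {line_no}: {hostname} {verdict}")
```

Run against a real file by reading C:\WINDOWS\system32\drivers\etc\hosts and passing its text to audit_hosts(); the two thread entries come back as "blocked" on lines 4 and 5 of the sample, while the ad-server line is only counted.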
RipVanWinkle
2008-03-22, 20:24
I am unable to access the internet on my infected computer!!! It says the network connections folder is not present. At this point, I am unable to run the KOS on the infected computer. Any suggestions?
pskelley
2008-03-22, 20:52
No idea; I never had an issue with it before. Here is information:
http://www.google.com/search?hl=en&q=network+connections+folder+&btnG=Google+Search
Could you post the exact message you receive, word for word? You may want to ask your Internet Service Provider also. Is this a wireless connection?
Here are the results of a search for "network connections folder is not present":
http://www.google.com/search?hl=en&q=network+connections+folder+is+not+present&btnG=Search
Thanks
RipVanWinkle
2008-03-22, 21:28
I looked at the posts you linked to, and did a few of the things they tried, and here's what I think is happening: For some reason, the system THINKS I am in SAFE MODE. When I go to start the Network Connections service, I get the following:
"Could not start the Network Connections service on Local Computer.
Error 1084: The service cannot be started in Safe Mode."
I rebooted, this time hitting F8 until I got the screen that lets me choose Safe Mode or Start Normally, etc., and chose Start Windows Normally. I got the exact same error.
When I look at the list of services, most of them are disabled or not running.
When I look at msconfig>services, there are only a couple of running services, all others say they are stopped.
The computer that is infected is a laptop, which has both a wireless adapter (which has been turned off this entire time but also does not work any more) and an ethernet adapter, which is what I have been using for all of this testing.
I hope this helps. I cannot make the computer spit out the error I first got when I tried to connect, I am sorry. It said something like the Network Connections folder cannot be found.
I hope you are able to help me. I go out of town tomorrow for a week, and need my computer!
pskelley
2008-03-22, 21:43
Try this: Start > Run > type "msconfig" without the quotes, then click on OK.
Click the BOOT.INI tab. Uncheck the box in front of /SAFEBOOT
Click OK, Click: Restart on the prompt that appears
The computer now restarts in Normal Mode
Let's hope that fixes it, the only thing I can think of is that you did something other than this:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Those were the simple instructions for entering safe mode. Leaving safe mode at that point requires just a reboot.
If the above does not work, you may find something here:
http://www.google.com/search?hl=en&q=Error+1084%3A+The+service+cannot+be+started+in+Safe+Mode&btnG=Google+Search
Thanks
RipVanWinkle
2008-03-22, 22:03
Well, I think I am pretty close to just giving up and reformatting.
When I go to MSCONFIG, the safeboot box is not checked.
I just tried doing something else. I rebooted in "SAFE MODE WITH NETWORKING" and my network connections are suddenly present in the folder. However, my LAN connection is not operating, even though the cable is plugged in. I cannot connect to the internet with either wireless or LAN connections.
I am sure I screwed something up while doing all of this, and the time has come to just start fresh.
Thanks a million for all your help, and if you can think of anything else, let me know.
--John
pskelley
2008-03-22, 22:07
John, have you tried powering down all of your equipment (router, modem and computer) and then starting them back up? If you have, I really suggest you ask your ISP for some help; they should be able to help reset your LAN settings. Once in a while resetting the system does not work and I have to call Verizon.
I wish you luck, if I can do anything else, let me know.
Thanks...Phil
RipVanWinkle
2008-03-22, 23:08
OK, well, I just couldn't give up that easily...
Somehow, the system is back up and running, although I still think there are some problems. I am running a KOS right now, will post when it's done.
Thanks for checking it...
Oh, by the way, here's what I did to get things running again: I ran SmitfraudFix again, in safe mode, then did a scan, then did a reboot. The reboot still has some issues (sound card not working, for example), but the wireless and LAN connections are up and running.
The KOS scan is going to take a long time, I will post when it's done.
Thanks!!!
pskelley
2008-03-22, 23:50
http://home.real.com/product/help/rhapweb/en/TS_Missing_sound_card_drivers.htm
http://www.google.com/search?hl=en&q=troubleshoot+soundcard+problems+&btnG=Google+Search
RipVanWinkle
2008-03-23, 00:49
Wow, this has been an ordeal. Love spending my weekend doing this crap.
I tried to uninstall my Java installations but was unable to because of the following error message:
"The Windows Installer service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."
Yeah, no kidding.
Here, finally, is my KOS scan, in two parts due to its size:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 5:42:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/03/2008
Kaspersky Anti-Virus database records: 654855
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 89416
Number of viruses found: 19
Number of infected objects: 133
Number of suspicious objects: 100
Duration of the scan process: 01:41:18
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\56C63F0C.TMP Object is locked skipped
C:\Documents and Settings\Authorized User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Authorized User\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Authorized User\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Authorized User\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Authorized User\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Authorized User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\History\History.IE5\MSHist012008032220080323\index.dat Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Temp\Perflib_Perfdata_150.dat Object is locked skipped
C:\Documents and Settings\Authorized User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Authorized User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Authorized User\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc100.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc102.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc103.tmp/[From kienstraconcrete@prodigy.net][Date Mon, 17 Oct 2005 07:50:53 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc103.tmp/[From kienstraconcrete@prodigy.net][Date Mon, 17 Oct 2005 07:50:53 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc103.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc103.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc104.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc105.tmp/[From info@csacw.org][Date Thu, 15 Sep 2005 07:04:55 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc105.tmp/[From info@csacw.org][Date Thu, 15 Sep 2005 07:04:55 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc105.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc105.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc106.tmp/[From greatcustomer@msn.com][Date Wed, 28 Sep 2005 07:00:04 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc106.tmp/[From greatcustomer@msn.com][Date Wed, 28 Sep 2005 07:00:04 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc106.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc106.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc107.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc108.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc109.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc110.tmp Infected: Net-Worm.Win32.Mytob.ba skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc111.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc112.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc112.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc112.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc113.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc114.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc115.def Infected: Trojan-Downloader.Win32.Tibs.mn skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc116.tmp Infected: Email-Worm.Win32.NetSky.j skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc119.tmp/[From rneath@ch2m.com][Date Mon, 19 Sep 2005 07:07:38 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc119.tmp/[From rneath@ch2m.com][Date Mon, 19 Sep 2005 07:07:38 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc119.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc119.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc120.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc120.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc120.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc122.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc123.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc124.tmp/document.rtf.scr Infected: Email-Worm.Win32.NetSky.c skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc124.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc124.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc125.tmp/[From dickp@repedrotti.com][Date Fri, 16 Sep 2005 06:50:27 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc125.tmp/[From dickp@repedrotti.com][Date Fri, 16 Sep 2005 06:50:27 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc125.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc125.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc126.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc127.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc127.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc127.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc128.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc130.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc130.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc130.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc135.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc136.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc138.tmp/[From rlyrdymix1@aol.com][Date Wed, 26 Oct 2005 07:33:05 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc138.tmp/[From rlyrdymix1@aol.com][Date Wed, 26 Oct 2005 07:33:05 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc138.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc138.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc139.tmp/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc139.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc139.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc140.tmp/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc140.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc140.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc141.tmp Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc143.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc145.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc146.tmp Infected: Net-Worm.Win32.Mytob.be skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc147.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc148.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc148.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc148.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc149.tmp/[From glc77@earthlink.net][Date Mon, 10 Oct 2005 22:01:40 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc149.tmp/[From glc77@earthlink.net][Date Mon, 10 Oct 2005 22:01:40 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc149.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc149.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc150.tmp/[From mark@weaversteel.com][Date Tue, 11 Oct 2005 06:55:25 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc150.tmp/[From mark@weaversteel.com][Date Tue, 11 Oct 2005 06:55:25 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc150.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc150.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc151.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc151.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc151.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc153.tmp Infected: Email-Worm.Win32.Zhelatin.o skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc155.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc156.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc157.tmp Infected: Email-Worm.Win32.Bagle.fj skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc159.tmp/[From cjones@acmegc.com][Date Wed, 31 Aug 2005 09:29:20 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc159.tmp/[From cjones@acmegc.com][Date Wed, 31 Aug 2005 09:29:20 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc159.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc159.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc160.tmp Infected: Email-Worm.Win32.NetSky.j skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc161.tmp/[From info@csacw.org][Date Thu, 29 Sep 2005 07:07:28 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc161.tmp/[From info@csacw.org][Date Thu, 29 Sep 2005 07:07:28 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc161.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc161.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc162.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc163.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc164.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc165.tmp/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc165.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc165.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc166.tmp/[From jrobertson@alberici.com][Date Mon, 10 Oct 2005 08:02:12 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc166.tmp/[From jrobertson@alberici.com][Date Mon, 10 Oct 2005 08:02:12 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc166.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc166.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc167.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
RipVanWinkle
2008-03-23, 00:50
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc167.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc167.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc168.tmp/[From cmvengin@earthlink.net][Date Thu, 13 Oct 2005 08:58:21 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc168.tmp/[From cmvengin@earthlink.net][Date Thu, 13 Oct 2005 08:58:21 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc168.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc168.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc169.zip/RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc169.zip/RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc169.zip/RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc169.zip/RADMIN22.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc169.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc170\RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc170\RADMIN22.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc170\RADMIN22.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc170\RADMIN22.EXE Gentee: infected - 3 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc43.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc44.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc45.tmp/[From info@csacw.org][Date Fri, 28 Oct 2005 09:59:20 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc45.tmp/[From info@csacw.org][Date Fri, 28 Oct 2005 09:59:20 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc45.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc45.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc46.tmp/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc46.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc46.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc49.tmp Infected: Email-Worm.Win32.Zhelatin.a skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc50.tmp/[From ong@ch2m.com][Date Wed, 19 Oct 2005 13:49:40 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc50.tmp/[From ong@ch2m.com][Date Wed, 19 Oct 2005 13:49:40 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc50.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc50.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc51.tmp/[From slyon@lifeway.com][Date Thu, 22 Sep 2005 21:10:47 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc51.tmp/[From slyon@lifeway.com][Date Thu, 22 Sep 2005 21:10:47 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc51.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc51.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc52.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc53.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc54.tmp Infected: Email-Worm.Win32.NetSky.j skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc55.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc56.tmp Infected: Email-Worm.Win32.NetSky.j skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc57.tmp/[From sbourque@flooringsystemsinc.net][Date Mon, 26 Sep 2005 07:15:55 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc57.tmp/[From sbourque@flooringsystemsinc.net][Date Mon, 26 Sep 2005 07:15:55 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc57.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc57.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc58.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc59.tmp/[From sbourque@flooringsystemsinc.net][Date Mon, 26 Sep 2005 07:15:55 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc59.tmp/[From sbourque@flooringsystemsinc.net][Date Mon, 26 Sep 2005 07:15:55 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc59.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc59.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc60.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc60.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc60.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc63.tmp/[From mwatson1@ch2m.com][Date Tue, 20 Sep 2005 06:57:09 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc63.tmp/[From mwatson1@ch2m.com][Date Tue, 20 Sep 2005 06:57:09 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc63.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc63.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc64.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc66.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc67.tmp/[From info@oldworldstoneworks.com][Date Wed, 14 Sep 2005 07:43:53 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc67.tmp/[From info@oldworldstoneworks.com][Date Wed, 14 Sep 2005 07:43:53 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc67.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc67.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc68.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc68.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc68.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc70.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc70.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc70.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc71.tmp/[From webmaster@asylumnet.com][Date Mon, 19 Sep 2005 15:28:36 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc71.tmp/[From webmaster@asylumnet.com][Date Mon, 19 Sep 2005 15:28:36 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc71.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc71.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc72.tmp/[From postmaster@mosley-stl.com][Date Wed, 14 Sep 2005 08:04:58 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc72.tmp/[From postmaster@mosley-stl.com][Date Wed, 14 Sep 2005 08:04:58 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc72.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc72.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc73.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc75.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc76.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc77.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc78.tmp/[From ong@ch2m.com][Date Fri, 23 Sep 2005 10:32:02 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc78.tmp/[From ong@ch2m.com][Date Fri, 23 Sep 2005 10:32:02 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc78.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc78.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc79.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc81.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc82.tmp/[From asfai@bankofamerica.co][Date Sun, 16 Oct 2005 19:42:23 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc82.tmp/[From asfai@bankofamerica.co][Date Sun, 16 Oct 2005 19:42:23 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc82.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc82.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc85.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc86.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc87.tmp/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc87.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc87.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc89.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc90.tmp/[From greatcustomer@msn.com][Date Tue, 27 Sep 2005 15:27:18 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc90.tmp/[From greatcustomer@msn.com][Date Tue, 27 Sep 2005 15:27:18 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc90.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc90.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc91.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc93.tmp Infected: Email-Worm.Win32.Bagle.fj skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc94.tmp Infected: Email-Worm.Win32.Bagle.fb skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc95.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc97.tmp/[From bwesttoo@juno.com][Date Sat, 22 Oct 2005 03:18:38 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc97.tmp/[From bwesttoo@juno.com][Date Sat, 22 Oct 2005 03:18:38 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc97.tmp Mail: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc97.tmp CryptFF: suspicious - 2 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc98.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc98.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc98.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-507921405-1532298954-839522115-1004\Dc99.tmp Infected: Email-Worm.Win32.Bagle.fk skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP654\A0131063.exe Infected: Trojan-Downloader.Win32.Zlob.jbe skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP654\A0131064.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP655\A0132546.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP655\A0132547.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP655\A0132548.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP655\A0132549.exe Infected: Trojan-Downloader.Win32.Small.ivo skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP655\A0132583.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP657\A0137654.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP657\A0137655.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP657\A0137656.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP657\A0137657.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP657\A0137658.dll Infected: Trojan-Downloader.Win32.Agent.lsw skipped
C:\System Volume Information\_restore{64086DA3-F892-45AA-82EA-324BDAE16704}\RP658\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\fmsxwqs.exe Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2008-03-23, 01:23
I can tell you this: the infection we are removing (Smitfraud) is one of the easiest to remove and should not be causing these problems. If you remember, the first thing I had you do was clean the NAV quarantine folder. If you look at the first KOS log you will see this computer has been through some major infections that it appears NAV was able to remove. Most of the junk appears to have infected you via email, I see:
Email-Worm.Win32.NetSky.q,
Exploit.HTML.Iframe.FileDownload,
Email-Worm.Win32.Zhelatin.o
Email-Worm.Win32.NetSky.j
Email-Worm.Win32.Bagle.fk
Net-Worm.Win32.Mytob.be
Email-Worm.Win32.Bagle.fk
Email-Worm.Win32.Tanatos.b.dam
And these all occurred before the most recent infection, which is of the type usually caused by downloading bad codecs; see this:
http://forums.spybot.info/showthread.php?t=7344
While I cannot say with absolute certainty, it is likely how this infection was acquired, but you are also lucky you did not pick up a Vundo infection running with out-of-date Java.
I suggest you establish safe procedures for handling incoming email; the infections you have been through are some of the worst there are.
It may be that you should do a repair reinstall of your Operating System, if not a complete reinstallation. This system has been through a lot.
KASPERSKY ONLINE SCANNER REPORT Saturday, March 22, 2008 5:42:53 PM
When you delete stuff, you do realize it goes to the Recycle Bin?
1) C:\WINDOWS\fmsxwqs.exe <<< This is an active infection, navigate to it and delete that file in red.
2) C:\Documents and Settings\Authorized User\Desktop\SmitfraudFix\ <<< delete that folder and contents
3) C:\Documents and Settings\Authorized User\Desktop\SmitfraudFix.exe <<< delete that file
4) C:\RECYCLER\ <<< delete the contents of the Recycle Bin on your Desktop
5) Restart the computer
6) Follow these instructions to clean infected System Restore files.
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
If you followed directions, the next KOS scan will be clean. I do not need to see a clean scan; I would like to see a last HJT log.
Thanks
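The sorting the helper does by hand in the post above (detections sitting in the Recycle Bin, detections archived in System Restore points, one live file, and "Object is locked" entries that are just in-use system files), as an added example that is not part of the thread or of Kaspersky's own tooling. The report text in the block is constructed in the KOS line format seen in this thread; its SID, GUID and file names are placeholders.

```python
"""Triage a Kaspersky Online Scanner (KOS) report by where each detection lives."""
import re
from collections import Counter

# One KOS result line reads "<path> <verdict> skipped". The verdict is a named
# detection ("Infected: <name>" / "Suspicious: <name>"), an in-use file
# ("Object is locked"), or a container roll-up ("ZIP: infected - 1",
# "Mail: suspicious - 2"). Paths may contain spaces and carry archive or mail
# members appended with "/", so the path group is lazy and the verdict
# alternatives are anchored to the trailing "skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>"
    r"(?:Infected|Suspicious):\s+(?P<name>\S+)"
    r"|Object is locked"
    r"|(?P<container>[A-Za-z]+):\s+(?:infected|suspicious)\s+-\s+\d+"
    r")\s+skipped\s*$"
)


def classify(path):
    """Bucket a detection by its on-disk container (the part before any "/"
    member separator), compared case-insensitively as Windows does."""
    top = path.split("/", 1)[0].lower()
    if re.match(r"^[a-z]:\\recycler\\", top):
        return "recycle_bin"    # deleted but not emptied: empty the Recycle Bin
    if "\\system volume information\\_restore" in top:
        return "restore_point"  # archived by System Restore: flush the restore points
    return "active"             # anywhere else: a live file that must be removed


def triage(report):
    """Parse a whole KOS report into buckets plus a per-family count."""
    t = {
        "locked": [],           # in-use system files (hives, event logs): not infections
        "recycle_bin": [],
        "restore_point": [],
        "active": [],
        "families": Counter(),  # detection name -> number of objects
        "riskware": 0,          # "not-a-virus:" verdicts (remote-admin tools, adware)
        "unparsed": [],
    }
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line == "Scan process completed.":
            continue
        m = LINE_RE.match(line)
        if m is None:
            t["unparsed"].append(line)
            continue
        path = m.group("path")
        if m.group("verdict") == "Object is locked":
            t["locked"].append(path)
            continue
        if m.group("container"):
            continue  # roll-up of members already listed on earlier lines
        name = m.group("name")
        t[classify(path)].append((path, name))
        t["families"][name] += 1
        if name.startswith("not-a-virus:"):
            t["riskware"] += 1
    return t


def recommended_actions(t):
    """Map the buckets onto the cleanup steps given in the post above."""
    steps = [f"Remove active file {p} ({n}) and rescan" for p, n in t["active"]]
    if t["recycle_bin"]:
        steps.append(f"Empty the Recycle Bin ({len(t['recycle_bin'])} detections under RECYCLER)")
    if t["restore_point"]:
        steps.append("Turn System Restore off, reboot, then turn it back on "
                     f"({len(t['restore_point'])} detections in restore points)")
    if t["locked"]:
        steps.append(f"Ignore {len(t['locked'])} locked objects: in-use system files, not detections")
    return steps


# Constructed sample in the KOS line format; SID, GUID and file names are placeholders.
SAMPLE_REPORT = r"""
C:\RECYCLER\S-1-5-21-EXAMPLE-1004\Dc1.tmp/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-EXAMPLE-1004\Dc1.tmp ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-EXAMPLE-1004\Dc1.tmp CryptFF: infected - 1 skipped
C:\RECYCLER\S-1-5-21-EXAMPLE-1004\Dc2.tmp/[From sender@example.invalid][Date Mon, 10 Oct 2005 22:01:40 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-EXAMPLE-1004\Dc2.tmp Mail: suspicious - 1 skipped
C:\RECYCLER\S-1-5-21-EXAMPLE-1004\Dc3.zip/RADMIN22.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\RECYCLER\S-1-5-21-EXAMPLE-1004\Dc3.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP1\A0000001.exe Infected: Trojan-Downloader.Win32.Zlob.jbe skipped
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP1\A0000002.dll Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\WINDOWS\example_dropped.exe Infected: not-a-virus:AdWare.Win32.Vapsup.cul skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    for bucket in ("active", "recycle_bin", "restore_point", "locked"):
        print(f"{bucket}: {len(summary[bucket])}")
    print("families:", dict(summary["families"]))
    for step in recommended_actions(summary):
        print("-", step)
```

Container roll-up lines are parsed but not counted, so a ZIP with one infected member counts once rather than three times as it does in the raw report.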
RipVanWinkle
2008-03-23, 05:04
Phil: Here's my latest HJT log. The KOS was clean.
Whew!
I will update my Java immediately after I post this, and will follow your instructions completely. Incidentally, I tried to uninstall Java using the Add/Remove Programs and it gives me an error saying Windows Installer service is not running and the remove cannot continue. Any other suggestions?
Let me know if there is anything else I should do. I will be repairing my OS, if not a complete reinstall, sometime later this week. For now, I will have to live with things the way they are. Thanks for your advice, I will follow it, and I guess I need to figure out how to prevent so many email infections...
I remember getting lots of emails from people with things attached, and NAV just deleting them. I never thought they would still be hanging around.
Take care, have a great Easter weekend--what's left of it anyway--and thanks again for all your help.
--John
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:49 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 6462 bytes
pskelley
2008-03-23, 13:50
Any other suggestions?
If I did not mention it before, I must have the error messages word for word, exactly as Windows gives them to you.
http://support.microsoft.com/kb/315353
http://support.microsoft.com/kb/315346
http://support.microsoft.com/kb/319624
http://support.microsoft.com/kb/886630/en-us
Start > Control Panel > Security Center and tell me if all three areas are on (green)
The reason I am asking is that even though I see your Symantec items in services, I do not see them in running programs. You should update the antivirus program and run a complete system scan, watching carefully that all is functioning as it should be. If not, contact:
http://www.symantec.com/enterprise/support/index.jsp
Besides that, I see no malware in the most recent HJT log (9:52:49 PM, on 3/22/2008).
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.