HELP! Infected with PC-AntiSpyware - logs posted



msc12
2008-04-01, 19:26
Somehow, I got the PC-AntiSpyware BS...arggg...bogging down my system, with a constant pop-up, "security threat", and a yellow badge with an "!" in the middle appearing in my systray - which, when you select it, takes you to PC-AntiSpyware's web site to buy....what a scam...

I ran Spybot to no avail. I checked Norton's web site; almost all the files they say to remove do not exist on my PC. Obviously this virus changes its methods and names quite frequently to evade cookie-cutter deletion attempts by the masses (my guess here). In a previous thread, I noticed the Security Expert suggested the user run SmitFraudFix and post the rapport file. I have done that below...any help would be greatly appreciated!

SmitFraudFix v2.309

Scan done at 9:59:11.85, Tue 04/01/2008
Run from C:\Documents and Settings\Bill Glickman\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\nmfkzupi\bkvsdkzg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\Contour\Config32.exe
C:\WINDOWS\Contour\PageIcon.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\etMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Contour\xpoint32.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dirmfyju.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Liebermans\Art Explorer\Firebird\bin\ibserver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bill Glickman


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Bill Glickman\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BILLGL~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler Miniport
DNS Server Search Order: 192.168.50.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{18ABCF7E-5832-4307-A762-303626C7FAA9}: DhcpNameServer=192.168.50.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{18ABCF7E-5832-4307-A762-303626C7FAA9}: DhcpNameServer=192.168.50.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{18ABCF7E-5832-4307-A762-303626C7FAA9}: DhcpNameServer=192.168.50.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.50.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.50.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.50.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2008-04-02, 14:42
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

Do not run and post the Kaspersky scan now until I request it.

http://forums.spybot.info/showthread.php?t=16806

Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans
Since you have chosen not to follow directions I will do what I can. Please read and follow them from this point on!

1) Smitfraudfix found the infection and it also found this:
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
After we clean, in the next C:\rapport.txt, there may be a very large hosts file
(items starting with 127.0.0.1) and I do not need to see it. Edit (remove) it from
the C:\rapport.txt before you post it.

Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

2) Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Post the C:\rapport.txt and that HJT log.

Thanks
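The hosts-file hijack pskelley points at above (SmitFraudFix's "hosts file corrupted !", with Spybot's own domain pinned to 127.0.0.1 so the victim cannot reach help) can be triaged without a fix tool. The Python script below is an added example, not part of the original thread and not SmitFraudFix's code: it parses a hosts file, ignores the default localhost line, rates loopback mappings of security-vendor and update domains as HIGH, rates other blackholed names as MEDIUM (ad-blocking hosts lists look exactly like this), and, going one step beyond what the log shows, also flags names pointed at a non-private remote address, which is the pharming variant of the same abuse. The sample hosts content, the WATCH_DOMAINS list and the severity labels are constructed for the example; the two spybot entries are the ones from the log above.

```python
"""Triage a Windows hosts file for blackholed security domains and
pharming-style redirects (added example; not SmitFraudFix's logic)."""
import ipaddress

# Constructed sample: the two entries SmitFraudFix reported on this page,
# plus benign and malicious neighbours for contrast. Line numbers matter
# for the findings below (comments are lines 1-2, localhost is line 3).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
127.0.0.1 www.symantec.com
192.168.50.10   fileserver.lan
203.0.113.5     www.example-bank.test
127.0.0.1       ads.tracker.test
"""

# Assumed watch-list: substrings of vendor/update domains that rogue
# software commonly blackholes so the victim cannot fetch a cleaner.
WATCH_DOMAINS = ("spybot", "symantec", "norton", "mcafee", "kaspersky",
                 "microsoft", "windowsupdate", "avg", "trendmicro", "sophos")

# RFC 1918 ranges: a name mapped to one of these is usually a LAN host,
# not an attacker, so it is not reported.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Return [(line_no, ip_address, [names...])] for every mapping line.

    Trailing '# comments' are stripped; blank, comment-only and malformed
    lines are skipped, as the Windows resolver skips them."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((line_no, addr, [f.lower() for f in fields[1:]]))
    return entries


def classify(addr, names):
    """Return (severity, reason) or None for an entry that needs no attention."""
    if addr.is_loopback or addr.is_unspecified:
        if names == ["localhost"]:
            return None                      # the one mapping every box has
        if any(w in n for n in names for w in WATCH_DOMAINS):
            return "HIGH", "security/update domain blackholed"
        return "MEDIUM", "name blackholed (ad-block lists look like this too)"
    if any(addr in net for net in PRIVATE_NETS):
        return None                          # LAN host; not reported
    return "HIGH", "name redirected to a remote address (pharming-style)"


def triage_hosts(text):
    """Return a list of findings, each a dict with line, severity and reason."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        verdict = classify(addr, names)
        if verdict:
            severity, reason = verdict
            findings.append({"line": line_no, "severity": severity,
                             "address": str(addr), "names": names,
                             "reason": reason})
    return findings


if __name__ == "__main__":
    # To run against a real machine, replace SAMPLE_HOSTS with the contents
    # of %SystemRoot%\system32\drivers\etc\hosts.
    for f in triage_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3} {f['severity']:<6} {f['address']:<15} "
              f"{' '.join(f['names'])}  <- {f['reason']}")
```

On a rogue-infected XP box the hosts file is often hundreds of lines long (the reason pskelley asks for the 127.0.0.1 block to be cut from the report); the MEDIUM bucket is where a legitimate ad-blocking list would land, so only the HIGH findings need to be reverted by hand before the cleaner's network access is trusted again.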

msc12
2008-04-02, 17:09
Hi Kelly, sorry for not following directions better, I was just trying to expedite...

I can't get the PC to boot up in Safe Mode... I keep hitting F8 the moment I turn on the PC from the powered-off state.....but to no avail, it boots up in normal mode every time.

pskelley
2008-04-02, 17:47
Have a look at this tutorial:
http://spyware-free.us/tutorials/safemode/

If that does not work then run Smitfraudfix in normal mode and we will see what happens.

Thanks

msc12
2008-04-02, 17:53
OK, I figured out MSCONFIG to force SAFE MODE start-up.... sorry, I am a newb...

I followed your instructions, and am posting the rapport.txt with 127.0... junk deleted...

SmitFraudFix v2.309

Scan done at 8:24:40.78, Wed 04/02/2008
Run from C:\Documents and Settings\Bill Glickman\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{18ABCF7E-5832-4307-A762-303626C7FAA9}: DhcpNameServer=192.168.50.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{18ABCF7E-5832-4307-A762-303626C7FAA9}: DhcpNameServer=192.168.50.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{18ABCF7E-5832-4307-A762-303626C7FAA9}: DhcpNameServer=192.168.50.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.50.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.50.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.50.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Next post will be HJ log...

msc12
2008-04-02, 17:54
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:44 AM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\nmfkzupi\bkvsdkzg.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\Contour\Config32.exe
C:\WINDOWS\Contour\PageIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\Contour\xpoint32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\etMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dirmfyju.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Liebermans\Art Explorer\Firebird\bin\ibserver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PatentHunter - {BCB2344B-3D5B-46d7-861B-A8F27E4FE602} - C:\Program Files\PatentWizard, LLC\PatentHunter3\PHToolBand.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Contour.Config32] C:\WINDOWS\Contour\Config32.exe Perfit Optical Mouse (USB)
O4 - HKLM\..\Run: [Contour.PageIcon] C:\WINDOWS\Contour\PageIcon.exe Software\LCS\{90C3F540-5485-11D1-AC67-00000500480A}
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [etMonitor] C:\WINDOWS\etMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [islnketc] C:\WINDOWS\system32\dirmfyju.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [pYKd9H28DX] C:\Documents and Settings\All Users\Application Data\nmfkzupi\bkvsdkzg.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNfox000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {495DEA80-49C2-4891-94CD-C2016615D16F} (ProductView Control) - http://216.235.87.77/spx/servlet/websearch/pvcadview.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: sxfnewqb - {DBB99EDB-9BC7-46F0-9AD9-20F44A19F791} - (no file)
O21 - SSODL: fkdnrwsv - b{582ee063-4ec0-4672-9561-fbc7f10b9f52} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 15529 bytes

pskelley
2008-04-02, 18:17
Thanks for that feedback and I hope you have no problems. We have been told by folks who know, never to force Safe Mode on an infected computer:
http://www.dslreports.com/forum/remark,18150258

Is this item:
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe
this: http://www.castlecops.com/o23list-476.html
Are you aware of this service running?

1) You are running System Configuration Utility (MSConfig) in Selective Startup mode, return it to Normal Mode until we finish. I have no idea if you have malware turned off?

2) C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by AOL, probably without your knowledge. I suggest you uninstall this resource waster in Add/Remove Programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

5) Windows Defender: Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
Make sure to turn your protection back on when you finish.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O4 - HKCU\..\Run: [islnketc] C:\WINDOWS\system32\dirmfyju.exe
O4 - HKLM\..\Policies\Explorer\Run: [pYKd9H28DX] C:\Documents and Settings\All Users\Application Data\nmfkzupi\bkvsdkzg.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNfox000
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: sxfnewqb - {DBB99EDB-9BC7-46F0-9AD9-20F44A19F791} - (no file)
O21 - SSODL: fkdnrwsv - b{582ee063-4ec0-4672-9561-fbc7f10b9f52} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\dirmfyju.exe <<< delete that file

C:\Documents and Settings\All Users\Application Data\nmfkzupi\ <<< delete that folder and contents

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log with MSConfig running in normal mode and tell me how the computer is running now.

Thanks
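The triage pskelley does by eye in the post above (orphaned "(no file)" entries, an autostart under Policies\Explorer\Run, an executable dropped under All Users\Application Data, and eight-letter names like bkvsdkzg and dirmfyju that no vendor would choose) can be written down as a scorer. The Python script below is an added example, not part of the original thread and not HijackThis's own code: it parses HijackThis-style O-lines, applies those heuristics with weights, and returns a verdict per line. The weights, the KNOWN_GOOD allowlist and the "generated-looking name" rule (all-lowercase, seven or more letters, vowel-starved with a long consonant cluster) are assumptions chosen for the example; the name rule is deliberately scored rather than trusted, because legitimate Windows binaries such as svchost trip it. The sample lines are copied from the log on this page, benign and malicious side by side.

```python
"""Score HijackThis-style log lines with the heuristics a forum helper
applies by eye (added example; not HijackThis's own logic)."""
import re
from pathlib import PureWindowsPath

# Constructed sample: lines taken from the HijackThis log on this page.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [islnketc] C:\WINDOWS\system32\dirmfyju.exe
O4 - HKLM\..\Policies\Explorer\Run: [pYKd9H28DX] C:\Documents and Settings\All Users\Application Data\nmfkzupi\bkvsdkzg.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O21 - SSODL: sxfnewqb - {DBB99EDB-9BC7-46F0-9AD9-20F44A19F791} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
""".strip().splitlines()

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path up to a binary extension; paths contain spaces.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|cpl|scr|com|bat))\b", re.IGNORECASE)
VALUE_RE = re.compile(r"\[([^\]]+)\]")                        # O4 value name
ENTRY_RE = re.compile(r"^(?:BHO|SSODL|Toolbar): (.+?) - \S*\{")  # O2/O21/O3 display name

# Assumed allowlist: real Windows binaries that look "random" to the rule.
KNOWN_GOOD = {"svchost", "wmiprvse", "ctfmon", "spoolsv", "userinit",
              "explorer", "rundll32"}
VOWELS = set("aeiou")


def looks_random(token):
    """Crude generated-name test: >= 7 lowercase letters and either no vowels
    or a vowel ratio <= 0.25 with a consonant run of 4+. Weak on its own."""
    if token in KNOWN_GOOD or not re.fullmatch(r"[a-z]{7,}", token):
        return False
    vowels = sum(c in VOWELS for c in token)
    if vowels == 0:
        return True
    longest_run = max(len(run) for run in re.findall(r"[^aeiou]+", token))
    return vowels / len(token) <= 0.25 and longest_run >= 4


def score_line(line):
    """Return a dict with kind, score, verdict and reasons, or None if the
    line is not an O-line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    low = rest.lower()
    reasons = []

    if "(no file)" in low or "(file missing)" in low:
        reasons.append((1, "target missing: stale entry, remove"))
    if kind == "O4" and "policies\\explorer\\run" in low:
        reasons.append((2, "Policies\\Explorer\\Run: unusual autostart key"))
    if kind == "O20" and low.startswith("appinit_dlls"):
        reasons.append((1, "AppInit_DLLs loads into every process; verify vendor"))

    names = []
    if v := VALUE_RE.search(rest):
        names.append(v.group(1))
    if e := ENTRY_RE.match(rest):
        names.append(e.group(1))
    if p := PATH_RE.search(rest):
        path = PureWindowsPath(p.group(1))
        plow = str(path).lower()
        if any(d in plow for d in ("\\application data\\", "\\local settings\\", "\\temp\\")):
            reasons.append((2, "executable launched from a profile data directory"))
        # Vendor software under Program Files is not name-checked; droppers
        # favour system32, %WINDIR% and profile directories.
        if "\\program files" not in plow and "\\progra~" not in plow:
            names.extend([path.stem, path.parent.name])

    for name in names:
        if looks_random(name):
            reasons.append((2, f"generated-looking name: {name}"))

    score = sum(w for w, _ in reasons)
    verdict = "suspicious" if score >= 2 else "review" if score == 1 else "ok"
    return {"kind": kind, "score": score, "verdict": verdict,
            "reasons": [r for _, r in reasons], "line": line.strip()}


def triage(lines):
    """Score every O-line in the given log lines, in order."""
    return [r for r in (score_line(l) for l in lines) if r]


if __name__ == "__main__":
    for r in triage(SAMPLE_HJT):
        print(f"{r['verdict']:<10} {r['score']:>2}  {r['line'][:70]}")
        for reason in r["reasons"]:
            print(f"{'':13}- {reason}")
```

The two entries pskelley told the poster to fix by hand (dirmfyju.exe and the nmfkzupi folder) come out as the highest-scoring lines; the "(no file)" BHO and SSODL entries and the orphaned Firebird service land in the review bucket, which matches the post's own handling: remove the stale ones, ask about the unknown service. The same name rule can be run over the "Running processes" section of a SmitFraudFix or HijackThis log, but only with the allowlist in place.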

msc12
2008-04-02, 18:58
Hi Kelly.... I followed your instructions perfectly... thanks for the AOL tip, I removed it... Below is the HJT log with MSCONFIG running in NORMAL mode. Luckily I did not have any problems bringing it from Safe to Normal mode; I just hope it does not affect the malware removal... here is the HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:53 AM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\Contour\Config32.exe
C:\WINDOWS\Contour\PageIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Contour\xpoint32.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\etMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Liebermans\Art Explorer\Firebird\bin\ibserver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PatentHunter - {BCB2344B-3D5B-46d7-861B-A8F27E4FE602} - C:\Program Files\PatentWizard, LLC\PatentHunter3\PHToolBand.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Contour.Config32] C:\WINDOWS\Contour\Config32.exe Perfit Optical Mouse (USB)
O4 - HKLM\..\Run: [Contour.PageIcon] C:\WINDOWS\Contour\PageIcon.exe Software\LCS\{90C3F540-5485-11D1-AC67-00000500480A}
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [etMonitor] C:\WINDOWS\etMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {495DEA80-49C2-4891-94CD-C2016615D16F} (ProductView Control) - http://216.235.87.77/spx/servlet/websearch/pvcadview.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 14374 bytes

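The log above is read by eye in this thread, but the cues pskelley used to pick entries for "Fix checked" (a target of "(no file)" or "(file missing)", an O23 service with "Unknown owner", an executable launched out of Application Data, an eight-letter gibberish name) can be written down as a small triage script. This is an added example, not part of the thread and not a HijackThis feature: it parses HJT-style O-lines and lists the ones that hit one of those cues. The sample log is constructed from entries quoted in this thread plus one made-up O4 line for the nmfkzupi folder; the "looks random" heuristic is an assumption modelled on the names seen here, not a rule from any tool.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: real-looking entries copied from this thread plus one
# made-up O4 line pointing at the malware folder pskelley asked to delete.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bkvsdkzg] C:\Documents and Settings\All Users\Application Data\nmfkzupi\bkvsdkzg.exe
O21 - SSODL: sxfnewqb - {DBB99EDB-9BC7-46F0-9AD9-20F44A19F791} - (no file)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.I)
USER_DIR_RE = re.compile(r"\\(?:documents and settings|application data|temp)\\", re.I)
EXEC_RE = re.compile(r"\.(?:exe|dll|scr)\b", re.I)
VOWELS = set("aeiou")


@dataclass
class Finding:
    section: str                 # e.g. "O23"
    name: str                    # item name as HJT prints it
    target: str                  # file path or "(no file)" as HJT prints it
    reasons: list = field(default_factory=list)


def looks_random(name):
    """Heuristic (assumption): the malware names in this thread are eight
    lowercase letters with at most two vowels, e.g. 'sxfnewqb', 'fkdnrwsv'."""
    return (len(name) == 8 and name.isalpha() and name.islower()
            and sum(c in VOWELS for c in name) <= 2)


def parse_line(line):
    """Split one HJT line into (section, name, owner, target).
    Returns None for non-O lines (header, process list, blanks)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O4":                      # O4 - HKLM\..\Run: [name] command
        bracket = re.search(r"\[(.+?)\]\s*(.*)$", rest)
        if not bracket:
            return None
        return section, bracket.group(1), "", bracket.group(2).strip()
    parts = [p.strip() for p in rest.split(" - ")]
    head = parts[0].split(": ", 1)           # "Service: name" -> "name"
    name = head[1] if len(head) == 2 else head[0]
    owner = parts[-2] if section == "O23" and len(parts) >= 3 else ""
    return section, name, owner, parts[-1]


def reasons_for(section, name, owner, target):
    """Return the triage cues that apply to one entry (empty list = nothing odd)."""
    reasons = []
    if MISSING_RE.search(target):
        reasons.append("target file does not exist (orphaned entry)")
    if section == "O23" and owner.lower() == "unknown owner":
        reasons.append("service has no known publisher")
    if USER_DIR_RE.search(target) and EXEC_RE.search(target):
        reasons.append("executable runs from a user data directory")
    if looks_random(name):
        reasons.append("name looks machine-generated (8 lowercase letters, few vowels)")
    return reasons


def triage(log_text):
    """Parse every O-line in a log and return only the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, name, owner, target = parsed
        reasons = reasons_for(section, name, owner, target)
        if reasons:
            findings.append(Finding(section, name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name} -> {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it lists the O4 bkvsdkzg entry, the O21 sxfnewqb entry and the Firebird O23 service, and stays quiet on the Adobe, Symantec and NVIDIA lines. The cues are hints for a human reviewer, exactly as in the thread: an orphaned "(no file)" entry is harmless by itself but shows something was there, and an "Unknown owner" service such as the Firebird one turned out to be a legitimate program.

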
msc12
2008-04-02, 19:05
Kelly a few other things....

I did read the "NO MSCONFIG" links... but, it seemed no matter what I did, I could not get F8 to work.... fast beat, slow beat, etc. not sure if it's timing, or it just doesn't work, hence why I had to use MSCONFIG. I suspect from reading one of your links, that one of the malwares turned off my ability to use F8...sheeeeesh...

> Is this item: O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe
> this: http://www.castlecops.com/o23list-476.html
> you are aware of this service running.


I do run Firefox, so I assume this is OK? Not sure what your question meant, or if it's something you recommend I remove?


> 1) You are running System Configuration Utility (MSConfig) in Selective Startup mode, return it to Normal Mode until we finish. I have no idea if you have malware turned off?

What do you mean, do I have malware turned off?

Thanks

pskelley
2008-04-02, 19:25
That item running in your services has nothing to do with Firefox, have a look here:
http://www.firebirdnews.org/docs/fb2min.html and here:
http://www.destructor.de/firebird/index.htm
Probably related to this program:
http://www.liebermans.net/ProductandServices/Products/artexplorer.aspx
C:\Program Files\Liebermans\Art Explorer\Firebird\bin\ibserver.exe

> What do you mean, do I have malware turned off?

Hey, I don't know, a lot of folks think they can turn malware off in MSConfig and it is gone...not true.

Remove Smitfraudfix from your computer.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

msc12
2008-04-02, 21:50
Kelley, over an hour of scanning, and only 10% done, wow....but whatever it takes... I will report back as soon as it's finished...

this Scan is finding lots of infections though :-( 12 viruses so far...arggggg...


The good news is, so far, I have not seen the SCAN INTEGRITY pop-up again, so your good instructions "might" be paying off.... (gotta be cautious in what I write..... with viruses, time will tell....)

Thanks Again

pskelley
2008-04-02, 21:56
A scan on my Dell with XP Pro takes a little over an hour, it does not seem right that it took one hour to get to 10%. If you want to stop the scan and try another one, let me know. Kaspersky is one of the best free scans there is but that seems unusual?

Thanks

msc12
2008-04-02, 22:14
Kelley, so far the scan found....

12 viruses found

43 infected objects.

I re-started the scan based on your comments, it was really doggin...way too slow... I noticed a pop-up atop the window of Active X that was blocked... I allowed that to go through, and restarted scan. It starts out very fast, then at 1% complete, it starts going slow again?



Since after all we have done, this Kaspersky scanner is STILL identifying more viruses, so it makes sense to let it go, right? It's obviously pretty good.

BTW, I get the impression, all these spyware / virus scanners, it seems they all find problems that the other ones missed, is this right? I would think the ones with the biggest budgets like Norton / McAfee would have the biggest and best R&D teams, which would produce the most thorough and up-to-date intelligence on what to look for....but I am starting to think - that is not the case....would you agree?

Is there a "best" scanner you would recommend? After we are done with this, I better jump ship from Norton and move onto something better?

Thanks again for your help...

Scan may take an hour still, I have 800k files.

pskelley
2008-04-02, 22:45
If you really have 800K files, you have ten times as many as most computers? Why so many?

I cannot comment on what Kaspersky is finding until I see the scan, they could be junk in quarantine of your antivirus program or even in infected System Restore files. The number of infected items is not unusual. I will post comments from experts in the field when we are finished. You would think if you paid a lot of $$$ for the program, it should work, but I personally use a free antivirus program. Hackers have learned how to exploit programs and infect you by bypassing your security programs. There is much more to security than the programs you run. If you do use safe online habits, you will get infected, have a look at a little of what is going on:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html
http://www.channelregister.co.uk/2007/11/07/rogue_antispyware_ads/
http://en.wikipedia.org/wiki/Russian_Business_Network

It is all about the $$$ and organized crime. The days of being able to randomly wander are gone. Even basics like MySpace, etc. are no longer safe.

Thanks

msc12
2008-04-02, 23:46
Kelley... I will go review those links later, thanks... this was one hell of a lesson..

After an hour and a half, KAS is only at 10%, it slowed down drastically again...we could just let it go and see what happens. Since you are on the East Coast, you may be cutting out for the night, so no harm in letting it go overnight?

I do have a lot of files, lots of software I guess... I never looked to find out why... but the other spy scanners, such as Norton, PC Tools, Spybot, etc. all take from 15 - 30 minutes total, none of them have ever taken this long?

pskelley
2008-04-03, 00:04
Sounds good to me, if you wish to try an alternate scan, you can try this one:

Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post that log...Thanks

msc12
2008-04-03, 00:09
Kelley, those links blew me away!!! I had no idea how easy it was for hackers to infect everything.... even web pages!! No wonder these $29 Anti - "Whatever" programs don't have a chance against these well organized hackers who can make huge dollars infecting everyone with spam and other more malicious malware.... They stand to make more than the Anti-whatever sellers of software (my guess) I will be extra cautious what sites I visit after this experience....

2 hours, and still only 10% done with KAS? If you are signing off for the night, I assume I should let it go overnight? Or stop it and run the other one you just posted?

msc12
2008-04-03, 05:38
Kelley, here is the KASP report...it only took 6 hours in the end :-)

I await your instructions...

Thanks



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 02, 2008 8:36:13 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/04/2008
Kaspersky Anti-Virus database records: 609247
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan Statistics:
Total number of scanned objects: 305594
Number of viruses found: 13
Number of infected objects: 33
Number of suspicious objects: 2
Duration of the scan process: 05:32:41

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03182008-134148.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1436311D.exe Infected: Email-Worm.Win32.Bagle.eh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3F810D81.tmp Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4B207E86.wmf Infected: Exploit.Win32.IMG-WMF.v skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51284458.dll Infected: Email-Worm.Win32.Bagle.ei skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51284458.exe Infected: Email-Worm.Win32.Bagle.eh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5EFC3E70.tmp Infected: Email-Worm.Win32.Bagle.bq skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E49760E.exe Infected: Email-Worm.Win32.Bagle.eh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\732067FE.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\732067FE.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\732067FE.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\732067FE.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\732067FE.zip ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\732067FE.zip CryptFF: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\780D538B.dll Infected: Email-Worm.Win32.Bagle.eh skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78C660AF.tmp Infected: Trojan.Java.ClassLoader.z skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78C90AAB.tmp Infected: Trojan.Java.ClassLoader.ak skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78C90AAB.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78C90AAB.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78C90AAB.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78C90AAB.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78C90AAB.zip ZIP: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78C90AAB.zip CryptFF: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\57359068.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\873DE286.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Mozilla\Firefox\Profiles\hc6n17yi.default\cert8.db Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Mozilla\Firefox\Profiles\hc6n17yi.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Mozilla\Firefox\Profiles\hc6n17yi.default\history.dat Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Mozilla\Firefox\Profiles\hc6n17yi.default\key3.db Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Mozilla\Firefox\Profiles\hc6n17yi.default\parent.lock Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Mozilla\Firefox\Profiles\hc6n17yi.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Mozilla\Firefox\Profiles\hc6n17yi.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\abook.mab Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\cert8.db Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\key3.db Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\articles of interest.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Drafts.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\family emails.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\funny.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Hi Rez 3d.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Ron Landucci" <ron@proformasystems.com>][Date Fri, 9 Aug 2002 08:47:55 -0600]/text/[From "Michael K. Davis" <zilch0@primenet.com>][Date Fri, 16 Aug 2002 19:14:33 -0500]/text/[From "Michael K. Davis" <zilch0@primenet.com>][Date Sat, 17 Aug 2002 13:05:21 -0500]/UNNAMED/[From Sam Smith <sam3d@telus.net>][Date Sun, 18 Aug 2002 14:03:41 -0600]/setup.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Ron Landucci" <ron@proformasystems.com>][Date Fri, 9 Aug 2002 08:47:55 -0600]/text/[From "Michael K. Davis" <zilch0@primenet.com>][Date Fri, 16 Aug 2002 19:14:33 -0500]/text/[From "Michael K. Davis" <zilch0@primenet.com>][Date Sat, 17 Aug 2002 13:05:21 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Ron Landucci" <ron@proformasystems.com>][Date Fri, 9 Aug 2002 08:47:55 -0600]/text/[From "Michael K. Davis" <zilch0@primenet.com>][Date Fri, 16 Aug 2002 19:14:33 -0500]/text Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Ron Landucci" <ron@proformasystems.com>][Date Fri, 9 Aug 2002 08:47:55 -0600]/text Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Oleg Vorobyoff" <olegv@ix.netcom.com>][Date Sat, 7 Aug 2004 07:49:32 -0700]/text/[From "Eric Cooper" <eric@evolution-1.com>][Date Sun, 8 Aug 2004 20:17:39 -0500]/UNNAMED/[From customer service <customerservice@unitedmfrs.com>][Date Mon, 16 Aug 2004 12:41:59 -0400]/UNNAMED/[From "Michael K. Davis" <zilch0@globalcrossing.net>][Date Tue, 17 Aug 2004 01:08:22 -0500]/text/[From BobKrist@aol.co ... /[From "Security@eBay.com" <Security@eBay.com>][Date Tue, 17 Aug 2004 18:25:20 -0400]/html Infected: Trojan-Spy.HTML.Bayfraud.b skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Oleg Vorobyoff" <olegv@ix.netcom.com>][Date Sat, 7 Aug 2004 07:49:32 -0700]/text/[From "Eric Cooper" <eric@evolution-1.com>][Date Sun, 8 Aug 2004 20:17:39 -0500]/UNNAMED/[From customer service <customerservice@unitedmfrs.com>][Date Mon, 16 Aug 2004 12:41:59 -0400]/UNNAMED/[From "Michael K. Davis" <zilch0@globalcrossing.net>][Date Tue, 17 Aug 2004 01:08:22 -0500]/text/[From BobKrist@aol.com][Date Tue, 17 Aug 2004 18:03:40 EDT]/text Infected: Trojan-Spy.HTML.Bayfraud.b skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Oleg Vorobyoff" <olegv@ix.netcom.com>][Date Sat, 7 Aug 2004 07:49:32 -0700]/text/[From "Eric Cooper" <eric@evolution-1.com>][Date Sun, 8 Aug 2004 20:17:39 -0500]/UNNAMED/[From customer service <customerservice@unitedmfrs.com>][Date Mon, 16 Aug 2004 12:41:59 -0400]/UNNAMED/[From "Michael K. Davis" <zilch0@globalcrossing.net>][Date Tue, 17 Aug 2004 01:08:22 -0500]/text Infected: Trojan-Spy.HTML.Bayfraud.b skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Oleg Vorobyoff" <olegv@ix.netcom.com>][Date Sat, 7 Aug 2004 07:49:32 -0700]/text/[From "Eric Cooper" <eric@evolution-1.com>][Date Sun, 8 Aug 2004 20:17:39 -0500]/UNNAMED/[From customer service <customerservice@unitedmfrs.com>][Date Mon, 16 Aug 2004 12:41:59 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.b skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Oleg Vorobyoff" <olegv@ix.netcom.com>][Date Sat, 7 Aug 2004 07:49:32 -0700]/text/[From "Eric Cooper" <eric@evolution-1.com>][Date Sun, 8 Aug 2004 20:17:39 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.b skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Oleg Vorobyoff" <olegv@ix.netcom.com>][Date Sat, 7 Aug 2004 07:49:32 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.b skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old Mail Berkeley mbox: infected - 10 skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old.msf Object is locked skipped

msc12
2008-04-03, 05:40
part II


C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\1Yahoo groups.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\1Yahoo groups.sbd\Afocal.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\1Yahoo groups.sbd\CanonWideFormat.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\1Yahoo groups.sbd\MiniMax.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\1Yahoo groups.sbd\Panoramic.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\1Yahoo groups.sbd\PRODIG.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\1Yahoo groups.sbd\Refractors.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\1Yahoo groups.sbd\[6x17].msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\20d.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\astronomy.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\custom blades.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\photo.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\photoshop.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\recipes.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\regist.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\stereo.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox.sbd\template.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Sent.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\useful info.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\very old inbox.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\mail.rconnects-1.com\Inbox.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\mail.rconnects-1.com\Trash.msf Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\panacea.dat Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\parent.lock Object is locked skipped
C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Bill Glickman\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\dbdam Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\dbdao Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\dbeam Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\dbeao Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\dbm Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\fii.cf1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\hp Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Google\Google Desktop\f4e94529cb26\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Identities\{D6FF64C8-3D57-4056-AFAE-86636C80E41D}\Microsoft\Outlook Express\Inbox.dbx/[From Suntrust Bank <sales@suntrust.com>][Date Wed, 08 Dec 2004 01:03:17 -0600]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Identities\{D6FF64C8-3D57-4056-AFAE-86636C80E41D}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: suspicious - 1 skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Mozilla\Firefox\Profiles\hc6n17yi.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Mozilla\Firefox\Profiles\hc6n17yi.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Mozilla\Firefox\Profiles\hc6n17yi.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Mozilla\Firefox\Profiles\hc6n17yi.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\History\History.IE5\MSHist012008040220080403\index.dat Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Temp\fla20.tmp Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Temp\fla21.tmp Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Temp\newmsg Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Temp\~DF8F52.tmp Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Bill Glickman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bill Glickman\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Bill Glickman\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Spyware Doctor\quarantine\EB3F903B-865B-47BB-A08F-B7F9B02259EF.sfs Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{02FBF4F9-EC35-4AE4-AEF5-E9CBC66B34F2}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Amazon Digital Video\Servicelog.adv Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_c04.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

pskelley
2008-04-03, 13:29
KASPERSKY ONLINE SCANNER REPORT Wednesday, April 02, 2008 8:36:13 PM

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\ <<< delete the contents of the NAV quarantine folder
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506

You are storing infected email, these are harder to show but I will give it a try. I will mark in red what I believe you must delete and the worm:

C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Ron Landucci" <ron@proformasystems.com>][Date Fri, 9 Aug 2002 08:47:55 -0600]/text/[From "Michael K. Davis" <zilch0@primenet.com>][Date Fri, 16 Aug 2002 19:14:33 -0500]/text/[From "Michael K. Davis" <zilch0@primenet.com>][Date Sat, 17 Aug 2002 13:05:21 -0500]/UNNAMED/[From Sam Smith <sam3d@telus.net>][Date Sun, 18 Aug 2002 14:03:41 -0600]/setup.exe ------> Email-Worm.Win32.Klez.h

C:\Documents and Settings\Bill Glickman\Application Data\Thunderbird\Profiles\umqs6n15.default\Mail\Local Folders\Inbox old/[From "Oleg Vorobyoff" <olegv@ix.netcom.com>][Date Sat, 7 Aug 2004 07:49:32 -0700]/text/[From "Eric Cooper" <eric@evolution-1.com>][Date Sun, 8 Aug 2004 20:17:39 -0500]/UNNAMED/[From customer service <customerservice@unitedmfrs.com>][Date Mon, 16 Aug 2004 12:41:59 -0400]/UNNAMED/[From "Michael K. Davis" <zilch0@globalcrossing.net>][Date Tue, 17 Aug 2004 01:08:22 -0500]/text/[From ... /[From "Security@eBay.com" <Security@eBay.com>][Date Tue, 17 Aug 2004 18:25:20 -0400]/html ------> Trojan-Spy.HTML.Bayfraud.b

C:\Documents and Settings\Bill Glickman\Local Settings\Application Data\Identities\{D6FF64C8-3D57-4056-AFAE-86636C80E41D}\Microsoft\Outlook Express\Inbox.dbx/[From Suntrust Bank <sales@suntrust.com>][Date Wed, 08 Dec 2004 01:03:17 -0600]/html <------Trojan-Spy.HTML.Fraud.gen

I will attach a file with the infected email information if you wish to view it.

Once the above instructions are followed, your KOS should be clean.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
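To make the triage done by hand above reproducible, here is an added Python example (not from the thread, the forum or any scanner vendor) that parses Kaspersky Online Scanner report lines in the format of the log above, drops the "Object is locked skipped" noise, and for detections inside mail stores reports the container (Thunderbird mbox or Outlook Express .dbx), the innermost sender and the attachment or MIME part flagged. The sample lines are abbreviated copies of entries from the log; the path prefixes C:\Mail and C:\OE are constructed stand-ins for the real profile paths.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Kaspersky Online Scanner report format. Entries are
# shortened copies of lines from the log above; C:\Mail and C:\OE are made-up prefixes.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Mail\Local Folders\Inbox old/[From "Ron Landucci" <ron@proformasystems.com>][Date Fri, 9 Aug 2002 08:47:55 -0600]/text/[From Sam Smith <sam3d@telus.net>][Date Sun, 18 Aug 2002 14:03:41 -0600]/setup.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Mail\Local Folders\Inbox old/[From "Ron Landucci" <ron@proformasystems.com>][Date Fri, 9 Aug 2002 08:47:55 -0600]/text Infected: Email-Worm.Win32.Klez.h skipped
C:\Mail\Local Folders\Inbox old Mail Berkeley mbox: infected - 10 skipped
C:\OE\Inbox.dbx/[From Suntrust Bank <sales@suntrust.com>][Date Wed, 08 Dec 2004 01:03:17 -0600]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
"""

# One report line: "<path> <verdict> skipped". The verdict is anchored to the line end so
# the non-greedy path cannot swallow it.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Object is locked"
    r"|Infected: (?P<infected>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|Mail [^:]+: (?:infected|suspicious) - \d+)"
    r" skipped$"
)

# Nested message parts inside a mail store are written as /[From ...][Date ...]/<part>.
MAIL_PART_RE = re.compile(r"\[From (?P<sender>[^\]]+)\]\[Date (?P<date>[^\]]+)\]")


@dataclass
class Finding:
    path: str                              # full path as printed by the scanner
    verdict: str                           # detection name, e.g. Email-Worm.Win32.Klez.h
    level: str                             # "infected" or "suspicious"
    container: Optional[str] = None        # mail store (mbox / .dbx) holding the message
    innermost_sender: Optional[str] = None  # sender of the message that carries the part
    part: Optional[str] = None             # attachment name or MIME part (setup.exe, html)


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a real detection, None for locked files and mailbox summaries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("infected"):
        level, name = "infected", m.group("infected")
    elif m.group("suspicious"):
        level, name = "suspicious", m.group("suspicious")
    else:
        return None
    path = m.group("path")
    finding = Finding(path=path, verdict=name, level=level)
    idx = path.find("/[From ")
    if idx != -1:
        # Everything before the first message header is the on-disk mail store.
        finding.container = path[:idx]
        parts = MAIL_PART_RE.findall(path[idx:])
        if parts:
            finding.innermost_sender = parts[-1][0]
        finding.part = path.rsplit("]/", 1)[-1]
    return finding


def triage(report: str) -> List[Finding]:
    """Keep one entry per (mail store, detection): the deepest nesting level, which is the
    line that names the actual attachment to remove. The scanner repeats the same
    detection once for every enclosing message, as the log above shows."""
    deepest: Dict[Tuple[str, str], Finding] = {}
    for line in report.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        key = (f.container or f.path, f.verdict)
        if key not in deepest or len(f.path) > len(deepest[key].path):
            deepest[key] = f
    return list(deepest.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.level:10} {f.verdict:28} store={f.container} part={f.part} "
              f"from={f.innermost_sender}")
```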

msc12
2008-04-03, 15:52
Kelley.... thanks again...

A few questions

> C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\ <<< delete the contents of the NAV quarantine folder
http://service1.symantec.com/SUPPORT...00041213443506

I could not delete these files, many are "in use" ???? I tried turning Norton off, but can't find an "off button" for it... argggg..
I assume this is important...

The infected emails, I had to go into the programs themselves and delete them, as they were not accessible through Windows Explorer.... I assume that is OK?

Can you explain how this old email from 02 was still causing problems today? What was it doing?

I will begin reading the "what to do from here links" you were so kind to offer. I will be taking this much more seriously.... but from the sounds of things, there is no easy solution.

BTW, was this INTEGRITY SCAN WIZARD virus an unusual virus to get rid of? It seems the steps to go through were extreme, i.e. vs. running a program that squashed it?

Thanks again..

pskelley
2008-04-03, 16:21
1) I don't use their product, problems like that are why. Contact tech support: http://www.symantec.com/enterprise/support/index.jsp
They are in quarantine for a reason, they are malware. They can do you no harm quarantined but do you really want them on your computer?

2) Email worms: however you got it done, I wonder why you were storing infected email to start with. Unless you choose to search email with the KOS you would not know they were there. Same situation, do you really want to store infected email on your computer?

3) Some of the infection is fairly new and seems to be something the hackers who spread Smitfraud ("operative word is fraud") have added recently.
http://en.wikipedia.org/wiki/Spyware_Quake
http://www.google.com/search?hl=en&q=Smitfraud&btnG=Google+Search
http://forums.spybot.info/showthread.php?t=7344

Keep in mind we had to manually remove some junk which is probably so randomly named it is not worth adding it to the fix. It may also have been bundled with the infection and actually no part of the infection we use Smitfraudfix for. Seems the hackers have plenty of time and money to work with and we in malware removal are at a disadvantage.

Thanks

msc12
2008-04-03, 17:20
Kelley.... it seems the original virus problem has been solved, so once again, thank you for your kind diligent help.... I am glad we went the extra mile to get some of the other junk off...

I am curious.... why do you do this? Is this a personal quest, or is this your line of work and you just do this on the side to help others?