FakeMSN8Beta - Another one! [Archive] - Safer-Networking Forums

View Full Version : FakeMSN8Beta - Another one!

Malware Victim

2006-02-28, 20:29

Hello ThereAND THANK YOU!

Attached is the HJT report that I could only run in Safe Mode since otherwise I could not even touch the folder. As soon as I was trying to open the folder, my screen would blink and I'll be sent to where I was before. Amaizingly enough, Symantec has nothing on their site and I have four computers "protected" by Norton Internet Security (NIS), TWO of which fell victim to this malware. I was tottally annoyed that I paid for four annual subscriptions to NIS and two Norton Syetm Works, and their idea of tech support is pay per incident, but they do not have any information on thsir site about this.

So anyway, here's the log. I suspect that the problem lies with the F3 lines, since they perpetually come back in Spybot scans:

Logfile of HijackThis v1.99.1
Scan saved at 12:32:04 AM, on 28/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Vic\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theglobeandmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theglobeandmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: load=C:\WINDOWS\system32\eqvylrs\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\eqvylrs\csrss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Vic"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Search and Recover Disk Image Service] "C:\Program Files\iolo\Search and Recover\DiskImageService.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Vic"
O4 - Startup: csrss.lnk = ?
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126482173015
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how/home_network/getfqdn.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://optionetics.webex.com/client/v_mywebex-t20/training/ieatgpc.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

illukka

2006-03-01, 10:04

hi

Please download MsnVirRem (http://www.portalsentry.com/msnvirrem.htm) (Either zip or self extracting .exe), and save it to your desktop. Once in place, right click the zip file (or double click the exe), and extract the files to your desktop. It will create another folder called MsnVirRem DO NOT RUN ANYTHING IN IT YET

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

In the new MsnVirRem folder, that you should have on your desktop, double click MsnVir.bat and let it run its course. A DOS window should pop up, Let it run until it disappears. It will take time to scan your machine.
After it disappears, reboot back into normal mode, and post a fresh HijackThis Log.

NOTE: if the link for the removal tool fails, or time out try again
if it is still unavailable the tool is temporarily available (unofficial mirror )
at http://koti.mbnet.fi/illukka/MsnVirRem.zip
the download will be removed soon as things gets sorted out

Malware Victim

2006-03-01, 20:04

Hello Illukka,

Thank you for your reply. I will run the MsnVirRem, probabaly in Safe Mode, since I could not run the HijackThis in real time also. It kept closing my folder before I could even attempt to install HijackThis. My concern is that in Safe Mode the nasty FakeMSN8Beta bastard is not actually running since I scanned with Spybot in Safe mode and Spybot found nothing (which explains whay I was able to install and run HijackThis!),

Any thoughts?

Thank you for your help,

Malware Victim

2006-03-01, 20:07

Hello Illukka, Sorry I forgot to ask about the hot links to web sites I see now posted in the log above. What are they posted for?

Thank you again,

Regards

illukka

2006-03-02, 06:52

hi

the links are pointing to a removal tool that cleans the infection :)

download and run the tool, then post a new hjt log and the report from the tool like instructed above

good luck :bigthumb:

Malware Victim

2006-03-04, 03:12

Hello Illukka,

Thnak youf for your help, juts a couple of questions please:
1.Are you saying that the O16 lines are added by the worm?
2. Some of these files are .cab. Do I use the Extract command from MS-Dos or something else?

Tks,

MV

illukka

2006-03-04, 07:11

hi

did you download and run the tool as instructed ?

can you now post a fresh hijackthis log so we can clean the possible remnants

as far as i can tell all the 016 items in the log are legit

Malware Victim

2006-03-06, 03:47

Hello Illukka,

Yes, I've downloaded the MsnRemVir, ran it as instructed and herre's the latest log.

Biggest problem now is the Norton Internet Security (NIS) as well as Microsoft Windows Defender (MSD) cannot be installed properly, regardless of the number of times that I have uninstalled and reinstalled them. Any ideas other then calling their tech support which likelly does not know as much about this malware as you do!

Again, thank you very much for all your help,

Logfile of HijackThis v1.99.1
Scan saved at 9:30:38 PM, on 05/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ABIT\ABITEQ\abiteq.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\iolo\Search and Recover\DiskImageService.exe
D:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\Vic\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theglobeandmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theglobeandmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GNRICXPK] C:\PROGRA~1\FLASHC~1\GNRICXPK.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ABITEQ] C:\Program Files\ABIT\ABITEQ\abiteq.exe -M
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [Search and Recover Disk Image Service] "C:\Program Files\iolo\Search and Recover\DiskImageService.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] C:\DOCUME~1\Vic\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - Startup: csrss.lnk = ?
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126482173015
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how/home_network/getfqdn.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab30149.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://optionetics.webex.com/client/v_mywebex-t20/training/ieatgpc.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE

illukka

2006-03-06, 20:34

thats very odd, because both windows defender and norton seem to be running ok according to the log..

lets do an online virus scan:

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/service?chapter=161739400)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

also post a new hjt log

NOTE: you seem to be running hijackthis from a temporary directory

before we can fix anything with it it must be unzippped into a permanent folder, like c:\hijackthis

Malware Victim

2006-03-07, 22:30

Hello Illukka,

Here's the scan and new location HJT log. I cannot use NIS to scan since it is not installed properly. Everything work OK until the product activation point where the software hangs for ever, repeatedly!
Thank you for your help,

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, March 07, 2006 06:01:53
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 7/03/2006
Kaspersky Anti-Virus database records: 180584
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 129136
Number of viruses found: 37
Number of infected objects: 186
Number of suspicious objects: 37
Duration of the scan process: 3822 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00387EF8 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\004526EA/[From dadaker@aol.com][Date Fri, 6 Aug 2004 08:54:35 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\004526EA/[From dadaker@aol.com][Date Fri, 6 Aug 2004 08:54:35 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\004526EA Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\01622A89/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\01622A89 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\01785070 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\08105254 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\08234E3E/[From chehab_wissam@hotmail.com][Date Sun, 8 Aug 2004 10:59:18 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\08234E3E/[From chehab_wissam@hotmail.com][Date Sun, 8 Aug 2004 10:59:18 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\08234E3E Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\091912C7.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B927028 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BE733CB/[From kathclose@aol.com][Date Wed, 11 Aug 2004 20:51:24 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BE733CB/[From kathclose@aol.com][Date Wed, 11 Aug 2004 20:51:24 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BE733CB Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BF705B9 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0C157F99/[From sankrot@hotmail.com][Date Wed, 11 Aug 2004 23:19:37 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0C157F99/[From sankrot@hotmail.com][Date Wed, 11 Aug 2004 23:19:37 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0C157F99 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0EC500A0/Details.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0EC500A0 Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15C14D41/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15C14D41 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\160968F2 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\162D458F/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\162D458F Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18903D29 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18A10F17/[From ehab.el-raheb@vodafone.com.eg][Date Tue, 19 Oct 2004 19:28:06 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18A10F17/[From ehab.el-raheb@vodafone.com.eg][Date Tue, 19 Oct 2004 19:28:06 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18A10F17 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1A9B4178.rar Infected: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1B4B27F6.class Infected: Trojan.Java.ClassLoader.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\21882EDF Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\21AC7CB7/[From kneville11@msn.com][Date Thu, 11 Nov 2004 08:01:06 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\21AC7CB7/[From kneville11@msn.com][Date Thu, 11 Nov 2004 08:01:06 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\21AC7CB7 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2DA37862/[From mlh2fk@better.supersizeunit.com][Date Fri, 7 May 2004 23:49:39 +0430]/letter.txt.zlq Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2DA37862 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2DAD7657/[From contact@sel.sony.com][Date Fri, 7 May 2004 19:07:50 -0400]/old_photos.doc.zlo Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2DAD7657 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2F620FE3.class Infected: Trojan.Java.ClassLoader.k
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\309F3C23/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\309F3C23 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3B466CB7 Infected: not-a-virus:AdWare.Win32.Cydoor
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3B7C4624 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BC461D5/[From xscast@bpthosp.org][Date Sun, 5 Sep 2004 17:40:32 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BC461D5/[From xscast@bpthosp.org][Date Sun, 5 Sep 2004 17:40:32 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BC461D5 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3C46409D.class Infected: Trojan.Java.ClassLoader.i
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CFD6FD4.class Infected: Trojan.Java.ClassLoader.i
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D96252B.class Infected: Trojan.Java.ClassLoader.f
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D9A4F27.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D9A4F27.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D9A4F27.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D9A4F27.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D9A4F27.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenStream.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D9A4F27.zip Infected: Trojan-Downloader.Java.OpenStream.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\417700E6.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\417A2AE3.class Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\417A2AE3.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\417A2AE3.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\417A2AE3.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\417A2AE3.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenStream.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\417A2AE3.zip Infected: Trojan-Downloader.Java.OpenStream.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\418B7CD1.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\418E26CD.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42F53142.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\440D7691.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A4E7FE7/Bill.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A4E7FE7 Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4B466923/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4B466923 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4BDB76A1 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4C8B5C60.zm9/lorjrbt.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4C8B5C60.zm9 Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\50C958E5 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\50D931F3.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\50ED26BE/[From nardakani@pol.net][Date Fri, 17 Dec 2004 21:59:27 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\50ED26BE/[From nardakani@pol.net][Date Fri, 17 Dec 2004 21:59:27 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\50ED26BE Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51B963BE/Textfile.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\51B963BE Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\626F41C8.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\634A2C62/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\634A2C62 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\64AC30A4/[From mjsylvstr@aol.com][Date Fri, 14 May 2004 15:36:03 -0400]/document.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\64AC30A4/[From mjsylvstr@aol.com][Date Fri, 14 May 2004 15:36:03 -0400]/document.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\64AC30A4 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66685ECB.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66685ECB.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66685ECB.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66685ECB.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66685ECB.zip Infected: Trojan-Downloader.Java.OpenConnection.

Continued in next post due to length

Malware Victim

2006-03-07, 22:30

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\689754D5 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68A152CA/[From walidsfeile@hotmail.com][Date Fri, 3 Dec 2004 19:49:39 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68A152CA/[From walidsfeile@hotmail.com][Date Fri, 3 Dec 2004 19:49:39 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68A152CA Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\691170A4/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\691170A4 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\693E3C72 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\69695E43/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\69695E43 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\699535CF/[From noreply@akermani][Date Fri, 14 May 2004 12:24:50 -0400]/account.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\699535CF/[From noreply@akermani][Date Fri, 14 May 2004 12:24:50 -0400]/account.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\699535CF Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A976477/[From support@quickenloans.com][Date Wed, 5 May 2004 22:22:30 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A976477/[From support@quickenloans.com][Date Wed, 5 May 2004 22:22:30 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A976477/[From support@quickenloans.com][Date Wed, 5 May 2004 22:22:30 -0400]/message.zlq Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6A976477 Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B5B686E Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B6B3A5C/[From marchaaoukar@hotmail.com][Date Tue, 5 Oct 2004 20:47:28 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B6B3A5C/[From marchaaoukar@hotmail.com][Date Tue, 5 Oct 2004 20:47:28 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B6B3A5C Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6BAB7DD2/Details.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6BAB7DD2 Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6BEF6F87/Part-2.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6BEF6F87 Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\732C1FBD.class Infected: Trojan.Java.ClassLoader.k
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\734D36D5/Bill.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\734D36D5 Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\735206A2.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\74055F3A Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\740B3333/[From lroshankashani@aol.com][Date Tue, 10 Aug 2004 17:50:32 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\740B3333/[From lroshankashani@aol.com][Date Tue, 10 Aug 2004 17:50:32 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\740B3333 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\756D36CF.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\77931532.class Infected: Trojan.Java.ClassLoader.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7C1C3C4A/Bill.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7C1C3C4A Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7F025766.class Infected: Trojan-Downloader.Java.OpenStream.c
C:\Documents and Settings\Vic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-45030a30-3e427a29.class Infected: Exploit.JS.ScriptSrc.a
C:\Documents and Settings\Vic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-71ba3716-410860b9.class Infected: Exploit.JS.ScriptSrc.a
C:\Documents and Settings\Vic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.jar-1201f915-74d57b50.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenStream.d
C:\Documents and Settings\Vic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.jar-1201f915-74d57b50.zip Infected: Trojan-Downloader.Java.OpenStream.d
C:\Documents and Settings\Vic\Local Settings\Application Data\Identities\{00223A33-3F90-4742-838B-4DBEE00D6B5A}\Microsoft\Outlook Express\Inbox.dbx/[From "Akermani" <akermani@razorusa.com>][Date Wed, 23 Nov 2005 17:47:42 +0100]/Jeffrye.zip Infected: Trojan-Downloader.Win32.Bagle.e
C:\Documents and Settings\Vic\Local Settings\Application Data\Identities\{00223A33-3F90-4742-838B-4DBEE00D6B5A}\Microsoft\Outlook Express\Inbox.dbx/[From "Akermani" <akermani@razorusa.com>][Date Fri, 23 Dec 2005 19:11:15 +0000]/UNNAMED/Jeffrye.zip Infected: Trojan-Downloader.Win32.Bagle.o
C:\Documents and Settings\Vic\Local Settings\Application Data\Identities\{00223A33-3F90-4742-838B-4DBEE00D6B5A}\Microsoft\Outlook Express\Inbox.dbx/[From "Akermani" <akermani@razorusa.com>][Date Fri, 23 Dec 2005 19:11:15 +0000]/UNNAMED Infected: Trojan-Downloader.Win32.Bagle.o
C:\Documents and Settings\Vic\Local Settings\Application Data\Identities\{00223A33-3F90-4742-838B-4DBEE00D6B5A}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Downloader.Win32.Bagle.o
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b
D:\Internet Downloads\blubstersetup250.exe/WISE0013.BIN/data0142 Infected: not-a-virus:AdWare.Win32.HelpExpress
D:\Internet Downloads\blubstersetup250.exe/WISE0013.BIN Infected: not-a-virus:AdWare.Win32.HelpExpress
D:\Internet Downloads\blubstersetup250.exe/WISE0014.BIN/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\blubstersetup250.exe/WISE0014.BIN/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\blubstersetup250.exe/WISE0014.BIN/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\blubstersetup250.exe/WISE0014.BIN/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\blubstersetup250.exe/WISE0014.BIN/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\blubstersetup250.exe/WISE0014.BIN/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\blubstersetup250.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\blubstersetup250.exe/WISE0015.BIN/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor
D:\Internet Downloads\blubstersetup250.exe/WISE0015.BIN/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor
D:\Internet Downloads\blubstersetup250.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Cydoor
D:\Internet Downloads\blubstersetup250.exe Infected: not-a-virus:AdWare.Win32.Cydoor
D:\Internet Downloads\iMeshV4.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.MyWay.k
D:\Internet Downloads\iMeshV4.exe/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet.d
D:\Internet Downloads\iMeshV4.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.EZula.ac
D:\Internet Downloads\iMeshV4.exe/WISE0028.BIN Infected: not-a-virus:AdWare.Win32.Gator.4104
D:\Internet Downloads\iMeshV4.exe Infected: not-a-virus:AdWare.Win32.Gator.4104
D:\Internet Downloads\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
D:\Internet Downloads\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0022.BIN Infected: not-a-virus:AdWare.Win32.180Solutions
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0023.BIN/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0023.BIN/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0023.BIN/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0023.BIN/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0023.BIN/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0023.BIN/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0024.BIN/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0024.BIN/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0024.BIN/WISE0013.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bx
D:\Internet Downloads\P2P Stuff\2findmp3free.exe/WISE0026.BIN Infected: not-a-virus:AdWare.Win32.EZula.bc
D:\Internet Downloads\P2P Stuff\2findmp3free.exe Infected: not-a-virus:AdWare.Win32.EZula.bc
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0015.BIN/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0015.BIN/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0015.BIN/WISE0013.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0016.BIN/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0016.BIN/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0016.BIN/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0016.BIN/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0016.BIN/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0016.BIN/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.180Solutions
D:\Internet Downloads\P2P Stuff\kiwialphafree.exe Infected: not-a-virus:AdWare.Win32.180Solutions
D:\Internet Downloads\P2P Stuff\torrent-2.0.1.exe/data0016/data0002 Infected: not-a-virus:AdWare.Win32.StickyPops.a
D:\Internet Downloads\P2P Stuff\torrent-2.0.1.exe/data0016/data0003 Infected: not-a-virus:AdWare.Win32.StickyPops.a
D:\Internet Downloads\P2P Stuff\torrent-2.0.1.exe/data0016/data0005 Infected: Trojan-Downloader.Win32.Lookme.g
D:\Internet Downloads\P2P Stuff\torrent-2.0.1.exe/data0016/data0006 Infected: Trojan-Dropper.Win32.Agent.og
D:\Internet Downloads\P2P Stuff\torrent-2.0.1.exe/data0016 Infected: Trojan-Dropper.Win32.Agent.og
D:\Internet Downloads\P2P Stuff\torrent-2.0.1.exe Infected: Trojan-Dropper.Win32.Agent.og
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0018.BIN/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0018.BIN/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0018.BIN/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0018.BIN/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0018.BIN/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0018.BIN/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.WebHancer
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bx
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0020.BIN/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0020.BIN/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0020.BIN/WISE0013.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.Exact.a
D:\Internet Downloads\P2P Stuff\twisterfree.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.180Solutions
D:\Internet Downloads\P2P Stuff\twisterfree.exe Infected: not-a-virus:AdWare.Win32.180Solutions
D:\Internet Downloads\P2P Stuff\WarezP2P.exe/data0004/Cabs.w1.cab/HyperbarSS3.dll Infected: not-a-virus:AdWare.Win32.HyperBar.b
D:\Internet Downloads\P2P Stuff\WarezP2P.exe/data0004/Cabs.w1.cab/Hyperbar.dll Infected: not-a-virus:AdWare.Win32.HyperBar.b
D:\Internet Downloads\P2P Stuff\WarezP2P.exe/data0004/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.HyperBar.b
D:\Internet Downloads\P2P Stuff\WarezP2P.exe/data0004 Infected: not-a-virus:AdWare.Win32.HyperBar.b
D:\Internet Downloads\P2P Stuff\WarezP2P.exe Infected: not-a-virus:AdWare.Win32.HyperBar.b
D:\Internet Downloads\rockxp.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
D:\Internet Downloads\rockxp.exe/data.rar/RAS.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
D:\Internet Downloads\rockxp.exe/data.rar/RockXp_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
D:\Internet Downloads\rockxp.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a
D:\Internet Downloads\rockxp.exe Infected: not-a-virus:PSWTool.Win32.RAS.a
D:\Program Files\Torrent Search\Data\CISVCS.EXE/data0002 Infected: not-a-virus:AdWare.Win32.StickyPops.a
D:\Program Files\Torrent Search\Data\CISVCS.EXE/data0003 Infected: not-a-virus:AdWare.Win32.StickyPops.a
D:\Program Files\Torrent Search\Data\CISVCS.EXE/data0005 Infected: Trojan-Downloader.Win32.Lookme.g
D:\Program Files\Torrent Search\Data\CISVCS.EXE/data0006 Infected: Trojan-Dropper.Win32.Agent.og
D:\Program Files\Torrent Search\Data\CISVCS.EXE Infected: Trojan-Dropper.Win32.Agent.og

illukka

2006-03-08, 19:43

hi

thats a lot of infected files :o

you might want to delete those
also empty norton's quarantine

empty JAVA's cache:

1. Go to Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked:

1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

Your scan showed one of more viruses in your Sun Java Runtime Environment (JRE) cache. Delete those by clearing the JRE cache.
To clear the Java Runtime Environment (JRE) cache:
Click Start > Control Panel.
Double-click the Java icon in the control panel.
-The Java Control Panel appears.
Click Settings under Temporary Internet Files.
-The Temporary Files Settings dialog box appears.
Click Delete Files.
-The Delete Temporary Files dialog box appears.
-There are three options on this window to clear the cache.
Delete Files
View Applications
View Applets
Click OK on Delete Temporary Files window.
-Note: This deletes all the Downloaded Applications and Applets from the cache.
Click OK on Temporary Files Settings window.
Close the Java Control Panel
You can view those instructions along with graphics Here (http://www.java.com/en/download/help/5000020300.xml)

post a fresh hjt log when ready

tashi

2006-03-13, 22:34

How is it going Malware Victim?

tashi

2006-03-18, 20:42

Due to lack of a response this topic will be archived.