Smitfraud-C problems! Assistance needed

KOS scan

Wow, this has been an ordeal. Love spending my weekend doing this crap.

I tried to uninstall my Java installations but was unable to because of the following error message:

"The Windows Installer service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

Yeah, no kidding.

Here, finally, is my KOS scan, in two parts due to its size:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 5:42:53 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/03/2008
Kaspersky Anti-Virus database records: 654855
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 89416
Number of viruses found: 19
Number of infected objects: 133
Number of suspicious objects: 100
Duration of the scan process: 01:41:18

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
I can tell you this, the infection we are removing (Smitfraud) is one of the easiest to remove and should not be causing these programs. If you remember, the first thing I had you do was clean the NAV quarantine folder. If you look at the first KOS log you will see this computer has been through some major infections that it appears NAV was able to remove. Most of the junk appears to have infected you via email, I see:
Email-Worm.Win32.NetSky.q
Exploit.HTML.Iframe.FileDownload
Email-Worm.Win32.Zhelatin.o
Email-Worm.Win32.NetSky.j
Email-Worm.Win32.Bagle.fk
Net-Worm.Win32.Mytob.be
Email-Worm.Win32.Bagle.fk
Email-Worm.Win32.Tanatos.b.dam

And these all occurred before the most recent infection, which is of the type usually caused by downloading bad codecs, see this:
http://forums.spybot.info/showthread.php?t=7344
While I cannot say with absolute certainty, it is likely how this infection was acquired, but you are also lucky you did not pick up a Vundo infection running with out-of-date Java.
I suggest you establish a safe procedure for handling incoming email; the infections you have been through are some of the worst there are.
It may be that you should do a repair reinstall of your Operating System, if not a complete reinstallation. This system has been through a lot.

KASPERSKY ONLINE SCANNER REPORT Saturday, March 22, 2008 5:42:53 PM

When you delete stuff, you do realize it goes to the Recycle Bin?

1) C:\WINDOWS\fmsxwqs.exe <<< This is active infection, navigate to it and delete that file in red.

2) C:\Documents and Settings\Authorized User\Desktop\SmitfraudFix\ <<< delete that folder and contents

3) C:\Documents and Settings\Authorized User\Desktop\SmitfraudFix.exe <<< delete that file

4) C:\RECYCLER\ <<< delete the contents of the Recycle Bin on your Desktop

5) Restart the computer

6) Follow these instructions to clean infected System Restore files.
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

If you followed directions, the next KOS scan will be clean. I do not need to see a clean scan; I would like to see a last HJT log.

Thanks
 
KOS Clean!

Phil: Here's my latest HJT log. The KOS was clean.

Whew!

I will update my Java immediately after I post this, and will follow your instructions completely. Incidentally, I tried to uninstall Java using the Add/Remove Programs and it gives me an error saying Windows Installer service is not running and the remove cannot continue. Any other suggestions?

Let me know if there is anything else I should do. I will be repairing my OS, if not a complete reinstall, sometime later this week. For now, I will have to live with things the way they are. Thanks for your advice, I will follow it, and I guess I need to figure out how to prevent so many email infections...

I remember getting lots of emails from people with things attached, and NAV just deleting them. I never thought they would still be hanging around.

Take care, have a great Easter weekend--what's left of it anyway--and thanks again for all your help.

--John


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:52:49 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DCS Loader (DCSLoader) - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHALDCS.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6462 bytes
 
Any other suggestions?
If I did not mention it before, I must have the error messages word for word, exactly as Windows gives them to you.
http://support.microsoft.com/kb/315353
http://support.microsoft.com/kb/315346
http://support.microsoft.com/kb/319624
http://support.microsoft.com/kb/886630/en-us

Start > Control Panel > Security Center and tell me if all three areas are on (green)

Reason I am asking is even though I see your Symantec items in services, I do not see them in running programs. You should update the antivirus program and run a complete system scan watching carefully that all is functioning as it should be. If not, contact:
http://www.symantec.com/enterprise/support/index.jsp

Besides that, I see no malware in the most recent HJT log (9:52:49 PM, on 3/22/2008).

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 