
Registered · 15 Posts · Discussion Starter · #1
Hey,

My computer seems to have slowed down a bit and it did restart automatically a couple of times. On scanning with Spyware Doctor, the following were detected.

Trojan.downloader.small.CML
Trojan.dumaru
worm.wgavn
2-nd-thought.com

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:42:44 PM, on 7/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Plaxo\2.8.1.2\PlaxoHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\pestpatrol5.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Only Much Louder
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\RunOnce: [eISS_licreg] "C:\Program Files\CA\eTrust Internet Security Suite\licreg.exe" /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1118172865937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144925374187
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Can anyone help with this?
 

Administrator · 124,139 Posts
Hi and welcome to TSG,

Download the trial version of Ewido Anti-spyware from HERE and save that file to your desktop. When the trial period expires it becomes freeware with reduced functions, but it is still worth keeping.

  • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

Close Ewido Anti-spyware. Do NOT run a scan yet. We will do that later in safe mode.

  • Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process. Be patient; this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode.

Run ActiveScan online virus scan: here

When the scan is finished, save the results from the scan!

Come back here and post a new HijackThis log along with the logs from the Ewido and Panda scans.

Before you post your next log, please do this:

Go to Start - Run - type in msconfig - click OK and click on the startup tab. Put a check mark beside everything that's listed there please.
 

Registered · 15 Posts · Discussion Starter · #3
Hey,

Here's the Ewido log:

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:59:45 AM 7/18/2006

+ Scan result:

C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Nair\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Nair\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Nair\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\Nair\Cookies\[email protected]evenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Nair\Application Data\Mozilla\Firefox\Profiles\lcrfkng8.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).

::Report end

Here's the ActiveScan report:

Incident Status Location

Adware:adware/powerstrip Not disinfected Windows Registry

And here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:31:29 AM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.8.1.2\PlaxoHelper.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\DAP\DAP.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Only Much Louder
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.8.1.2\PlaxoHelper.exe -a
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1118172865937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144925374187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Thanks. What should I do next?
 

Administrator · 124,139 Posts
Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

F2 - REG:system.ini: Shell=

O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)


Reboot and post a new HijackThis log please.
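An added triage helper (written for this page; it is not the thread's or HijackThis's own code) that picks out, from HijackThis v1.99 log lines, the two kinds of entry the Administrator just asked to have fixed: an F2 Shell= value that is not Explorer.exe, and an O20 Winlogon Notify hook whose DLL is missing. It also checks hosts-file lines for names pinned to 127.0.0.1, the kind of redirect the Spyware Doctor report further down the thread lists; the security-vendor hint list and the sample hosts lines are constructed for the example, and the HijackThis sample lines are copied from the logs posted above.

```python
import re
from dataclasses import dataclass

# A HijackThis v1.99 entry line: section code, " - ", then the entry body.
HJT_ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# The Winlogon Shell value normally reads Explorer.exe; HijackThis prints an
# F2 Shell= line only when the registry value differs from that default.
EXPECTED_SHELL = "explorer.exe"

# Hostname fragments of update/download servers for security products.
# Constructed list for this example, not an authoritative one: a hosts-file
# entry pinning one of these to 127.0.0.1 silently breaks signature updates.
SECURITY_VENDOR_HINTS = ("kaspersky", "grisoft", "symantec", "mcafee",
                         "windowsupdate", "microsoftupdate", "pandasoftware")

HOSTS_LINE = re.compile(r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high" or "low"
    reason: str
    line: str


def triage_hjt(lines):
    """Return the HijackThis entries a responder should look at first."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if not m:
            continue  # log header, process list, blank line
        section, body = m.group("section"), m.group("body")
        if section == "F2" and "Shell=" in body:
            shell = body.split("Shell=", 1)[1].strip().strip('"')
            if shell.lower() != EXPECTED_SHELL:
                findings.append(Finding(section, "high",
                    "Winlogon Shell is %r instead of Explorer.exe" % shell, line))
        elif section == "O20" and "(file missing)" in body:
            # A Winlogon Notify package whose DLL is gone is a dangling hook
            # left behind by something removed or never fully installed.
            findings.append(Finding(section, "high",
                "Winlogon Notify hook points at a DLL that is not on disk", line))
        elif "(file missing)" in body:
            # Toolbars, buttons and protocol handlers with no file are
            # clutter rather than running code; note them, rank them low.
            findings.append(Finding(section, "low",
                "orphaned entry, target file missing", line))
    return findings


def hosts_redirects(lines):
    """Names a hosts file pins to loopback, other than localhost itself.

    Returns (ip, host, looks_like_security_vendor) tuples. Ad-blocking lists
    legitimately map ad hosts to 127.0.0.1, so the third field separates a
    benign block from one aimed at a security product's update server.
    """
    hits = []
    for raw in lines:
        m = HOSTS_LINE.match(raw.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        ip, host = m.group("ip"), m.group("host").lower()
        if ip.startswith("127.") and host not in ("localhost", "localhost.localdomain"):
            vendor = any(hint in host for hint in SECURITY_VENDOR_HINTS)
            hits.append((ip, host, vendor))
    return hits


# Sample input: entry lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
""".splitlines()

# Constructed hosts file; the last line is the redirect Spyware Doctor reported.
SAMPLE_HOSTS = """
127.0.0.1       localhost
127.0.0.1       ads.example.invalid          # typical ad-block line, benign
127.0.0.1       downloads-eu1.kaspersky-labs.com
""".splitlines()


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print("[%s] %s: %s" % (f.severity.upper(), f.reason, f.line))
    for ip, host, vendor in hosts_redirects(SAMPLE_HOSTS):
        print("hosts: %s -> %s%s" % (host, ip, "  (security vendor)" if vendor else ""))
```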
 

Registered · 15 Posts · Discussion Starter · #5
Fixed the entries.

Here's the log after restarting. FYI, every 15-20 mins for the past month or so, there's a pop-up window on the task bar that opens and shuts in a second.

Logfile of HijackThis v1.99.1
Scan saved at 9:10:05 AM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.8.1.2\PlaxoHelper.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Only Much Louder
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.8.1.2\PlaxoHelper.exe -a
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1118172865937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144925374187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
 

Registered · 15 Posts · Discussion Starter · #7
Hey,

Spyware Doctor still detects:
Trojan.downloader.small.CML
Trojan.dumaru
worm.wgavn

The pop-up still keeps coming. Although there is no title in it ... it just comes on for a second on the taskbar every 10-15 mins and disappears. It doesn't even "pop up" per se.
 

Registered · 15 Posts · Discussion Starter · #9
Scan Results:
scan start: 7/19/2006 2:45:21 AM
scan stop: 7/19/2006 2:58:11 AM
scanned items: 123661
found items: 32
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner

Infection Name Location Risk
Possible Website Hijack (0) 127.0.0.1 downloads-eu1.kaspersky-labs.com High
Tracking Cookie(s) C:\Documents and Settings\Nair\Cookies\[email protected][2].txt Low
Tracking Cookie(s) C:\Documents and Settings\Nair\Cookies\[email protected][2].txt Low
Worm.WGAVN C:\WINDOWS\Debug\DCPROMO.LOG High
Trojan.Dumaru C:\WINDOWS\rundlln.sys High
Trojan.Dumaru C:\WINDOWS\Temp\fa4537ef.tmp High
Trojan.Dumaru C:\WINDOWS\Temp\feff35a0.htm High
Advertising cookies.txt - Line #13 Low
Advertising cookies.txt - Line #16 Low
Tracking Cookie(s) cookies.txt - Line #31 Low
Tracking Cookie(s) cookies.txt - Line #32 Low
Tracking Cookie(s) cookies.txt - Line #33 Low
Advertising cookies.txt - Line #36 Low
Advertising cookies.txt - Line #37 Low
Tracking Cookie(s) cookies.txt - Line #57 Low
Advertising cookies.txt - Line #58 Low
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR## High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##BPTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Brnd High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##BSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Data High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##LID High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##LSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##MSLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##OCCUR High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##PID High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##PSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Rid High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SCLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SSLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SSTV High
 

Administrator · 124,139 Posts
Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don’t do anything with it yet!

Click here for info on how to boot to safe mode if you don't already know how.

Reboot into Safe Mode.

Double click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient and let it complete.

Reboot back to Normal Mode!

  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Copy and paste WinPFind.txt in your next post here please.
 

Registered · 15 Posts · Discussion Starter · #11
Here it is:

Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/23/2001 5:30:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 8/10/2005 3:44:00 AM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 8/10/2005 3:44:00 AM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
aspack 7/7/2006 6:51:46 AM 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:26:36 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:26:44 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 5:30:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 5/25/2006 1:23:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 5/25/2006 1:23:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 5/25/2006 1:23:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 5/25/2006 1:23:30 AM 776096 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/4/2004 11:11:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
7/20/2006 1:18:54 AM S 2048 C:\WINDOWS\bootstat.dat
7/19/2006 10:50:18 PM H 54156 C:\WINDOWS\QTFont.qfn
5/29/2006 9:46:00 PM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB916281.cat
6/2/2006 1:58:56 AM S 11043 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918439.cat
7/20/2006 1:18:44 AM H 8192 C:\WINDOWS\system32\config\default.LOG
7/20/2006 1:19:10 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
7/20/2006 1:18:56 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
7/20/2006 1:19:12 AM H 61440 C:\WINDOWS\system32\config\software.LOG
7/20/2006 1:19:04 AM H 1093632 C:\WINDOWS\system32\config\system.LOG
7/15/2006 12:55:26 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
6/9/2006 8:52:16 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\c01ce680-ecca-4738-8d12-d2ffca95a434
6/9/2006 8:52:16 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/20/2006 1:17:48 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:26:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 4/6/2003 9:44:30 PM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Ahead Software AG 11/30/2004 12:28:36 PM 86094 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 9:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 5:30:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 5:30:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 5:30:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 5:30:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 380416 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 5:30:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 5:30:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 5:30:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/23/2001 5:30:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 1:26:58 PM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation 4/6/2003 9:44:30 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0008\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
6/9/2005 11:12:04 PM 986 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
6/8/2006 3:28:50 PM 1802 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
6/7/2005 12:07:56 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
6/7/2005 5:27:36 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
4/14/2006 2:12:50 AM 1213 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
6/7/2005 12:07:56 AM HS 84 C:\Documents and Settings\Nair\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...

Items found in C:\Documents and Settings\Nair\Application Data\.googlewebacchosts

5/6/2006 3:21:00 AM 4333 C:\Documents and Settings\Nair\Application Data\.googlewebacchosts
6/7/2005 5:27:36 AM HS 62 C:\Documents and Settings\Nair\Application Data\desktop.ini
6/17/2006 12:35:22 AM 5475 C:\Documents and Settings\Nair\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BitDefender Antivirus v7
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
PCTools Site Guard = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69A87B7D-DE56-4136-9655-716BA50C19C7}
&Google Web Accelerator Helper = C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}
PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{62999427-33FC-4baf-9C9C-BCE6BD127F08} = DAP Bar : C:\Program Files\DAP\DAPIEBar.dll
{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} = Google Web Accelerator : C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}
ButtonText = Spyware Doctor :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
ButtonText = Run DAP : C:\PROGRA~1\DAP\DAP.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} = Google Web Accelerator : C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
type32 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
Cmaudio RunDll32 cmicnfg.cpl,CMICtrlWnd
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Google Desktop Search "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
IntelliPoint "C:\Program Files\Microsoft IntelliPoint\point32.exe"
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
HP Software Update C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
WinampAgent "C:\Program Files\Winamp\Winampa.exe"
!ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
NBJ "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
Yahoo! Pager "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
RealPlayer "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
PlaxoUpdate C:\Program Files\Plaxo\2.8.1.2\PlaxoHelper.exe -a

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoWelcomeScreen 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ComDlg32

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 7/20/2006 1:27:05 AM
 

Administrator · 124,139 Posts
Download RootkitRevealer from here (link is at the very bottom of the page).
  • Unzip it to your desktop.
  • Open the RootkitRevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File - Save. Choose to save it to your desktop.
  • Open RootkitRevealer.txt on your desktop and copy the entire contents and paste them here.
 

Registered · 15 Posts · Discussion Starter · #13
Here's the rootkit log:

C:\System Volume Information\catalog.wci\00010006.ci 7/20/2006 2:39 AM 572.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010006.dir 7/20/2006 2:39 AM 3.05 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010007.ci 7/20/2006 2:39 AM 580.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010007.dir 7/20/2006 2:39 AM 3.25 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010008.ci 7/20/2006 2:39 AM 572.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010008.dir 7/20/2006 2:39 AM 3.14 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010009.ci 7/20/2006 2:39 AM 572.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010009.dir 7/20/2006 2:39 AM 2.99 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000A.ci 7/20/2006 2:39 AM 584.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000A.dir 7/20/2006 2:39 AM 3.19 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000B.ci 7/20/2006 2:39 AM 584.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000B.dir 7/20/2006 2:39 AM 3.15 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000C.ci 7/20/2006 2:39 AM 580.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000C.dir 7/20/2006 2:39 AM 3.18 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000D.ci 7/20/2006 2:39 AM 572.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000D.dir 7/20/2006 2:39 AM 2.96 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000E.ci 7/20/2006 2:43 AM 248.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000E.dir 7/20/2006 2:43 AM 1.54 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.000 7/20/2006 2:28 AM 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.001 7/20/2006 2:28 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.002 7/20/2006 2:28 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.000 7/20/2006 2:43 AM 240 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.001 7/20/2006 2:43 AM 64.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.002 7/20/2006 2:43 AM 64.00 KB Hidden from Windows API.
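A triage pass over RootkitRevealer output like the log above, written here as an added example (not a tool from the thread or from Sysinternals): it parses each discrepancy line, separates "hidden from the Windows API" from "visible in the API but missing from the MFT", and treats the Indexing Service catalog files under System Volume Information\catalog.wci as scan-time noise. That benign-prefix rule is an assumption the thread does not state, and example_hidden.sys is a constructed line, not one from the posted log.

```python
"""Triage RootkitRevealer discrepancies (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# One RootkitRevealer line: <path> <m/d/yyyy h:mm AM|PM> <size> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<num>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB|GB)\s+"
    r"(?P<desc>.+?)\s*$"
)
_UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Assumption (not stated in the thread): the Indexing Service rewrites its
# catalogs under System Volume Information\catalog.wci while the scan runs,
# so discrepancies there are expected noise rather than rootkit activity.
BENIGN_PREFIXES = ("c:\\system volume information\\catalog.wci\\",)


@dataclass
class Entry:
    path: str
    when: str
    size: int       # bytes
    desc: str
    kind: str       # "hidden", "api_only" or "other"
    verdict: str    # "noise" or "review"


def classify(desc: str) -> str:
    """Map RootkitRevealer's description to the kind of discrepancy."""
    d = desc.lower()
    if d.startswith("hidden from windows api"):
        return "hidden"     # raw disk read sees it, the Windows API does not
    if d.startswith("visible in windows api"):
        return "api_only"   # the API sees it, raw MFT/directory read does not
    return "other"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, blanks or garbage."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = int(round(float(m["num"]) * _UNIT[m["unit"]]))
    benign = m["path"].lower().startswith(BENIGN_PREFIXES)
    return Entry(m["path"], m["when"], size, m["desc"],
                 classify(m["desc"]), "noise" if benign else "review")


def triage(log_text: str) -> dict:
    """Summarise a whole log: counts per kind and the paths worth a look."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "total": len(entries),
        "hidden": sum(e.kind == "hidden" for e in entries),
        "api_only": sum(e.kind == "api_only" for e in entries),
        "noise": sum(e.verdict == "noise" for e in entries),
        "review": [e.path for e in entries if e.verdict == "review"],
    }


# Constructed sample: three lines copied from the log above plus one made-up
# driver (example_hidden.sys) to show what a line needing review looks like.
SAMPLE_LOG = r"""
C:\System Volume Information\catalog.wci\00010006.ci 7/20/2006 2:39 AM 572.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.000 7/20/2006 2:28 AM 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.001 7/20/2006 2:43 AM 64.00 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\example_hidden.sys 7/20/2006 2:40 AM 12.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total']} discrepancies, {summary['noise']} known noise")
    for path in summary["review"]:
        print("REVIEW:", path)
```

A discrepancy that survives the noise filter still needs confirmation (file hash, signature, a second scan after reboot) before anything is deleted; the parser only orders the work.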
 

Administrator · 124,139 Posts
Download the Hoster from here. Unzip the file, press "Restore Original Hosts" and press "OK". Exit the program.

I'm attaching a FixMssmgr.zip file to this post. Save it to your desktop but don't do anything with it yet.

Click Here and download Killbox and save it to your desktop but don’t run it yet.

Then boot to safe mode:

How to restart to safe mode

Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\WINDOWS\Debug\DCPROMO.LOG

    C:\WINDOWS\rundlln.sys

    C:\WINDOWS\Temp\fa4537ef.tmp

    C:\WINDOWS\Temp\feff35a0.htm

  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Next in Killbox go to Tools > Delete Temp Files
  • In the window that pops up, put a check by ALL the options there except these three:
    • XP Prefetch
    • Recent
    • History
  • Now click the Delete Selected Temp Files button.
  • Exit the Killbox.

While still in safe mode, unzip the FixMssmgr.zip file that you saved to your desktop, double-click on the Fix Mssmgr.reg file and allow it to enter into the registry.

Reboot and rescan with Spyware Doctor and post the results please.
 

Registered · 15 Posts · Discussion Starter · #17
It's still there!! And the pop-ups as well; Spyware Doctor had detected it as Adservice Scanner a couple of months ago when the problem had started.

Spyware Doc Log.

Infection Name Location Risk
Tracking Cookie(s) C:\Documents and Settings\Nair\Cookies\[email protected][2].txt Low
eXact Advertising cookies.txt - Line #111 Elevated
eXact Advertising cookies.txt - Line #112 Elevated
eXact Advertising cookies.txt - Line #113 Elevated
eXact Advertising cookies.txt - Line #114 Elevated
eXact Advertising cookies.txt - Line #115 Elevated
eXact Advertising cookies.txt - Line #116 Elevated
eXact Advertising cookies.txt - Line #117 Elevated
Advertising cookies.txt - Line #120 Low
Advertising cookies.txt - Line #121 Low
Tracking Cookie(s) cookies.txt - Line #122 Low
Tracking Cookie(s) cookies.txt - Line #123 Low
Advertising cookies.txt - Line #124 Low
Tracking Cookie(s) cookies.txt - Line #125 Low
Advertising cookies.txt - Line #126 Low
Advertising cookies.txt - Line #131 Low
Advertising cookies.txt - Line #132 Low
Advertising cookies.txt - Line #133 Low
Tracking Cookie(s) cookies.txt - Line #134 Low
Tracking Cookie(s) cookies.txt - Line #140 Low
Tracking Cookie(s) cookies.txt - Line #149 Low
Advertising cookies.txt - Line #156 Low
Advertising cookies.txt - Line #18 Low
Advertising cookies.txt - Line #19 Low
Advertising cookies.txt - Line #194 Low
Advertising cookies.txt - Line #20 Low
Advertising cookies.txt - Line #21 Low
Tracking Cookie(s) cookies.txt - Line #23 Low
Tracking Cookie(s) cookies.txt - Line #28 Low
Advertising cookies.txt - Line #31 Low
Advertising cookies.txt - Line #38 Low
Advertising cookies.txt - Line #39 Low
Tracking Cookie(s) cookies.txt - Line #40 Low
Tracking Cookie(s) cookies.txt - Line #41 Low
Tracking Cookie(s) cookies.txt - Line #42 Low
Advertising cookies.txt - Line #43 Low
Advertising cookies.txt - Line #44 Low
Advertising cookies.txt - Line #58 Low
Advertising cookies.txt - Line #64 Low
Advertising cookies.txt - Line #65 Low
Advertising cookies.txt - Line #66 Low
Advertising cookies.txt - Line #67 Low
Tracking Cookie(s) cookies.txt - Line #72 Low
Advertising cookies.txt - Line #77 Low
Advertising cookies.txt - Line #78 Low
Advertising cookies.txt - Line #79 Low
Advertising cookies.txt - Line #80 Low
Advertising cookies.txt - Line #81 Low
Advertising cookies.txt - Line #82 Low
Advertising cookies.txt - Line #83 Low
Advertising cookies.txt - Line #84 Low
Advertising cookies.txt - Line #85 Low
Tracking Cookie(s) cookies.txt - Line #91 Low
Tracking Cookie(s) cookies.txt - Line #94 Low
Tracking Cookie(s) cookies.txt - Line #95 Low
BookedSpace HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping##{669695BC-A811-4A9D-8CDF-BA8C795F261C} Elevated
BookedSpace HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C} Elevated
BookedSpace HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C}## Elevated
BookedSpace HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C}\iexplore Elevated
BookedSpace HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C}\iexplore## Elevated
BookedSpace HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C}\iexplore##Count Elevated
BookedSpace HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C}\iexplore##Time Elevated
BookedSpace HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C}\iexplore##Type Elevated
BookedSpace HKLM\Software\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C} Elevated
BookedSpace HKLM\Software\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C}## Elevated
BookedSpace HKLM\Software\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C}##ButtonText Elevated
BookedSpace HKLM\Software\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C}##CLSID Elevated
BookedSpace HKLM\Software\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C}##Default Visible Elevated
BookedSpace HKLM\Software\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C}##Exec Elevated
BookedSpace HKLM\Software\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C}##HotIcon Elevated
BookedSpace HKLM\Software\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C}##Icon Elevated
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR## High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##BPTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Brnd High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##BSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Data High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##LID High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##LSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##MSLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##OCCUR High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##PID High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##PSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Rid High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SCLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SSLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SSTV High
 

Administrator · 124,139 Posts
Run the Kaspersky online virus scan here.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!
 

Registered · 15 Posts · Discussion Starter · #19
This one found many viruses! The report is really big, so I will break it up into 2-3 messages.

KASPERSKY ONLINE SCANNER REPORT
Thursday, July 27, 2006 8:52:05 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/07/2006
Kaspersky Anti-Virus database records: 210115
Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target: My Computer
C:\
D:\
E:\
J:\
K:\
Z:\
Scan Statistics
Total number of scanned objects: 78352
Number of viruses found: 7
Number of infected objects: 105 / 0
Number of suspicious objects: 51
Duration of the scan process: 01:11:35

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nair\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\Nair\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\dbdam Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\dbdao Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\dbeam Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\dbeao Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\dbm Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\fii.cf1 Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\hp Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Google\Google Desktop Search\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nair\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nair\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Nair\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010002.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{37F05884-D7A4-4481-A794-14275F4E281F}\RP307\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\a Infected: Trojan-Downloader.BAT.Ftp.j skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
 

Registered · 15 Posts · Discussion Starter · #20
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060603-010811.backup Infected: Trojan.Win32.Qhost.a skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\Logfiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7f0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
K:\d\MIRC\MIRC32.EXE Infected: not-a-virus:Client-IRC.Win32.mIRC.59 skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From ... /[From Smith Barney ][Date Sat, 18 Dec 2004 20:40:57 -0400]/html Infected: Trojan-Spy.HTML.Smitfraud.c skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Ly ... /[Fro ... ... /[From "Schultz" ][Date Thu, 16 Dec 2004 07:21:36 -0600]/html Infected: Trojan-Spy.HTML.Smitfraud.c skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Ly ... /[Fro ... /[From "Macy Wade" ][Date Thu, 16 Dec 2004 08:16:38 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Ly ... /[From "Neely Arlie" ][Date Thu, 16 Dec 2004 08:16:19 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Lynette Little" ][Date Thu, 16 Dec 2004 12:07:00 -0200]/text Infected: Trojan-Spy.HTML.Smitfraud.c skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Waldo Boyer" Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Waldo Boyer" Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Waldo Boyer" Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Waldo Boyer" ][Date Wed, 22 Dec 2004 09:23:50 -0400]/text Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From [email protected]][Date Thu, 23 Dec 2004 21:36:44 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From [email protected]][Date Thu, 23 Dec 2004 21:36:44 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From [email protected]][Date Thu, 23 Dec 2004 21:36:44 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From [email protected]][Date Thu, ... /[From [email protected]][Date Thu, 23 Dec 2004 21:37: ... /message.pif Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From [email protected]][Date Thu, ... /[From [email protected]][Date Thu, 23 Dec 2004 21:37:12 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From [email protected]][Date Thu, ... /[From [email protected]][Date Thu, 23 Dec 2004 21:37:12 +053 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From [email protected]][Date Thu, ... /[From [email protected]][Date Thu, 23 Dec 2004 21:37:12 +0530]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From [email protected]][Date ... /[From [email protected]][Date Thu, 23 Dec 2004 21:37:12 +0530]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From [email protected]][Date Thu, 23 Dec 2004 21:36:44 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Stephanie Yang" < ... /[From [email protected]][Date Fri, 24 Dec 2004 22:30:39 +053 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Stephanie Yang" < ... /[From [email protected]][Date Fri, 24 Dec 2004 22:30:39 +0530]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Stephanie Yan ... /[From [email protected]][Date Fri, 24 Dec 2004 22:30:39 +0530]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Stephani ... /[From "connie james" ][Date Sat, 25 Dec 2004 07:12:01 +050 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Stephani ... /[From "connie james" ][Date Sat, 25 Dec 2004 07:12:01 +0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Step ... /[From "connie james" ][Date Sat, 25 Dec 2004 07:12:01 +0500]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Steph ... /[From "Megan Dickinson" ][Date Sun, 26 Dec 2004 02:43:10 +000 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Steph ... /[From "Megan Dickinson" ][Date Sun, 26 Dec 2004 02:43:10 +0000]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "S ... /[From "Megan Dickinson" ][Date Sun, 26 Dec 2004 02:43:10 +0000]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html/[From "Stephanie Yang" ][Date Fri, 24 Dec 2004 15:00:42 -0100]/text Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Jamar Hannah" ][Date Thu, 16 Dec 2004 15:54:29 +0000]/html Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From Priscilla Kent ][Date Sun, 26 Dec 2004 17:36:40 -0500]/UNNAMED/[From [email protected]][Date Sun, 26 Dec 2004 08:06:24 +0000]/html Infected: Trojan-Spy.HTML.Bankfraud.bv skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From Priscilla Kent ][Date Sun, 26 Dec 2004 17:36:40 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.bv skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From ENCORE Newsletter ][Date Thu, 27 Jan 2005 19:00:56 ... /[From Smith Barney ][Date Fri, 18 Feb 2005 07:27:01 -0400]/html Infected: Trojan-Spy.HTML.Smitfraud.c skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From ENCORE Newsletter ][Date Thu, 27 Jan 2005 19:00:56 -0700 (MST)]/UNNAMED/[F ... /[From "Huge P. Ness" ][Date Thu, 17 Feb 2005 23:15:50 +1100]/text Infected: Trojan-Spy.HTML.Smitfraud.c skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From ENCORE Newsletter ][Date Thu, 27 Jan 2005 19:00:56 -0700 (MST)]/UNNAMED/[From "Leonard Travis" ][Date Fri, 28 Jan 2005 08:46:11 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From ENCORE Newsletter ][Date Thu, 27 Jan 2005 19:00:56 -0700 (MST)]/UNNAMED Infected: Trojan-Spy.HTML.Smitfraud.c skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Hollie" ][Date Tue, 22 Feb 2005 16:40:32 -0300]/UNNAMED/[From [email protected]][Date Sat, ... /[From [email protected]][Date Sat, 5 Mar 2005 19:21:42 + .. ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Hollie" ][Date Tue, 22 Feb 2005 16:40:32 -0300]/UNNAMED/[From [email protected]][Date Sat, ... /[From [email protected]][Date Sat, 5 Mar 2005 19:21:42 + ... /UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Hollie" ][Date Tue, 22 Feb 2005 16:40:32 -0300]/UNNAMED/[From [email protected]][Date Sat, ... /[From [email protected]][Date Sat, 5 Mar 2005 19:21: ... /message.scr Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Hollie" ][Date Tue, 22 Feb 2005 16: ... /[From "Miracle Heal ... /[From "List Name" ][Date Sat, 05 Mar 2005 09:30:21 -080 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Hollie" ][Date Tue, 22 Feb 2005 16: ... /[From "Miracle Heal ... /[From "List Name" ][Date Sat, 05 Mar 2005 09:30:21 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Hollie" ][Date Tue, 22 Feb 2005 16: ... /[From "Miracle ... /[From "List Name" ][Date Sat, 05 Mar 2005 09:30:21 -0800]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Hollie" ][Date Tue, 22 Feb 2005 16: ... /[From "Miracle Health Newsletter" ][Date Sat, 05 Mar 2005 07:55:43 -0800]/html Infected: Email-Worm.Win32.NetSky.q skipped
K:\Imp Backup\Thunderbird Mails\Thunderbird\Profiles\5co2zkbj.default\Mail\Local Folders\Inbox/[From AtlasPlugged Newsletter ][Date Wed, 15 Dec 2004 14:26:03 -0800]/UNNAMED/[From "Logan Taylor" ][Date Thu, 16 Dec 2004 12:30:48 +0600]/UNNAMED/[From "Dolores Jimenez" ][Date Thu, 16 Dec 2004 13:01:22 +0100]/UNNAMED/[From "Hollie" ][Date Tue, 22 Feb 2005 16:40:32 -0300]/UNNAMED/[From ... /[From "GreatOffers" ][Date Sat, 05 Mar 2005 06:34:17 -0800]/html
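
The report above mixes a handful of real detections with over a hundred "Object is locked" lines, which is why it had to be split across posts. The script below is an added example, not something posted in this thread or shipped by Kaspersky: it parses the report's line format as shown above, drops the locked-file noise, and buckets each detection by where it sits (a file on a mounted volume, a message part inside a mailbox store, or Kaspersky's "not-a-virus:" riskware class). The sample lines are constructed for the example, with the Thunderbird mailbox paths shortened and the senders invented; the bucket names and the locked/live/mail/riskware split are this example's own triage scheme, not categories the scanner defines.

```python
"""Triage the text report produced by the 2006-era Kaspersky Online Scanner.

Each result line has the form "<object> <verdict> <last action>". The verdict is
"Object is locked" when the scanner could not open the file (registry hives,
event logs, index files held by the running system; these are not detections),
or "Infected: <name>" / "Suspicious: <name>" for a real hit. Objects inside a
mail store are reported as "<mbox>/[From ...][Date ...]/<part>", so the path
alone shows whether a hit sits on the live system or inside an archived message.
"""
import re
from collections import Counter

# Constructed sample, modelled on the report posted in this thread. The mail
# store paths are shortened and the senders invented; the real entries nest
# every MIME part under its parent message and run to hundreds of characters.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\a Infected: Trojan-Downloader.BAT.Ftp.j skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060603-010811.backup Infected: Trojan.Win32.Qhost.a skipped
K:\d\MIRC\MIRC32.EXE Infected: not-a-virus:Client-IRC.Win32.mIRC.59 skipped
K:\Backup\Thunderbird\Inbox/[From "Sender One" ][Date Wed, 22 Dec 2004 09:23:50 -0400]/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
K:\Backup\Thunderbird\Inbox/[From "Sender Two" ][Date Thu, 23 Dec 2004 21:36:44 +0530]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
"""

# "<path> Object is locked <action>": the scanner could not read the object.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
# "<path> Infected: <name> <action>" or "<path> Suspicious: <name> <action>".
# The name is one token but may itself contain ':' (e.g. "not-a-virus:...").
DETECT_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$"
)
# A "/[From ...][Date ..." component means the object is a part of an archived
# message inside a mailbox file, not a file on disk in its own right.
MAIL_PART_RE = re.compile(r"/\[From .*?\]\[Date ")


def parse_report(text):
    """Turn report lines into dicts with path, status, name and action."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Infected Object Name"):
            continue  # blank line or the column header
        m = DETECT_RE.match(line)
        if m:
            findings.append({"path": m["path"], "status": m["status"],
                             "name": m["name"], "action": m["action"]})
            continue
        m = LOCKED_RE.match(line)
        if m:
            findings.append({"path": m["path"], "status": "locked",
                             "name": None, "action": m["action"]})
    return findings


def triage(findings):
    """Separate locked-file noise from detections and bucket the detections.

    Buckets are an assumption of this example, not Kaspersky's own categories:
      live_system  - a file on a mounted volume, reachable by the OS as-is
      mail_archive - a message part inside a mailbox store (inert until saved out)
      riskware     - Kaspersky's "not-a-virus:" prefix (e.g. an IRC client)
    """
    result = {"locked": 0, "by_name": Counter(),
              "live_system": [], "mail_archive": [], "riskware": []}
    for f in findings:
        if f["status"] == "locked":
            result["locked"] += 1
            continue
        result["by_name"][f["name"]] += 1
        if f["name"].startswith("not-a-virus:"):
            result["riskware"].append(f)
        elif MAIL_PART_RE.search(f["path"]):
            result["mail_archive"].append(f)
        else:
            result["live_system"].append(f)
    return result


if __name__ == "__main__":
    t = triage(parse_report(SAMPLE_REPORT))
    print(f"locked (not detections): {t['locked']}")
    for bucket in ("live_system", "mail_archive", "riskware"):
        print(f"{bucket}: {len(t[bucket])}")
        for f in t[bucket]:
            print(f"  {f['status']:<10} {f['name']:<45} {f['path']}")
    print("by detection name:", dict(t["by_name"]))
```

Run against the full report, the split points at what matters: every "Object is locked" entry is a hive, log or index the running system holds open and carries no verdict; the two hits on C: (the file `C:\WINDOWS\system32\a` flagged as Trojan-Downloader.BAT.Ftp.j, and a dated backup copy of the hosts file flagged as Trojan.Win32.Qhost.a, with the active hosts file not listed) are the ones to deal with first; the many hits under K: are NetSky attachments and Smitfraud/Bankfraud phishing HTML inside a Thunderbird mailbox backup, which cannot execute from inside the mbox but will be reported on every scan until those messages are deleted and the folder compacted. Note also that every "Last Action" in the report reads "skipped": the online scanner only reports, so nothing here has been removed yet.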
 