Win32.TrojanSpy.Goldun, TagASaurus and Coolwebsearch

Unread postby Bstuff » July 12th, 2007, 1:30 am

Great forum here... love the concept of teaching people to help themselves.

My XP (SP2) PC rebooted itself for no reason 2 days ago... I ran Ad-Aware and Spybot Search & Destroy and both found half a dozen or more items that looked dangerous. I'm not prone to picking up a lot of viruses usually and this was unusual.

I let both programs auto clean and spybot wanted to run again on bootup.

I rebooted and ran both programs again... Spybot still picked up TagASaurus but adaware showed up clear. I was busy at the time and possibly stupidly decided to work it out later... then forgot.

Today the PC rebooted for no apparent reason again (I don't have any MS or other autoupdates activated that might reboot the PC themselves, that I am aware of).

I ran both Ad-Aware and Spybot again and this time there were maybe a dozen items... including one I know that I REALLY don't want to have, Win32.TrojanSpy.Goldun, which is designed to steal e-gold (which I use).

Anyway... better not make this story too long... after running those two they don't seem to be able to get rid of Win32.TrojanSpy.Goldun or TagASaurus or Coolwebsearch.

I did a bit of a search around the forum and found 2 threads where people got some help with a similar Goldun trojan before:
http://www.malwareremoval.com/forum/viewtopic.php?t=14728
and
http://www.malwareremoval.com/forum/viewtopic.php?t=14033

and tried to follow those instructions... but sadly the HaxFix utility mentioned in them doesn't pick up this version of Goldun :(

anyway... here is the logfile from HaxFix:

HAXFIX logfile - by Marckie

version 4.47
Thu 12/07/2007 14:30:18.29

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
Aspi32

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


--- Catchme logfile - thank you Gmer ---

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-12 14:30:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\setupact.log:cvnlxj 9728 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\OEWABLog.txt:tlzcmb 9728 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt:ongqso 11336 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.1:ongqso 11336 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.10:ongqso 11336 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.11:ongqso 11336 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.2:ongqso 11336 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.3:ongqso 11336 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.4:ongqso 11336 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.5:ongqso 11336 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.6:ongqso 11336 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.7:ongqso 11336 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.8:ongqso 11336 bytes executable
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.9:ongqso 11336 bytes executable
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\QV0TMR2L\search[1].: 7324 bytes hidden from API
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\S52Z4T2J\search[1].: 7001 bytes hidden from API
C:\serv.txt

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 17


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!



and here is the HijackThis logfile

Logfile of HijackThis v1.99.1
Scan saved at 3:18:31 PM, on 12/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
F:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
F:\Program Files\Maxthon\Maxthon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\SpamBayes\bin\sb_tray.exe
F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.optusnet.com.au/ho.op/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mule:8080
R3 - URLSearchHook: OI toolbar - {4319648b-98dc-4101-80c9-62f553da51de} - C:\Program Files\OI\tbOI.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O2 - BHO: OI toolbar - {4319648b-98dc-4101-80c9-62f553da51de} - C:\Program Files\OI\tbOI.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Program Files\Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Roboform\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: OI toolbar - {4319648b-98dc-4101-80c9-62f553da51de} - C:\Program Files\OI\tbOI.dll
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SunServer] F:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: SpamBayes Tray Icon.lnk = C:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://F:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Customize Menu - file://F:\Program Files\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Image: Show Server Response - C:\Program Files\IE Booster\link-show-server-response.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Link: Open in New Minimized Window - C:\Program Files\IE Booster\link-open-minimized.html
O8 - Extra context menu item: IEB: Link: Show Server Response - C:\Program Files\IE Booster\link-show-server-response.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Page: Show TABLE, FORM and DIV Borders - C:\Program Files\IE Booster\page-show-table-structure.htm
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O8 - Extra context menu item: MT It! - http://www.abuseblog.com/cgi-bin/mt.cgi ... height=540
O8 - Extra context menu item: RoboForm Toolbar - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://www.indirectlinking.com
O15 - Trusted Zone: *.indirectlinking.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com/Java/cfs40320.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) -
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.bank.com.au/wtpbs/wtBala ... agerwt.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: UQLBGFKXT - Unknown owner - C:\DOCUME~1\Default\LOCALS~1\Temp\UQLBGFKXT.exe (file missing)

Bstuff
Regular Member
 
Posts: 23
Joined: July 12th, 2007, 12:48 am
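The two logs above are the raw material a helper triages by hand: the catchme section lists files hidden from the Windows API, several of them executables stored in NTFS alternate data streams of innocuous Spybot backup files (the `file:stream` syntax), and the HijackThis log carries entries such as an O23 service with an unknown owner and a missing binary under a Temp directory, two O15 Trusted Zone additions, an R1 proxy setting and an O2 BHO with no file. The script below is an added example, not a MalwareRemoval.com tool and not part of HijackThis, catchme or HaxFix; it parses those two line formats as they appear in this thread and flags the entry types a helper looks at first. The sample lines are a small subset copied from the logs above, and the severity rules are this example's own assumptions, not a published ruleset.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: a handful of lines copied from the catchme and
# HijackThis logs posted in this thread.
CATCHME_SAMPLE = r"""
scanning hidden files ...

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\setupact.log:cvnlxj 9728 bytes executable
C:\Documents and Settings\Default\Local Settings\Temporary Internet Files\Content.IE5\QV0TMR2L\search[1].: 7324 bytes hidden from API
C:\serv.txt

scan completed successfully
hidden files: 3
"""

HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mule:8080
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.indirectlinking.com
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -
O23 - Service: UQLBGFKXT - Unknown owner - C:\DOCUME~1\Default\LOCALS~1\Temp\UQLBGFKXT.exe (file missing)
"""


@dataclass
class Finding:
    source: str    # "catchme" or "hijackthis"
    severity: str  # "high", "medium" or "low" (assumed scale)
    reason: str
    line: str


# catchme prints hidden files as "<path>:<stream> <size> bytes <kind>";
# the stream name is empty when the file itself (not an ADS) is hidden.
_CATCHME_ADS = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?):(?P<stream>[^\s:\\]*)\s+(?P<size>\d+) bytes (?P<kind>.+)$"
)
# HijackThis lines start with a section code such as R1, O2, O15, O23.
_HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


def triage_catchme(text: str) -> list[Finding]:
    """Flag entries in the 'scanning hidden files' section of a catchme log."""
    findings: list[Finding] = []
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("scanning hidden files"):
            in_files = True
            continue
        if line.startswith("scan completed"):
            in_files = False
        if not in_files or not line:
            continue
        m = _CATCHME_ADS.match(line)
        if m is None:
            # Bare path with no size/kind: catchme saw it but printed no details.
            findings.append(Finding("catchme", "medium", "hidden file with no stream details", line))
        elif m.group("stream") and m.group("kind") == "executable":
            # An executable tucked into an ADS of a harmless-looking file is a classic hiding spot.
            findings.append(Finding("catchme", "high",
                                    f"executable in alternate data stream '{m.group('stream')}'", line))
        else:
            findings.append(Finding("catchme", "low", f"hidden file ({m.group('kind')})", line))
    return findings


def triage_hijackthis(text: str) -> list[Finding]:
    """Flag the HijackThis entry types a helper reviews first."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _HJT_LINE.match(line)
        if m is None:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O23":
            reasons = []
            if "Unknown owner" in body:
                reasons.append("no vendor recorded for the service")
            if "(file missing)" in body:
                reasons.append("service binary missing on disk")
            if re.search(r"\\temp\\", body, re.IGNORECASE):
                reasons.append("service binary under a Temp directory")
            if reasons:
                findings.append(Finding("hijackthis", "high" if len(reasons) > 1 else "medium",
                                        "; ".join(reasons), line))
        elif code == "O15":
            findings.append(Finding("hijackthis", "medium", "site added to the IE Trusted Zone", line))
        elif code == "R1" and "ProxyServer" in body:
            findings.append(Finding("hijackthis", "low", "proxy configured; confirm it is intended", line))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append(Finding("hijackthis", "low", "orphaned BHO registration", line))
        elif code == "O16" and body.endswith(" -"):
            findings.append(Finding("hijackthis", "low", "ActiveX download entry with no source URL", line))
    return findings


if __name__ == "__main__":
    for f in triage_catchme(CATCHME_SAMPLE) + triage_hijackthis(HJT_SAMPLE):
        print(f"[{f.severity:6}] {f.source}: {f.reason}\n         {f.line}")
```

Run as-is it triages the embedded samples; pass a full saved log to either function to triage a real one. The rules deliberately stop at flagging: whether an ADS executable or an unknown-owner service is actually malicious still needs the file itself examined, which is exactly why the helpers in this thread ask for logs rather than acting on names alone.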

Unread postby Bstuff » July 12th, 2007, 2:48 am

Sorry for replying to myself... but I think I just realised the Goldun trojan may be gone... Ad-Aware only seems to be picking it up in a restore point now.

Adaware Log from first time it was detected

WIN32.TROJANSPY.GOLDUN
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[37]=Regkey : clsid\{00534b55-3155-ca4f-b41d-0e922121d03c}
obj[154]=File : C:\WINDOWS\system32\browsemu.dll

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[68]=Regkey : system\currentcontrolset\enum\root\legacy_*008f__6q*00d4*00f5*0013'*00aa*00b4*00c6*00d08
obj[151]=Regkey : software\microsoft\internet explorer\urlsearchhooks
obj[152]=RegValue : software\microsoft\internet explorer\main "Enable Browser Extensions"
obj[153]=RegData : software\microsoft\internet explorer\main "Use Search Asst"


and this is the log from today...

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : system\currentcontrolset\enum\root\legacy_*008f__6q*00d4*00f5*0013'*00aa*00b4*00c6*00d08

WIN32.TROJANSPY.GOLDUN
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[6]=File : C:\System Volume Information\_restore{72BC3969-BE94-47F8-B036-A9C97CA8172E}\RP756\A0047114.dll
Bstuff
Regular Member
 
Posts: 23
Joined: July 12th, 2007, 12:48 am

Unread postby Elrond » July 15th, 2007, 2:09 am

Hi Bstuff

I'm Elrond, I'll be glad to help you with your computer problems.

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please only use this topic for your replies on this problem. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.

Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note that you should have Administrator rights to perform the fixes. (XP accounts are Administrator by default.) Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's setting, but continue with the fix. Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Open "HijackThis". Click on "Open Misc.Tool Section".
Use the scroll bar on the right and scroll down to "Open Uninstall Manager". Click it.
On the right you will find "Save List". Click it.
The log that you just saved will appear.
Use "Copy" and "Paste" to add it to your next post together with a new HijackThis log.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby Bstuff » July 15th, 2007, 2:55 am

Thanks for your help Elrond.

I do have 2 user profiles on this pc... but I only ever use 1 of them and was only thinking I should delete that second profile in recent days.

I have some concern that posting detailed log info of all the software I have installed and default paths in use might present a security issue for me if left here forever. Is it possible to have this thread deleted when we are done?


Here is the installed software log you asked for:

A.F.5 Rename your files 1.1
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.9
Adobe Shockwave Player
Adobe SVG Viewer 3.0
AI RoboForm (All Users)
AnalogX Keyword Extractor
Available Domains Professional Edition 3.801
BB FlashBack
Bullant Remote 3.0
Coding Workshop Ringtone Converter
DivX Player
DivX Web Player
dmailerpro dmailerpro 1.0.0
Domain-Retriever
EFX Navigator
Email Address Extractor
Email Address Extractor 3.0
Extensis Mask Pro 2.0
Extensis PhotoFrame 1.0
Extensis PhotoGraphics 1.0
Eye Candy 4000
FxddAuto AutoTrading Platform
Google Earth
Google Gmail Notifier
Google Toolbar for Internet Explorer
Google Video Uploader
HaxFix 4.47
Hello (remove only)
HijackThis 1.99.1
Hotfix for Windows XP (KB929120)
ICQ
IE Booster - Web Browser Extensions for IE
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment Standard Edition v1.3.1_06
Java 2 Runtime Environment, SE v1.4.2_10
KeyScrambler
ListMate Pro PLATINUM 1.02
Macromedia Dreamweaver MX
Macromedia Extension Manager
Mail.com Alert
Marketiva
Maxthon Browser (remove only)
MetaTrader 4.00
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office 2000 Premium
Microsoft Tool Web Package:WntIpcfg.exe
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (1.0)
MSXML 4.0 SP2 (KB927978)
Nero
Npust Email List Manager Version 1.0.1
OI Toolbar
OpenOffice.org 2.0
Password 2000 2.8.0
PDT USB Phone
PGPfreeware 6.5.8
PHP 4.3.2
PopMan 1.2
PowerDVD
QuickTime
RealPlayer
Remote Administrator v2.1
Remove DivX Codec
Samsung YP-55
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB939373)
Shockwave
SiS 900 PCI Fast Ethernet Adapter Driver
SiS VGA Utilities
Skype 3.1
Skype Plugin Manager
Smaller Animals ThumbNailer v7
SpamBayes 1.0rc1
Spybot - Search & Destroy 1.4
StatsRemote
TextPad
Ulead VideoStudio 6 SE DVD
uMark Lite
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
VPON Live Video ActiveX Control
webgrabber
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinFast(R) TV2000 XP / VC100 XP(Application)
WinFast(R) TV2000 XP / VC100 XP(WDM Driver)
WinRAR archiver
WinSCP 3.4.2
WinZip
Xvid 1.1.3 final uninstall


and a new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 4:51:43 PM, on 15/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Password 2000\password.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\mail.com\mcalert.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\SpamBayes\bin\sb_tray.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
F:\Program Files\Maxthon\maxthon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mule:8080
R3 - URLSearchHook: OI toolbar - {4319648b-98dc-4101-80c9-62f553da51de} - C:\Program Files\OI\tbOI.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O2 - BHO: OI toolbar - {4319648b-98dc-4101-80c9-62f553da51de} - C:\Program Files\OI\tbOI.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Program Files\Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Roboform\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: OI toolbar - {4319648b-98dc-4101-80c9-62f553da51de} - C:\Program Files\OI\tbOI.dll
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [\\PRINCESS\EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\DOCUME~1\Default\LOCALS~1\Temp\E_S240.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [SunServer] F:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Password2000] C:\Program Files\Password 2000\password.exe -w
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: SpamBayes Tray Icon.lnk = C:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://F:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Customize Menu - file://F:\Program Files\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Image: Show Server Response - C:\Program Files\IE Booster\link-show-server-response.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Link: Open in New Minimized Window - C:\Program Files\IE Booster\link-open-minimized.html
O8 - Extra context menu item: IEB: Link: Show Server Response - C:\Program Files\IE Booster\link-show-server-response.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Page: Show TABLE, FORM and DIV Borders - C:\Program Files\IE Booster\page-show-table-structure.htm
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O8 - Extra context menu item: MT It! - http://www.abuseblog.com/cgi-bin/mt.cgi ... height=540
O8 - Extra context menu item: RoboForm Toolbar - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://www.indirectlinking.com
O15 - Trusted Zone: *.indirectlinking.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com/Java/cfs40320.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/c ... blt1_x.cab
O16 - DPF: Video Poker - http://download2.games.yahoo.com/games/ ... vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download2.games.yahoo.com/games/ ... /xt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/c ... /yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt4_x.cab
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/ ... /pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/ ... poti_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/ ... /st3_x.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) -
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.bank.com.au/wtpbs/wtBala ... agerwt.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: UQLBGFKXT - Unknown owner - C:\DOCUME~1\Default\LOCALS~1\Temp\UQLBGFKXT.exe (file missing)

Bstuff
Regular Member
 
Posts: 23
Joined: July 12th, 2007, 12:48 am

Unread postby Elrond » July 15th, 2007, 2:07 pm

Hi Bstuff, sorry for the delay. It took me some time to identify everything that you are running.

Before we do anything else there are some protective things we need to do or we risk further infections while we work. At the same time we will be removing some stuff that should be removed. The latter part of the post is trying to get some more information about what is going on.

  1. From what I can see you aren't running anti-virus software.

    Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
    Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading the infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

    1) Antivir PersonalEditionClassic
    -Free anti-virus software for Windows.
    -Detects and removes more than 50,000 viruses. Free support.
    2) avast! 4 Home Edition
    -Anti-virus program for Windows.
    -The home edition is freeware for noncommercial users.
    3) AVG Anti-Virus Free Edition
    -Free edition of the AVG anti-virus program for Windows.

  2. Your Java version is outdated and a security risk.
    • Download the latest Java from here.
    • Scroll down to Java Runtime Environment (JRE) 6u2 and click on Download. Click on Accept License Agreement, the page will refresh.
    • Click on Windows Offline Installation, Multi-language and save it.
    • Do not run it yet.
    • Go to Start > Control Panel. Double click on Add/Remove Programs.
    • Locate J2SE Runtime Environment 5.0 Update 6 and click on Change/Remove to uninstall it.
      Find any other outdated Java runtime versions. Normally I would not add this, but because of your special mix of programs I need to warn you that removing older versions of Java can make certain programs not work. You have to weigh the risk between having some programs not work and the security risk that older Java versions pose. I have no way of doing so.
    • If you do not purposely use OI Toolbar remove it as well.
    • Find HaxFix 4.47 and remove it. If we need it again we should download it again as it is being updated often. It is not a program that you should leave on your computer when it is not needed.
    • Once done, close Add/Remove Programs and Control Panel.
  3. After uninstalling the old Java program, install the latest version of Java that you've downloaded earlier.

  4. Do you know what these programs are? Let me know in your next post:
    ListMate Pro PLATINUM 1.02
    dmailerpro dmailerpro 1.0.0

  5. Go to http://virusscan.jotti.org
    Copy the following line into the white textbox:
    C:\DOCUME~1\Default\LOCALS~1\Temp\UQLBGFKXT.exe
    Click Submit.
    Please post the results of this scan to this thread

  6. Download and Run ComboFix

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  7. Run another HijackThis scan and post the log together with the Combofix log, the results from Jotti and the answers to my questions.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby Bstuff » July 15th, 2007, 11:49 pm

No worries about time at all Elrond... very much appreciate the effort. :)

1) Installed AntiVir

2) Downloaded jre-6u2-windows-i586-p.exe 13.89 MB

3) I have removed these Java versions:

Java 2 runtime environment standard edition v1.3.1_06
Java 2 runtime environment SE v1.4.2_10
J2SE Runtime Environment 5.0 Update 6

I removed both OItoolbar and HaxFix

4) Installed java

5) They are programs I used about 3 years ago to manage an email subscriber list. I have un-installed both of them.

6) I received this error message:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file.


But I may have been a bit too "smart" for myself and caused a small problem here. I changed the path on that line of the HT log file as it was the only line that showed my profile name on this pc. (call me paranoid if ya like :p)

Anyway, the correct path should have read... C:\DOCUME~1\Optional\LOCALS~1\Temp\UQLBGFKXT.exe

I submitted that correct path and got the same error message from the jotti site.

(I also changed a URL of my online bank in the original HT report too)

7) ComboFix log:

"Optional" - 2007-07-16 13:16:40 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_GDIW2K


((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))


2007-07-16 13:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 12:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-07-16 12:19 <DIR> d-------- C:\DOCUME~1\Optional\.SunDownloadManager
2007-07-12 14:30 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2007-07-12 14:30 9,006 --a------ C:\clean.bat
2007-07-12 14:30 86,528 --a------ C:\WINDOWS\system32\catchme.exe
2007-07-12 14:30 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-07-12 14:30 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-07-12 13:40 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-04 12:53 <DIR> d-------- C:\Program Files\AC3Filter
2007-07-04 12:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-07-04 12:52 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-07-04 12:52 <DIR> d-------- C:\Program Files\Xvid
2007-07-01 13:04 <DIR> d-------- C:\DOCUME~1\Optional\APPLIC~1\uTorrent


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-16 02:55:46 -------- d-----w C:\DOCUME~1\Optional\APPLIC~1\Skype
2007-07-16 02:55:39 -------- d-----w C:\Program Files\ICQ
2007-07-16 02:55:16 -------- d-----w C:\Program Files\OI
2007-07-16 02:37:14 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-11 00:16:32 -------- d-----w C:\Program Files\GoogleMon
2007-06-30 23:06:35 -------- d-----w C:\Program Files\DivX
2007-06-10 11:04:12 77,312 ----a-w C:\WINDOWS\ua2.dll
2007-06-05 12:41:50 -------- d-----w C:\Program Files\FxddAuto AutoTrading Platform
2007-06-04 16:08:09 -------- d-----w C:\Program Files\Novativa Streamster
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-01 05:33:30 10 ----a-w C:\WINDOWS\popcinfo.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 12:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 12:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 12:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 12:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 12:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 12:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 12:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 12:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2004-06-04 04:27:56 867 -c--a-w C:\Program Files\INSTALL.LOG
2003-01-27 22:02:17 8,192 -csha-w C:\Program Files\Thumbs.db
2001-11-08 05:55:50 286,809 ----a-w C:\Program Files\Portfoliomanager.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 03:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B9F5787-88A5-4945-90E7-C4B18563BC5E}]
2006-12-01 17:59 697344 --a------ C:\Program Files\KeyScrambler\keyscramblerIE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
2006-11-18 14:26 5157944 --a------ F:\Program Files\Roboform\roboform.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 22:55 2403392 -ra------ c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mirabilis ICQ"="C:\PROGRA~1\ICQ\ICQNet.exe" [2003-10-15 02:36]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe" [2005-07-15 14:48]
"SunServer"="F:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 17:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Password2000"="C:\Program Files\Password 2000\password.exe" [2001-11-09 20:45]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"Mail.com"="C:\Program Files\mail.com\mcalert.exe" [2007-05-23 17:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservicesonce]
"washindex"=C:\Program Files\Washer\washidx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"iTunesHelper"="F:\Program Files\iTunes\iTunesHelper.exe"
"eBayToolbar"=F:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
"SiS Windows KeyHook"=C:\WINDOWS\System32\keyhook.exe
"SiSUSBRG"=C:\WINDOWS\SiSUSBrg.exe
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4db66ac-4acc-11db-8847-0011d8773220}]
AutoRun\command- ~tmp0.1st.exe

*Newly Created Service* - SSMDRV

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 13:24:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-16 13:27:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-16 13:26

--- E O F ---


8) HaxFix log:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:37 PM, on 16/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mule:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Program Files\Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Roboform\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SunServer] F:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Password2000] C:\Program Files\Password 2000\password.exe -w
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: SpamBayes Tray Icon.lnk = C:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &eBay Search - res://F:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Customize Menu - file://F:\Program Files\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Image: Show Server Response - C:\Program Files\IE Booster\link-show-server-response.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Link: Open in New Minimized Window - C:\Program Files\IE Booster\link-open-minimized.html
O8 - Extra context menu item: IEB: Link: Show Server Response - C:\Program Files\IE Booster\link-show-server-response.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Page: Show TABLE, FORM and DIV Borders - C:\Program Files\IE Booster\page-show-table-structure.htm
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O8 - Extra context menu item: MT It! - http://www.abuseblog.com/cgi-bin/mt.cgi ... height=540
O8 - Extra context menu item: RoboForm Toolbar - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://www.indirectlinking.com
O15 - Trusted Zone: *.indirectlinking.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com/Java/cfs40320.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/c ... blt1_x.cab
O16 - DPF: Video Poker - http://download2.games.yahoo.com/games/ ... vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download2.games.yahoo.com/games/ ... /xt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/c ... /yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt4_x.cab
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/ ... /pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/ ... poti_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/ ... /st3_x.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) -
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://CHANGED-THIS-URL/wtpbs/wtBalanc ... agerwt.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: UQLBGFKXT - Unknown owner - C:\DOCUME~1\Optional\LOCALS~1\Temp\UQLBGFKXT.exe (file missing)
Bstuff
Regular Member
 
Posts: 23
Joined: July 12th, 2007, 12:48 am
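The HijackThis log above is read by eye for a handful of red flags: sites added to the Trusted Zone (O15), ActiveX objects with no download URL left (O16), autostart entries whose target file is gone, services with no known owner running from a Temp folder (O23), and Winlogon Notify entries that point at a bare directory (O20). The following Python triage pass is an added example, not code from this thread or from HijackThis; it applies those same heuristics to sample lines copied from or modelled on the log in this post.

```python
"""Triage HijackThis (v1.99.1-style) log lines for entries worth a closer look.

Added example, not part of the forum thread and not part of HijackThis.
The heuristics are the ones a helper applies when reading such a log:
  * O15  - a site was added to Internet Explorer's Trusted Zone
  * O16  - a Downloaded Program File (ActiveX) entry with no URL behind it
  * O23  - a service with "Unknown owner" that runs from a Temp directory
  * any  - an entry whose target is marked "(file missing)" (orphaned)
  * O20  - a Winlogon Notify entry whose path is only a directory
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches "O23 - rest of line"; the leading token is the HijackThis section code.
SECTION_RE = re.compile(r"^([ORFN]\d+)\s*-\s*(.*)$")
# A path component "\Temp\" (optionally under the 8.3 name "LOCALS~1").
TEMP_DIR_RE = re.compile(r"\\(LOCALS~1\\)?Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O23"
    reason: str    # why the line was flagged
    line: str      # the original log line


def triage_line(raw: str) -> Optional[Finding]:
    """Return a Finding for a suspicious line, or None for a line that passes."""
    line = raw.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None                      # header, process list, blank line
    section, body = m.group(1), m.group(2).rstrip()

    if section == "O15":
        return Finding(section, "site added to Trusted Zone", line)
    if section == "O23" and "Unknown owner" in body and TEMP_DIR_RE.search(body):
        return Finding(section, "service with unknown owner launched from a Temp folder", line)
    if section == "O16" and body.endswith("-"):
        return Finding(section, "DPF entry with no download URL", line)
    if "(file missing)" in body:
        return Finding(section, "target file missing (orphaned entry)", line)
    if section == "O20" and body.endswith("\\"):
        return Finding(section, "Winlogon Notify path is a bare directory", line)
    return None


def triage(log: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the findings, in order."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f is not None]


# Sample lines copied from / modelled on the log in this thread (constructed input).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: http://www.indirectlinking.com
O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: UQLBGFKXT - Unknown owner - C:\DOCUME~1\Optional\LOCALS~1\Temp\UQLBGFKXT.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Lines that are not flagged are not thereby clean; the pass only surfaces the entries a helper would ask about first.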

Unread postby Elrond » July 16th, 2007, 11:23 am

Hi Bstuff

Let us continue cleaning up your computer.
    • Please open Notepad.
    • Ensure that word wrap is turned off. Click on Format and make sure that there's a tick next to Word Wrap. If there's none, click on Word Wrap to tick it.
    • Copy and paste the following in the code box into Notepad:
      sc stop UQLBGFKXT
      sc delete UQLBGFKXT
    • Click on File > Save As....
    • In the File Name box, copy and paste in Fix Service.bat
    • In the Save as type box, select All Files from the drop-down list.
    • Click Save.
    • Double click on fix service.bat. A Command Prompt window will open and close quickly. That is normal.
  1. Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: http://www.indirectlinking.com
    O15 - Trusted Zone: *.indirectlinking.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O16 - DPF: Video Poker - http://download2.games.yahoo.com/games/ ... vpt0_x.cab
    O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) -
    O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} -
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} -
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: UQLBGFKXT - Unknown owner - C:\DOCUME~1\Optional\LOCALS~1\Temp\UQLBGFKXT.exe (file missing)


    Click on Fix Checked when finished and exit HijackThis.

  2. From your log I can see you've installed PartyPoker poker programs. It is on the lists of dangerous programs. A lot of poker programs are infected/can infect you with malware. However, it looks as if you have also uninstalled it. I have removed what look like orphaned entries left behind by it.

    Here are links to some poker sites regarded as safe for your reference.

    * http://www.pokerstars.net/ - This is a free to use/play site.
    * http://www.pokerstars.com/ - This is the paid for version.

  3. In Windows Explorer, navigate to C:\Windows\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Clean out your Temporary Internet files. Proceed like this:
    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start, click Control Panel, and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

  4. Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

    If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
    • Click the Update icon at the top and under Manual Update click the Start update button.
    • The program will either update or inform you that no update was available.
    • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
    Please set up the program as follows:
    • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
    • Click the Update icon and untick the automatic update option.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act? - make sure that Quarantine is selected.
      • Under How to scan? - All checkboxes should be ticked.
      • Under Possibly unwanted software - All checkboxes should be ticked.
      • Under Reports - Select Do not automatically generate reports.
      • Under What to scan? - Select Scan every file.
    Close all open windows.

  5. Restart the computer. When the BIOS has finished loading (before Windows starts loading) start rapidly tapping the "F8" key. A menu opens. Select "Safe Mode". The computer will start in safe mode.
    This can be tricky. If Windows starts up in normal mode, repeat the process. If you have a keyboard with a "F Lock" key, click it so that the "F" light above it is on when you start tapping the "F8" key. The startup in safe mode takes some time and while it is doing so it shows you a black screen with the words "Safe Mode".
    • Click on Scanner on the toolbar.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan your computer.
    • When the scan has finished, follow the instructions below:
      • Make sure that Set all elements to: shows Quarantine
      • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
      • When the program has finished, it will display the message All actions have been applied.
      • Then click the Save Scan Report button.
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Tray Icon and select Exit.
  6. Restart in normal mode.

  7. Do you know what the following are?
    • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mule:8080. Do you use this proxy server?
    • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present. Have you or an administrator set restrictions on Internet Explorer?
    • O8 - Extra context menu item: MT It! - http://www.abuseblog.com/cgi-bin/mt.cgi ... height=540
  8. Give me a description of any problems that you see with the computer.

  9. Run another HijackThis scan and post the log together with the log from AVG Spyware and replies to my questions.


If you added any sites to the trusted zone in Internet Explorer you will need to add them again.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
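A small triage script for HijackThis log lines, added here as an example and not a tool from MalwareRemoval.com, the helper, or HijackThis itself. It encodes the kinds of entries picked out by hand above (an unknown-owner service in a Temp folder, registrations that point at no file, trusted-zone additions) and separates what can be ticked for Fix Checked from what first needs the user's answer; the sample lines are constructed from the log in this thread.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example for the thread above, not a tool from MalwareRemoval.com or from
HijackThis. The rules mirror what the helper picked out by hand: a service with
no vendor launched from a Temp folder, registrations that point at no file,
trusted-zone additions, and two settings that need the user's confirmation.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample lines modelled on the log posted in the thread.
SAMPLE_LOG = [
    "R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = mule:8080",
    "O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)",
    'O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe" /min',
    "O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present",
    "O15 - Trusted Zone: *.frame.crazywinnings.com",
    "O16 - DPF: {4B48D5DF-9021-45F7-A240-60304302A215} -",
    "O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab",
    "O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\",
    "O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\AntiVir PersonalEdition Classic\\avguard.exe",
    "O23 - Service: UQLBGFKXT - Unknown owner - C:\\DOCUME~1\\Optional\\LOCALS~1\\Temp\\UQLBGFKXT.exe (file missing)",
]


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O23"
    verdict: str   # "fix": tick it in HijackThis; "ask": needs the user's answer first
    reason: str
    line: str


# Per-user and system temp folders, in 8.3 and long form, as they appear in the log.
TEMP_DIR = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\|\\WINDOWS\\Temp\\", re.IGNORECASE)
LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2).rstrip()

    if section == "O23":
        # Service: <display name> - <vendor> - <image path>
        if "Unknown owner" in body and (TEMP_DIR.search(body) or body.endswith("(file missing)")):
            return Finding(section, "fix", "service with no vendor, running from Temp or missing", line)
    elif section == "O4" and TEMP_DIR.search(body):
        return Finding(section, "fix", "autorun entry launches from a Temp folder", line)
    elif section == "O2" and body.endswith("(no file)"):
        return Finding(section, "fix", "orphaned BHO registration", line)
    elif section == "O16" and body.endswith("-"):
        # DPF: <name or CLSID> - <download URL>; an empty URL is a leftover registration
        return Finding(section, "fix", "ActiveX (DPF) entry with no download URL", line)
    elif section == "O20" and body.endswith("\\"):
        return Finding(section, "fix", "Winlogon Notify entry names a directory, not a DLL", line)
    elif section == "O15":
        return Finding(section, "fix", "trusted-zone addition lowers IE security for that site", line)
    elif section == "R1" and "ProxyServer" in body:
        return Finding(section, "ask", "proxy setting: confirm the user configured it", line)
    elif section == "O6":
        return Finding(section, "ask", "IE policy restrictions: confirm the user set them", line)
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run triage_line over a whole log and keep the entries that need attention."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


def fix_list(findings: List[Finding]) -> List[str]:
    """The lines to tick in HijackThis before clicking Fix Checked."""
    return [f.line for f in findings if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict}] {f.section}: {f.reason}\n      {f.line}")
```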

Unread postby Bstuff » July 17th, 2007, 7:17 am

Hi Elrond :)

1) done

2) done

3) thanks

4) deleted all files from TEMP folders (one file couldn't be deleted from my profile's temp folder, it's called Perflib_Perfdata_5e8.dat)

deleted temp internet files and cookies and reset web settings

there was no page called "Security info" in the display settings web tab... there is one entry titled, "My Current Home Page".


5) AVG installed and updated and settings changed

6, 7 and 8) all went as instructed apart from 3 items AVG detected as low danger, and which I think I know what they are, and thought would probably be better de-installed the regular way.. 2 items are from a program called remote administrator which I am no longer using and happy to de-install.. and the third item "appeared" to possibly be the downloading application for the Java update you had me install earlier. (see log)

I can de-install remoteadmin via the control panel... maybe you could let me know if I need to run AVG in safe mode again to remove that last item or not still.

Sorry if I made an error there.. the scan had taken 2.5 hours and I thought I had better make a decision. :\


9)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mule:8080. Do you use this proxy server.


I have a hub connected to this pc and 2 others connected to that sharing the internet connection. I assume this is for them.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present. Have you or an administrator set restrictions on Internet Explorer?


I could have.. been running this same pc for years. Also a "helpful" PC tech at the store where I got the original machine installed some manual updates to XP a year or two ago after I had a motherboard meltdown... and when I got it back there was an additional administrator account on the pc and he was trying to explain about these "wonderful" little hacks he had done for me. (which just annoyed me when all I asked for was a new motherboard!)

So is there any way to work out exactly what these restrictions may be, as that could give me a clue?

O8 - Extra context menu item: MT It! - http://www.abuseblog.com/cgi-bin/mt.cgi ... height=540


This was a Movable Type widget to make a blog post about the current webpage. Never used it. Can we delete it?


10) I haven't used it much as we have been doing this but it seems to be operating smoothly right now.

11)

AVG scan log;

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:20:17 PM 17/07/2007

+ Scan result:



C:\System Volume Information\_restore{72BC3969-BE94-47F8-B036-A9C97CA8172E}\RP756\A0047115.dll -> Adware.AlexaBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{72BC3969-BE94-47F8-B036-A9C97CA8172E}\RP756\A0047116.dll -> Adware.AlexaBar : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\OEWABLog.txt:tlzcmb -> Backdoor.Small.dc : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\setupact.log:cvnlxj -> Backdoor.Small.dc : Cleaned with backup (quarantined).
C:\Documents and Settings\Optional\Desktop\WEBSITES\website1\Access_Plugin.exe -> Dialer.AXD.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip/image_cdrive/Desktop/translate_c -> Dialer.Generic : Cleaned with backup (quarantined).
F:\WindowsXP\Auto Patch update aug-04\AutoPatcher XP\ProgFiles\MsgPlus-301.exe/Sponsor.exe -> Downloader.Swizzor.bt : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Ignored.
C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip/image_cdrive/Program Files/Radmin/AdmDll.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.
C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip/image_cdrive/Program Files/Radmin/raddrv.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.
C:\Program Files\Radmin\AdmDll.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.
C:\WINDOWS\system32\admdll.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : Ignored.
C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip/image_cdrive/Program Files/Radmin/r_server.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.21 : Ignored.
C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip/image_cdrive/Program Files/Radmin/radmin.exe -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.21 : Ignored.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.10:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.11:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.1:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.2:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.3:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.4:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.5:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.6:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.7:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.8:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt.9:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\SchedLgU.Txt:ongqso -> Trojan.Agent.bi : Cleaned with backup (quarantined).


::Report end




HijackThis scan log;

Logfile of HijackThis v1.99.1
Scan saved at 8:55:18 PM, on 17/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mule:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Program Files\Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Roboform\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SunServer] F:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Password2000] C:\Program Files\Password 2000\password.exe -w
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: SpamBayes Tray Icon.lnk = C:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &eBay Search - res://F:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Customize Menu - file://F:\Program Files\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Image: Show Server Response - C:\Program Files\IE Booster\link-show-server-response.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Link: Open in New Minimized Window - C:\Program Files\IE Booster\link-open-minimized.html
O8 - Extra context menu item: IEB: Link: Show Server Response - C:\Program Files\IE Booster\link-show-server-response.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Page: Show TABLE, FORM and DIV Borders - C:\Program Files\IE Booster\page-show-table-structure.htm
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O8 - Extra context menu item: MT It! - http://www.abuseblog.com/cgi-bin/mt.cgi ... height=540
O8 - Extra context menu item: RoboForm Toolbar - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com/Java/cfs40320.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/c ... blt1_x.cab
O16 - DPF: Yahoo! Bingo - http://download2.games.yahoo.com/games/ ... /xt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/c ... /yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt4_x.cab
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/ ... /pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/ ... poti_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/ ... /st3_x.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://CHNAGED-THIS-URL/wtpbs/wtBalanc ... agerwt.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe




I'm not using this piece of software anymore... and thought I had fully de-installed it... should I use HijackThis to remove this item?

O4 - HKLM\..\Run: [SunServer] F:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe

Also I noticed a reference to Firefox v1 in one of the installed software log reports... and I thought I had completely de-installed that too. Do you know how I might be able to get rid of it fully?

Thanks again for all this help

Bstuff
Bstuff
Regular Member
 
Posts: 23
Joined: July 12th, 2007, 12:48 am

Unread postby Elrond » July 18th, 2007, 9:02 am

Hi Bstuff.

Sorry for letting you wait :( but needed to do some more research.

The RemoteAdministrator20 entries are all in a zipped backup folder that is part of a CD image. I doubt that they do any damage. The rest of the stuff in the AVG log is either quarantined or in a backup folder for a malware removal program. The log is practically speaking clean.

  1. R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mule:8080. I have found out what this is: It is part of a program to tunnel through firewalls. If you are using it, do not fix it in point 3.

  2. Use Add/Remove to remove Remote Administrator v2.1
    Go through the Add/Remove list and remove any other programs that you do not use any more.

  3. Open HijackThis and click "Do a System Scan Only" or "Scan". Put a check mark by the items that are listed below.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = mule:8080
    O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
    O4 - HKLM\..\Run: [SunServer] F:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O8 - Extra context menu item: MT It! - http://www.abuseblog.com/cgi-bin/mt.cgi ... height=540


    Close all open windows except HijackThis and then click the "Fix checked" button.

    • Download OTMoveIt by OldTimer from here
    • Double click on OTMoveIt to start OTMoveIt
    • Untick the option to Unregister Dll's and Ocx's (1)
    • Select the contents of the below codebox, then press Ctrl+C to copy it to the clipboard
      F:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    • In OTMoveIt Right click on the box labelled Paste List of Files/Folders to be Moved
    • Click Paste (2)
    • Click MoveIt! (3)
    • Copy and paste the contents of the results box (4) as a reply to this topic

  4. Please do a search:
    Run "Start">"Search">"All Files and Folders"> enter in "All or part of file name". Select "More advanced options". Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders". Click "Search". Note the path to the file.

  5. Go to http://virusscan.jotti.org
    Copy the following line into the white textbox:
    ~tmp0.1st.exe (Include the complete path for ~tmp0.1st.exe that you found in the last point)
    Click Submit.
    Please post the results of this scan to this thread

  6. Download this file to your desktop.
    http://www.mvps.org/winhelp2002/DelDomains.inf

    Right-click on the deldomains.inf file and select 'Install'

    Once it is finished your Zones should be reset.

    Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection

  7. Copy/paste the following text into a new Notepad document. Make sure that wordwrap is turned off.
    regedit /a /e regkey.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer"

    notepad regkey.txt

    Save it on your desktop as filename readIE.bat. Save it as file type All Files (not as a text document or it won't work).

    Double click readIE.bat. Notepad will open with readIE.txt.
    Post the content of the file please.
    If notepad doesn't bring up the text file, open readIE.txt yourself.

  8. Go here to run an online scanner from Kaspersky.

    • Click on "Kaspersky Online Scanner"
    • A new smaller window will pop up. After reading the contents, press "Accept".
    • Now Kaspersky will update the anti-virus database. Let it run.
    • Click on "Next">"Scan Settings", and make sure the database is set to "extended", and check both the scan options. Then click OK.
    • Then click on "My Computer", and the scan will start.
    • Once finished, save the log as "KAV.txt" to the desktop.
    • Please download GMER
    • Unzip it and start the GMER.exe
    • Click the Rootkit tab and click the Scan button.

    Once done, click the Copy button.
    This will copy the results to your clipboard.
    Paste the results in your next reply.

    Warning ! Please, do not select the "Show all" checkbox during the scan.

  9. Run a new HijackThis scan but this time do it from each of the accounts that you have on that computer.
    Post the HijackThis logs together with the content of readIE.txt, KAV.txt, the GMER log and the jotti analysis in this thread.



That was a bit much but hope it will not throw you off. You are doing very well :)
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
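A parser for the REGEDIT4 export that the `regedit /a /e` command in step 7 writes, added here as an example and not part of the helper's fix. It joins the backslash-continued hex lines, decodes the string, dword and hex/hex(7) values that such an export contains, and then pulls out any values under the IE Restrictions policy key, which is what the O6 line in HijackThis reports. The export text is a constructed sample; the Restrictions key and its NoBrowserOptions value are assumed for illustration and are not copied from this thread.

```python
"""Parse a REGEDIT4 export such as the one written by
`regedit /a /e regkey.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer"`.

Added example for the thread above, not part of HijackThis or of the forum's
fix scripts. REGEDIT4 (the /a format) stores strings as ANSI, so hex(7)
REG_MULTI_SZ data is one byte per character, NUL-separated, double NUL at the end.
"""
import re
from typing import Dict, Iterator, List, Union

RegValue = Union[str, int, bytes, List[str]]
RegKeys = Dict[str, Dict[str, RegValue]]

# Constructed sample in REGEDIT4 syntax. The Restrictions key at the end is an
# assumption added to show what the O6 policy key would look like if exported.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer]
"Show_FullURL"=dword:00000000
"Download Directory"="C:\\Documents and Settings\\Optional\\Desktop"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command]
@="\"C:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE\" /n"
"command"=hex(7):31,30,21,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Position"=hex:2c,00,00,00,00,02,00,00,\
  00,00,00,00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoBrowserOptions"=dword:00000001
"""

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def _logical_lines(text: str) -> Iterator[str]:
    """Yield lines with regedit's trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        yield buf + line.strip()
        buf = ""
    if buf:
        yield buf


def _unescape(s: str) -> str:
    """Undo regedit's backslash escaping (\\\\ and \\")."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _parse_data(data: str) -> RegValue:
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])                      # REG_SZ
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)              # REG_DWORD
    m = _HEX_RE.match(data)
    if m:
        raw = bytes(int(b.strip(), 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "7":                             # REG_MULTI_SZ, ANSI in REGEDIT4
            return [s.decode("latin-1") for s in raw.split(b"\x00") if s]
        return raw                                        # REG_BINARY and other hex(n)
    raise ValueError(f"unsupported value syntax: {data}")


def parse_regedit4(text: str) -> RegKeys:
    """Return {key path: {value name: value}}; '@' is the default value."""
    lines = list(_logical_lines(text))
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 export")
    keys: RegKeys = {}
    current = None
    for line in lines[1:]:
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unexpected line: {line}")
        name = "@" if m.group(2) else _unescape(m.group(1))
        keys[current][name] = _parse_data(m.group(3))
    return keys


def ie_restrictions(keys: RegKeys) -> Dict[str, RegValue]:
    """Values under the IE Restrictions policy key, the one HijackThis lists as O6."""
    suffix = r"\policies\microsoft\internet explorer\restrictions"
    for path, values in keys.items():
        if path.lower().endswith(suffix):
            return values
    return {}


if __name__ == "__main__":
    for name, value in ie_restrictions(parse_regedit4(SAMPLE_EXPORT)).items():
        print(f"{name} = {value!r}")
```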

Unread postby Bstuff » July 20th, 2007, 2:44 am

1) I've got a nagging feeling this might be needed by something legit.. but am going to remove it anyway.

2) I missed this step and didn't end up removing remoteadministrator until AFTER I ran the Kaspersky scan.

3) removed those 4 entries with HT

4) OTmoveit gave an error message that it was unable to create a log file but did say this in the results window.

File/Folder F:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe not found.

Created on 07/20/2007 05:54:56


5) Search for ~tmp0.1st.exe failed to find any file on pc. (set search for hidden and system areas as instructed)

6) N/A

7) Done

8) Log file;

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer]
"Show_FullURL"=dword:00000000
"SmartDithering"=dword:00000001
"AddButtons"=dword:00000002
"Download Directory"="C:\\Documents and Settings\\Optional\\Desktop"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Default HTML Editor]
"Description"="Microsoft Word for Windows"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Default HTML Editor\shell]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Default HTML Editor\shell\edit]
@="&Edit"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command]
@="\"C:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE\" /n"
"command"=hex(7):31,30,21,21,21,67,78,73,66,28,4e,67,5d,71,46,60,48,7b,4c,73,\
57,4f,52,44,46,69,6c,65,73,3e,6c,6c,54,5d,6a,49,7b,6a,66,28,3d,31,26,4c,5b,\
2d,38,31,2d,5d,20,2f,6e,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ddeexec]
@="[REM _DDE_Direct][FileOpen(\"%1\")]"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ddeexec\Application]
@="WinWord"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ddeexec\Topic]
@="System"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,02,00,00,00,00,00,00,00,02,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"BackupWallpaper"=""
"WallpaperFileTime"=hex:00,00,00,00,00,00,00,00
"WallpaperLocalFileTime"=hex:00,78,70,33,5c,00,00,00
"TileWallpaper"="0"
"WallpaperStyle"="2"
"Wallpaper"=""
"ComponentsPositioned"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Old WorkAreas]
"NoOfOldWorkAreas"=dword:00000001
"OldWorkAreaRects"=hex:00,00,00,00,00,00,00,00,00,04,00,00,e2,02,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\SafeMode]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\SafeMode\General]
"Wallpaper"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,57,65,62,5c,53,61,66,\
65,4d,6f,64,65,2e,68,74,74,00
"VisitGallery"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Scheme]
"Edit"=""
"Display"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Document Windows]
"Maximized"="no"
"height"=hex:00,00,00,00
"width"=hex:00,00,00,80
"x"=hex:00,00,00,80
"y"=hex:00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="yes"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}]
@="Media Band"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}]
"BarSize"=hex:cc,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}]
"BarSize"=hex:18,01,00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}]
"BarSize"=hex:57,01,00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}]
"BarSize"=hex:29,01,00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping]
"NextId"=dword:00002013
"{6224f700-cba3-4071-b251-47cb894244cd}"=dword:00002001
"{FB5F1910-F110-11d2-BB9E-00C04F795683}"=dword:00002002
"{FD9DE2B4-C926-4460-81C4-FC58C6F1062E}"=dword:00002003
"{FF983118-58C7-4AD4-B5A7-691C39CB7B42}"=dword:00002004
"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}"=dword:00002005
"{053017A8-53F7-4EA3-AA38-A4CCAAF1F9E7}"=dword:00002006
"{1FA9B650-D1BC-4E43-96B3-13A32FC39732}"=dword:00002007
"{320AF880-6646-11D3-ABEE-C5DBF3571F46}"=dword:00002009
"{320AF880-6646-11D3-ABEE-C5DBF3571F49}"=dword:0000200a
"{724d43aa-0d85-11d4-9908-00400523e39a}"=dword:0000200b
"{B13B4423-2647-4cfc-A4B3-C7D56CB83487}"=dword:0000200c
"{7130DF06-BBC1-4e16-83D4-1F875E65B695}"=dword:0000200d
"{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}"=dword:0000200f
"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"=dword:00002010
"{5C106A59-CC3C-4caa-81A4-6D909B5ACE23}"=dword:00002011

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Help_Menu_URLs]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\InformationBar]
"FirstTime"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\IntelliForms]
"AskUser"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\SPW]
"'?PG3U$/Q1U+[?B"=dword:00000000
"8L!!2JYYK$!Q*]8"=dword:00000000
"4%#C3P:\\ #-<:)+"=dword:00000000
"85APM@/ZN-J!:QD"=dword:00000000
"18\".=G5J;<[7\\/M"=dword:00000000
"7GL8E>8*%3?M6IU"=dword:00000000
"B')Y\"WD7_ R_\"\\1"=dword:00000000
"LNUF\"</@:.6G?BN"=dword:00000000
"BWSM3=9_X4 SV80"=dword:00000000
"EGQMY_5 ZG:JD[U"=dword:00000000
"%P$W[ Y^CX/W+M,"=dword:00000000
"V)@ AT4J*5B'Z8U"=dword:00000000
"H>7>62;EUN&(I3E"=dword:00000000
"]2;8:QXX?MIUAY-"=dword:00000000
"5J/; ',MU(>@)1B"=dword:00000000
"6.<C5:4,:;EZG!2"=dword:00000000
"H4,O3)_SG]6:G\"I"=dword:00000000
"SC:'][5SR,ED+DG"=dword:00000000
"X74V!47VR-5,-AU"=dword:00000000
"40 NX$(6CPK/6R8"=dword:00000000
")W(+S_76S,B3T9B"=dword:00000000
"I91-,\"O&E8@\"07W"=dword:00000000
"=OL+X^1_!:&7+<:"=dword:00000000
"S#U:$F*. 5R%V;:"=dword:00000000
"83M'=T19]3\"=XPE"=dword:00000000
"?-F02T).0NP]X-M"=dword:00000000
"#.\\.T*-]B'5I<>]"=dword:00000000
"6YCRB/JP5VC^IP@"=dword:00000000
"QDE:,RJ @H.73W#"=dword:00000000
"CD>1PL&^$@7*Z=I"=dword:00000000
"MF%J+TJFLM)(/7@"=dword:00000000
";8P*C86@_:\"T?!K"=dword:00000000
"_'&%,\\6Y**%5[^S"=dword:00000000
"GI]/DHO),</F@)>"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International]
@=""
"W2KLpk"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU]
"Enable"=dword:00000001
"Size"=dword:0000000a
"InitHits"=dword:00000064
"Factor"=dword:00000014
"Cache"=hex:e3,04,00,00,98,08,00,00,9f,4e,00,00,b1,06,00,00,b0,6f,00,00,53,03,\
00,00,bd,6f,00,00,f5,01,00,00,e2,04,00,00,d1,01,00,00,a8,03,00,00,33,01,00,\
00,82,51,00,00,a1,00,00,00,a4,03,00,00,48,00,00,00,ed,ca,00,00,25,00,00,00,\
6a,03,00,00,08,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\25]
"IEFontSize"=hex:01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\26]
"IEFontSize"=hex:01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3]
"IEPropFontName"="Times New Roman"
"IEFixedFontName"="Courier New"
"IEFontSize"=hex:02,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Extensions]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Extensions\CmdMapping]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"NoUpdateCheck"=dword:00000000
"NoJITSetup"=dword:00000000
"Disable Script Debugger"="yes"
"Show_ChannelBand"="No"
"Anchor Underline"="yes"
"Cache_Update_Frequency"="Once_Per_Session"
"Display Inline Images"="yes"
"Do404Search"=hex:01,00,00,00
"Local Page"="C:\\WINDOWS\\system32\\blank.htm"
"Save_Session_History_On_Exit"="no"
"Show_FullURL"="no"
"Show_StatusBar"="yes"
"Show_ToolBar"="yes"
"Show_URLinStatusBar"="yes"
"Show_URLToolBar"="yes"
"Start Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"Use_DlgBox_Colors"="yes"
"Check_Associations"="No"
"FullScreen"="no"
"Window_Placement"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,8e,00,00,00,1d,00,00,00,e2,03,00,00,d4,02,00,\
00
"NotifyDownloadComplete"="no"
"Error Dlg Displayed On Every Error"="no"
"Error Dlg Details Pane Open"="yes"
"Use FormSuggest"="yes"
"ShowedCheckBrowser"="Yes"
"AddToFavoritesExpanded"=dword:00000001
"Expand Alt Text"="no"
"Move System Caret"="no"
"NscSingleExpand"=dword:00000001
"NoWebJITSetup"=dword:00000000
"Page_Transitions"=dword:00000001
"FavIntelliMenus"="yes"
"UseThemes"=dword:00000001
"Force Offscreen Composition"=dword:00000000
"AllowWindowReuse"=dword:00000000
"Friendly http errors"="no"
"ShowGoButton"="yes"
"SmoothScroll"=dword:00000001
"Enable AutoImageResize"="no"
"Enable_MyPics_Hoverbar"="no"
"Play_Animations"="yes"
"Play_Background_Sounds"="yes"
"Display Inline Videos"="yes"
"Show image placeholders"=dword:00000000
"Print_Background"="no"
"LastCheckedHi"=dword:01c7c436
"FavChevron"="NO"
"HistoryViewType"=hex:08,00,66,63,03,00,00,00,00,00
"HistoryTopNSitesView"=dword:00000014
"StatusBarOther"=dword:00000001
"Save Directory"="C:\\Documents and Settings\\Optional\\Desktop\\newzen-for-blogger\\images\\saved\\"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings]
"LOCALMACHINE_CD_UNLOCK"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Media]
"SuppressOnlineContent"="no"
"AutoplayPrompt"=hex:01

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Media\MimeTypes]
"text/vnd.rn-realtext"=hex:00
"application/vnd.rn-realplayer"=hex:00
"application/vnd.rn-rn_music_package"=hex:00
"audio/x-musicnet-stream"=hex:00
"audio/x-musicnet-download"=hex:00
"application/vnd.rn-realmedia-secure"=hex:00
"application/vnd.rn-realaudio-secure"=hex:00
"audio/x-realaudio-secure"=hex:00
"video/vnd.rn-realvideo-secure"=hex:00
"application/vnd.rn-realsystem-rjs"=hex:00
"audio/vnd.rn-realaudio"=hex:00
"audio/x-realaudio"=hex:00
"application/vnd.rn-realmedia"=hex:00
"application/vnd.rn-realmedia-vbr"=hex:00
"image/vnd.rn-realpix"=hex:00
"audio/x-pn-realaudio"=hex:00
"application/vnd.rn-rsml"=hex:00
"video/vnd.rn-realvideo"=hex:00
"application/vnd.rn-realsystem-rmj"=hex:00
"audio/x-la-lms"=hex:00
"audio/x-la-lqt"=hex:00
"audio/x-liquid-secure"=hex:00
"application/x-laplayer-reg"=hex:00
"audio/x-liquid-file"=hex:00
"application/vnd.rn-realsystem-rjt"=hex:00
"application/vnd.rn-realsystem-rmx"=hex:00
"application/vnd.rn-recording"=hex:00
"text/vnd.rn-realtext3d"=hex:00
"application/x-vpeg005"=hex:00
"video/quicktime"=hex:00
"image/x-macpaint"=hex:00
"image/x-quicktime"=hex:00
"audio/x-mpegurl"=hex:00
"video/x-ms-asf"=hex:00
"audio/wav"=hex:00
"video/x-ms-wmv"=hex:00
"video/msvideo"=hex:00
"audio/x-wav"=hex:01
"video/x-ms-wvx"=hex:00
"audio/m4a"=hex:00
"video/avi"=hex:00
"video/mpeg"=hex:00
"audio/x-ms-wax"=hex:00
"application/smil"=hex:00
"video/3gpp"=hex:00
"video/3gpp-encrypted"=hex:00
"audio/3gpp"=hex:00
"audio/3gpp-encrypted"=hex:00
"audio/AMR"=hex:00
"audio/AMR-encrypted"=hex:00
"audio/AMR-WB"=hex:00
"audio/AMR-WB-encrypted"=hex:00
"audio/X-RN-3GPP-AMR"=hex:00
"audio/X-RN-3GPP-AMR-encrypted"=hex:00
"audio/X-RN-3GPP-AMR-WB"=hex:00
"audio/X-RN-3GPP-AMR-WB-encrypted"=hex:00
"video/3gpp2"=hex:00
"audio/3gpp2"=hex:00
"video/x-mpeg"=hex:00
"application/sdp"=hex:00
"video/x-m4v"=hex:00
"video/sd-video"=hex:00
"application/x-mpeg"=hex:00
"image/pict"=hex:00
"image/x-pict"=hex:00
"video/flc"=hex:00
"audio/aac"=hex:00
"audio/x-aac"=hex:00
"audio/x-caf"=hex:00
"audio/mpeg"=hex:00
"audio/x-mpeg"=hex:00
"video/mp4"=hex:00
"audio/mp4"=hex:00
"image/jp2"=hex:00
"image/jpeg2000"=hex:00
"image/jpeg2000-image"=hex:00
"image/x-jpeg2000-image"=hex:00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Google Search]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Backward Links]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Cached Snapshot of Page]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Customize Menu]
@="file://F:\\Program Files\\Roboform\\RoboFormComCustomizeIEMenu.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Customize Menu &4]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Fill Forms]
@="file://F:\\Program Files\\Roboform\\RoboFormComFillForms.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Fill Forms &]]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Browser: Resize Window]
@="C:\\Program Files\\IE Booster\\window-size.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Frame: Open in &New Window]
@="C:\\Program Files\\IE Booster\\frame-open-in-new-window.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Frame: Open in &This Window]
@="C:\\Program Files\\IE Booster\\frame-open-in-this-window.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Image: Copy Path to Clipboard]
@="C:\\Program Files\\IE Booster\\image-copy-path-to-clipboard.html"
"contexts"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Image: Show Image Data]
"contexts"=dword:00000002
@="C:\\Program Files\\IE Booster\\image-view-image-data.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Image: Show Server Response]
@="C:\\Program Files\\IE Booster\\link-show-server-response.html"
"contexts"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Link: Copy as <A href="URL">caption</A>]
@="C:\\Program Files\\IE Booster\\link-copy.html"
"contexts"=dword:00000020

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Link: Open in New Minimized Window]
@="C:\\Program Files\\IE Booster\\link-open-minimized.html"
"contexts"=dword:00000020

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Link: Show Server Response]
@="C:\\Program Files\\IE Booster\\link-show-server-response.html"
"contexts"=dword:00000020

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Page: Copy Title as <A href="URL">Title</a>]
@="C:\\Program Files\\IE Booster\\page-copy-title.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Page: Show Forms and Applets]
@="C:\\Program Files\\IE Booster\\page-show-forms.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Page: Show Hyperlinks]
@="C:\\Program Files\\IE Booster\\page-view-hyperlinks.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Page: Show Images]
@="C:\\Program Files\\IE Booster\\page-show-images.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Page: Show Source]
@="C:\\Program Files\\IE Booster\\page-view-source.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Page: Show Stylesheets]
@="C:\\Program Files\\IE Booster\\page-view-stylesheets.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Page: Show TABLE, FORM and DIV Borders]
@="C:\\Program Files\\IE Booster\\page-show-table-structure.htm"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Selection: Copy as plain text]
"contexts"=dword:00000010
@="C:\\Program Files\\IE Booster\\selection-copy-plaintext.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Selection: Open in Browser]
@="C:\\Program Files\\IE Booster\\selection-open-in-browser.html"
"contexts"=dword:00000010

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\IEB: Selection: Show Partial Source]
@="C:\\Program Files\\IE Booster\\selection-show-source.html"
"contexts"=dword:00000010

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\RoboForm &2]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\RoboForm Toolbar]
@="file://F:\\Program Files\\Roboform\\RoboFormComShowToolbar.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Save Forms]
@="file://F:\\Program Files\\Roboform\\RoboFormComSavePass.html"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Save Forms &[]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Similar Pages]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Translate into English]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows]
"PlaySound"=dword:00000001
"UseSecBand"=dword:00000001
"BlockUserInit"=dword:00000000
"UseTimerMethod"=dword:00000000
"UseHooks"=dword:00000001
"AllowHTTPS"=dword:00000000
"PopupMgr"="yes"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\PageSetup]
"header"="&w&bPage &p of &P"
"footer"="&u&b&d"
"margin_bottom"="0.750000"
"margin_left"="0.750000"
"margin_right"="0.750000"
"margin_top"="0.750000"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter]
"Enabled"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"="http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchProperties]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\SearchProperties\en-au]
"PanelOrder"=hex:57,00,65,00,62,00,01,00,50,00,72,00,65,00,76,00,01,00,4d,00,\
61,00,70,00,01,00,45,00,6e,00,63,00
"Panel@Web"=hex:64,00,65,00,66,00,61,00,75,00,6c,00,74,00,03,00,6c,00,6f,00,6f,\
00,6b,00,73,00,6d,00,61,00,72,00,74,00,04,00,6d,00,73,00,6e,00
"Panel@Enc"=hex:64,00,65,00,66,00,61,00,75,00,6c,00,74,00,03,00,65,00,6e,00,63,\
00,61,00,72,00,74,00,61,00
"Panel@Map"=hex:70,00,6c,00,61,00,63,00,65,00,03,00,65,00,78,00,70,00,65,00,64,\
00,69,00,61,00
"SettingsVersion"=hex:42,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl]
"provider"=""
@="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Security]
"Sending_Security"="Medium"
"Viewing_Security"="Low"
"Safety Warning Level"="Query"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Security\P3Global]
"Enabled"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Security\P3Sites]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Services]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings]
"Anchor Color Visited"="128,0,128"
"Anchor Color"="0,0,255"
"Background Color"="192,192,192"
"Text Color"="0,0,0"
"Use Anchor Hover Color"="No"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"LinksFolderName"="Links"
"Locked"=dword:00000001
"ShowDiscussionButton"="Yes"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Explorer]
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,34,00,00,00,1b,00,00,00,\
4e,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\
00,00,00,02,00,00,00,21,07,00,00,a0,0f,00,00,04,00,00,00,21,01,00,00,a0,0f,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,e0,01,ee,4e,d0,11,bf,e9,00,\
aa,00,5b,43,83,10,00,00,00,00,00,00,00,01,e0,32,f4,01,00,00,00
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:b1,c2,18,23,65,49,d4,11,9b,18,00,\
90,27,a5,cd,4f
"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"=hex:2a,8c,5c,4d,75,d0,d0,11,b4,16,00,\
c0,4f,b9,03,76
"{724D43A0-0D85-11D4-9908-00400523E39A}"=hex:a0,43,4d,72,85,0d,d4,11,99,08,00,\
40,05,23,e3,9a
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,34,00,00,00,1b,00,00,00,\
4e,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\
00,00,00,02,00,00,00,21,07,00,00,a0,0f,00,00,04,00,00,00,21,01,00,00,a0,0f,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{01E04581-4EEE-11D0-BFE9-00AA005B4383}"=hex:81,45,e0,01,ee,4e,d0,11,bf,e9,00,\
aa,00,5b,43,83,10,00,00,00,00,00,00,00,01,e0,32,f4,01,00,00,00
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:b1,c2,18,23,65,49,d4,11,9b,18,00,\
90,27,a5,cd,4f
"{0E5CBF21-D15F-11D0-8301-00AA005B4383}"=hex:21,bf,5c,0e,5f,d1,d0,11,83,01,00,\
aa,00,5b,43,83,22,00,1c,00,08,01,00,00,06,00,00,00,01,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,4c,00,00,00,01,14,02,00,00,00,00,00,c0,00,00,00,00,\
00,00,46,81,00,00,00,10,00,00,00,ce,ae,35,f1,3d,a3,c2,01,c9,ae,37,5f,14,c9,\
c7,01,1a,4a,e5,dc,1f,7a,c5,01,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,43,01,14,00,1f,50,e0,4f,d0,20,ea,3a,69,10,a2,d8,\
08,00,2b,30,30,9d,19,00,2f,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,5c,00,31,00,00,00,00,00,d9,34,7d,58,10,00,44,4f,43,55,4d,\
45,7e,31,00,00,44,00,03,00,04,00,ef,be,8e,2d,8c,8c,f2,36,4e,3d,14,00,00,00,\
44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,\
00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,00,00,18,00,40,00,\
31,00,00,00,00,00,f0,36,9b,22,10,00,4f,70,74,69,6f,6e,61,6c,00,00,28,00,03,\
00,04,00,ef,be,8e,2d,10,37,f2,36,d5,3c,14,00,00,00,4f,00,70,00,74,00,69,00,\
6f,00,6e,00,61,00,6c,00,00,00,18,00,42,00,31,00,00,00,00,00,e8,36,60,39,30,\
00,46,41,56,4f,52,49,7e,31,00,00,2a,00,03,00,04,00,ef,be,8e,2d,10,37,f1,36,\
18,7d,14,00,00,00,46,00,61,00,76,00,6f,00,72,00,69,00,74,00,65,00,73,00,00,\
00,18,00,36,00,31,00,00,00,00,00,da,32,da,3a,10,00,4c,69,6e,6b,73,00,22,00,\
03,00,04,00,ef,be,8e,2d,12,37,f1,36,23,7d,14,00,00,00,4c,00,69,00,6e,00,6b,\
00,73,00,00,00,14,00,00,00,60,00,00,00,03,00,00,a0,58,00,00,00,00,00,00,00,\
6d,75,6c,65,00,00,00,00,00,00,00,00,00,00,00,00,50,77,65,41,10,3d,34,41,bc,\
7a,9e,76,95,7a,5b,de,32,bc,0e,d2,33,0f,d7,11,a7,91,00,e0,29,9d,c1,b1,50,77,\
65,41,10,3d,34,41,bc,7a,9e,76,95,7a,5b,de,32,bc,0e,d2,33,0f,d7,11,a7,91,00,\
e0,29,9d,c1,b1,00,00,00,00,08,00,00,00,02,00,00,00,32,03,00,00,01,00,00,00,\
08,00,00,00,4e,00,00,00,00,00,00,00,40,00,32,00,97,00,00,00,38,32,89,70,20,\
08,41,6e,6f,6e,2e,75,72,6c,00,00,28,00,03,00,04,00,ef,be,4a,30,cb,84,f1,36,\
23,7d,14,00,00,00,41,00,6e,00,6f,00,6e,00,2e,00,75,00,72,00,6c,00,00,00,18,\
00,00,00,00,00,00,00,68,00,00,00,05,00,00,00,5a,00,32,00,17,00,00,00,d9,32,\
9a,06,20,00,41,55,54,4f,4d,41,7e,31,2e,55,52,4c,00,00,3e,00,03,00,04,00,ef,\
be,d9,32,9a,06,f1,36,23,7d,14,00,00,00,41,00,75,00,74,00,6f,00,6d,00,61,00,\
74,00,65,00,20,00,4c,00,69,00,6e,00,6b,00,73,00,32,00,2e,00,75,00,72,00,6c,\
00,00,00,1c,00,00,00,00,00,00,00,5c,00,00,00,01,00,00,00,4e,00,32,00,c5,01,\
00,00,6f,31,05,a2,20,00,42,4c,4f,47,50,4f,7e,31,2e,55,52,4c,00,00,32,00,03,\
00,04,00,ef,be,07,31,eb,39,f1,36,23,7d,14,00,00,00,42,00,6c,00,6f,00,67,00,\
20,00,50,00,6f,00,73,00,74,00,2e,00,75,00,72,00,6c,00,00,00,1c,00,00,00,00,\
00,00,00,5e,00,00,00,06,00,00,00,50,00,32,00,34,00,00,00,d9,32,08,07,20,00,\
43,4f,4e,56,45,52,7e,31,2e,55,52,4c,00,00,34,00,03,00,04,00,ef,be,d9,32,08,\
07,f1,36,23,7d,14,00,00,00,43,00,6f,00,6e,00,76,00,65,00,72,00,73,00,61,00,\
74,00,65,00,2e,00,75,00,72,00,6c,00,00,00,1c,00,00,00,00,00,00,00,82,00,00,\
00,04,00,00,00,74,00,32,00,6a,00,00,00,d9,32,eb,38,20,00,44,45,4c,49,43,49,\
7e,31,2e,55,52,4c,00,00,58,00,03,00,04,00,ef,be,d9,32,4b,06,f1,36,23,7d,14,\
00,00,00,64,00,65,00,6c,00,2e,00,69,00,63,00,69,00,6f,00,2e,00,75,00,73,00,\
2d,00,64,00,6f,00,63,00,2d,00,62,00,6f,00,6f,00,6b,00,6d,00,61,00,72,00,6b,\
00,6c,00,65,00,74,00,73,00,2e,00,75,00,72,00,6c,00,00,00,1c,00,00,00,00,00,\
00,00,5a,00,00,00,02,00,00,00,4c,00,32,00,50,01,00,00,6f,31,64,a2,20,00,4e,\
59,54,4c,49,4e,7e,31,2e,55,52,4c,00,00,30,00,03,00,04,00,ef,be,08,31,e9,22,\
f1,36,23,7d,14,00,00,00,6e,00,79,00,74,00,20,00,6c,00,69,00,6e,00,6b,00,2e,\
00,75,00,72,00,6c,00,00,00,1c,00,00,00,00,00,00,00,6a,00,00,00,07,00,00,00,\
5c,00,32,00,c1,00,00,00,d9,32,b5,06,20,08,50,4f,4f,44,4c,45,7e,31,2e,55,52,\
4c,00,00,40,00,03,00,04,00,ef,be,7a,30,1c,87,f1,36,23,7d,14,00,00,00,50,00,\
6f,00,6f,00,64,00,6c,00,65,00,20,00,50,00,72,00,65,00,64,00,69,00,63,00,74,\
00,6f,00,72,00,2e,00,75,00,72,00,6c,00,00,00,1c,00,00,00,00,00,00,00,70,00,\
00,00,03,00,00,00,62,00,32,00,a9,00,00,00,99,32,0e,af,20,00,57,49,4e,44,4f,\
57,7e,32,2e,55,52,4c,00,00,46,00,03,00,04,00,ef,be,99,32,0e,af,f1,36,23,7d,\
14,00,00,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4d,00,61,00,72,\
00,6b,00,65,00,74,00,70,00,6c,00,61,00,63,00,65,00,2e,00,75,00,72,00,6c,00,\
00,00,1c,00,00,00,00,00,00,00
"{724D43A0-0D85-11D4-9908-00400523E39A}"=hex:a0,43,4d,72,85,0d,d4,11,99,08,00,\
40,05,23,e3,9a
"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"=hex:2a,8c,5c,4d,75,d0,d0,11,b4,16,00,\
c0,4f,b9,03,76
"ITBarLayout"=hex:11,00,00,00,4c,00,00,00,00,00,00,00,34,00,00,00,1f,00,03,00,\
81,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\
00,00,00,02,00,00,00,21,07,00,00,a0,0f,00,00,04,00,00,00,21,01,00,00,a0,0f,\
00,00,03,00,00,00,20,03,00,00,00,00,00,00,07,00,00,00,21,05,00,00,00,00,00,\
00,06,00,00,00,21,05,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,a0,43,4d,72,85,0d,d4,11,99,08,00,40,05,23,e3,9a,b1,c2,18,\
23,65,49,d4,11,9b,18,00,90,27,a5,cd,4f,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

9) Kaspersky scan took over 8 hours!

log file:

[quote]
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, July 20, 2007 2:52:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/07/2007
Kaspersky Anti-Virus database records: 365310
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 210951
Number of viruses found: 26
Number of infected objects: 140 / 0
Number of suspicious objects: 11
Duration of the scan process: 08:23:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Optional\Application Data\Thunderbird\Profiles\fro310x9.default\Mail\Local Folders\Inbox/[From "Valeria Carlisle" <Szxluqwh@altern.org>][Date Mon, 01 Aug 2005 02:19:39 -0400]/UNNAMED/[From "Emanuel Mays" <acasgzmoqhs@almodels.com>][Date Mon, 01 Aug 2005 07:12:38 +0000]/text/[From "Proteus O. Thriftiness" <David|david_wertheim@nyc.com>][Date Mon, 01 Aug 2005 03:29:06 -0400]/UNNAMED/[From "Gonzales" <xqsomkj@ed.shawcable.net>][Date Mon, 01 Aug 2005 02:01:40 -0800]/text/[From nangel8475@aol.com][Date Mon, 1 Aug 2005 18:30:06 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Optional\Application Data\Thunderbird\Profiles\fro310x9.default\Mail\Local Folders\Inbox/[From "Valeria Carlisle" <Szxluqwh@altern.org>][Date Mon, 01 Aug 2005 02:19:39 -0400]/UNNAMED/[From "Emanuel Mays" <acasgzmoqhs@almodels.com>][Date Mon, 01 Aug 2005 07:12:38 +0000]/text/[From "Proteus O. Thriftiness" <David|david_wertheim@nyc.com>][Date Mon, 01 Aug 2005 03:29:06 -0400]/UNNAMED/[From "Gonzales" <xqsomkj@ed.shawcable.net>][Date Mon, 01 Aug 2005 02:01:40 -0800]/text Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Optional\Application Data\Thunderbird\Profiles\fro310x9.default\Mail\Local Folders\Inbox/[From "Valeria Carlisle" <Szxluqwh@altern.org>][Date Mon, 01 Aug 2005 02:19:39 -0400]/UNNAMED/[From "Emanuel Mays" <acasgzmoqhs@almodels.com>][Date Mon, 01 Aug 2005 07:12:38 +0000]/text/[From "Proteus O. Thriftiness" <David|david_wertheim@nyc.com>][Date Mon, 01 Aug 2005 03:29:06 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Optional\Application Data\Thunderbird\Profiles\fro310x9.default\Mail\Local Folders\Inbox/[From "Valeria Carlisle" <Szxluqwh@altern.org>][Date Mon, 01 Aug 2005 02:19:39 -0400]/UNNAMED/[From "Emanuel Mays" <acasgzmoqhs@almodels.com>][Date Mon, 01 Aug 2005 07:12:38 +0000]/text Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Optional\Application Data\Thunderbird\Profiles\fro310x9.default\Mail\Local Folders\Inbox/[From "Valeria Carlisle" <Szxluqwh@altern.org>][Date Mon, 01 Aug 2005 02:19:39 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Optional\Application Data\Thunderbird\Profiles\fro310x9.default\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 5 skipped
C:\Documents and Settings\Optional\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip/image_cdrive/Desktop/translate_c Infected: not-a-virus:Dialer.Win32.gen skipped
C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip/image_cdrive/Program Files/Radmin/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip/image_cdrive/Program Files/Radmin/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip/image_cdrive/Program Files/Radmin/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip/image_cdrive/Program Files/Radmin/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip ZIP: infected - 5 skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "cknor" <cknor@erols.com>][Date Wed, 24 Sep 2003 21:40:02 -0400]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "cknor" <cknor@erols.com>][Date Wed, 24 Sep 2003 21:40:02 -0400]/cjfd.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/installer58.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From "William Roeder" <WHRoeder@yahoo.com>][Date Tue, 7 Oct 2003 15:08:10 -0400]/text/[From "Matthew Smith" <smithm@4thenet.co.uk>][Date Wed, 8 Oct 2003 04:48:44 +0100]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From "William Roeder" <WHRoeder@yahoo.com>][Date Tue, 7 Oct 2003 15:08:10 -0400]/text Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From "Dave Murphy" <murphydn@pei.sympatico.ca>][Date Wed, 8 Oct 2003 20:52:20 -0300]/UNNAMED/[From "Microsoft Corporation Security Center" <sunncuvhory@bulletin.msdn.net>][Date Thu, 9 Oct 2003 16:31:48 +0200]/PACK19.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From "Dave Murphy" <murphydn@pei.sympatico.ca>][Date Wed, 8 Oct 2003 20:52:20 -0300]/UNNAMED Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@bluesteel.co.za][Date Fri, 10 Oct 2003 12:48:11 +0200]/UNNAMED/[From "Microsoft Network Email Delivery Service" <dmailautomat@netmail.com>][Date Fri, 10 Oct 2003 09:21:04 +0200]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@bluesteel.co.za][Date Fri, 10 Oct 2003 12:48:11 +0200]/UNNAMED/[From "Microsoft Network Email Delivery Service" <dmailautomat@netmail.com>][Date Fri, 10 Oct 2003 09:21:04 +0200]/ectpr.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@bluesteel.co.za][Date Fri, 10 Oct 2003 12:48:11 +0200]/UNNAMED Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From "gordon" <gordonmcg@blueyonder.co.uk>][Date Fri, 10 Oct 2003 18:06:12 +0100]/UNNAMED/[From Pat Evans <rwjm@mindspring.com>][Date Sat, 11 Oct 2003 09:11:29 -0400]/text/[From Sandy <sandyuhhfgh24@ale.com.tw>][Date Sun, 12 Oct 2003 05:09:12 +0800 (CST)]/©T©w¸Ó§R°£ªº¸ê®Æ§¨¤º®e.doc.scr Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From "gordon" <gordonmcg@blueyonder.co.uk>][Date Fri, 10 Oct 2003 18:06:12 +0100]/UNNAMED/[From Pat Evans <rwjm@mindspring.com>][Date Sat, 11 Oct 2003 09:11:29 -0400]/text Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From "gordon" <gordonmcg@blueyonder.co.uk>][Date Fri, 10 Oct 2003 18:06:12 +0100]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Svetaka, Marius M LITHREP-OA (Secondary)" <Marius.M.Svetaka@ope.shell.com>][D ... /[From "Microsoft Network Security Division" <lbdiulfjmqnwjkw-llws@advisor.net>][Date Mon, 13 Oct 2003 09:23:48 +0200]/patch327.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Svetaka, Marius M LITHREP-OA (Secondary)" <Marius.M.Svetaka@ope.shell.com>][Date Sat, 11 Oct 2003 ... /[From i_like_someone_special2001 <i_like_someone_special2001@yahoo.com>][Date 13 Oct 2003 09:54:55 +0100]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Svetaka, Marius M LITHREP-OA (Secondary)" <Marius.M.Svetaka@ope.shell.com>][Date Sat, 1 ... /[From i_like_someone_special2001 <i_like_someone_special2001@yahoo.com>][Date 13 Oct 2003 09:54:55 +0100]/counter[3].bat Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Svetaka, Marius M LITHREP-OA (Secondary)" <Marius.M.Svetaka@ope.shell.com>][Date Sat, 11 Oct 2003 12:14:21 +0200]/UNNAMED/[From <NEXON-MAILER@nexonclub.com>][Date Mon, 13 Oct 2003 16:42:06 +0900 (KST)]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Svetaka, Marius M LITHREP-OA (Secondary)" <Marius.M.Svetaka@ope.shell.com>][Date Sat, 11 Oct 2003 12:14:21 +0200]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:15:34 -0000]/html/[From inmeuk <inmeuk@hotmail.com>][Date 13 Oct 2003 22:38:31 +0100]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:15:34 -0000]/html/[From inmeuk <inmeuk@hotmail.com>][Date 13 Oct 2003 22:38:31 +0100]/age.scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:15:34 -0000]/html Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html/[From brandie <brandie@wu6nw7h992.com>][Date Tue, 14 Oct 2003 05:16:03 -0400]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html/[From brandie <brandie@wu6nw7h992.com>][Date Tue, 14 Oct 2003 05:16:03 -0400]/for.scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html/[From jingers911@yahoo.com][Date Tue, 14 Oct 2003 01:55 ... /[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:15:34 -0000]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html/[From jingers911@yahoo.com][Date Tue, 14 Oct 2003 ... /[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:15:34 -0000]/fajnh.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html/[From jingers911@yaho ... /[From "Network Message Delivery Service" <mailerform@puremail.com>][Date Tue, 14 Oct 2003 12:47:01 +030 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html/[From jingers911@yaho ... /[From "Network Message Delivery Service" <mailerform@puremail.com>][Date Tue, 14 Oct 2003 12:47: ... /flnhyha.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html/[From jingers911@yaho ... /[From "Network ... /[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/CPheading.doc.scr Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html/[From jingers911@yaho ... /[From "Network Message Deliver ... /[From postmaster@eusbius.local][Date Tue, 14 Oct 2003 12:39:44 +0100]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html/[From jingers911@yaho ... /[From "Network Message Delivery ... /[From stuserv@educationdirect.com][Date Tue, 14 Oct 2003 10:38:04 GMT]/text Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html/[From jingers911@yaho ... /[From "Network Message Delivery Service" <mailerform@puremail.com>][Date Tue, 14 Oct 2003 12:47:01 +0300]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html/[From jingers911@yahoo.com][Date Tue, 14 Oct 2003 01:55:55 -0700 (PDT)]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:35:47 -0000]/html Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From postmaster@hitel.net][Date Sun, 12 Oct 2003 18:39:55 +0900]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From sgirlboarder@yahoo.com][Date Tue, 14 Oct 2003 20:28:42 -0700 (PDT)]/UNNAMED/[From <victoryyy@rambler.ru>(OLEG GHHH)][Date Wed, 15 Oct 2003 11:13:39 +0400]/sexy Infected: Email-Worm.Win32.Hybris.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From sgirlboarder@yahoo.com][Date Tue, 14 Oct 2003 20:28:42 -0700 (PDT)]/UNNAMED/[From jumpmaster_slade@yahoo.com][Date Wed, 15 Oct 2003 04:58:41 -0700 (PDT)]/UNNAMED/[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 07:09:27 -0000]/play.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From sgirlboarder@yahoo.com][Date Tue, 14 Oct 2003 20:28:42 -0700 (PDT)]/UNNAMED/[From jumpmaster_slade@yahoo.com][Date Wed, 15 Oct 2003 04:58:41 -0700 (PDT)]/UNNAMED/[From Mail Delivery Subsystem <MAILER-DAEM ... /[From "Max C. Shot" <info@wonderdrug.ws>][Date 13 Oct 2003 18:15:34 -0000]/die Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From sgirlboarder@yahoo.com][Date Tue, 14 Oct 2003 20:28:42 -0700 (PDT)]/UNNAMED/[From jumpmaster_slade@yahoo.com][Date Wed, 15 Oct 2003 04:58:41 -0700 (PDT)]/UNNAMED/[From Mail Delivery Subsystem <MAILER ... ... /[From "Max C. Shot" <info@wonderdrug.ws>][Date 17 Oct 2003 00:37:34 -0000]/How Infected: Virus.Win32.Xorala skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From sgirlboarder@yahoo.com][Date Tue, 14 Oct 2003 20:28:42 -0700 (PDT)]/UNNAMED/[From jumpmaster_slade@yahoo.com][Date Wed, 15 Oct 2003 04:58:41 -0700 (PDT)]/UNNAMED/[From Mail Delivery Subsystem <MAILER ... /[From "David E. Lovejoy" <del@fdml.com>][Date Thu, 16 Oct 2003 21:31:29 -0700]/text Infected: Virus.Win32.Xorala skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From sgirlboarder@yahoo.com][Date Tue, 14 Oct 2003 20:28:42 -0700 (PDT)]/UNNAMED/[From jumpmaster_slade@yahoo.com][Date Wed, 15 Oct 2003 04:58:41 -0700 (PDT)]/UNNAMED/[From Mail Delivery Subsystem <MAILER-DAE ... /[From "Max C. Shot" <info@wonderdrug.ws>][Date 17 Oct 2003 00:37:34 -0000]/html Infected: Virus.Win32.Xorala skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From sgirlboarder@yahoo.com][Date Tue, 14 Oct 2003 20:28:42 -0700 (PDT)]/UNNAMED/[From jumpmaster_slade@yahoo.com][Date Wed, 15 Oct 2003 04:58:41 -0700 (PDT)]/UNNAMED/[From Mail Delivery Subsystem <MAILER-DAEM ... /[From amandita1@yahoo.com][Date Wed, 15 Oct 2003 13:22:06 -0700 (PDT)]/UNNAMED Infected: Virus.Win32.Xorala skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From sgirlboarder@yahoo.com][Date Tue, 14 Oct 2003 20:28:42 -0700 (PDT)]/UNNAMED/[From jumpmaster_slade@yahoo.com][Date Wed, 15 Oct 2003 04:58:41 -0700 (PDT)]/UNNAMED/[From Mail Delivery Subsystem <MAILER-DAEMON@pop3.yucom.be>][Date Wed, 15 Oct 2003 21:44:55 +0200]/text Infected: Virus.Win32.Xorala skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin
Bstuff
Regular Member
 
Posts: 23
Joined: July 12th, 2007, 12:48 am

Unread postby Bstuff » July 20th, 2007, 4:05 am

Looks like my reply was too long for one post...


9) CONTINUED

Continuation of the Kaspersky log file from the previous post:


C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From sgirlboarder@yahoo.com][Date Tue, 14 Oct 2003 20:28:42 -0700 (PDT)]/UNNAMED/[From jumpmaster_slade@yahoo.com][Date Wed, 15 Oct 2003 04:58:41 -0700 (PDT)]/UNNAMED Infected: Virus.Win32.Xorala skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From sgirlboarder@yahoo.com][Date Tue, 14 Oct 2003 20:28:42 -0700 (PDT)]/UNNAMED Infected: Virus.Win32.Xorala skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "MS Corporation Technical Support" <nrgsij@newsletters.microsoft.com>][Date Sun, 26 Oct 2003 19:24:38 +1100]/Qwcqd.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/focg.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/U ... /[From "The Mortgage Alliance Company of Canada" <chris@btinternet.com>][Date Mon, 27 Oct 2003 19:05:30 +0000]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNN ... /[From "The Mortgage Alliance Company of Canada" <chris@btinternet.com>][Date Mon, 27 Oct 2003 19:05:30 +0000]/13 Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim ... /[From "delivery system" <mailroutine@bigfoot.com>][Date Tue, 28 Oct 2003 10:12:36 +080 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim ... /[From "delivery system" <mailroutine@bigfoot.com>][Date Tue, 28 Oct 2003 10:12:3 ... /chcejr.pif Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim .. ... /[From "Microsoft" <haypgjlfac@support.msn.com>][Date Tue, 28 Oct 2003 10:07: ... /Q439284.exe Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim .. ... /[From "Microsoft" ... /[From bbh <bbh@gshosp.co.kr>][Date 30 Oct 2003 00:36:48 +090 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim .. ... /[From "Microsoft" ... /[From bbh <bbh@gshosp.co.kr>][Date 30 Oct 2003 00:36:4 ... /border.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim .. ... /[From "e. van duijn" <e.vanduijn@chello.nl>][Date Wed, 29 Oct 2003 09:08:48 +0100]/readme.exe Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim . ... /[From "fred" <WaHYWCoqgEKRJtqolNK@pacbell.net>][Date Fri, 31 Oct 2003 17:02:14 ... /photo.scr Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim . ... ... /[F ... /[From "Currupt Deal 2" <info@corrupt.ws>][Date 29 Oct 2003 00:59:37 -0000]/UNNAMED Infected: Email-Worm.Win32.Hawawi.g skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim . ... ... /[From DST Enterprises <dstent5@fastmail.fm>][Date Sat, 1 Nov 2003 13:59:24 - ... /UNNAMED Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim . ... ... /[Fro ... /[From "Internet Mail Service" < >][Date Sun, 02 Nov 2003 13:11:51 + ... /UNNAMED Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From ... /[From "Microsoft Public Assistance" <dzuhiegqa@technet.net>][Date Sun, 02 Nov 2003 13:00:34 + ... /UNNAMED Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From ... /[From "Microsoft Public Assistance" <dzuhiegqa@technet.net>][Date Sun, 02 Nov 2003 13:00:34 +1100]/UNNAMED Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim . ... ... /[Fro ... /[From "Internet Mail Service" < >][Date Sun, 02 Nov 2003 13:11:51 +1100]/UNNAMED Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim . ... ... /[From DST Enterprises <dstent5@fastmail.fm>][Date Sat, 1 Nov 2003 13:59:24 -0500]/UNNAMED Infected: Email-Worm.Win32.Swen skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim . ... ... /[From DST Enterprises <dstent5@fastmail.fm>][Date Sat, 1 Nov 2003 13:59:24 -0500]/UNNAMED Infected: Email-Worm.Win32.Hawawi.g skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim . ... ... /[F ... /[From rogerhatherall@optusnet.com.au][Date Mon, 3 Nov 2003 20:05:30 +1100]/UNNAMED Infected: Email-Worm.Win32.Hawawi.g skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim . ... ... /[From "Helen Skinner" <hc.skinner@ntlworld.com>][Date Sat, 1 Nov 2003 11:31:18 +0000]/text Infected: Email-Worm.Win32.Hawawi.g skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim . ... /[From "fred" <WaHYWCoqgEKRJtqolNK@pacbell.net>][Date Fri, 31 Oct 2003 17:02:14 -0800]/UNNAMED Infected: Email-Worm.Win32.Hawawi.g skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim .. ... /[From "M ... /[From "Currupt Deal 2" <info@corrupt.ws>][Date 29 Oct 2003 00:59:37 -0000]/html Infected: Email-Worm.Win32.Hawawi.g skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[ ... /[From "Currupt Deal 2" <info ... /[From trushin@perm.ru][Date Mon, 10 Nov 2003 11:14:59 +0500]/ie5setup.exe.exe Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[ ... /[From "Currupt D ... /[From "Joseph Stout" <josephstout_lq@lycos.com>][Date Thu, 6 Nov 2003 10:58:37 GMT]/bevel Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[ ... /[From "Currupt Deal ... /[From mag2from <mag2from@tegami.com>][Date Tue, 4 Nov 2003 17:17:07 +0900 (JST)]/text Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[ ... /[From "Currupt Deal 2" <info@corrupt.ws>] ... /[From trushin@perm.ru][Date Thu, 6 Nov 2003 00:27:56 +0500]/text Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[ ... /[From "Currupt Deal 2" <info@corrupt.ws>][Da ... /[From samd@poboxes.com][Date 10 Nov 2003 13:57:16 -0000]/text Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[ ... /[From "Currupt Deal 2" <info@corrupt.ws>][Date * 1.6 -- Date: is 96 hours or more before Received: date]/html Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim .. ... /[From "M ... /[From "Spork" <spork@cfl.rr.com>][Date Thu, 30 Oct 2003 19:57:26 -0500]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim .. ... /[From "Microsoft" ... /[From bbh <bbh@gshosp.co.kr>][Date 30 Oct 2003 00:36:48 +0900]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim .. ... /[From "Microsoft" <haypgjlfac@support.msn.com>][Date Tue, 28 Oct 2003 10:07:56 +0800]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zim ... /[From "delivery system" <mailroutine@bigfoot.com>][Date Tue, 28 Oct 2003 10:12:36 +0800]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED/[From Donald Zimmerman <donz@mailblocks.com>][Date Sun, 26 Oct 2003 06:30:49 -0800]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text/[From "" <masterprogram@freemail.com>][Date Sun, 26 Oct 2003 19:32:40 +1100]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Mailer-Daemon@rdprod.com (Mailer-Daemon)][Date Fri, 24 Oct 2003 12:48:22 +0800]/text Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Sizzlin46@aol.com][Date 12 Nov 2003 22:57:32 -0000]/text/[From <customerservice@cyberdetective.net>][Date Wed, 12 Nov 2003 18:34:02 -0500]/[Wayne_Dyer] Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Sizzlin46@aol.com][Date 12 Nov 2003 22:57:32 -0000]/text/[From regententerprises2002@yahoo.com][Date 13 Nov 2003 03:58:10 -0000]/text/[From "China Inflatables" <tian@cn-inflatables.com>][Date Wed, 12 Nov 2003 15:21:28 +0800]/[Wayne_Dyer] Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Sizzlin46@aol.com][Date 12 Nov 2003 22:57:32 -0000]/text/[From regententerprises2002@yahoo.com][Date 13 Nov 2003 03:58:10 -0000]/text Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text/[From Sizzlin46@aol.com][Date 12 Nov 2003 22:57:32 -0000]/text Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED/[From "Larry Harris" <lharris@sgpvfed.org>][Date Tue, 7 Oct 2003 08:50:46 -0700]/text Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox/[From "MS Corporation Security Bulletin" <pldewkiwwlh@vrtxcy.net>][Date Tue, 07 Oct 2003 16:23:29 +0100]/UNNAMED Infected: Email-Worm.Win32.Tanatos.b skipped
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox Mail Berkeley mbox: infected - 76, suspicious - 11 skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\Family Stuff.dbx/[From "Ronda" <ronda@bigpond.com>][Date Mon, 23 Oct 2006 21:48:49 +1000]/text/Update-KB4578-x86.zip/Update-KB4578-x86.exe Infected: Email-Worm.Win32.Warezov.fb skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\Family Stuff.dbx/[From "Ronda" <ronda@bigpond.com>][Date Mon, 23 Oct 2006 21:48:49 +1000]/text/Update-KB4578-x86.zip Infected: Email-Worm.Win32.Warezov.fb skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\Family Stuff.dbx/[From "Ronda" <ronda@bigpond.com>][Date Mon, 23 Oct 2006 21:48:49 +1000]/text Infected: Email-Worm.Win32.Warezov.fb skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\Family Stuff.dbx Mail MS Outlook 5: infected - 3 skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\Mainstream.dbx/[From Lula Holcomb <Lula_Holcomb@amazon.com>][Date Wen, 23 Feb 2005 02:05:50 +0000]/html/Lula_Holcomb@Amazon.com Infected: Trojan-Downloader.Win32.Agent.js skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\Mainstream.dbx/[From Lula Holcomb <Lula_Holcomb@amazon.com>][Date Wen, 23 Feb 2005 02:05:50 +0000]/html Infected: Trojan-Downloader.Win32.Agent.js skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\Mainstream.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[From "member@ebay.com"<member@ebay.com>][Date Tue, 17 Oct 2006 08:40:04 +0200]/html Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[From "eBay Billing Department Team" <update@ebay.com>][Date Mon, 24 Jan 2005 23:20:08 -0500]/html Infected: Trojan-Spy.HTML.Bayfraud.l skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[From aw-confirm@ebay.com <aw-confirm@ebay.com>][Date Fri, 6 May 2005 00:50:55 +0300 (EEST)]/html Infected: Trojan-Spy.HTML.Bayfraud.dc skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[Date Mon, 18 Jul 2005 06:09:34 -0500]/html/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[Date Mon, 18 Jul 2005 06:09:34 -0500]/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[From eBay <support_ref_23065@ebay.com>][Date Wed, 20 Jul 2005 18:04:58 +0500]/html/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[From eBay <support_ref_23065@ebay.com>][Date Wed, 20 Jul 2005 18:04:58 +0500]/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[From 0.1 FROM_HAS_ULINE_NUMS From: contains an underline and numbers/letters][Date Fri, 22 Jul 2005 13:05:55 +0400]/html/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[From 0.1 FROM_HAS_ULINE_NUMS From: contains an underline and numbers/letters][Date Fri, 22 Jul 2005 13:05:55 +0400]/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[Date Wed, 17 Aug 2005 15:47:53 +0200]/html/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[Date Wed, 17 Aug 2005 15:47:53 +0200]/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[Date Thu, 18 Aug 2005 11:15:12 -0300]/html/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx/[Date Thu, 18 Aug 2005 11:15:12 -0300]/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express\PayPal.dbx Mail MS Outlook 5: infected - 13 skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/26 Dec 2004 22:48 from MAILER-DAEMON@email.seznam.cz:failure not.eml/[From riselda@iacinc.com][Date Mon, 27 Dec 2004 01:48:01 +0300]/UNNAMED/letter_envelope-fromheike.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/26 Dec 2004 22:48 from MAILER-DAEMON@email.seznam.cz:failure not.eml/[From riselda@iacinc.com][Date Mon, 27 Dec 2004 01:48:01 +0300]/UNNAMED/letter_envelope-fromheike.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/26 Dec 2004 22:48 from MAILER-DAEMON@email.seznam.cz:failure not.eml/[From riselda@iacinc.com][Date Mon, 27 Dec 2004 01:48:01 +0300]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/26 Dec 2004 22:48 from MAILER-DAEMON@email.seznam.cz:failure not.eml Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/AA-SPAM/17 Oct 2004 06:48 to spam:Your Account..html Infected: Trojan-Spy.HTML.Citifraud.bk skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/AA-SPAM/17 Oct 2004 10:26 to spam:Your Account..html Infected: Trojan-Spy.HTML.Citifraud.bk skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/AA-SPAM/17 Oct 2004 16:21 to spam; Optional:Please confirm Your account.html Infected: Trojan-Spy.HTML.Citifraud.bk skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/AA-SPAM/17 Oct 2004 16:50 to spam; Optional:NOTE! Citibank account suspe.eml Infected: Trojan-Spy.HTML.Citifraud.ay skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/AA-SPAM/17 Oct 2004 18:47 to spam; Optional:NOTE! Citibank account suspe.eml Infected: Trojan-Spy.HTML.Citifraud.ay skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/AA-UNSURE/09 Jul 2004 03:46 from Bendigo Bank:lmportant information from B.html Infected: Trojan-Spy.HTML.Bankfraud.c skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/AA-UNSURE/07 Nov 2004 00:02 to unsure; webmaster@xengi.com:PayPal.html Infected: Trojan-Spy.HTML.Paylap.p skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/15 Mar 2002 12:55 from Microsoft Corporation Security Center:Int/q216309.exe Infected: Email-Worm.Win32.Gibe.a skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/17 Jul 2003 01:46 to Opti:Re: Your E-Loan Refinance Application /E-Loan-Appraiser-Results.pif Infected: Trojan-Proxy.Win32.Webber.10.a skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 13 skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Optional\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Optional\Local Settings\History\History.IE5\MSHist012007072020070721\index.dat Object is locked skipped
C:\Documents and Settings\Optional\Local Settings\Temp\Perflib_Perfdata_d08.dat Object is locked skipped
C:\Documents and Settings\Optional\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Optional\ntuser.dat Object is locked skipped
C:\Documents and Settings\Optional\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Radmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{72BC3969-BE94-47F8-B036-A9C97CA8172E}\RP765\A0047836.exe Object is locked skipped
C:\System Volume Information\_restore{72BC3969-BE94-47F8-B036-A9C97CA8172E}\RP767\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\software\Kazaa Lite\klite202e.exe/data0014 Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
F:\software\Kazaa Lite\klite202e.exe Inno: infected - 1 skipped
F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
F:\software\remote administrator\radmin21.zip/RADMIN21.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
F:\software\remote administrator\radmin21.zip ZIP: infected - 5 skipped
F:\software\remote administrator\remoteadmin\radmin21.exe/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
F:\software\remote administrator\remoteadmin\radmin21.exe/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
F:\software\remote administrator\remoteadmin\radmin21.exe/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
F:\software\remote administrator\remoteadmin\radmin21.exe/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
F:\software\remote administrator\remoteadmin\radmin21.exe Gentee: infected - 4 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{72BC3969-BE94-47F8-B036-A9C97CA8172E}\RP767\change.log Object is locked skipped

Scan process completed.

I notice a few entries above pointing at Thunderbird and MS Outlook email boxes... I do not use either of those programs, only Outlook Express. Just in case knowing that makes removal easier.

10)

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-20 16:01:45
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \??\F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7E8B1DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7E8B1DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7E8B454] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7E8B1DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F7E8B1DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F7E8B1DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F7E8B454] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F7E8B1DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F7E7EF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F7E7EF4C] fltmgr.sys

---- EOF - GMER 1.0.13 ----



11) When I go into the control panel and click users, it shows me 4 accounts; 'Optional', 'Guest', 'Internet Guest Account' and 'ASP.net Machine Account'

The last 2 are password protected and I don't know the passwords.. so can't get in to run HT. (they were created by a shop tech as mentioned earlier when he did some software updates for me)

The tech told me at the time it was fine to delete the account/s he had created but I just haven't bothered before now.... good idea to get rid of them totally?



HT logfile from account "Optional"


Logfile of HijackThis v1.99.1
Scan saved at 4:06:37 PM, on 20/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
F:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - F:\Program Files\Roboform\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - F:\Program Files\Roboform\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Password2000] C:\Program Files\Password 2000\password.exe -w
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - Startup: SpamBayes Tray Icon.lnk = C:\Program Files\SpamBayes\bin\sb_tray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Customize Menu - file://F:\Program Files\Roboform\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O8 - Extra context menu item: IEB: Browser: Resize Window - C:\Program Files\IE Booster\window-size.html
O8 - Extra context menu item: IEB: Frame: Open in &New Window - C:\Program Files\IE Booster\frame-open-in-new-window.html
O8 - Extra context menu item: IEB: Frame: Open in &This Window - C:\Program Files\IE Booster\frame-open-in-this-window.html
O8 - Extra context menu item: IEB: Image: Copy Path to Clipboard - C:\Program Files\IE Booster\image-copy-path-to-clipboard.html
O8 - Extra context menu item: IEB: Image: Show Image Data - C:\Program Files\IE Booster\image-view-image-data.html
O8 - Extra context menu item: IEB: Image: Show Server Response - C:\Program Files\IE Booster\link-show-server-response.html
O8 - Extra context menu item: IEB: Link: Copy as <A href="URL">caption</A> - C:\Program Files\IE Booster\link-copy.html
O8 - Extra context menu item: IEB: Link: Open in New Minimized Window - C:\Program Files\IE Booster\link-open-minimized.html
O8 - Extra context menu item: IEB: Link: Show Server Response - C:\Program Files\IE Booster\link-show-server-response.html
O8 - Extra context menu item: IEB: Page: Copy Title as <A href="URL">Title</a> - C:\Program Files\IE Booster\page-copy-title.html
O8 - Extra context menu item: IEB: Page: Show Forms and Applets - C:\Program Files\IE Booster\page-show-forms.html
O8 - Extra context menu item: IEB: Page: Show Hyperlinks - C:\Program Files\IE Booster\page-view-hyperlinks.html
O8 - Extra context menu item: IEB: Page: Show Images - C:\Program Files\IE Booster\page-show-images.html
O8 - Extra context menu item: IEB: Page: Show Source - C:\Program Files\IE Booster\page-view-source.html
O8 - Extra context menu item: IEB: Page: Show Stylesheets - C:\Program Files\IE Booster\page-view-stylesheets.html
O8 - Extra context menu item: IEB: Page: Show TABLE, FORM and DIV Borders - C:\Program Files\IE Booster\page-show-table-structure.htm
O8 - Extra context menu item: IEB: Selection: Copy as plain text - C:\Program Files\IE Booster\selection-copy-plaintext.html
O8 - Extra context menu item: IEB: Selection: Open in Browser - C:\Program Files\IE Booster\selection-open-in-browser.html
O8 - Extra context menu item: IEB: Selection: Show Partial Source - C:\Program Files\IE Booster\selection-show-source.html
O8 - Extra context menu item: RoboForm Toolbar - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://F:\Program Files\Roboform\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://F:\Program Files\Roboform\RoboFormComSavePass.html
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://F:\Program Files\Roboform\RoboFormComShowToolbar.html
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com/Java/cfs40320.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/c ... blt1_x.cab
O16 - DPF: Yahoo! Bingo - http://download2.games.yahoo.com/games/ ... /xt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/c ... /yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt4_x.cab
O16 - DPF: Yahoo! Poker - http://download2.games.yahoo.com/games/ ... /pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/ ... poti_x.cab
O16 - DPF: Yahoo! Spades - http://download2.games.yahoo.com/games/ ... /st3_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/a ... _en_dl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/p ... der_v6.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://CHNAGED-URL/wtpbs/wtBalanceShee ... agerwt.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Bstuff
Regular Member
 
Posts: 23
Joined: July 12th, 2007, 12:48 am

Unread postby Elrond » July 20th, 2007, 7:34 am

Hi bstuff.


Optional seems to be your main account. This would be a good time to get rid of them if the tech said that they can go. Check if the guest account is needed or has anything of interest in it and if it is not needed and is unused I would get rid of it as well.


The following mail folders in Outlook Express seem to be infected and need to be cleaned of infected mail (can be found from the Kaspersky log. We will run a new one when most of the junk is gone. It should be much faster.)

Family Stuff
Mainstream
PayPal


However before we start with that I want to be sure that they are in your present E-mail store.

  1. I need to check where your Outlook Express Files are stored. Do not want to wipe out your stored E-mails.
    • Please open Outlook Express.
    • On Toolbar please click Tools
    • Click Options.
    • Click the Maintenance tab.
    • Click Store Folder...
    • A small window will open with a box with a file path in it.
    • Please copy the path and add it to your next post. DO NOT CHANGE ANYTHING
    • Click Cancel
    • Close Outlook Express.

  2. Now to get rid of a load of old stuff.

    Do you have the following folders on your desktop? Do you want to keep them?
    They are at least partly infected and if they are wanted then we will have to go through them and delete stuff which will be time-consuming for me.
    BACKUPS
    EMAIL

    If you decide to keep them do remove these two from the list below
    C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip
    C:\Documents and Settings\Optional\Desktop\\Mailbox

    If you decide that the whole Backups folder can go just add the following to the list below C:\Documents and Settings\Optional\Desktop\BACKUPS.

    Let me know what you did.

    • Double click on OTMoveIt to start OTMoveIt
      Image
    • Untick the option to Unregister Dll's and Ocx's (1)
    • Select the contents of the below codebox, then press Ctrl+C to copy it to the clipboard
      Code:
       
      C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook
      C:\Documents and Settings\Optional\Application Data\Thunderbird
      C:\Documents and Settings\Optional\Desktop\BACKUPS\image_cdrive.zip
      C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox
      F:\software\Kazaa Lite\klite202e.exe/data0014
      F:\software\Kazaa Lite\klite202e.exe 
      F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/AdmDll.dll
      F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/raddrv.dll
      F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/radmin.exe
      F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/r_server.exe
      F:\software\remote administrator\radmin21.zip/RADMIN21
      F:\software\remote administrator\radmin21.zip
      F:\software\remote administrator\remoteadmin\radmin21.exe/AdmDll.dll
      F:\software\remote administrator\remoteadmin\radmin21.exe/raddrv.dll
      F:\software\remote administrator\remoteadmin\radmin21.exe/radmin.exe
      F:\software\remote administrator\remoteadmin\radmin21.exe/r_server.exe
      F:\software\remote administrator\remoteadmin\radmin21.exe
      
    • In OTMoveIt Right click on the box labelled Paste List of Files/Folders to be Moved
    • Click Paste (2)
    • Click MoveIt! (3)
    • Copy and paste the contents of the results box (4) as a reply to this topic

    Hopefully not everything will be there but I want to be sure.

  3. Post the path to the Outlook Express store and the log from OTMove.



For your information I will be off line from about 15:00 Friday until 18:00 Saturday UT.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby Bstuff » July 20th, 2007, 2:13 pm

Hope you enjoy your weekend Elrond.. I have a busy one planned myself as well.

I deleted all but the "Optional" account. The Guest account says it is turned off and has no option listed to delete it like the others. (just one option to turn it on)

I keep virtually all emails I have ever received or sent. The 3 mail folders Family Stuff, Mainstream and PayPal are just archives... although I would prefer to keep them, if it is going to cause a lot of extra effort to clean, I can live without them.


1) Path for OE is C:\Documents and Settings\Optional\Local Settings\Application Data\Identities\{03B886DF-14FA-4C72-9845-380CC7A7CBBE}\Microsoft\Outlook Express


2) the image_cdrive.zip file contains a backup of old stuff from a previous computer.. I haven't needed to use it in recent memory.. but I don't want to delete it really. (maybe it's not worth the effort to clean as I don't use it and know to take care if I ever do now?)

I am happy to lose the Mailbox file.

Here are the OTMoveIt results:

C:\Documents and Settings\Optional\Local Settings\Application Data\Microsoft\Outlook moved successfully.
C:\Documents and Settings\Optional\Application Data\Thunderbird\Profiles moved successfully.
C:\Documents and Settings\Optional\Application Data\Thunderbird moved successfully.
C:\Documents and Settings\Optional\Desktop\EMAIL\Mailbox moved successfully.
File/Folder F:\software\Kazaa Lite\klite202e.exe/data0014 not found.
F:\software\Kazaa Lite\klite202e.exe moved successfully.
File/Folder F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/AdmDll.dll not found.
File/Folder F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/raddrv.dll not found.
File/Folder F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/radmin.exe not found.
File/Folder F:\software\remote administrator\radmin21.zip/RADMIN21.EXE/r_server.exe not found.
File/Folder F:\software\remote administrator\radmin21.zip/RADMIN21 not found.
F:\software\remote administrator\radmin21.zip moved successfully.
File/Folder F:\software\remote administrator\remoteadmin\radmin21.exe/AdmDll.dll not found.
File/Folder F:\software\remote administrator\remoteadmin\radmin21.exe/raddrv.dll not found.
File/Folder F:\software\remote administrator\remoteadmin\radmin21.exe/radmin.exe not found.
File/Folder F:\software\remote administrator\remoteadmin\radmin21.exe/r_server.exe not found.
F:\software\remote administrator\remoteadmin\radmin21.exe moved successfully.

Created on 07/21/2007 04:06:54



all best,
Bstuff
Bstuff
Regular Member
 
Posts: 23
Joined: July 12th, 2007, 12:48 am
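The OTMoveIt results above show a pattern worth recognising: every entry of the form `radmin21.zip/RADMIN21.EXE/raddrv.dll` came back "not found" because the part after the first "/" is a member inside an archive or installer, not a file on disk, while the container itself (`radmin21.zip`, `radmin21.exe`) moved successfully and took its members with it. The script below is an added example, not code from this thread, from OTMoveIt or from Kaspersky: it parses scanner lines in the format of the Kaspersky log posted here, collapses archive members to their on-disk container to produce the list that is actually worth handing to a file-moving tool, and reads OTMoveIt-style results to mark which "not found" lines are harmless. The sample lines are constructed in the format shown in this thread, and the regular expressions are an assumption about that format rather than a documented one.

```python
import re
from collections import OrderedDict

# Constructed sample lines, in the format of the Kaspersky online scanner log
# and the OTMoveIt results posted in this thread (not the thread's full logs).
KAV_SAMPLE = """\
F:\\software\\remote administrator\\radmin21.zip/RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
F:\\software\\remote administrator\\radmin21.zip/RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
F:\\software\\remote administrator\\radmin21.zip ZIP: infected - 5 skipped
F:\\software\\remote administrator\\remoteadmin\\radmin21.exe/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
F:\\software\\remote administrator\\remoteadmin\\radmin21.exe Gentee: infected - 4 skipped
F:\\System Volume Information\\MountPointManagerRemoteDatabase Object is locked skipped
"""

OTMOVEIT_SAMPLE = """\
File/Folder F:\\software\\remote administrator\\radmin21.zip/RADMIN21.EXE/raddrv.dll not found.
F:\\software\\remote administrator\\radmin21.zip moved successfully.
File/Folder F:\\software\\remote administrator\\remoteadmin\\radmin21.exe/AdmDll.dll not found.
F:\\software\\remote administrator\\remoteadmin\\radmin21.exe moved successfully.
"""

# One scanner line is "<object> <verdict> skipped", where the verdict is one of
# "Infected: <name>", "<container type>: infected - <n>" or "Object is locked".
# This pattern is inferred from the log format in the thread (assumption).
KAV_LINE = re.compile(
    r"^(?P<obj>.+?) (?:Infected: (?P<name>\S+)"
    r"|(?P<ctype>\S+): infected - (?P<count>\d+)"
    r"|Object is locked) skipped$"
)

def split_object(obj):
    """The scanner writes members of archives/installers as <disk path>/<member>.
    Only the part before the first '/' exists on disk (Windows paths use '\\')."""
    disk, sep, member = obj.partition("/")
    return disk, (member if sep else None)

def parse_kav(text):
    """Turn scanner lines into records of (on-disk path, member, verdict)."""
    records = []
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if not m:
            continue
        disk, member = split_object(m.group("obj"))
        if m.group("name"):
            verdict = m.group("name")
        elif m.group("ctype"):
            verdict = f"container:{m.group('ctype')}:{m.group('count')}"
        else:
            verdict = "locked"
        records.append({"disk": disk, "member": member, "verdict": verdict})
    return records

def containers(records):
    """Group detections by the on-disk file holding them. Locked objects are
    files the scanner could not open, not detections, so they are dropped."""
    out = OrderedDict()
    for r in records:
        if r["verdict"] == "locked":
            continue
        out.setdefault(r["disk"], []).append(r["member"] or "(file itself)")
    return out

def moveit_list(records):
    """Paths worth giving to a file-moving tool: on-disk containers only, since
    an archive member cannot be moved on its own."""
    return list(containers(records).keys())

OTM_MOVED = re.compile(r"^(?P<path>.+) moved successfully\.$")
OTM_NOT_FOUND = re.compile(r"^File/Folder (?P<path>.+) not found\.$")

def parse_otmoveit(text):
    """Map each requested path to 'moved' or 'not found'."""
    result = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        m = OTM_MOVED.match(line)
        if m:
            result[m.group("path")] = "moved"
            continue
        m = OTM_NOT_FOUND.match(line)
        if m:
            result[m.group("path")] = "not found"
    return result

def explain_not_found(results):
    """For each 'not found' path, say whether it was an archive member whose
    container moved (nothing left to do) or a path that is genuinely missing."""
    notes = {}
    for path, status in results.items():
        if status != "not found":
            continue
        disk, member = split_object(path)
        if member and results.get(disk) == "moved":
            notes[path] = f"archive member; container {disk} moved"
        else:
            notes[path] = "genuinely missing"
    return notes
```

Run `moveit_list(parse_kav(log_text))` on a saved scanner log to get a short list of on-disk paths in place of one entry per archive member, and `explain_not_found(parse_otmoveit(results_text))` on the tool's output to separate harmless "not found" lines from ones that need a second look.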

Unread postby Elrond » July 21st, 2007, 4:38 pm

Have a good weekend.

Run a complete scan with AntiVir. Sorry that I can not give you instructions for that but I am not running AntiVir on any of my computers. It is possible that it can take out the infected mail or if not all then at least a good chunk of it.

Run a new Kaspersky online scan and post the log. It should not be as time consuming as the last one was. From there we can see what needs to be taken out by hand.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby Bstuff » July 22nd, 2007, 7:32 am

I'm a bit "suss" about this AntiVir application actually.. it brings up a nag screen daily... inside an IE6 browser popup window... which is VERY annoying considering IE is not my default browser and when it does that my PC seems to "stall" until I click off it.... so for instance, if I left Kaspersky to run overnight and the popup nag window comes.. I think it stalls it somehow. (I could be wrong about that)

But one thing it definitely does that I think may be "underhanded" is that once or twice per day it pops up an alert for some new file that is infected... they are ALWAYS old files or restore points and I can only believe it is another way the makers want to nag users and possibly make their software appear to be more useful than it is.

Anyway... just letting you know as, if other people report similar experiences with AntiVir, maybe you guys will want to stop giving it as an option.

I think I might de-install it and swap for the AVG antivirus product you had listed.


But will run a full scan with AntiVir first and see what it wants to clean out as requested.

Will set Kaspersky to run tonight before bed... will post results in morning my time. (it's 9.15pm Sunday here right now)


and thanks.. my weekend has been exceptionally nice :) hope the same for you.
Bstuff
Regular Member
 
Posts: 23
Joined: July 12th, 2007, 12:48 am