Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Pop-ups - could it be a virus?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Pop-ups - could it be a virus?

Unread postby jools » March 17th, 2008, 6:20 am

Hi

For about 2 weeks now I keep getting pop-ups via Internet Explorer. I use Mozilla Firefox as my main web browser. My settings are set to block all pop-ups but they keep appearing for online betting, dating, etc. Could I have picked up a virus from somewhere? It is very frustrating. I have ran all my virus software and more but still they are there.

Thank you.

Jools
jools
Active Member
 
Posts: 10
Joined: March 17th, 2008, 6:15 am
Advertisement
Register to Remove

Re: Pop-ups - could it be a virus?

Unread postby km2357 » March 17th, 2008, 3:05 pm

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Step # 1: Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


Step # 2: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Pop-ups - could it be a virus?

Unread postby jools » March 17th, 2008, 4:18 pm

Hi

Thanks for assisting me.

Here is the Hijack This log:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:14:26, on 17/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1150136885\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1150136885\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1150136885\ee\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\Documents and Settings\Jules\Desktop\HiJackThis 2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DeskalertsBHO - {5121B863-FAE8-4935-BA76-0ABE0239AECA} - C:\Program Files\DeskAlerts\deskbar.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150136885\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE" /minimized
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [CHIN PING PHONE PILE] C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping\platform inter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Type4Me] C:\Program Files\Type4Me\ZST4ME.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Build Amok] C:\DOCUME~1\Jules\APPLIC~1\CHINMO~1\corn trust axis.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-U ... E_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/Acti ... ontrol.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 14085 bytes


Here is the uninstall list:

Ability Office 4
Ad-Aware 2007
Adobe Reader 7.0.9
Ahead InCD EasyWrite Reader
AOL Coach Version 1.0(Build:20040229.1 uk)
AOL Uninstaller (Choose which Products to Remove)
AOL You've Got Pictures Screensaver
Apex WMV ASF Converter 4.6
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
Avanquest update
AVG Anti-Spyware 7.5
BT Voyager 105 ADSL Modem
BT Voyager Modem AOL Test
Compatibility Pack for the 2007 Office system
FileZilla (remove only)
GoldWave v5.18
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Learn2 Player (Uninstall Only)
Lexmark Software Uninstall
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam
Logitech® Camera Driver
Macromedia Flash Player 8
Macromedia Shockwave Player
Memories Disc Creator 2.0
Messenger Plus! Live & Sponsor (CiD)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Greetings
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 99
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Picture It! Express 2.0
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Microsoft Works Setup Launcher
Mnemic Emoticon Packs for Messenger
mobile PhoneTools
Mozilla Firefox (2.0.0.12)
Mozilla Thunderbird (2.0.0.12)
MSN
MSN Search Toolbar
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
NCTAudioConvert ActiveX EXE Server 3.5.3
Nero 6
Nero Media Player
NeroVision Express 2
NVIDIA Drivers
NvMixer
Opera
PCI SoftV92 Modem
PhotoNow! 1.0
PowerDirector Express
PowerDVD
PowerDVD Copy 1.0
PowerProducer
QuickTime
RealOne Player
SANYO LD-ADPCM Audio CODEC uninstall
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sony Digital Voice Editor 2
SpeedTouch 120g Wireless USB Adapter
Spybot - Search & Destroy
SpywareBlaster v3.5.1
SpywareGuard v2.2
Start Stop Universal Transcription System
Time Stamp
TraxTime
Trend Micro PC-cillin Internet Security 2007
Trend Micro PC-cillin Internet Security 2007
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Media Player
WavePad Uninstall
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885295
Wise-FTP

Regards
Jools
jools
Active Member
 
Posts: 10
Joined: March 17th, 2008, 6:15 am

Re: Pop-ups - could it be a virus?

Unread postby km2357 » March 17th, 2008, 5:40 pm

Edit: If you read this post earlier, I've added Step 5, Add/Remove Programs, please take note of it


Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident


Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Step # 2: Disable AVG Anti-Spyware Guard

AVG Anti-Spyware Guard normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.


Open AVG Anti-Spyware
Click Shield
Click under "resident shield is"
Change it to inactive
Close the program



Step # 3 Remove Viewpoint Media Player

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player.
To remove, open Start->Control Panel->Add/Remove Programs find Viewpoint Media Player and select Remove.



Step # 4 Remove Logitech Desktop Messenger

You appear to have a program on your system called Logitech® Desktop Messenger. This is a background process that can automatically access the Internet without your knowledge or permission. Although it does provide updates for your Logitech products, the fact that it can access the Internet without your consent is potentially dangerous. It does download and update your Logitech products but this can be done manually by visiting the Logitech web site. My advice would be to uninstall this program (Start > Control Panel > Add or Remove Programs) but this is entirely your decision. I suggest doing all updates yourself and removing this application!

Step # 5: Add/Remove Programs

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

Messenger Plus! Live & Sponsor (CiD)

If you use Messenger Plus! Live you can redownload and reinstall it, just don't install the Sponsor during the installation process. Look for "I refuse, do not install the sponsor program" during the installation process and click it.



Step # 6: Download and Run NoLop
Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3

  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish.
  • Please post the contents of C:\NoLop.log and a fresh Hijackthis log.

Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to C:\WINDOWS\system32\ folder then rerun the program.


In your next post/reply, I need to see the NoLop Log and a fresh HiJackThis Log. Use multiple posts if you can't fit them into one post.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Pop-ups - could it be a virus?

Unread postby jools » March 18th, 2008, 3:55 am

Hi

Here is the NoLop log:

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\Jules\Desktop
[18/03/2008]
[07:45:15]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Ahead
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Bvrp Software
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Flexnet
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Gtek
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Messenger Plus!
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msn Search Toolbar
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Nch Swift Sound
C:\Documents and Settings\All Users\Application Data\Prism
C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Skype
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Trend Micro
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Windowsliveinstaller
C:\Documents and Settings\All Users\Application Data\Wlinstaller
C:\Documents and Settings\Amy\Application Data\Adobe
C:\Documents and Settings\Amy\Application Data\Aol
C:\Documents and Settings\Amy\Application Data\Ati
C:\Documents and Settings\Amy\Application Data\Cyberlink
C:\Documents and Settings\Amy\Application Data\Google -- EMPTY Directory
C:\Documents and Settings\Amy\Application Data\Grisoft
C:\Documents and Settings\Amy\Application Data\Identities
C:\Documents and Settings\Amy\Application Data\Macromedia
C:\Documents and Settings\Amy\Application Data\Microsoft
C:\Documents and Settings\Amy\Application Data\Mozilla
C:\Documents and Settings\Amy\Application Data\Real
C:\Documents and Settings\Amy\Application Data\Sun
C:\Documents and Settings\Amy\Application Data\Thunderbird
C:\Documents and Settings\Default User\Application Data\Ati
C:\Documents and Settings\Default User\Application Data\Cyberlink
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Real
C:\Documents and Settings\Default User\Application Data\Sun
C:\Documents and Settings\Jules\Application Data\Ability
C:\Documents and Settings\Jules\Application Data\Adobe
C:\Documents and Settings\Jules\Application Data\Adobeum
C:\Documents and Settings\Jules\Application Data\Ahead
C:\Documents and Settings\Jules\Application Data\Aol
C:\Documents and Settings\Jules\Application Data\Apple Computer
C:\Documents and Settings\Jules\Application Data\Ati
C:\Documents and Settings\Jules\Application Data\Avg7
C:\Documents and Settings\Jules\Application Data\Cyberlink
C:\Documents and Settings\Jules\Application Data\Expert Pdf Editor
C:\Documents and Settings\Jules\Application Data\Fotowire
C:\Documents and Settings\Jules\Application Data\Google
C:\Documents and Settings\Jules\Application Data\Grisoft
C:\Documents and Settings\Jules\Application Data\Gtek
C:\Documents and Settings\Jules\Application Data\Help
C:\Documents and Settings\Jules\Application Data\Hp
C:\Documents and Settings\Jules\Application Data\Identities
C:\Documents and Settings\Jules\Application Data\Installshield
C:\Documents and Settings\Jules\Application Data\Jasc Software Inc
C:\Documents and Settings\Jules\Application Data\Lavasoft -- EMPTY Directory
C:\Documents and Settings\Jules\Application Data\Macromedia
C:\Documents and Settings\Jules\Application Data\Microsoft
C:\Documents and Settings\Jules\Application Data\Microsoft Web Folders -- EMPTY Directory
C:\Documents and Settings\Jules\Application Data\Mozilla
C:\Documents and Settings\Jules\Application Data\Msn Search Toolbar
C:\Documents and Settings\Jules\Application Data\Msn6
C:\Documents and Settings\Jules\Application Data\Msninstaller
C:\Documents and Settings\Jules\Application Data\Nch Swift Sound
C:\Documents and Settings\Jules\Application Data\Opera
C:\Documents and Settings\Jules\Application Data\Real
C:\Documents and Settings\Jules\Application Data\Recordpad -- EMPTY Directory
C:\Documents and Settings\Jules\Application Data\Skype
C:\Documents and Settings\Jules\Application Data\Sun
C:\Documents and Settings\Jules\Application Data\Talkback
C:\Documents and Settings\Jules\Application Data\Template
C:\Documents and Settings\Jules\Application Data\Thunderbird
C:\Documents and Settings\Jules\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Nick\Application Data\Adobe
C:\Documents and Settings\Nick\Application Data\Aol
C:\Documents and Settings\Nick\Application Data\Ati
C:\Documents and Settings\Nick\Application Data\Cyberlink
C:\Documents and Settings\Nick\Application Data\Grisoft
C:\Documents and Settings\Nick\Application Data\Identities
C:\Documents and Settings\Nick\Application Data\Jasc Software Inc
C:\Documents and Settings\Nick\Application Data\Macromedia
C:\Documents and Settings\Nick\Application Data\Microsoft
C:\Documents and Settings\Nick\Application Data\Mozilla
C:\Documents and Settings\Nick\Application Data\Opera
C:\Documents and Settings\Nick\Application Data\Real
C:\Documents and Settings\Nick\Application Data\Sun

Here is Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:54:06, on 18/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1150136885\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\program files\common files\aol\1150136885\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1150136885\ee\aolsoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jules\Desktop\HiJackThis 2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DeskalertsBHO - {5121B863-FAE8-4935-BA76-0ABE0239AECA} - C:\Program Files\DeskAlerts\deskbar.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150136885\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE" /minimized
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [CHIN PING PHONE PILE] C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping\platform inter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\Jules\LOCALS~1\Temp\MsgPlusUninstall.exe" /Cleanup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Type4Me] C:\Program Files\Type4Me\ZST4ME.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-U ... E_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/Acti ... ontrol.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 13503 bytes

With the Messenger Plus a message came up saying all files could not be removed.

Regards
Jools

PS Just to let you know my Internet connection is going to be down from Wednesday morning to possibly Thursday morning, so if I don't respond straightaway this is why.
jools
Active Member
 
Posts: 10
Joined: March 17th, 2008, 6:15 am

Re: Pop-ups - could it be a virus?

Unread postby km2357 » March 18th, 2008, 2:45 pm

Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:


  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.

Be sure to re-hide your files once you are finished cleaning your computer.

Step # 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 2: Remove Hijackthis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    O2 - BHO: (no name) - {06647158-359E-4D10-A8DE-E6145DA90BE9} - (no file)

    O2 - BHO: DeskalertsBHO - {5121B863-FAE8-4935-BA76-0ABE0239AECA} - C:\Program Files\DeskAlerts\deskbar.dll (file missing)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [CHIN PING PHONE PILE] C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping\platform inter.exe

    O4 - HKLM\..\RunOnce: [MessengerPlusLiveUninstall] "C:\DOCUME~1\Jules\LOCALS~1\Temp\MsgPlusUninstall.exe" /Cleanup

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.


Step # 3: Deleting Files/Folders

I need you to use Windows Explorer to delete the files/folders I have marked in Red(if found):


C:\Documents and Settings\All Users\Application Data\Messenger Plus!\

C:\Documents and Settings\All Users\Application Data\Proxy Long Chin Ping\

C:\Program Files\DeskAlerts\


Step # 4 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.

In your next post/reply, I need to see the results from the MalwareBytes' scan and a fresh HiJackThis Log. Use multiple posts if you can't fit them into one post.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Pop-ups - could it be a virus?

Unread postby jools » March 18th, 2008, 4:36 pm

Hi

Here is a fresh HiJackThis Log after doing all you suggest:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:33:11, on 18/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1150136885\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LVComS.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
c:\program files\common files\aol\1150136885\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1150136885\ee\aolsoftware.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jules\Desktop\HiJackThis 2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150136885\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE" /minimized
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Type4Me] C:\Program Files\Type4Me\ZST4ME.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-U ... E_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/Acti ... ontrol.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 12977 bytes

Regards
Jools

Malware results in next reply.
jools
Active Member
 
Posts: 10
Joined: March 17th, 2008, 6:15 am

Re: Pop-ups - could it be a virus?

Unread postby jools » March 18th, 2008, 4:37 pm

Here is the MalwareBytes results log:

Malwarebytes' Anti-Malware 1.08
Database version: 501

Scan type: Full Scan (C:\|)
Objects scanned: 142991
Time elapsed: 1 hour(s), 7 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b45e2d97-2a06-4d64-b8cc-89df59d5534c} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0d2727d9-e6d1-4549-be55-5d38e678c1bd} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{20159057-f0d9-4520-8d0e-b117b49fb5d9} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{45a31505-d656-46c8-9719-ea5a4ff3c5f7} (Adware.Softomate) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\instsrv.exe (IRC.Bot) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\svchost.exe (IRC.Bot) -> Quarantined and deleted successfully.

Regards
Jools
jools
Active Member
 
Posts: 10
Joined: March 17th, 2008, 6:15 am

Re: Pop-ups - could it be a virus?

Unread postby km2357 » March 18th, 2008, 5:03 pm

Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)

  • First, go to Add/Remove Programs and uninstall all previous versions.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Note: Adobe 8 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php



Step # 2 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u5.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:
  • J2SE Runtime Environment 5.0 Update 8

    J2SE Runtime Environment 5.0 Update 9

    J2SE Runtime Environment 5.0 Update 11

    Java(TM) 6 Update 2

    Java(TM) 6 Update 3

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.


Step # 3: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

You must be using Internet Explorer, Kaspersky does not work with Firefox

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    • Scan using the following Anti-Virus database:


      Extended (if available otherwise Standard)


    • Scan Options:


      Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan:

      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.

    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.


In your next post/reply, I need to see the Kaspersky results (KAV.txt) and a fresh HiJackThis Log. Also let me know how your computer is running, any problems?
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Pop-ups - could it be a virus?

Unread postby jools » March 19th, 2008, 5:30 pm

Hi

I have performed and removed everything you suggest. When I try to run the Kapersky scan - which I have tried to do 3 times - it seems to stop mid-way through - the latest time being at 87% after it had been running for 2 hours.

Computer is extremely slow at opening everything from programmes to Word documents etc, even my email.

Regards
Jools
jools
Active Member
 
Posts: 10
Joined: March 17th, 2008, 6:15 am

Re: Pop-ups - could it be a virus?

Unread postby km2357 » March 19th, 2008, 7:32 pm

Let's try another scan:

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.

  1. Check (tick) this box: YES, I accept the Terms of Use.
  2. Click on the Start button next to it.
  3. When prompted to run ActiveX. click Yes.
  4. You will be asked to install an ActiveX. Click Install.
  5. Once installed, the scanner will be initialized.
  6. After the scanner is initialized, click Start.
  7. Uncheck (untick) Remove found threats box.
  8. Check (tick) Scan unwanted applications.
  9. Click on Scan.
  10. It will start scanning. Please be patient.
  11. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.


As for everything opening slowly, how much RAM do you have? Also, how much free space do you have on your HD? Have you defragged your HD lately?
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Pop-ups - could it be a virus?

Unread postby jools » March 20th, 2008, 2:45 pm

Hi

Just thought I would try Kapersky once more and after 4 hours it completed the full scan - log below:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 20, 2008 6:37:55 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/03/2008
Kaspersky Anti-Virus database records: 644561
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 108319
Number of viruses found: 10
Number of infected objects: 31
Number of suspicious objects: 82
Duration of the scan process: 04:00:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\163d1afd94bf7829107dbbd4e9e814ed_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\25065b9ae7ff823d2d6ea531b3f11332_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\265eba7aed2766eb8d0cfc29dfd6230e_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\28663895dc26a06ed1a653357a218ef3_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2dcfb698803208c3685b3aa144e67f6c_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\51cb710e81a32d2481caaaac6f8cc914_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5c35cc7fd5cadc6be26edec52460ae4b_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\633829d1a1dc53b1e7cdd1e78f380f42_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\633e695810e15167d358c02369b59bfd_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\88c1406875837cafff937498ea82bd77_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8c97fccfeec3625632d3ec3091ea3621_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\92632ab71c8a14b8f0691b2d5ba83d95_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\afd946be3ae7c6731bd2cfdc6c7b9d75_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e7bbd23212389c703934be7f8959e1ba_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e90662576df16757e8a33ef2f66f9eaa_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eea0bd129253577a5e8a04ebdd891366_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f00ff4fe52f4b70eada570e9bb4bcecc_85a18cc8-ceeb-4b34-b966-2a02f7dd0496 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prism\3c0dac97 Object is locked skipped
C:\Documents and Settings\Jules\.housecall\Quarantine\20060813174031.zip.bac_a04016/WINDOWS/NDNuninstall7_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\Documents and Settings\Jules\.housecall\Quarantine\20060813174031.zip.bac_a04016/Program Files/newdotnet/newdotnet3_88.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Jules\.housecall\Quarantine\20060813174031.zip.bac_a04016/Program Files/newdotnet/newdotnet7_22.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped
C:\Documents and Settings\Jules\.housecall\Quarantine\20060813174031.zip.bac_a04016/Program Files/newdotnet/uninstall7_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\Documents and Settings\Jules\.housecall\Quarantine\20060813174031.zip.bac_a04016/Program Files/newdotnet/newdotnet3_88.to_be_deleted Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Jules\.housecall\Quarantine\20060813174031.zip.bac_a04016/Program Files/newdotnet/newdotnet7_22.to_be_deleted Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped
C:\Documents and Settings\Jules\.housecall\Quarantine\20060813174031.zip.bac_a04016 ZIP: infected - 6 skipped
C:\Documents and Settings\Jules\.housecall\Quarantine\20060813174031.zip.bac_a04016 CryptFF.b: infected - 6 skipped
C:\Documents and Settings\Jules\.housecall\Quarantine\SHNT288.exe.bac_a04016 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Jules\.housecall6.6\Quarantine\20060813174031.zip.bac_a04016/WINDOWS/NDNuninstall7_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\Documents and Settings\Jules\.housecall6.6\Quarantine\20060813174031.zip.bac_a04016/Program Files/newdotnet/newdotnet3_88.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Jules\.housecall6.6\Quarantine\20060813174031.zip.bac_a04016/Program Files/newdotnet/newdotnet7_22.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped
C:\Documents and Settings\Jules\.housecall6.6\Quarantine\20060813174031.zip.bac_a04016/Program Files/newdotnet/uninstall7_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\Documents and Settings\Jules\.housecall6.6\Quarantine\20060813174031.zip.bac_a04016/Program Files/newdotnet/newdotnet3_88.to_be_deleted Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Jules\.housecall6.6\Quarantine\20060813174031.zip.bac_a04016/Program Files/newdotnet/newdotnet7_22.to_be_deleted Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped
C:\Documents and Settings\Jules\.housecall6.6\Quarantine\20060813174031.zip.bac_a04016 ZIP: infected - 6 skipped
C:\Documents and Settings\Jules\.housecall6.6\Quarantine\20060813174031.zip.bac_a04016 CryptFF.b: infected - 6 skipped
C:\Documents and Settings\Jules\.housecall6.6\Quarantine\SHNT288.exe.bac_a04016 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Jules\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.15.Crwl Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.15.gthr Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl0.gthr Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl1.gthr Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl2.gthr Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl3.gthr Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl4.gthr Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl5.gthr Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl6.gthr Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl7.gthr Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Ntfy2.gthr Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\MSS.log Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Logs\MAPI.txt Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Ntf9.tmp Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\NtfA.tmp Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Perflib_Perfdata_e08.dat Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Inbox/10 May 2007 05:40:Trend Micro PC-cillin Internet Security detect/original.txt/[From "PayPal Inc"<mail@ws.com>][Date Thu, 10 May 2007 02:01:33 -0700]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Inbox/10 May 2007 05:40:Trend Micro PC-cillin Internet Security detect/original.txt Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Inbox/19 Aug 2007 02:12 from The Royal Bank of Scotland:spam: Details .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Inbox/03 Dec 2007 10:56 from Scott Kempton:Question from eBay member- .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Inbox/14 Jan 2008 08:18 from crafty_net:Question from eBay member- cra.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Inbox/14 Jan 2008 11:01 from crafty_net:Question from eBay member- cra.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Inbox/22 Jan 2008 12:31 from smudger:Question from eBay member- smudge.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Junk E-mail/10 Nov 2007 16:42 from NatWest:Spam: urgent message! (mess_id: a.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Junk E-mail/18 Nov 2007 07:29 from NatWest:Spam: National Westminster Bank r.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Junk E-mail/21 Nov 2007 21:23 from NatWest Bank:Spam: Data confirmation! (me.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Junk E-mail/22 Nov 2007 12:40 from NatWest Bank:Spam: NatWest Bank: importan.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Junk E-mail/29 Nov 2007 12:33 from NatWest Bank:Spam: National Westminster B.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Junk E-mail/03 Dec 2007 16:07 from Regions Bank:Spam: Customer Notice: Your .html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Junk E-mail/18 Jan 2008 02:51 from Wells Fargo bank:Spam: Wells Fargo Bank c.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Junk E-mail/18 Jan 2008 23:55 from Regions Bank:Spam: Please Update Your Acc.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Junk E-mail/22 Jan 2008 06:35 from National Westminster Bank:Spam: NatWest B.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst/Personal Folders/Junk E-mail/22 Feb 2008 10:33 from PayPal Inc:PayPal Security Center Update!.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst Mail MS Mail: suspicious - 17 skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\History\History.IE5\MSHist012008032020080321\index.dat Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Temp\Perflib_Perfdata_5c8.dat Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Temp\Perflib_Perfdata_80.dat Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Temp\Perflib_Perfdata_c28.dat Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Temp\~DF7DD0.tmp Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Temp\~DFCF55.tmp Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Temp\~DFD457.tmp Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Temp\~DFDA64.tmp Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jules\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jules\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jules\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\87.tmp Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\88.tmp Infected: Packed.Win32.PolyCrypt.d skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\89.tmp Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\8A.tmp Infected: Packed.Win32.PolyCrypt.d skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\8B.tmp Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\8C.tmp Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\8D.tmp Infected: not-a-virus:AdWare.Win32.Lop.bb skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... ... /[From "update@securingebay.com" <update@securingebay.com>][Date Tue, 26 Sep 2006 08:30:35 -0800]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... /[From ... /[From "Ele . ... /[From "Secretarial Services 4 U"][Date Tue, 12 Sep 2006 11:51:00 -0000]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... /[From ... /[From "Ele . ... /[From "Secretarial Services 4 U"][Date Tue, 12 Sep 2006 10:44:00 -0000]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... /[From ... /[From "Ele . ... /[From "Secretarial Services 4 U"][Date Tue, 12 Sep 2006 09:19:00 -0000]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... /[From ... /[From "Ele .. ... /[From "Secretarial Services 4 U"][Date Wed, 6 Sep 2006 12:09:00 -0000]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "Nat ... ... /[From "service@intl.paypal.com" <service@intl.paypal.com>][Date Thu, 11 Jan 2007 11:26:23 -0800]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "Nat ... /[From "Luis Romero" <bbudgetcontroluke@budgetcontroluk.com>][Date Thu, 11 Jan 2007 19:32:07 +0300]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "National ... /[Fr ... /[From "Jayne Moreno" <chcinnamon@goolook.ru>][Date Thu, 11 Jan 2007 21:09:34 +0400]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "National ... /[Fr ... ... /[From "Grant" <grant@Industrymailsend.info>][Date Thu, 11 Jan 2007 16:03:10 +0200]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "National ... /[Fr ... /[From CBRUDSPDF" <Submitted@ephemeroptera.org.uk>][Date 11 Jan 2007 12:59:55 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "National ... /[Fr ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Thu, 9 Nov 2006 08:32:25 -0000]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "National ... /[From "Julianne Regan" <julianne_regan@btinternet.com>][Date Sat, 8 Nov 2008 11:18:38 -0000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "National Westminster Bank" <online ... / ... /[From <hrvnplnn@optipro.net>][Date 8 Nov 2006 13:27:11 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "National Westminster Bank" <online ... / ... /[From <jucflpgmvs@rdsnet.ro>][Date 8 Nov 2006 12:10:20 -0200]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "National Westminster Bank" <online ... /[From <pgimunp@oyeproductions.com>][Date 8 Nov 2006 15:36:09 +0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "National Westminster Bank" <online_support_id_4846547id@natwest.com>][Date Wed, 08 Nov 2006 08:21:20 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[ ... /[F ... /[From "Barclays plc" <operate_ref4476023990id@barclays.co.uk>][Date Wed, 08 Nov 2006 03:03:11 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[ ... /[From ... / ... /[F ... /[From "carl lane" <emnwyawudy@interalb.net>][Date Tue, 07 Nov 2006 19:45:40 -0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[ ... /[From ... / ... /[From "Patrick Griffin" <xowdwxt@pasionlesbica.com>][Date Wed, 08 Nov 2006 12:00:08 +0530]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[ ... /[From ... / ... /[From ... /[From "Jaime" <ogpontiff@analyzeislam.com>][Date Mon, 02 Oct 2006 08:08:23 -0800]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[ ... /[From ... / ... /[From "CUPIDO Jennifer" <jennifer.cupido@cic.uk.com>][Date Mon, 2 Oct 2006 09:35:41 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[ ... /[From ... /[From "Snowdon, C ... /[From info@networkingwomen.co.uk][Date Mon, 2 Oct 2006 10:55:06 +0100 (BST)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[ ... /[From ... /[From "Snowdon, Clifford" <clifford.snowdon@tynemet.ac.uk>][Date Mon, 2 Oct 2006 12:25:38 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[ ... /[From "Barclay ... /[From "Open Business Club" <mailrobot@openbc.com>][Date Mon, 02 Oct 2006 02:08:17 +0200]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[ ... /[From "Barclays United K ... /[From "Steve Yakim" <support@EZasMagic.com>][Date Sun, 1 Oct 2006 01:41:55 -0800]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[ ... /[From "Barclays United Kingdom" <custsupport_64189689id@barclays.com>][Date Sun, 01 Oct 2006 08:39:27 +0200]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "Barclay ... /[ .. ... / ... /[From "K B Typing" <kbtyping@tpg.com.au>][Date Sat, 30 Sep 2006 23:45:43 +1000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "Barclay ... /[ .. ... /[From ebuyer.com edeals <edeals-uk@ebuyer.com>][Date Fri, 29 Sep 2006 12:03:11 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "Barclay ... /[ ... /[From "TrafficSwarm" <service@trafficswarmnews.com>][Date Fri, 29 Sep 2006 05:02:50 UT]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "Barclay ... /[From "Open Business Club" < ... /[From mail@ecademy.com][Date Thu, 28 Sep 2006 19:05:21 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "Barclay ... /[From "Open Business Club" <mailrobot@openbc.com>][Date Thu, 28 Sep 2006 15:07:31 +0200 (CEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "Barclays United Kingdom" ... /[From "Zakazchik Media" <zakaz@eposte.ru>][Date Thu, 28 Sep 2006 13:07:51 +0400]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date M ... /[From "Barclays United Kingdom" <custsupport-910003159534510id@barclays.com>][Date Thu, 28 Sep 2006 10:26:42 +0200]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... ... /[From "Janelle Zimmerman" <emboweling@retailreturn.com>][Date Thu, 28 Sep 2006 13:56:00 +0800]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... /[From ... /[From "Ele ... /[From nj ... /[From "Julia Fecitt"][Date Wed, 23 Aug 2006 11:04:00 -0000]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... /[From ... /[From "Ele ... /[From nj ... /[From "Julia Fecitt"][Date Wed, 23 Aug 2006 07:28:00 -0000]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... /[From ... /[From "Ele ... /[From nj-services@blueyonder.co.uk][Date Sat, 02 Sep 2006 13:02:34 +0100]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... /[From ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Wed, 6 Sep 2006 14:49:31 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... /[From ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Wed, 6 Sep 2006 14:51:54 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From " ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Thu, 7 Sep 2006 08:53:55 +0100]/birthunderwater.pps Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secr ... /[F ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Thu, 7 Sep 2006 09:07:28 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secr ... /[Fro ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Mon, 11 Sep 2006 08:03:13 +0100]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secr ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Mon, 11 Sep 2006 08:04:25 +0100]/MINDREADER.pps Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Mon, 11 Sep 2006 08:05:03 +0100]/ATT07664.gif Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre . ... ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Mon, 11 Sep 2006 08:05:41 +0100]/pop.jpg Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre . ... ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Mon, 11 Sep 2006 08:07:21 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre . ... /[ ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Wed, 13 Sep 2006 14:08:40 +0100]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre . ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Wed, 13 Sep 2006 16:31:24 +0100]/offside.wmv Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre ... / ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Wed, 20 Sep 2006 16:17:31 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre ... / .. ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Wed, 20 Sep 2006 09:25:19 +0100]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre ... / .. ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Wed, 20 Sep 2006 08:52:38 +0100]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre ... / ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Wed, 20 Sep 2006 08:58:59 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre ... / ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Mon, 18 Sep 2006 10:07:34 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre ... / ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Mon, 18 Sep 2006 09:31:42 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre ... / ... /[From "Eleanor McLellan" <eleanor@syalons.co.uk>][Date Mon, 18 Sep 2006 09:26:49 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secre ... /[From "Julianne Regan" <julianne_regan@btinternet.com>][Date Tue, 19 Sep 2006 18:26:24 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, ... /[From "Secretarial Services 4 U" <enquiries@secretarialservices4u.co.uk>][Date Tue, 26 Sep 2006 10:07:17 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 15:12:16 +010 ... /[ ... /[From "Steve Yakim" <support@ezasmagic.com>][Date Mon, 25 Sep 2006 23:07:45 -0800]/text Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 15:12:16 +010 ... /[From "Care Bullying" <nspvzioz@elster.com>][Date Tue, 26 Sep 2006 10:35:01 +0700]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 15:12:16 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:58:15 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 13:07:09 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50/[From "Duncan McIlroy" <duncan@sourcefinancial.co.uk>][Date Mon, 25 Sep 2006 11:46:22 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\RECYCLER\S-1-5-21-1663651312-141262919-3884284984-1006\Dc50 Mail Berkeley mbox: suspicious - 63 skipped
C:\RECYCLER\S-1-5-21-606747145-1085031214-725345543-500\script.ini Infected: Backdoor.IRC.Zapchast skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FAD31253-1C6F-4667-9D3B-0B60ECC5D88D}\RP926\A0138017.exe/SpywareBot/SpywareBot.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.d skipped
C:\System Volume Information\_restore{FAD31253-1C6F-4667-9D3B-0B60ECC5D88D}\RP926\A0138017.exe 7-Zip: infected - 1 skipped
C:\System Volume Information\_restore{FAD31253-1C6F-4667-9D3B-0B60ECC5D88D}\RP926\A0138017.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{FAD31253-1C6F-4667-9D3B-0B60ECC5D88D}\RP926\A0138017.exe PE_Patch.UPX: infected - 1 skipped
C:\System Volume Information\_restore{FAD31253-1C6F-4667-9D3B-0B60ECC5D88D}\RP943\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

HiJackthis Log in next reply.

Regards
Jools
jools
Active Member
 
Posts: 10
Joined: March 17th, 2008, 6:15 am

Re: Pop-ups - could it be a virus?

Unread postby jools » March 20th, 2008, 2:47 pm

Hi

HiJackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46:18, on 20/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1150136885\ee\AOLSoftware.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\program files\common files\aol\1150136885\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1150136885\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jules\Desktop\HiJackThis 2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150136885\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE" /minimized
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Type4Me] C:\Program Files\Type4Me\ZST4ME.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: SpeedTouch 120g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 120g Wireless USB Monitor\st120g.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-U ... E_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/Acti ... ontrol.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/s ... wflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 13289 bytes

Regards
Jools
jools
Active Member
 
Posts: 10
Joined: March 17th, 2008, 6:15 am

Re: Pop-ups - could it be a virus?

Unread postby km2357 » March 20th, 2008, 4:05 pm

Delete the contents of the following two folders, do not delete the folders themselves:

C:\Documents and Settings\Jules\.housecall\Quarantine\
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\

Open up Outlook and delete the following e-mails from your Inbox:

[From "PayPal Inc"<mail@ws.com>][Date Thu, 10 May 2007 02:01:33 -0700] (if not in Inbox, look in 10 May 2007 05:40:Trend Micro PC-cillin Internet Security detect folder)
19 Aug 2007 02:12 from The Royal Bank of Scotland
03 Dec 2007 10:56 from Scott Kempton:Question from eBay member-
03 Dec 2007 10:56 from Scott Kempton:Question from eBay member
14 Jan 2008 08:18 from crafty_net:Question from eBay member-
22 Jan 2008 12:31 from smudger:Question from eBay member-


Also empty out your Junk E-mail folder.

Empty your Recycle Bin.

Let me know if you have any problems deleting anything.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Pop-ups - could it be a virus?

Unread postby jools » March 20th, 2008, 5:01 pm

Hi

I have deleted everything you suggest without any problems.

Also, since Tuesday, I think, no pop-ups have appeared.

Regards
Jools
jools
Active Member
 
Posts: 10
Joined: March 17th, 2008, 6:15 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 43 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware