Further help please


Post by Angelicusblue » May 2nd, 2008, 11:56 am

Hi

I contacted you recently with "problems"
Well, I have done a complete re-install of windows. I have also now managed to install Sophos anti-virus that I got through work.

My main questions are:

1. How do I know if I am now free of infections?
A. I ran HijackThis and have inserted a log below this
B. I ran Sophos and it detected:
Mal/Behav-066 - Virus/spyware
MyWebSearch - Adware/PUA
So am I problem free or is there more I should do?

2. Previously I used ZoneAlarm firewall (free option). Is this a good choice? With Sophos anti-virus and ZoneAlarm, do they work ok together and do I need anything in addition to that?

Any advice would be MOST welcome, please.

Thank you.


Logfile of HijackThis v1.99.1
Scan saved at 07:06:50, on 02/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magictaxi.com/
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
Angelicusblue
Active Member
 
Posts: 10
Joined: April 18th, 2008, 3:46 pm

Re: Further help please

Post by Shaba » May 4th, 2008, 5:09 am

Hi Angelicusblue

By complete re-install of Windows, do you mean reformatting the hard disk and installing Windows afterwards?

"B. I ran Sophos and it detected:
Mal/Behav-066 - Virus/spyware
MyWebSearch - Adware/PUA
So am I problem free or is there more I should do?"

Did it remove those, and if not, where are they located now?

"2. Previously I used ZoneAlarm firewall (free option). Is this a good choice? With Sophos anti-virus and ZoneAlarm, do they work ok together and do I need anything in addition to that?"

They should work ok, yes.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Further help please

Post by Angelicusblue » May 5th, 2008, 5:53 am

Hi MRU Teacher

On question 1 - I didn't reformat the hard drive, but installed new copy of Windows.
Does it look from the HiJackThis log that I am bug free or is there still a problem?

1 B. The 2 infections found by Sophos are in quarantine. Should I remove them?

There has since also been another worrying occurrence - my internet connection - before re-installing windows the configuration for the internet connect kept on being modified. Today the same thing happened. I had to reset the password before I could connect again. This bothers me. Am I still infected?

Please let me know soon if I will need to reformat the hard drive, or if I will be able to dis-infect without doing that- if you can tell at this stage, that is...

Thank you.
Angelicusblue
Active Member
 
Posts: 10
Joined: April 18th, 2008, 3:46 pm

Re: Further help please

Post by Shaba » May 5th, 2008, 9:02 am

Hi

"Does it look from the HiJackThis log that I am bug free or is there still a problem?"

Log is clean, yes.

"1 B. The 2 infections found by Sophos are in quarantine. Should I remove them?"

Yes.

"There has since also been another worrying occurrence - my internet connection - before re-installing windows the configuration for the internet connect kept on being modified. Today the same thing happened. I had to reset the password before I could connect again. This bothers me. Am I still infected?"

I don't think that it's due to infections, maybe due to router or drivers etc.

Let's run one online scan next, however:

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)
    Image
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)
    Image
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Further help please

Post by Angelicusblue » May 7th, 2008, 5:01 pm

Hi MRU Mentor

Below is, as requested, a fresh HiJackThis log, and a Kas Scan Log.

So please could you confirm what further action I should take.

The Kaspersky scan said it found 11 viruses, 34 infected objects and 1 suspicious object. How do I get rid of these infections then?

Thank you

HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 21:59:01, on 07/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magictaxi.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA3715D2-6D1F-4240-8F1E-0385490BF9E5}: NameServer = 212.104.130.9 212.104.130.65
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Kas Scan Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 07, 2008 9:56:57 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/05/2008
Kaspersky Anti-Virus database records: 744315
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 84515
Number of viruses found: 11
Number of infected objects: 34
Number of suspicious objects: 1
Duration of the scan process: 04:50:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\Logs\Agent-20080507-225808.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Router\Logs\Router-20080507-225758.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\interchk.chk Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\SAV.txt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\02a8498052953b4e3f0550fa71db3bff_fa65aab1-4bb4-45f0-8f79-99263f596f27 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\66ac761c8d13373167da42218f15ee6c_fa65aab1-4bb4-45f0-8f79-99263f596f27 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\92593fc095417d2c45b625eaa8022c5e_fa65aab1-4bb4-45f0-8f79-99263f596f27 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\f89f69854d8ce4f99af37917ae155340_fa65aab1-4bb4-45f0-8f79-99263f596f27 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Annelise Arnold\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Annelise Arnold\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Annelise Arnold\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Annelise Arnold\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annelise Arnold\Local Settings\History\History.IE5\MSHist012008050720080508\index.dat Object is locked skipped
C:\Documents and Settings\Annelise Arnold\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annelise Arnold\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Annelise Arnold\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Annelise Arnold\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Annelise Arnold.ANNELISE-70UG7Z\Local Settings\Application Data\Microsoft\CD Burning\Downloads\Nero-7.5.9.0A_eng.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Annelise Arnold.ANNELISE-70UG7Z\Local Settings\Application Data\Microsoft\CD Burning\Downloads\Nero-7.5.9.0A_eng.exe RAR: infected - 1 skipped
C:\Documents and Settings\Annelise Arnold.ANNELISE-70UG7Z\Local Settings\Temp\NeroDemo11606\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\xyz All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\xyz Annelise Arnold\Desktop\plants_files\WarezP2P.exe/stream/data0005 Infected: Packed.Win32.PolyCrypt.d skipped
C:\Documents and Settings\xyz Annelise Arnold\Desktop\plants_files\WarezP2P.exe/stream/data0028/Cabs.w1.cab/HyperbarSS3.dll Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped
C:\Documents and Settings\xyz Annelise Arnold\Desktop\plants_files\WarezP2P.exe/stream/data0028/Cabs.w1.cab/Hyperbar.dll Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped
C:\Documents and Settings\xyz Annelise Arnold\Desktop\plants_files\WarezP2P.exe/stream/data0028/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped
C:\Documents and Settings\xyz Annelise Arnold\Desktop\plants_files\WarezP2P.exe/stream/data0028 Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped
C:\Documents and Settings\xyz Annelise Arnold\Desktop\plants_files\WarezP2P.exe/stream/data0029 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\xyz Annelise Arnold\Desktop\plants_files\WarezP2P.exe/stream Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\xyz Annelise Arnold\Desktop\plants_files\WarezP2P.exe NSIS: infected - 7 skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/09 Nov 2004 08:42 from Kaffwoodham:Re: Incoming Message/Alive_condom.vbs Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/10 Nov 2004 08:48 from Kaffwoodham:Re: Hello/Document.hta Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/11 Nov 2004 16:19 from Kaffwoodham:Re: Yahoo!/Joke.com Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/15 Nov 2004 09:27 from Kaffwoodham:Re: Thank you!/Half_Live.vbs Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/15 Nov 2004 12:56 from Kaffwoodham:Re: Hi.html Suspicious: Email-Worm.Win32.Bagle.mail skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/15 Nov 2004 12:56 from Kaffwoodham:Re: Hi/You_are_dismissed.zip Infected: Email-Worm.Win32.Bagle.gen skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/16 Nov 2004 08:25 from Kaffwoodham:Site changes/Alive_condom.com Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/17 Nov 2004 08:44 from Gregsgrimace:Site changes/Message.vbs Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/17 Nov 2004 13:57 from Gregsgrimace:Re: Thank you!/Manufacture.cpl Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/17 Nov 2004 14:43 from Gregsgrimace:Re: Document/Readme.vbs Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/18 Nov 2004 11:06 from Gregsgrimace:Encrypted document/You_will_answer_to_me.exe Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/19 Nov 2004 09:44 from Gregsgrimace:Notification/You_will_answer_to_me.com Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/19 Nov 2004 15:32 from Gregsgrimace:Forum notify/Document.com Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst MailMSMaill: infected - 12, suspicious - 1 skipped
C:\Documents and Settings\xyz Annelise Arnold\My Documents\Downloads\Cdvdpro.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.NewDotNet.d skipped
C:\Documents and Settings\xyz Annelise Arnold\My Documents\Downloads\Cdvdpro.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Documents and Settings\xyz Annelise Arnold\My Documents\Downloads\Cdvdpro.exe/stream Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Documents and Settings\xyz Annelise Arnold\My Documents\Downloads\Cdvdpro.exe NSIS: infected - 3 skipped
C:\Downloads old\Nero-7.5.9.0A_eng.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Downloads old\Nero-7.5.9.0A_eng.exe RAR: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP8\A0004427.DLL Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP8\A0004428.DLL Infected: not-a-virus:AdWare.Win32.MySearch.f skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP8\A0004429.DLL Infected: not-a-virus:AdWare.Win32.MyWay.p skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP8\A0004430.EXE Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\ANNELISE-XP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\ZLT056fc.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT0570c.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Angelicusblue
Active Member
 
Posts: 10
Joined: April 18th, 2008, 3:46 pm

Re: Further help please

Post by Shaba » May 8th, 2008, 8:59 am

Hi

Delete these:

C:\Documents and Settings\Annelise Arnold.ANNELISE-70UG7Z\Local Settings\Application Data\Microsoft\CD Burning\Downloads\Nero-7.5.9.0A_eng.exe (optional)
C:\Documents and Settings\Annelise Arnold.ANNELISE-70UG7Z\Local Settings\Temp\NeroDemo11606\Toolbar.exe (optional)
C:\Documents and Settings\xyz Annelise Arnold\Desktop\plants_files\WarezP2P.exe
C:\Documents and Settings\xyz Annelise Arnold\My Documents\Downloads\Cdvdpro.exe
C:\Downloads old\Nero-7.5.9.0A_eng.exe (optional)

Empty Recycle Bin.

Delete these mails via Outlook:

C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/09 Nov 2004 08:42 from Kaffwoodham:Re: Incoming Message/Alive_condom.vbs Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/10 Nov 2004 08:48 from Kaffwoodham:Re: Hello/Document.hta Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/11 Nov 2004 16:19 from Kaffwoodham:Re: Yahoo!/Joke.com Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/15 Nov 2004 09:27 from Kaffwoodham:Re: Thank you!/Half_Live.vbs Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/15 Nov 2004 12:56 from Kaffwoodham:Re: Hi.html Suspicious: Email-Worm.Win32.Bagle.mail skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/15 Nov 2004 12:56 from Kaffwoodham:Re: Hi/You_are_dismissed.zip Infected: Email-Worm.Win32.Bagle.gen skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/16 Nov 2004 08:25 from Kaffwoodham:Site changes/Alive_condom.com Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/17 Nov 2004 08:44 from Gregsgrimace:Site changes/Message.vbs Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/17 Nov 2004 13:57 from Gregsgrimace:Re: Thank you!/Manufacture.cpl Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/17 Nov 2004 14:43 from Gregsgrimace:Re: Document/Readme.vbs Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/18 Nov 2004 11:06 from Gregsgrimace:Encrypted document/You_will_answer_to_me.exe Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/19 Nov 2004 09:44 from Gregsgrimace:Notification/You_will_answer_to_me.com Infected: Email-Worm.Win32.Bagle.z skipped
C:\Documents and Settings\xyz Annelise Arnold\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Inbox/Inbox Old 2/19 Nov 2004 15:32 from Gregsgrimace:Forum notify/Document.com Infected: Email-Worm.Win32.Bagle.z skipped


All other viruses are in system restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
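
The triage done by hand in the post above (ignore locked objects, group nested detections under the file on disk that contains them, and handle mailbox and System Restore hits separately), as an added example that is not part of the original thread. The sample lines are constructed in the report's layout with placeholder paths, and the function names and the `adware_only` flag are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the report's "Infected Object Name /
# Virus Name / Last Action" section; paths are placeholders, not the poster's.
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\Docs\user\NTUSER.DAT Object is locked skipped
C:\Docs\user\Desktop\setup_a.exe/stream/data0005 Infected: Packed.Win32.PolyCrypt.d skipped
C:\Docs\user\Desktop\setup_a.exe/stream/data0029 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Docs\user\Desktop\setup_a.exe NSIS: infected - 2 skipped
C:\Docs\user\Downloads\setup_b.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Docs\user\Downloads\setup_b.exe RAR: infected - 1 skipped
C:\Docs\user\Outlook\outlook.pst/Personal Folders/Inbox/01 Jan 2004 from sender:Re: Hello/Document.hta Infected: Email-Worm.Win32.Bagle.z skipped
C:\Docs\user\Outlook\outlook.pst/Personal Folders/Inbox/02 Jan 2004 from sender:Re: Hi.html Suspicious: Email-Worm.Win32.Bagle.mail skipped
C:\Docs\user\Outlook\outlook.pst MailMSMaill: infected - 1, suspicious - 1 skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP8\A0000001.DLL Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
"""

# Paths contain spaces and even ": " (mail subjects), so match the verdict
# from the right-hand end of the line. "Object is locked" lines and the
# per-container summary lines ("NSIS: infected - 2") do not match.
DETECTION = re.compile(
    r"^(?P<path>.+) (?P<verdict>Infected|Suspicious): (?P<name>\S+) skipped$"
)


def parse_detections(report):
    """Return (path, verdict, detection_name) for every real detection line."""
    hits = []
    for line in report.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            hits.append((m["path"], m["verdict"], m["name"]))
    return hits


def container_of(path):
    """Members of an installer, archive or mailbox follow a '/'; the part
    before the first '/' is the file that actually exists on disk."""
    return path.split("/", 1)[0]


def location_kind(container):
    """Classify where the detected object lives, which decides the cleanup."""
    lower = container.lower()
    if "\\system volume information\\_restore" in lower:
        return "restore-point"   # inactive copy; cleared by purging restore points
    if lower.endswith(".pst"):
        return "mailbox"         # delete the messages in the mail client
    return "file"                # delete the file itself


def triage(report):
    """Group detections by on-disk container and summarise each one."""
    grouped = defaultdict(set)
    for path, _verdict, name in parse_detections(report):
        grouped[container_of(path)].add(name)
    return {
        container: {
            "kind": location_kind(container),
            "detections": sorted(names),
            # Kaspersky prefixes adware/riskware verdicts with "not-a-virus:".
            "adware_only": all(n.startswith("not-a-virus:") for n in names),
        }
        for container, names in grouped.items()
    }


if __name__ == "__main__":
    for container, info in triage(SAMPLE_REPORT).items():
        print(f"[{info['kind']}] {container}")
        for name in info["detections"]:
            print(f"    {name}")
```
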

Re: Further help please

Post by Shaba » May 13th, 2008, 9:02 am

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland