Searches hijacked

Re: Searches hijacked

Post by AngusPodgorney » January 30th, 2010, 10:56 am

System appears to be running ok. I haven't had any "hijacked search" problems since yesterday.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, January 30, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, January 29, 2010 20:00:04
Records in database: 3384767
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
Z:\

Scan statistics:
Objects scanned: 118755
Threats found: 21
Infected objects found: 67
Suspicious objects found: 16
Scan duration: 05:43:14


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00303571.tmp Infected: Email-Worm.Win32.Tanatos.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0322036E.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\036E491B.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05E92B6F.tmp Infected: Email-Worm.Win32.Klez.h 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0C8748EE.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\16383456.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\192F7AD5.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25B62116.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2ADA0BF9.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D7C6566.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2DCB5510.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\30253191.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31CB110D.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3234509A.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\33D370E1.tmp Infected: Email-Worm.Win32.Tanatos.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\38EC50EF.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\391672C0.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39472DB5.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CDE4208.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3FD0476D.tmp Infected: Email-Worm.Win32.Bagle.fb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43415E3E.tmp Infected: Email-Worm.Win32.Bagle.pac 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A6C6F86.tmp Infected: Email-Worm.Win32.Tanatos.b.dam 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4D176BC0.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53934EE9.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\56DB1842.tmp Infected: Email-Worm.Win32.NetSky.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B62422D.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B763E17.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B796814.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B7C1210.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B9A3311.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60D11009.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\64D91BF8.tmp Infected: Email-Worm.Win32.Tanatos.b.dam 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\655910D6.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65870430.tmp Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66BD714E.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68DF2867.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\706B0CFC.tmp Infected: Email-Worm.Win32.Swen 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\70FB4838.tmp Infected: Email-Worm.Win32.Bagle.bj 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78B93894.tmp Infected: Email-Worm.Win32.Tanatos.b 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\incoming.verizon-3.net\Inbox Infected: Email-Worm.Win32.Bagle.bj 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\incoming.verizon-3.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bayfraud.p 4
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 13
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Bagle.eb 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Sober.y 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Trojan-Spy.HTML.Bayfraud.p 4
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.a 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.r 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Sent Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\Program Files\Common Files\Wise Installation Wizard\WIS1EFAF4929A3B48C39349234B146FDA46_5_0_4.MSI Infected: not-a-virus:PSWTool.Win32.PWDump.k 1
C:\Program Files\Common Files\Wise Installation Wizard\WIS1EFAF4929A3B48C39349234B146FDA46_5_0_4.MSI Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
C:\Program Files\Common Files\Wise Installation Wizard\WIS1EFAF4929A3B48C39349234B146FDA46_5_0_4.MSI Infected: not-a-virus:PSWTool.Win32.PWDump.3 2
C:\Program Files\LCP\Data\pwdump2\samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.k 1
C:\Program Files\LCP\Data\pwdump2-orig\samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
C:\Program Files\LCP\Data\pwdump3\pwservice.exe Infected: not-a-virus:PSWTool.Win32.PWDump.3 1
C:\Program Files\LCP\Data\pwdump3e\pwservice.exe Infected: not-a-virus:PSWTool.Win32.PWDump.3 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2096\A0206426.exe Infected: Trojan.Win32.Agent.dgbt 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2096\A0206464.sys Infected: Rootkit.Win32.TDSS.u 1

Selected area has been scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:01 AM, on 1/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Rundll32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRAM FILES\CREATIVE\SOUND BLASTER LIVE! 24-BIT\SURROUND MIXER\CTSYSVOL.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\EDWARD STAHL\Local Settings\temp\jkos-EDWARD STAHL\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: RedBox Toolbar - {e6d87380-6e47-11db-9fe1-0800200c9a66} - C:\Program Files\Studio V5\RedBox7\RedBoxBar.dll
O4 - HKLM\..\Run: [P17Helper] "C:\WINDOWS\SYSTEM32\Rundll32.exe" P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash
O4 - HKCU\..\Run: [WeatherBug Desktop] C:\PROGRAM FILES\AWS\WEATHERBUG\Weather.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe (User 'Default user')
O4 - .DEFAULT Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (User 'Default user')
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O4 - Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MSOFFI~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Subscribe in RSS Bandit - C:\Documents and Settings\EDWARD STAHL\Application Data\RssBandit\iecontext_subscribebandit.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/rap ... loader.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCo ... taller.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host.oddcast.com/hostClientIE.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - F:\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe

--
End of file - 9202 bytes
AngusPodgorney
Regular Member
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Post by AngusPodgorney » February 1st, 2010, 1:49 pm

Is that it? Are we done?
AngusPodgorney
Regular Member
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Post by deltalima » February 1st, 2010, 2:08 pm

Hi AngusPodgorney,

The Kaspersky scan revealed several viruses on your system; we will manually remove them.

There is a program called LCP installed on your computer; this can be used to obtain login passwords for systems. If you are aware of this program then there is no problem, but if it has been installed without your knowledge we need to remove it.

There are 2 viruses in the system restore area and we will clean these out once your system is clean.

Next we will remove viruses that an old version of Norton has quarantined.

ComboFix - CFScript
WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!


You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Please open Notepad and copy/paste all the text below... into the window:

    Folder::
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:

    [image: CFScript.txt being dragged onto the ComboFix.exe icon]

    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!

    When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
  5. Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

There are several viruses showing in your Thunderbird email folder.

Please open Thunderbird and empty the Junk and the Sent folders.

There are some viruses in your Inbox, you will have to manually find these.

You appear to have two Inboxes, one named incoming.verizon-3.net and one called Local Folders; both of these Inboxes will need to be checked.

Please check through each email and remove any with an attachment that you cannot be sure has come from a trusted source. Once complete then empty the deleted items folder.

Now please run another Kaspersky scan and post the results back along with log.txt, and let me know about the program LCP.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
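The reply above sorts the scanner's detections by where they sit before deciding what to do with each group: an old Norton quarantine folder is deleted wholesale, System Restore points are cleaned last, mail stores must be cleaned by hand, and a "not-a-virus" password-dumping tool on the live file system is a question for the machine's owner rather than an automatic delete. The following script is an added example (not code from MalwareRemoval.com, the helper, or Kaspersky) that applies that same triage to the "File name / Threat / Threats count" lines of a Kaspersky Online Scanner 7 report. The line format, the location patterns, the function names and the sample report (with a placeholder user name and restore-point GUID) are all assumptions of the example.

```python
"""Triage helper for Kaspersky Online Scanner 7 report lines (added example).

Groups each detection by location so a responder can see at a glance what is
already neutralised (AV quarantine), what waits for the end of the cleanup
(System Restore), what needs manual work (mail stores) and which dual-use
"not-a-virus" tools on the live file system need a question to the owner.
"""
import re
from collections import defaultdict

# Assumed report line format: <path> <Infected|Suspicious>: <threat name> <count>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

# Location classes, checked in order; first match wins. These patterns are
# assumptions that fit the paths seen in this kind of report.
LOCATION_RULES = [
    ("av_quarantine", re.compile(r"\\Quarantine\\", re.I)),
    ("system_restore", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("mail_store", re.compile(r"\\Thunderbird\\Profiles\\.*\\Mail\\", re.I)),
]


def classify_location(path):
    """Map a reported path to one of the location classes above."""
    for name, rule in LOCATION_RULES:
        if rule.search(path):
            return name
    return "live_filesystem"


def parse_report_line(line):
    """Return a dict for one detection line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    # Kaspersky prefixes dual-use tools (monitors, password dumpers) this way.
    rec["dual_use"] = rec["threat"].startswith("not-a-virus:")
    rec["location"] = classify_location(rec["path"])
    return rec


def triage(report_text):
    """Return (per-location detection totals, dual-use tool paths on the live
    file system). Dual-use hits inside a quarantine are already contained and
    are not listed for the owner."""
    by_location = defaultdict(list)
    for line in report_text.splitlines():
        rec = parse_report_line(line)
        if rec:
            by_location[rec["location"]].append(rec)
    summary = {loc: sum(r["count"] for r in recs) for loc, recs in by_location.items()}
    ask_owner = sorted(
        {r["path"] for r in by_location.get("live_filesystem", []) if r["dual_use"]}
    )
    return summary, ask_owner


# Constructed sample report, shortened from the shape of a real scan log.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00303571.tmp Infected: Email-Worm.Win32.Tanatos.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B62422D.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\Documents and Settings\USER\Application Data\Thunderbird\Profiles\abcd1234.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 13
C:\Documents and Settings\USER\Application Data\Thunderbird\Profiles\abcd1234.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bayfraud.p 4
C:\Program Files\LCP\Data\pwdump2\samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.k 1
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP2096\A0206464.sys Infected: Rootkit.Win32.TDSS.u 1

Selected area has been scanned.
"""

if __name__ == "__main__":
    totals, questions = triage(SAMPLE_REPORT)
    for location, count in sorted(totals.items()):
        print(f"{location:16s} {count}")
    for path in questions:
        print("ask owner about:", path)
```

Run on the constructed sample, the quarantine and System Restore groups account for everything that can be handled by a folder delete and a later restore-point purge, the mail store group is what has to be cleaned inside the mail client, and the only path returned for the owner to confirm is the LCP password-dump DLL, matching the questions asked in the reply.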

Re: Searches hijacked

Post by AngusPodgorney » February 2nd, 2010, 9:59 am

I haven't forgotten but I accidentally closed my Firefox window yesterday when Kaspersky was about half way through, so I let it run overnight and it locked my system up. It is running now but very slowly.

ejs

P.S. Since I have to disable my regular AV/AS software while Kaspersky is running, my PC is exposed the entire time Kaspersky is running, correct?
AngusPodgorney
Regular Member
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Post by AngusPodgorney » February 2nd, 2010, 2:17 pm

I have no recollection of the LCP program. I do not believe I installed that.

ComboFix 10-02-01.01 - EDWARD STAHL 02/01/2010 13:43:26.3.1 - x86
Running from: c:\documents and settings\EDWARD STAHL\Desktop\Combofx.exe
Command switches used :: c:\documents and settings\EDWARD STAHL\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine

.
((((((((((((((((((((((((( Files Created from 2010-01-01 to 2010-02-01 )))))))))))))))))))))))))))))))
.

2010-01-30 12:29 . 2010-01-30 12:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2010-01-29 14:53 . 2010-01-29 15:10 -------- d-----w- C:\Combofx
2010-01-22 22:01 . 2010-01-30 18:01 -------- d-----w- c:\documents and settings\EDWARD STAHL\Local Settings\Application Data\WeatherBug
2010-01-22 22:01 . 2010-01-22 22:01 18944 ----a-r- c:\documents and settings\EDWARD STAHL\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A16301.exe
2010-01-22 22:01 . 2010-01-22 22:01 11264 ----a-r- c:\documents and settings\EDWARD STAHL\Application Data\Microsoft\Installer\{8F931595-5561-4E26-AC78-7E9B1E3E9C98}\IconBB6A1630.exe
2010-01-22 21:23 . 2004-08-10 18:04 0 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\WinPatrol\Config.sys
2010-01-22 21:23 . 2004-08-10 18:04 0 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\WinPatrol\Autoexec.bat
2010-01-22 21:23 . 2010-01-22 21:23 -------- d-----w- c:\documents and settings\EDWARD STAHL\Application Data\WinPatrol
2010-01-22 21:20 . 2010-01-22 21:20 -------- d-----w- c:\program files\BillP Studios
2010-01-22 19:56 . 2010-01-22 19:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2010-01-22 19:55 . 2010-01-22 19:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thunderbird
2010-01-22 19:55 . 2010-01-22 19:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thunderbird
2010-01-22 19:38 . 2010-01-22 19:38 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-22 19:34 . 2010-01-22 19:38 -------- d-----w- c:\documents and settings\Administrator
2010-01-21 00:12 . 2010-01-21 00:12 -------- d-----w- c:\program files\Trend Micro
2010-01-21 00:02 . 2010-01-21 00:02 -------- d-----w- c:\documents and settings\EDWARD STAHL\Local Settings\Application Data\WMTools Downloaded Files
2010-01-20 14:02 . 2010-01-20 14:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-20 13:51 . 2010-01-20 13:51 -------- d-----w- c:\program files\Lavasoft
2010-01-20 13:51 . 2010-01-28 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-12 22:26 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-01 16:36 . 2005-02-13 20:15 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-28 19:49 . 2005-10-15 15:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-28 19:49 . 2005-02-05 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 22:00 . 2004-10-24 22:59 -------- d-----w- c:\program files\AWS
2010-01-20 12:11 . 2008-01-11 17:27 -------- d-----w- c:\program files\Password Safe
2010-01-18 00:58 . 2009-08-05 14:19 1 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-07 19:46 . 2009-06-01 21:02 -------- d-----w- c:\program files\Common Files\Motive
2010-01-05 23:36 . 2007-10-31 10:38 -------- d-----w- c:\documents and settings\EDWARD STAHL\Application Data\WeatherBug
2010-01-05 21:39 . 2005-05-31 19:01 -------- d-----w- c:\program files\inKline Global
2010-01-04 14:48 . 2009-02-25 16:31 -------- d-----w- c:\documents and settings\EDWARD STAHL\Application Data\U3
2009-12-30 09:17 . 2009-06-18 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-12-25 03:31 . 2009-12-25 03:29 -------- d-----w- c:\program files\iTunes
2009-12-25 03:29 . 2004-11-26 01:24 -------- d-----w- c:\program files\iPod
2009-12-25 03:29 . 2007-07-01 22:35 -------- d-----w- c:\program files\Common Files\Apple
2009-12-25 03:26 . 2006-04-25 17:36 -------- d-----w- c:\program files\QuickTime
2009-12-24 14:13 . 2008-08-10 16:51 -------- d-----w- c:\program files\RegCure
2009-12-21 19:14 . 2004-08-04 10:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-18 20:41 . 2005-09-07 21:07 -------- d-----w- c:\program files\Cryptainer ME
2009-12-08 05:33 . 2009-12-08 05:33 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2009-12-01 15:56 . 2009-12-01 15:56 152576 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-01 15:56 . 2009-12-01 13:54 79488 ----a-w- c:\documents and settings\EDWARD STAHL\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-16 14:06 . 2009-11-16 14:06 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-11-16 14:06 . 2009-11-16 14:06 135048 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-11-16 14:03 . 2009-11-16 14:03 108792 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-11-16 13:56 . 2009-11-16 13:56 116520 ----a-w- c:\windows\system32\drivers\eamon.sys
2009-11-12 22:07 . 2009-11-12 22:07 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2005-04-04 17:18 . 2005-05-05 11:13 212992 -c--a-w- c:\program files\xAutoUpdate.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-09-11 17:34 . 2007-09-10 15:19 88 --sh--r- c:\windows\SYSTEM32\99842D7CE1.sys
2008-02-10 19:01 . 2007-09-10 15:19 2516 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-10-20 1693184]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ParetoLogic Anti-Spyware"="c:\program files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" [2009-08-05 2643312]
"WeatherBug Desktop"="c:\program files\AWS\WEATHERBUG\Weather.exe" [2009-10-20 1693184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 60928]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 94208]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"QuickTime Task"="c:\program files\QUICKTIME\QTTASK.EXE" [2009-11-11 417792]

c:\documents and settings\EDWARD STAHL\Start Menu\Programs\Startup\
MemTurbo.lnk - c:\program files\MemTurbo30\MemTurbo.exe [2006-1-24 424960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"= "c:\program files\ParetoLogic\Anti-Spyware\PASShlExt.dll" [2009-08-05 98304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^EDWARD STAHL^Start Menu^Programs^Startup^Alpha Key Saver 3.lnk]
backup=c:\windows\pss\Alpha Key Saver 3.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EDWARD STAHL^Start Menu^Programs^Startup^Password Safe.lnk]
backup=c:\windows\pss\Password Safe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^EDWARD STAHL^Start Menu^Programs^Startup^RedBox Reminder.lnk]
backup=c:\windows\pss\RedBox Reminder.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-03-20 21:34 213936 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 21:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosGbWatcher]
2005-11-07 07:00 118837 ----a-w- c:\program files\TOSHIBA\gigabeat room 3.0\TosGBWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\java.exe"=
"c:\\Program Files\\Audible\\Bin\\Manager.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\documents and settings\EDWARD STAHL\Local Settings\Apps\2.0\Z79H4G8V.431\8MED0KJL.GNB\thef...app_0d221d3645bc6701_0002.0005_ab7cf4693a6927d4\The Filter.exe"= c:\documents and settings\EDWARD STAHL\Local Settings\Apps\2.0\Z79H4G8V.431\8MED0KJL.GNB\thef...app_0d221d3645bc6701_0002.0005_ab7cf4693a6927d4\The Filter.exe:127.0.0.1/255.255.255.255:Enabled:The Filter: Windows Media Player plugin
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowOutboundPacketTooBig"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)

R0 Spssys;Toshiba SPS Service;c:\windows\SYSTEM32\DRIVERS\spssys.sys [7/13/2008 2:05 PM 164256]
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [11/16/2009 9:03 AM 108792]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 9:04 AM 735960]
R2 ssoftnt4;ssoftnt4;c:\windows\SYSTEM32\DRIVERS\ssoftnt4.sys [5/21/2004 12:30 AM 114944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2007 2:13 PM 112688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-31 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2010-01-29 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2010-02-01 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS\Pareto_Update.exe [2009-08-05 17:39]

2010-01-31 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-02-01 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-31 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - f:\msoffi~1\Office12\EXCEL.EXE/3000
IE: Subscribe in RSS Bandit - c:\documents and settings\EDWARD STAHL\Application Data\RssBandit\iecontext_subscribebandit.htm
Trusted Zone: synchrogenix.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/rap ... loader.cab
FF - ProfilePath - c:\documents and settings\EDWARD STAHL\Application Data\Mozilla\Firefox\Profiles\t4vn3hew.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL -
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-01 13:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2731633163-1187809266-1330281862-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-02-01 13:58:36
ComboFix-quarantined-files.txt 2010-02-01 18:58
ComboFix2.txt 2010-01-29 15:10
ComboFix3.txt 2010-01-29 13:05

Pre-Run: 7,230,758,912 bytes free
Post-Run: 7,549,419,520 bytes free

- - End Of File - - 221139A923C55122897C9FE82BBB93AD

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, February 2, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, February 02, 2010 11:12:10
Records in database: 3398915
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
Z:\

Scan statistics:
Objects scanned: 118217
Threats found: 20
Infected objects found: 72
Suspicious objects found: 18
Scan duration: 05:32:36


File name / Threat / Threats count
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\incoming.verizon-3.net\Inbox Infected: Email-Worm.Win32.Bagle.bj 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\incoming.verizon-3.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bayfraud.p 4
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 15
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Bagle.eb 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Sober.y 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Trojan-Spy.HTML.Bayfraud.p 4
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.a 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.r 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.ct 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Sent Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\Program Files\Common Files\Wise Installation Wizard\WIS1EFAF4929A3B48C39349234B146FDA46_5_0_4.MSI Infected: not-a-virus:PSWTool.Win32.PWDump.k 1
C:\Program Files\Common Files\Wise Installation Wizard\WIS1EFAF4929A3B48C39349234B146FDA46_5_0_4.MSI Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
C:\Program Files\Common Files\Wise Installation Wizard\WIS1EFAF4929A3B48C39349234B146FDA46_5_0_4.MSI Infected: not-a-virus:PSWTool.Win32.PWDump.3 2
C:\Program Files\LCP\Data\pwdump2\samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.k 1
C:\Program Files\LCP\Data\pwdump2-orig\samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
C:\Program Files\LCP\Data\pwdump3\pwservice.exe Infected: not-a-virus:PSWTool.Win32.PWDump.3 1
C:\Program Files\LCP\Data\pwdump3e\pwservice.exe Infected: not-a-virus:PSWTool.Win32.PWDump.3 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\00303571.tmp.vir Infected: Email-Worm.Win32.Tanatos.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0322036E.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\036E491B.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\05E92B6F.tmp.vir Infected: Email-Worm.Win32.Klez.h 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0C8748EE.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\16383456.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\192F7AD5.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\25B62116.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2ADA0BF9.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2D7C6566.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2DCB5510.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\30253191.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\31CB110D.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3234509A.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\33D370E1.tmp.vir Infected: Email-Worm.Win32.Tanatos.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\38EC50EF.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\391672C0.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39472DB5.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CDE4208.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3FD0476D.tmp.vir Infected: Email-Worm.Win32.Bagle.fb 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\43415E3E.tmp.vir Infected: Email-Worm.Win32.Bagle.pac 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4A6C6F86.tmp.vir Infected: Email-Worm.Win32.Tanatos.b.dam 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4D176BC0.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\53934EE9.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\56DB1842.tmp.vir Infected: Email-Worm.Win32.NetSky.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B62422D.exe.vir Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B763E17.exe.vir Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B796814.dll.vir Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B7C1210.dll.vir Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5B9A3311.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60D11009.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\64D91BF8.tmp.vir Infected: Email-Worm.Win32.Tanatos.b.dam 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\655910D6.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65870430.tmp.vir Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\66BD714E.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\68DF2867.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\706B0CFC.tmp.vir Infected: Email-Worm.Win32.Swen 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\70FB4838.tmp.vir Infected: Email-Worm.Win32.Bagle.bj 1
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\78B93894.tmp.vir Infected: Email-Worm.Win32.Tanatos.b 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2099\A0207139.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2099\A0207140.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2099\A0207141.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2099\A0207142.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 1

Selected area has been scanned.
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Unread postby deltalima » February 3rd, 2010, 4:47 am

Hi AngusPodgorney,

  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs,
    highlight LCP 5.04
    click Remove
  • Close the Add or Remove Programs and the Control Panel windows.

Using Windows Explorer (to get there right-click your Start button and go to Explore), please delete this file:
C:\Program Files\Common Files\Wise Installation Wizard\WIS1EFAF4929A3B48C39349234B146FDA46_5_0_4.MSI

This just leaves the infected email attachments, please let me know what happened when you followed my previous instructions for removing the infected emails from Thunderbird.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Searches hijacked

Unread postby AngusPodgorney » February 3rd, 2010, 7:56 am

I have removed the LCP program. I cannot locate C:\Program Files\Common Files\Wise Installation Wizard\WIS1EFAF4929A3B48C39349234B146FDA46_5_0_4.MSI either through a search or by following the file name. There is no Wise Installation folder.

I have removed all the emails manually. I have several "storage" or "archive" folders in my email that I have deleted all or most of the emails from. Running ESET on the email folders turns up nothing.

ejs
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Unread postby deltalima » February 3rd, 2010, 2:55 pm

Hi AngusPodgorney,

Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the run box and click OK

Now please run one more Kaspersky online scan and post the results back here.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Searches hijacked

Unread postby AngusPodgorney » February 3rd, 2010, 10:42 pm

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, February 3, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, February 03, 2010 14:25:14
Records in database: 3401930
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
Z:\

Scan statistics:
Objects scanned: 119055
Threats found: 13
Infected objects found: 30
Suspicious objects found: 20
Scan duration: 05:05:13


File name / Threat / Threats count
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\incoming.verizon-3.net\Inbox Infected: Email-Worm.Win32.Bagle.bj 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\incoming.verizon-3.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bayfraud.p 4
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 17
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Bagle.eb 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Sober.y 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Trojan-Spy.HTML.Bayfraud.p 4
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.a 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.r 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.ct 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Sent Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2099\A0207139.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2099\A0207140.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2099\A0207141.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2099\A0207142.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2101\A0207347.rbf Infected: not-a-virus:PSWTool.Win32.PWDump.k 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2101\A0207348.rbf Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2101\A0207350.rbf Infected: not-a-virus:PSWTool.Win32.PWDump.3 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2101\A0207352.rbf Infected: not-a-virus:PSWTool.Win32.PWDump.3 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2101\A0207356.MSI Infected: not-a-virus:PSWTool.Win32.PWDump.k 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2101\A0207356.MSI Infected: not-a-virus:PSWTool.Win32.PWDump.2 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2101\A0207356.MSI Infected: not-a-virus:PSWTool.Win32.PWDump.3 2

Selected area has been scanned.
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Unread postby deltalima » February 4th, 2010, 8:13 am

Hi AngusPodgorney,

There are still some infections showing.

Create a new, clean System Restore point which you can use in case of future system problems:
  • Press Start >> All Programs >> Accessories >>System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Next click Start >> Run and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked; you can choose to check other boxes if you wish, but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm

The infected mail items are showing under the profile for user EDWARD STAHL, please confirm that this is the account that you use when you have removed emails.

Please check again that all the items in the Junk local folder have been removed.

Please now run another Kaspersky scan and post the results back here.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Searches hijacked

Unread postby AngusPodgorney » February 4th, 2010, 7:16 pm

I know it doesn't look like it according to the report but I have deleted virtually everything from my mailboxes, including the "Junk" folder.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, February 4, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, February 04, 2010 14:46:18
Records in database: 3408916
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
Z:\

Scan statistics:
Objects scanned: 114227
Threats found: 10
Infected objects found: 16
Suspicious objects found: 19
Scan duration: 04:27:40


File name / Threat / Threats count
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\incoming.verizon-3.net\Inbox Infected: Email-Worm.Win32.Bagle.bj 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\incoming.verizon-3.net\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.HTML.Bayfraud.p 4
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Suspicious: Exploit.HTML.Iframe.FileDownload 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 16
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Bagle.eb 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Sober.y 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Trojan-Spy.HTML.Bayfraud.p 4
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.a 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.r 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Infected: Email-Worm.Win32.Zhelatin.ct 1
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Sent Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2

Selected area has been scanned.
AngusPodgorney
Regular Member
 
Posts: 17
Joined: January 20th, 2010, 8:30 pm
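To see which entries in the successive Kaspersky reports have cleared and which persist, and why the System Restore and Thunderbird entries call for different clean-up steps, here is an added Python helper that is not part of the thread and not from Kaspersky: it parses the "File name / Threat / Threats count" section, buckets each detection by where it lives, and diffs two reports. The two excerpts embedded below are constructed from a few lines of the February 3 and February 4 reports posted above.

```python
import re
from dataclasses import dataclass

# One detection line of a Kaspersky Online Scanner 7.0 report, e.g.
#   C:\...\Local Folders\Sent Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
# Paths contain spaces, so the verdict keyword is the only reliable separator.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str
    threat: str
    count: int


def parse_report(text: str) -> list[Detection]:
    """Return the detections listed after the 'File name / Threat / Threats count' header."""
    found, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File name / Threat / Threats count"):
            in_list = True
            continue
        if not in_list or not line:
            continue
        m = LINE_RE.match(line)
        if m:
            found.append(Detection(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return found


def classify(path: str) -> str:
    """Bucket a detection by where it lives, which decides the clean-up step it needs."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"   # only goes away when old restore points are purged
    if "\\qoobox\\" in p or "\\quarantine\\" in p:
        return "quarantine"       # already isolated; removed together with the tool
    if "\\thunderbird\\profiles\\" in p and "\\mail\\" in p:
        return "mail-store"       # a message inside an mbox file, not a loose file
    return "other"


def summarize(detections: list[Detection]) -> dict[str, int]:
    """Total threat count per location bucket."""
    totals: dict[str, int] = {}
    for d in detections:
        bucket = classify(d.path)
        totals[bucket] = totals.get(bucket, 0) + d.count
    return totals


def compare(before: list[Detection], after: list[Detection]) -> dict[str, list]:
    """(path, threat) pairs that were cleared, that persist (with both counts), or are new."""
    b = {(d.path, d.threat): d.count for d in before}
    a = {(d.path, d.threat): d.count for d in after}
    return {
        "cleared": sorted(k for k in b if k not in a),
        "persisting": sorted((k, b[k], a[k]) for k in b if k in a),
        "new": sorted(k for k in a if k not in b),
    }


# Constructed excerpts of the February 3 and February 4 reports from the thread.
REPORT_FEB3 = r"""
Scan statistics:
Infected objects found: 30

File name / Threat / Threats count
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 17
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Sent Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2099\A0207139.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2101\A0207356.MSI Infected: not-a-virus:PSWTool.Win32.PWDump.k 1

Selected area has been scanned.
"""

REPORT_FEB4 = r"""
File name / Threat / Threats count
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 16
C:\Documents and Settings\EDWARD STAHL\Application Data\Thunderbird\Profiles\5xm2ga6h.default\Mail\Local Folders\Sent Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 2

Selected area has been scanned.
"""

if __name__ == "__main__":
    before, after = parse_report(REPORT_FEB3), parse_report(REPORT_FEB4)
    print("before:", summarize(before))   # {'mail-store': 19, 'system-restore': 3}
    print("after: ", summarize(after))    # {'mail-store': 18}
    for key, value in compare(before, after).items():
        print(f"{key}: {len(value)}")
```

The restore-point entries vanish between the two scans while the mbox entries stay, which is the pattern the helper's next post reacts to.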

Re: Searches hijacked

Unread postby deltalima » February 5th, 2010, 8:11 am

Hi AngusPodgorney,

For whatever reason those infected emails cannot be accessed from Thunderbird so I propose to continue the clean up.

Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version

Update Adobe Reader
Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version: Adobe Reader 9.3
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Delete the GMER icon from your desktop, it will be named 98wlzedl.exe

Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK

Remove all used tools

Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide

Malwarebytes' Anti-Malware Scanning Guide


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

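A scripted way to do the Add/Remove Programs check from the Java and Adobe Reader steps in the post above. This is an added example, not part of deltalima's post or any tool the forum uses. It reads the same Uninstall registry keys that Add/Remove Programs displays, and goes a little beyond the post by taking a name pattern and minimum version, so the same function covers both Java (anything below 6 Update 18) and Adobe Reader (anything below 9.3). It assumes PowerShell 2.0 or later is installed, and that the installers register DisplayVersion as "6.0.180" for JRE 6 Update 18 and "9.3.0" for Adobe Reader 9.3 (both assumptions about how those products register themselves).

```powershell
# Added example, not from the original post. Lists products recorded under
# Add/Remove Programs whose name matches a pattern and flags any whose
# DisplayVersion is below a minimum. Assumes PowerShell 2.0+; the version
# strings "6.0.180" (JRE 6 Update 18) and "9.3.0" (Adobe Reader 9.3) are
# assumptions about how those installers register in the Uninstall keys.

function Get-OutdatedProduct {
    param(
        [string]$NamePattern,      # regex matched against DisplayName
        [version]$MinimumVersion   # anything older than this is flagged
    )
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit apps on 64-bit Windows
    )
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }          # Wow6432Node does not exist on 32-bit XP
        foreach ($sub in Get-ChildItem $key) {
            $e = Get-ItemProperty $sub.PSPath
            if (-not ($e.DisplayName -match $NamePattern)) { continue }

            # Entries without a parseable version still get listed so they are not overlooked
            $ver = $null
            try { $ver = [version]$e.DisplayVersion } catch { }
            if ($ver -eq $null)               { $status = 'unknown version, check manually' }
            elseif ($ver -lt $MinimumVersion) { $status = 'OUTDATED: remove via Add/Remove Programs' }
            else                              { $status = 'current' }

            New-Object PSObject -Property @{
                Name            = $e.DisplayName
                Version         = $e.DisplayVersion
                Status          = $status
                UninstallString = $e.UninstallString
            }
        }
    }
}

# Sun Java: every JRE / J2SE / Java(TM) 6 entry below 6 Update 18 should go
Get-OutdatedProduct -NamePattern 'Java\(TM\)|J2SE|Java Runtime|JRE' -MinimumVersion '6.0.180' |
    Format-Table Name, Version, Status -AutoSize

# Same check for Adobe Reader against 9.3
Get-OutdatedProduct -NamePattern '^Adobe Reader' -MinimumVersion '9.3.0' |
    Format-Table Name, Version, Status -AutoSize
```

The script only reports; it deliberately does not execute the UninstallString values it collects, because a stale entry can point at an installer that is no longer present, and the post's Add/Remove Programs route handles the prompts and reboot correctly. Run it again after the reboot in the post's Java steps to confirm that only the 6 Update 18 entry remains.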
Re: Searches hijacked

Unread postby AngusPodgorney » February 5th, 2010, 8:30 am

Thanks so much for your time and help, I really appreciate it. What about the Adware alert and Spybot Search & Destroy I already have? Should I use the programs you suggested instead of those, in conjunction with them, or what? (I also have a ParetoLogic anti-spyware.)

ejs
AngusPodgorney
Regular Member
Posts: 17
Joined: January 20th, 2010, 8:30 pm

Re: Searches hijacked

Unread postby deltalima » February 5th, 2010, 9:39 am

Hi AngusPodgorney,

There is no problem with running multiple anti-spyware / adware tools on demand only, so you may keep those programs in addition to the ones I suggest.

The most important point is to ensure that only one is configured for real-time protection, as more than one can cause conflicts leading to system slowness and reduced protection.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
Location: UK
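A way to check the "only one real-time scanner" point from deltalima's reply above without opening each product's settings. This is an added example, not from the post or the forum's tools. Windows XP and 2003 publish each registered antivirus product in the WMI namespace root\SecurityCenter with an onAccessScanningEnabled flag; Vista and later use root\SecurityCenter2 with a packed productState value. The script queries both and warns when more than one product says real-time scanning is on. It assumes PowerShell 2.0 or later, and the productState bit it tests (0x1000 meaning "enabled") is a widely used reading of that bitmask rather than a documented API, so treat it as an assumption.

```powershell
# Added example, not from the original post. Lists antivirus products registered
# with Windows Security Center and warns when more than one reports real-time
# (on-access) scanning enabled. Assumes PowerShell 2.0+. The 0x1000 productState
# test for SecurityCenter2 is an assumption, not a documented contract.

function Get-RegisteredAntiVirus {
    # XP/2003 use root\SecurityCenter; Vista and later use root\SecurityCenter2.
    # A namespace that does not exist on this host simply contributes nothing.
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        foreach ($p in $products) {
            $realtime = $null
            if ($p.PSObject.Properties['onAccessScanningEnabled'] -ne $null) {
                # XP schema: a plain boolean set by the vendor's Security Center provider
                $realtime = [bool]$p.onAccessScanningEnabled
            } elseif ($p.PSObject.Properties['productState'] -ne $null) {
                # SecurityCenter2 schema: state packed into a bitmask (assumed layout)
                $realtime = (($p.productState -band 0x1000) -ne 0)
            }
            New-Object PSObject -Property @{
                Namespace = $ns
                Name      = $p.displayName
                RealTime  = $realtime
            }
        }
    }
}

$av = @(Get-RegisteredAntiVirus)
if ($av.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Windows Security Center.'
}
$av | Format-Table Name, RealTime, Namespace -AutoSize

# Conflicting real-time scanners are the failure mode the post warns about
$active = @($av | Where-Object { $_.RealTime -eq $true })
if ($active.Count -gt 1) {
    $names = ($active | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "$($active.Count) products report real-time scanning enabled: $names. Keep only one."
}
```

Only products whose vendor registers with Security Center appear here, so an on-demand-only tool such as the free Malwarebytes' Anti-Malware mentioned earlier will usually not be listed; that is expected, since it has no real-time component to conflict with.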

Re: Searches hijacked

Unread postby NonSuch » February 9th, 2010, 10:12 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California