[Solved] Gah! Hijacked again!
I'm coming here for help after several days of trying to deal with it on my own, only to have my browser hijacked again.
So today, a couple of days after running AVG's scan, AdAware, and Spybot - Search and Destroy, here's what AVG and HiJack This! (in Safe Mode) are telling me:
AVG reports Reading error in Partition table (MBR)
AVG reports Reading error in Boot sector of disk C:
AVG found Win32/PEPatch in
C:\syst.exe (Could not remove virus or delete file)
win32[1].exe (several copies in my user and Local Settings\Temporary Internet Files\Content IE5 folders) - Could not remove/delete
C:\Temp\metasploit.exe
AVG found multiple copies of Exploit in
new[1].htm (in my user and Local Settings\Temporary Internet Files\Content IE5 folders) - Could not remove/delete
AVG found Trojan horse BackDoor.Generic3.VKC in
C:\System Volume Information\_restore{BD69489E -6362... (infected Embedded object and Archive)
C:\temp\term.exe:\flu100.exe
C:\temp\term.exe
AVG found Trojan horse BackDoor.Generic3.VKX in
C:\WINDOWS\IIS\iisset
C:\Program Files\NetMeeting\Down(0).EXE
AVG found Trojan horse BackDoor.Generic3.WMM in
C:\WINDOWS\system32\Www.LookSoft.Net*.dll (where * stands for 9 different numbers of 0-4 digits)
I then ran AdAware, which only found and removed tracking cookies from tribalfusion and revsci.
I then ran Spybot - Search and Destroy, which found and fixed CoolWWWSearch.Bootconf in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msupdate
I rebooted into Safe Mode and ran Hijack This!, getting this report:
Logfile of HijackThis v1.99.1
Scan saved at 7:12:31 AM, on 11/24/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe (***Note: I do run Covenant Eyes)
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe (***reminder, I intentionally use Covenant Eyes)
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [MSUPDATE] Www.LookSoft.Net.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: Active HelpAssistant - Unknown owner - C:\WINDOWS\IIS\iisset (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
Upon rebooting in normal mode, I find an application with weird characters as its name running. When I go to its task, it is svchost.exe. I can end the application (it's back when I restart the computer). When I start MS IE, it again has some gibberish (to me) in its blue title bar, though I do recognize http://125.243.255 at the end. Also, if I allow the gibberishly-named application to continue running, it begins to spawn an IE window every so often, taking me to that http address.
If I run Hijack This! again now, I get this:
Logfile of HijackThis v1.99.1
Scan saved at 8:11:33 PM, on 11/26/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\autoback\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Edd
ÉèÖõ¯³öÒ³Ãæ=T.B.A+http://125.243.255.253/home.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: Active HelpAssistant - Unknown owner - C:\WINDOWS\IIS\iisset (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
I had HijackThis "fix" the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Edd
ÉèÖõ¯³öÒ³Ãæ=T.B.A+http://125.243.255.253/home.htm
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O23 - Service: Active HelpAssistant - Unknown owner - C:\WINDOWS\IIS\iisset (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
After restarting, at one point AVG's resident virus scanner caught a virus (Trojan horse BackDoor.Generic3.VKX) on C:\Program Files\NetMeeting\Down(0).EXE. I was able to heal it. Then, after a few minutes, IE opened on its own--a sign to me that my spyware was back. I quickly ran HijackThis! again, then shut down. As Windows shut down, I saw the "preparing updates for installation" message. Subsequent startups had IE popping up immediately.
Logfile of HijackThis v1.99.1
Scan saved at 1:24:49 AM, on 11/27/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
Any help to get rid of this stuff once and for all would be greatly appreciated!
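The entries a helper pulls out of logs like these can be checked mechanically. The script below is an added example written for this page; it is not code from the original post, from HijackThis, or from any scanner named here. It assumes %SystemRoot% is C:\WINDOWS (as the logs show) and runs over a constructed excerpt assembled from the 11/24, 11/26 and 11/27 logs above. It flags the patterns that matter in this thread: a genuine system binary name outside System32 (C:\autoback\svchost.exe), a name with the letters of svchost.exe rearranged (C:\WINDOWS\SCVHOST.exe), a Run value with no directory, so it is found through the search path at logon (Www.LookSoft.Net.exe), a start page that is not a plain URL, services with an unknown owner and no file on disk, and C:\Program.exe, which is where an unquoted "C:\Program Files\..." path resolves. returned() then lists which "fixed" entries are present again in a later log.

```python
"""Triage HijackThis v1.99 log entries for the persistence tricks seen in this thread (added example)."""
import re
from collections import Counter

SYSTEM32 = r"c:\windows\system32"  # assumption: %SystemRoot% is C:\WINDOWS, as the logs show
# Core Windows binaries that live in System32 and whose names malware borrows.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "smss.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "spoolsv.exe"}
BARE_OK = {"rundll32.exe"}  # legitimately listed without a directory in Run entries

RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\]\s*(.*)$", re.I)
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$", re.I)
STARTPAGE_RE = re.compile(r"^R[01] - .+?,(?:Start|Search) ?Page\s*=\s*(.*)$", re.I)
EXE_RE = re.compile(r"^(.*?\.exe)", re.I)


def _exe_path(command):
    """Lower-cased path up to the first '.exe', dropping arguments such as '/STARTUP'."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) if m else command.strip()).lower()


def check_path(path):
    """Reasons a start-up path resembles the impersonation seen in the logs above."""
    path = path.lower()
    head, _, name = path.rpartition("\\")
    reasons = []
    if name in SYSTEM_BINARIES:
        if head != SYSTEM32:  # real name, wrong folder: C:\autoback\svchost.exe
            reasons.append(f"{name} outside System32")
    else:
        for real in sorted(SYSTEM_BINARIES):
            if Counter(name) == Counter(real):  # transposed letters: SCVHOST.exe
                reasons.append(f"letters of {real} rearranged")
    if not head and name not in BARE_OK:  # Www.LookSoft.Net.exe has no directory
        reasons.append("bare file name, resolved through the search path at logon")
    if path == r"c:\program.exe":  # where an unquoted 'C:\Program Files\...' path resolves
        reasons.append("C:\\Program.exe, the unquoted 'Program Files' path hijack location")
    return reasons


def triage(log):
    """(line, reasons) for every log line that trips a check, in log order."""
    findings, in_procs = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if re.match(r"^[RFO]\d+ - ", line):  # first R/F/O entry ends the process list
            in_procs = False
        reasons = []
        if in_procs and line:
            reasons = check_path(line)
        elif (m := RUN_RE.match(line)):
            reasons = check_path(_exe_path(m.group(1)))
        elif (m := SERVICE_RE.match(line)):
            _, owner, target = m.groups()
            reasons = check_path(_exe_path(target.replace("(file missing)", "")))
            if "(file missing)" in target and owner == "Unknown owner":
                reasons.append("unknown owner and binary not on disk")
        elif (m := STARTPAGE_RE.match(line)):
            value = m.group(1).strip()
            if not value.lower().startswith(("http://", "https://")) or not value.isascii():
                reasons.append("start page is not a plain http(s) URL")
        if reasons:
            findings.append((line, reasons))
    return findings


def returned(fixed, later_log):
    """Fixed entries present again in a later log: something not yet removed re-creates them."""
    later = {l.strip() for l in later_log.splitlines()}
    return [e for e in fixed if e.strip() in later]


# Constructed excerpt assembled from the 11/24 and 11/26 logs in the post above.
LOG_1126 = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\autoback\svchost.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Edd
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKLM\..\Run: [MSUPDATE] Www.LookSoft.Net.exe
O23 - Service: Active HelpAssistant - Unknown owner - C:\WINDOWS\IIS\iisset (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
"""
# The four entries the poster had HijackThis fix, and a constructed excerpt of the 11/27 log.
FIXED = [l for l in LOG_1126.splitlines()
         if any(k in l for k in ("[MSConfigs]", "[only23]", "HelpAssistant", "OESH"))]
LOG_1127 = r"""O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
"""

if __name__ == "__main__":
    for line, reasons in triage(LOG_1126):
        print(line, "->", "; ".join(reasons))
    print("came back after the fix:", returned(FIXED, LOG_1127))
```

Having HijackThis fix an O4 or O23 entry removes only the pointer. When the same entries are present again after a reboot, as the 11/27 and 11/28 logs in this thread show for [only23] and [MSConfigs], whatever writes them is still on disk, so the next thing to hunt is that file rather than the registry value.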
Comments
C:\WINDOWS\SCVHOST.exe
[STEP 2] Fix HijackThis Entries:
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
[STEP 3] Remove Malicious Files:
C:\WINDOWS\SCVHOST.exe
[STEP 4] Report Back to us:
OK, I did as suggested, but did not see a way to generate a log. I'll just copy what is displayed:
File: SCVHOST.EXE
Status: INFECTED/MALWARE
MD5 f7ce55f3281b38152c0852fe98aee5a7
Packers detected: HMIMYS, NSPACK, PE_PATCH.MASKPE
Scanner results
AntiVir Found Trojan/Crypt.NSPM.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found GenPack:Generic.Malware.SBdldsp.7A1DC394
ClamAV Found nothing
Dr.Web Found BackDoor.Pigeon.516
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]
* Locates window "NULL [class IEFrame]" on desktop.
* File length: 26225 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SCVHOST.EXE.
[ Changes to registry ]
* Creates value "only23"="C:\WINDOWS\SCVHOST.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Modifies other process memory.
* Creates a remote thread.
VirusBuster Found nothing
VBA32 Found nothing
Check.
Check
Logfile of HijackThis v1.99.1
Scan saved at 1:24:49 AM, on 11/27/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
About 3 1/2 hours ago, AVG popped up a window saying it found a virus in A0007010.exe in a subdirectory of C:\System Volume Information\_restore{....; I was able to heal that one.
Then about half an hour ago (I see from the Event History Log) AVG's Resident Shield reported Trojan horse BackDoor.Generic3.VKX on C:\Program Files\NetMeeting\Down(0).EXE. When I came to the computer, I saw that my browser was again hijacked.
Here's the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:38:24 AM, on 11/28/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Java inetice - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\realetin.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: regsnthelp - Unknown owner - C:\WINDOWS\system32\regst.exe
C:\WINDOWS\system32\regst.exe
[STEP 2] Fix HijackThis Entries:
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O23 - Service: Java inetice - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\realetin.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: regsnthelp - Unknown owner - C:\WINDOWS\system32\regst.exe
[STEP 3] Remove Malicious Files:
c:\autoback\svchost.exe
C:\WINDOWS\SCVHOST.exe
C:\Program Files\Common Files\Microsoft Shared\MSINFO\realetin.exe
C:\Program.exe
C:\WINDOWS\system32\regst.exe
[STEP 4] Run Additional Tools:
http://cexx.org/LSPFix.exe
[STEP 5] Report Back to us:
If this problem continues to get worse with the next log, I am going to have to ask you to not reboot your computer until further notice, and then we will have to attack this in a different way.
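As an added example (not code from this thread or from the HijackThis project), here is a small Python triage of the O4 and O23 lines from the logs above, applying the checks the helper is doing by eye: images reported missing, names that imitate svchost.exe, system binary names run from odd folders, and services with no registered owner. The trusted-folder list, the look-alike names and the environment-variable table are assumptions; the sample lines are copied from the logs in this thread.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example for this thread; it is not the forum's or HijackThis's own code.
The heuristics (trusted folders, look-alike names, missing images, unknown
service owner) are assumptions drawn from the entries the helper singled out.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Folders where legitimate autostart images normally live (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")
# Names that imitate real Windows binaries, as seen in this thread's logs.
LOOKALIKES = {"scvhost.exe", "svchest.exe"}
# Real system binaries whose name is sometimes reused from an odd folder.
SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
# Environment variables HijackThis leaves unexpanded in service paths (assumption).
ENV = {"%windir%": "c:\\windows", "%systemroot%": "c:\\windows"}

O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# First token ending in .exe, optionally quoted; whatever follows is either
# arguments (/STARTUP) or a HijackThis annotation such as "(file missing)".
IMAGE_RE = re.compile(r'^"?(?P<img>[^"]*?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str          # "O4" or "O23"
    name: str          # Run value name, .lnk name or service display name
    image: str         # normalised image path
    reasons: List[str]


def normalise(img: str) -> str:
    """Lower-case the path and expand the environment variables HJT leaves in."""
    img = img.lower()
    for var, value in ENV.items():
        img = img.replace(var, value)
    return img


def assess(cmd: str, owner: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return (image, reasons) for the command/path column of one O4 or O23 line."""
    m = IMAGE_RE.match(cmd.strip())
    if not m:                      # no .exe at all (cpl, dll, script): leave for a human
        return cmd, ["image is not an .exe; review manually"]
    img = normalise(m.group("img"))
    base = img.rsplit("\\", 1)[-1]
    folder = img[: len(img) - len(base)]          # "" when only a bare file name
    reasons = []
    if "(file missing)" in cmd.lower():
        reasons.append("image file is missing (orphaned autostart/service entry)")
    if base in LOOKALIKES:
        reasons.append(f"{base} imitates a Windows system binary")
    elif base in SYSTEM_BINARIES and folder and folder != SYSTEM32:
        reasons.append(f"{base} is loaded from outside system32")
    if folder and not folder.startswith(TRUSTED_PREFIXES):
        reasons.append(f"image lives outside the trusted folders: {folder}")
    if owner is not None and owner.lower() == "unknown owner":
        reasons.append("service has no registered owner (weak signal on its own)")
    return img, reasons


def triage(log_text: str) -> List[Finding]:
    """Parse O4/O23 lines of a HijackThis log and return the entries worth a look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        owner = None
        if m := O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line):
            kind = "O4"
        elif m := O23_RE.match(line):
            kind, owner = "O23", m.group("owner")
        else:
            continue
        image, reasons = assess(m.group("cmd"), owner)
        if reasons:
            findings.append(Finding(kind, m.group("name"), image, reasons))
    return findings


# Lines copied from this thread's logs: two clean Windows/AVG entries, one
# clean Global Startup entry, and the entries the helper told the poster to fix.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: regsnthelp - Unknown owner - C:\WINDOWS\system32\regst.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name!r} -> {f.image}")
        for r in f.reasons:
            print("    -", r)
```

Note that a service whose only signal is "Unknown owner" (regsnthelp above) is reported but should be confirmed by other means, for instance an online multi-engine scan of the image file as the helper asked for.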
Only Fortinet reported anything - Misc/BEAV_MS06
Done.
There was no C:\Program.exe apparent (Displaying contents of system folders, showing hidden files and folders, and not hiding protected operating system files).
Other files deleted.
Looks like it wanted to keep mswsock.dll, winrnr.dll, nmNsp.dll, and rsvpsp.dll, and remove CESpy.dll. I did NOT run LSPFix.exe this time, as I run Covenant Eyes, but will do so if you confirm that my CE has been taken over or something or that LSPFix will still bring peace and love back to my computer.
I sure appreciate having your help on this!
Logfile of HijackThis v1.99.1
Scan saved at 7:15:08 AM, on 11/28/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\idwlog.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
I will report back if I get re-infected.
I am going to ask you to go into the Windows Registry. Please DO NOT modify or delete any data in the registry unless instructed to, as it may cause vital parts of your system to malfunction. Also, before editing the Registry, you should ALWAYS save a backup, just in case you do remove something that should have stayed. You can save a registry backup by clicking on the "File" item in the toolbar and selecting "Export". Make sure you choose to export the whole registry.
To get into the registry, go to the Run command in your start menu, and type in regedit, or regedt32. Now that you are in the registry, save a backup, and do a search (in the registry) for Program.exe. Let me know the full paths of the keys that come up (they should look something like HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\).
I searched the registry and found nothing with the string Program.exe.
Logfile of HijackThis v1.99.1
Scan saved at 5:55:55 PM, on 11/28/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
Logfile of HijackThis v1.99.1
Scan saved at 3:01:38 PM, on 11/30/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\idwlog.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
Note that I can repeatedly "fix" that last line, then run HijackThis again, and it's still there. This applies whether or not I reboot.
I will post any further developments.
Exploit found in C:\Documents and Settings\Carole\Local Settings\Temporary Internet Files\Content.IE5\65SJKZY1\new[1].htm
Win32/PEPatch found in C:\Documents and Settings\Carole\Local Settings\Temporary Internet Files\Content.IE5\65SJKZY1\win32[1].exe
I am not able to view the contents of C:\System Volume Information; I get an "access denied" box when I try.
I deleted my Restore Points, rebooted into safe mode, and ran AVG, AdAware, and Spybot S&D again, then rebooted again and made a new Restore Point. I did this since it looked like my restore files were infected.
My latest HT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:23:50 PM, on 11/30/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
(Still can't fix that Program.exe O23.)
Logfile of HijackThis v1.99.1
Scan saved at 12:01:58 PM, on 12/1/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\autoback\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
Regarding Down(0).EXE, http://virusscan.jotti.org/ reports:
Service load: (about 60%)
File: Down(0).exe
Status: INFECTED/MALWARE
MD5 f34917eb7c6bb88239668bbdf791fd4e
Packers detected: Analyzing...
Scanner results
AntiVir Found Trojan/Crypt.NSPM.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found BackDoor.Pigeon.516
F-Prot Antivirus Found Possibly a new variant of W32/NewMalware-BLP-based!Maximus
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found Sandbox: W32/Malware;
[ General information ]
* Decompressing UPX.
* **Locates window "NULL [class IEFrame]" on desktop.
* File length: 83337 bytes.
[ Changes to filesystem ]
* Creates directory C:.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP.
* Creates directory C:\WINDOWS\TEMP\RarSFX0.
* Creates file svchest.reg.
* Creates file svchest.exe.
* Creates file C:\WINDOWS\SCVHOST.EXE.
[ Changes to registry ]
* Creates key "HKCU\Software\WinRAR SFX".
* Sets value "C%%WINDOWS%system"="C:\WINDOWS\TEMP\RarSFX0" in key "HKCU\Software\WinRAR SFX".
* Creates value "only23"="C:\WINDOWS\SCVHOST.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Process/window information ]
* Attemps to NULL regedit NULL.
* Attemps to NULL C:\WINDOWS\system\svchest.exe NULL.
* Will automatically restart after boot (I'll be back...).
* Modifies other process memory.
* Creates a remote thread.
VirusBuster Found nothing
VBA32 Found BackDoor.Pigeon.516
Logfile of HijackThis v1.99.1
Scan saved at 12:44:16 AM, on 12/3/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKLM\..\Run: [MSConfigs] c:\autoback\svchost.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
[STEP 2] Remove Malicious Files:
C:\Program Files\NetMeeting\Down(0).EXE
C:\WINDOWS\SCVHOST.exe
c:\autoback\svchost.exe
[STEP 3] Report Back to us:
Logfile of HijackThis v1.99.1
Scan saved at 6:24:24 PM, on 12/3/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\idwlog.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
C:\WINDOWS\SCVHOST.exe
Once you have done that, please reboot and post a new HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 12:12:42 PM, on 12/4/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
[STEP 2] Report Back to us:
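Added example, not code from this thread or from HijackThis: a short Python script that applies the same triage the helper just did by hand to the log lines posted above. It flags start-up items and services whose executable is one edit away from a Windows process name (SCVHOST.exe, svchest.exe), services with no publisher whose binary is missing, and every O10 Winsock LSP line. It also goes one step past the thread with a constructed line (key [ctrl]) that catches a genuine system name running from outside System32. The SYSTEM_NAMES list and that constructed line are assumptions; every other sample line is copied from the logs above.

```python
"""Triage a HijackThis 1.99.x log for the patterns seen in this thread:
look-alike process names, publisher-less services whose binary is gone,
and Winsock LSP damage."""
import re

# Windows processes that malware likes to imitate. A start-up item or service
# whose executable is one edit away from one of these (SCVHOST.exe, svchest.exe)
# is reported as a look-alike. This list is an assumption, not from the thread.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services",
                "spoolsv", "explorer", "rundll32", "wuauclt"}
# Of those, the ones that legitimately live only in %WINDIR%\system32.
SYSTEM32_NAMES = SYSTEM_NAMES - {"explorer"}

# First executable name in a command line or service path.
EXE_RE = re.compile(r"([^\\/\s]+)\.exe\b", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<key>[^\]]*)\] )?(?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - "
                    r"(?P<owner>.+?) - (?P<path>.+)$")

# Sample input: O4/O10/O23 lines copied from the logs above in this thread,
# plus one constructed line (key [ctrl]) exercising the wrong-directory rule.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKLM\..\Run: [ctrl] C:\WINDOWS\system\svchost.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
"""


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters each cost 1 (so 'scvhost' -> 'svchost' is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def exe_stem(text):
    """Lower-cased base name (without .exe) of the first executable in text."""
    m = EXE_RE.search(text)
    return m.group(1).lower() if m else None


def lookalike(stem):
    """The system process a stem imitates, or None if it is exact or unrelated."""
    if stem is None or stem in SYSTEM_NAMES:
        return None
    for name in sorted(SYSTEM_NAMES):
        if osa_distance(stem, name) == 1:
            return name
    return None


def triage(log_text):
    """Return (log line, reason) pairs for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("O10 - "):
            findings.append((line, "Winsock LSP chain problem: " + line[6:]))
        svc = O23_RE.match(line)
        run = O4_RE.match(line)
        target = svc.group("path") if svc else (run.group("cmd") if run else None)
        if target is not None:
            stem = exe_stem(target)
            twin = lookalike(stem)
            if twin:
                findings.append((line, f"'{stem}.exe' is a look-alike of {twin}.exe"))
            # A real system binary launched from anywhere but System32 is just as suspicious.
            if stem in SYSTEM32_NAMES and "\\" in target and "\\system32\\" not in target.lower():
                findings.append((line, f"{stem}.exe is running from outside System32"))
        if svc and "(file missing)" in svc.group("path") and svc.group("owner") == "Unknown owner":
            findings.append((line, f"service '{svc.group('short')}' has no publisher and its binary is missing"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"[!] {why}\n    {entry}")
```

Run against the sample it reports exactly the five entries the helper singled out (the SCVHOST.exe Run key, both O10 lines, the Indexingbox and OESH services) plus the constructed [ctrl] line, and nothing from AVG, Google or the Bluetooth agent. The transposition-aware distance matters: plain Levenshtein would put SCVHOST two edits from svchost and miss it at a threshold of one.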
Logfile of HijackThis v1.99.1
Scan saved at 7:21:32 AM, on 12/5/2006
Platform: Windows XP SP2, v.2082 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2082)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CE\nmSvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\QuickenW\QWDLLS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\nmSvc.exe
O4 - HKLM\..\Run: [only23] C:\WINDOWS\SCVHOST.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QuickenW\BILLMIND.EXE
O4 - Global Startup: IDW Logging Tool.lnk = C:\WINDOWS\system32\idwlog.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QuickenW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Broken Internet access because of LSP provider 'cespy.dll' missing
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Indexing Helps (Indexingbox) - Unknown owner - %WINDIR%\system\svchest.exe (file missing)
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - C:\Program.exe (file missing)
I'm going to have to ask you not to reboot until you are instructed to.
Please run a scan with Housecall, Trend Micro's online virus scan. Make sure you choose to scan the whole computer for malware. When it's done scanning, please post the log it gives, along with a HijackThis log.
Do not reboot your computer yet.
I dunno. I've been resisting re-formatting and re-installing, hoping to learn a little something about fighting this stuff, but my resolve is weakening.
Incident Status Location
Adware:Adware/CWS.Searchmeup Not disinfected c:\windows\scvhost.exe
Adware:adware/startpage.cbx Not disinfected c:\windows\SCVHOST.EXE
Adware:Adware/CWS.Searchmeup Not disinfected C:\!KillBox\SCVHOST.EXE
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Inbox\Re:\New_MP3_Player.zip
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Inbox\Some questions
Virus:W32/Mydoom.N.worm Disinfected XXXXX1\Inbox\Returned mail: see transcript for details\XXXXX2.com.zip[XXXXX2.com]
Virus:W32/Mydoom.N.worm Disinfected XXXXX1\Inbox\Delivery reports about your e-mail\cmck@XXXXX2.com.zip[cmck@XXXXX2.com.html .pif]
Virus:W32/Mydoom.N.worm Disinfected XXXXX1\Inbox\report\XXXXX2.com.zip[XXXXX2.com.htm .pif]
Virus:W32/Netsky.Q.worm Disinfected XXXXX1\Inbox\Mail Delivery failure (cmck@XXXXX2.com)\message9436.pif
Virus:W32/Bagle.AB.worm Disinfected XXXXX1\Inbox\Re: Document\Information.com
Virus:W32/Netsky.Q.worm Disinfected XXXXX1\Inbox\Delivery Bot (cmck@XXXXX2.com)\data25261.zip[data.eml .scr]
Virus:W32/Mydoom.N.worm Disinfected XXXXX1\Inbox\cmck@XXXXX2.com\XXXXX2.com.zip[XXXXX2.com]
Virus:W32/Mydoom.N.worm Disinfected XXXXX1\Inbox\delivery failed\XXXXX2.com.zip[XXXXX2.com]
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Sent Items\FW: Warning: could not send message for past 4 hours\Scrolling
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Saved Mail\MSGS\Re: RE: [APGS] Intro: our vision
Virus:W32/Badtrans.B Disinfected XXXXX1\Saved Mail\MSGS\Re: RE: [APGS] Intro: our vision\FUN.MP3.pif
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Saved Mail\MSGS\[APGS] Post integrity
Virus:W32/Netsky.P.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: Request\all_in_all_cmck.zip[details.txt .pif]
Virus:W32/Netsky.Z.worm Disinfected XXXXX1\Saved Mail\Create rule\Document\Details.zip[Details.txt .exe]
Virus:W32/Netsky.P.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: Hello\summary2004.zip[data.rtf .scr]
Virus:W32/Netsky.P.worm Disinfected XXXXX1\Saved Mail\Create rule\I love you!\story.zip[data.rtf .scr]
Virus:W32/Netsky.W.worm Disinfected XXXXX1\Saved Mail\Create rule\approved\excel document_cmck.zip[doc.pif]
Virus:W32/Netsky.W.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: Re: document_all\document_cmck.zip[doc.pif]
Virus:W32/Netsky.W.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: my message\message_cmck.zip[your_details.scr]
Virus:W32/Netsky.W.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: word document\document_cmck.zip[your_details.scr]
Virus:W32/Netsky.W.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: important\message.zip[your_details.scr]
Virus:W32/Bagz.H.worm Disinfected XXXXX1\Saved Mail\Create rule\waiting\readme.zip[readme.doc .exe]
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: [Fwd: Lent]\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: (no subject)\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: Fw: Fw: FW: Pooh (fwd)\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: Wonderful Reminder Quiz\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: Fw: Fw: Get your tissues!!!!]\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: Fw: A Beautiful story\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: (no subject)\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: \Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: Fw: THE ROOM\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: Fw: Re: Count Your Blessings\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: (no subject)\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: \Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: about having a say in the election outcome\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Infected\Fwd: MAKE YOUR VOTE COUNT\Navidad.exe
Virus:W32/Hybris Disinfected XXXXX1\Infected\Snowhite and the Seven Dwarfs - The REAL story!\midgets.scr
Virus:VBS/VBSWG.J Disinfected XXXXX1\Infected\Here you have, ;o)\AnnaKournikova.jpg.vbs
Virus:W32/Magistr.B Disinfected XXXXX1\Infected\The client thread.\service.pif
Virus:W32/Sircam Disinfected XXXXX1\\Infected\ôøîéä àå÷èåáø\ATT00018.dat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\registro Salvador2\registro Salvador2.doc.lnk
Virus:W32/Sircam Disinfected XXXXX1\\Infected\ôøîéä àå÷èåáø\ .xls.bat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\Comentarios al fallo Errepar C\Comentarios al fallo Errepar C.doc.pif
Virus:W32/Sircam Disinfected XXXXX1\\Infected\car agreement\car agreement.doc.lnk
Virus:W32/Sircam Disinfected XXXXX1\\Infected\Member_data2\Member_data2.xls.bat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\pipe\pipe.zip.bat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\inbound manifest\ATT00008.dat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\2000 Projects\ATT00017.dat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\HS_UpdaterV1\HS_UpdaterV1.1.zip.pif
Virus:W32/Sircam Disinfected XXXXX1\\Infected\roberts\roberts.doc.bat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\Estate Planning\Estate Planning.doc.pif
Virus:W32/Sircam Disinfected XXXXX1\\Infected\HOMEOWNERS\ATT00011.dat
Virus:W32/Disemboweler Disinfected XXXXX1\\Infected\shapeType}{\sv 202}}{\sp{\sn fFlipH}{\sv \MSOOBE.EXE
Virus:W32/Disemboweler Disinfected XXXXX1\\Infected\before, You can look it \JSMENU.EXE
Virus:W32/Magistr.B Disinfected XXXXX1\\Infected\The precedence of binary\their.bat
Virus:W32/Disemboweler Disinfected XXXXX1\\Infected\laatste is voor mij \UNAXA.EXE
Virus:W32/Magistr.B Disinfected XXXXX1\\Infected\If you uninstall Home Publishing\after.com
Virus:W32/Magistr.B Disinfected XXXXX1\\Infected\[TRGPro_Users_Group] Q: Thin lines don't.\print.exe
Virus:W32/Disemboweler Disinfected XXXXX1\\Infected\à=!"# $ %\SETUP.EXE
Virus:W32/Magistr.B Disinfected XXXXX1\\Infected\” Stumbletown is an eclectic.\blending.pif
Hacktool:Exploit/iFrame Not disinfected XXXXX1\\Infected\Fw: ƒFƒFƒEuƒjƒZƒ`ƒg\ATT00004.htm
Virus:W32/Klez.I Disinfected XXXXX1\\Infected\Fw: ƒFƒFƒEuƒjƒZƒ`ƒg\play.pif
Virus:W32/Sircam Disinfected XXXXX1\\Infected\PTS richards front\PTS richards front.doc.lnk
Virus:W32/Netsky.P.worm Disinfected XXXXX1\\Infected\Re: Extended Mail\document_cmck.zip[document.txt .exe]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.com.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.did-it.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\LocalService\Cookies\system@did-it[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\LocalService\Cookies\system@go[1].txt
Potentially unwanted tool:Application/WindowHider.A Not disinfected C:\WINDOWS\IIS\Down(1).exe[svchost.exe]
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system\svchest.exe
Virus:Bck/Eggdrop.M Disinfected C:\WINDOWS\system32\regst.DLL
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: [Fwd: Lent]\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: (no subject)\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: Fw: Fw: FW: Pooh (fwd)\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: Wonderful Reminder Quiz\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: Fw: Fw: Get your tissues!!!!]\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: Fw: A Beautiful story\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: (no subject)\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: \Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: Fw: THE ROOM\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: Fw: Re: Count Your Blessings\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: (no subject)\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: \Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: about having a say in the election outcome\Navidad.exe
Virus:W32/Navidad Disinfected XXXXX1\Inbox\Infected\Fwd: MAKE YOUR VOTE COUNT\Navidad.exe
Virus:W32/Hybris Disinfected XXXXX1\Inbox\Infected\Snowhite and the Seven Dwarfs - The REAL story!\midgets.scr
Virus:VBS/VBSWG.J Disinfected XXXXX1\Inbox\Infected\Here you have, ;o)\AnnaKournikova.jpg.vbs
Virus:W32/Magistr.B Disinfected XXXXX1\Inbox\Infected\The client thread.\service.pif
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Inbox\Sindony\Ellen.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Inbox\Nathaniel\Joane.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Inbox\Dorothee\Christian.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Inbox\Christian\Dorothy.zip
Virus:Trj/Danmec.C Disinfected XXXXX1\Mailing Lists\X-Spam\Fraud report\Ordering information (Ref: 65316)\gje655.zip[qform.exe]
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Saved Mail\MSGS\Re: RE: [APGS] Intro: our vision
Virus:W32/Badtrans.B Disinfected XXXXX1\Saved Mail\MSGS\Re: RE: [APGS] Intro: our vision\FUN.MP3.pif
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Saved Mail\MSGS\[APGS] Post integrity
Virus:W32/Netsky.P.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: Bad Request\message.zip[details.txt .pif]
Virus:Trj/Downloader.ICT Disinfected XXXXX1\Saved Mail\Create rule\My Best Photo\Photo.zip[Photo/Photo.bmp]
Virus:W32/Mytob.P.worm Disinfected XXXXX1\Saved Mail\Create rule\hello\body.zip[body.txt .exe]
Virus:W32/Netsky.P.worm Disinfected XXXXX1\Saved Mail\Create rule\Spam\websitelist01.zip[data.rtf .scr]
Virus:W32/Netsky.P.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: Delivery Server\message.zip[details.txt .pif]
Virus:W32/Netsky.P.worm Disinfected XXXXX1\Saved Mail\Create rule\News\report01_cmck.zip[details.txt .pif]
Virus:W32/Netsky.P.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: Hi\my_details.zip[document.txt .exe]
Virus:W32/Netsky.P.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: hello\details_cmck.zip[document.txt .exe]
Virus:Bck/Breplibot.P Disinfected XXXXX1\Saved Mail\Create rule\Photo Approval Needed\article.zip[Photo and Article.exe]
Virus:Trj/Downloader.ICT Disinfected XXXXX1\Saved Mail\Create rule\My Best Photo\Photo.zip[Photo/Photo.bmp]
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Saved Mail\Create rule\Rose\Susanna.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Saved Mail\Create rule\Syndony\Martha.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Saved Mail\Create rule\Edwarde\Jeffrye.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Saved Mail\Create rule\Avis\Anna.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Saved Mail\Create rule\Annes\Edward.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Saved Mail\Create rule\Ales\Francis.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Saved Mail\Create rule\Michael\Avice.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Saved Mail\Create rule\Judithe\Edward.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Saved Mail\Create rule\Susanna\Margrett.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Saved Mail\Create rule\Isabell\Judithe.zip
Virus:W32/Netsky.P.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: approved\details.zip[details.txt .pif]
Virus:W32/Sircam Disinfected XXXXX1\\Infected\ôøîéä àå÷èåáø\ATT00018.dat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\registro Salvador2\registro Salvador2.doc.lnk
Virus:W32/Sircam Disinfected XXXXX1\\Infected\ôøîéä àå÷èåáø\ .xls.bat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\Comentarios al fallo Errepar C\Comentarios al fallo Errepar C.doc.pif
Virus:W32/Sircam Disinfected XXXXX1\\Infected\car agreement\car agreement.doc.lnk
Virus:W32/Sircam Disinfected XXXXX1\\Infected\Member_data2\Member_data2.xls.bat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\pipe\pipe.zip.bat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\inbound manifest\ATT00008.dat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\2000 Projects\ATT00017.dat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\HS_UpdaterV1\HS_UpdaterV1.1.zip.pif
Virus:W32/Sircam Disinfected XXXXX1\\Infected\roberts\roberts.doc.bat
Virus:W32/Sircam Disinfected XXXXX1\\Infected\Estate Planning\Estate Planning.doc.pif
Virus:W32/Sircam Disinfected XXXXX1\\Infected\HOMEOWNERS\ATT00011.dat
Virus:W32/Disemboweler Disinfected XXXXX1\\Infected\shapeType}{\sv 202}}{\sp{\sn fFlipH}{\sv \MSOOBE.EXE
Virus:W32/Disemboweler Disinfected XXXXX1\\Infected\before, You can look it \JSMENU.EXE
Virus:W32/Magistr.B Disinfected XXXXX1\\Infected\The precedence of binary\their.bat
Virus:W32/Disemboweler Disinfected XXXXX1\\Infected\laatste is voor mij \UNAXA.EXE
Virus:W32/Magistr.B Disinfected XXXXX1\\Infected\If you uninstall Home Publishing\after.com
Virus:W32/Magistr.B Disinfected XXXXX1\\Infected\[TRGPro_Users_Group] Q: Thin lines don't.\print.exe
Virus:W32/Disemboweler Disinfected XXXXX1\\Infected\à=!"# $ %\SETUP.EXE
Virus:W32/Magistr.B Disinfected XXXXX1\\Infected\” Stumbletown is an eclectic.\blending.pif
Hacktool:Exploit/iFrame Not disinfected XXXXX1\\Infected\Fw: ƒFƒFƒEuƒjƒZƒ`ƒg\ATT00004.htm
Virus:W32/Klez.I Disinfected XXXXX1\\Infected\Fw: ƒFƒFƒEuƒjƒZƒ`ƒg\play.pif
Virus:W32/Sircam Disinfected XXXXX1\\Infected\PTS richards front\PTS richards front.doc.lnk
Virus:W32/Netsky.P.worm Disinfected XXXXX1\\Infected\Re: Extended Mail\document_cmck.zip[document.txt .exe]
Incident Status Location
Adware:Adware/CWS.Searchmeup Not disinfected c:\windows\scvhost.exe
Adware:adware/startpage.cbx Not disinfected c:\windows\SCVHOST.EXE
Adware:Adware/CWS.Searchmeup Not disinfected C:\!KillBox\SCVHOST.EXE
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Inbox\Re:\New_MP3_Player.zip
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Inbox\Some questions
Virus:W32/Mydoom.N.worm Disinfected XXXXX1\Inbox\Returned mail: see transcript for details\XXXXX2.com.zip[XXXXX2.com]
Virus:W32/Mydoom.N.worm Disinfected XXXXX1\Inbox\Delivery reports about your e-mail\cmck@XXXXX2.com.zip[cmck@XXXXX2.com.html .pif]
Virus:W32/Mydoom.N.worm Disinfected XXXXX1\Inbox\report\XXXXX2.com.zip[XXXXX2.com.htm .pif]
Virus:W32/Netsky.Q.worm Disinfected XXXXX1\Inbox\Mail Delivery failure (cmck@XXXXX2.com)\message9436.pif
Virus:W32/Bagle.AB.worm Disinfected XXXXX1\Inbox\Re: Document\Information.com
Virus:W32/Netsky.Q.worm Disinfected XXXXX1\Inbox\Delivery Bot (cmck@XXXXX2.com)\data25261.zip[data.eml .scr]
Virus:W32/Mydoom.N.worm Disinfected XXXXX1\Inbox\cmck@XXXXX2.com\XXXXX2.com.zip[XXXXX2.com]
Virus:W32/Mydoom.N.worm Disinfected XXXXX1\Inbox\delivery failed\XXXXX2.com.zip[XXXXX2.com]
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Sent Items\FW: Warning: could not send message for past 4 hours\Scrolling
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Saved Mail\MSGS\Re: RE: [APGS] Intro: our vision
Virus:W32/Badtrans.B Disinfected XXXXX1\Saved Mail\MSGS\Re: RE: [APGS] Intro: our vision\FUN.MP3.pif
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Saved Mail\MSGS\[APGS] Post integrity
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.com.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.did-it.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\LocalService\Cookies\system@did-it[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\LocalService\Cookies\system@go[1].txt
Potentially unwanted tool:Application/WindowHider.A Not disinfected C:\WINDOWS\IIS\Down(1).exe[svchost.exe]
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system\svchest.exe
Virus:Bck/Eggdrop.M Disinfected C:\WINDOWS\system32\regst.DLL
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Inbox\Sindony\Ellen.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Inbox\Nathaniel\Joane.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Inbox\Dorothee\Christian.zip
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Inbox\Christian\Dorothy.zip
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Saved Mail\MSGS\Re: RE: [APGS] Intro: our vision
Virus:W32/Badtrans.B Disinfected XXXXX1\Saved Mail\MSGS\Re: RE: [APGS] Intro: our vision\FUN.MP3.pif
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Saved Mail\MSGS\[APGS] Post integrity
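Added example, not part of this thread and not any scanner's own tooling: a Python reader for the Incident / Status / Location report format posted above. It separates the files that are still on disk and not disinfected (the only items that keep the machine infected) from tracking cookies and from worm attachments sitting in the mail store, which are years-old history rather than the active infection. It assumes a location beginning with a drive letter is a disk file and that the XXXXX1\... locations are mail-store items; the sample lines are copied from the report above.

```python
"""Read an 'Incident / Status / Location' scan report like the one posted above
and separate what still matters for the live infection from archived mail history."""
import re
from collections import Counter

# One report line: "<kind>:<name> <Disinfected|Not disinfected> <location>".
LINE_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>\S+)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<loc>.+)$")
# A location that starts with a drive letter is a file on disk; anything else
# (the XXXXX1\... entries) is assumed here to be an item inside a mail store.
ON_DISK_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: a selection of lines copied from the report in this thread.
SAMPLE_REPORT = r"""
Incident Status Location
Adware:Adware/CWS.Searchmeup Not disinfected c:\windows\scvhost.exe
Adware:Adware/CWS.Searchmeup Not disinfected C:\!KillBox\SCVHOST.EXE
Virus:W32/Bagle.pwdzip Disinfected XXXXX1\Inbox\Re:\New_MP3_Player.zip
Hacktool:Exploit/iFrame Not disinfected XXXXX1\Inbox\Some questions
Virus:W32/Mydoom.N.worm Disinfected XXXXX1\Inbox\report\XXXXX2.com.zip[XXXXX2.com.htm .pif]
Virus:W32/Netsky.P.worm Disinfected XXXXX1\Saved Mail\Create rule\Re: Hello\summary2004.zip[data.rtf .scr]
Virus:W32/Sircam Disinfected XXXXX1\\Infected\car agreement\car agreement.doc.lnk
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Carole\Application Data\Mozilla\Firefox\Profiles\mnlkn7e1.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\LocalService\Cookies\system@go[1].txt
Potentially unwanted tool:Application/WindowHider.A Not disinfected C:\WINDOWS\IIS\Down(1).exe[svchost.exe]
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system\svchest.exe
Virus:Bck/Eggdrop.M Disinfected C:\WINDOWS\system32\regst.DLL
"""


def parse(line):
    """Parse one report line into a dict, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["on_disk"] = bool(ON_DISK_RE.match(rec["loc"]))
    rec["cookie"] = rec["name"].lower().startswith("cookie/")
    # Family name: 'W32/Netsky.P.worm' -> 'Netsky', 'Exploit/iFrame' -> 'iFrame'.
    rec["family"] = rec["name"].split("/")[-1].split(".")[0]
    if rec["cookie"]:
        rec["bucket"] = "cookie"
    elif not rec["on_disk"]:
        rec["bucket"] = "mail"
    elif rec["status"] == "Not disinfected":
        rec["bucket"] = "live"      # still on disk, still infected: remove by hand
    else:
        rec["bucket"] = "cleaned"
    return rec


def summarize(report):
    """Group a whole report into buckets and count mail-borne families."""
    recs = [r for r in map(parse, report.splitlines()) if r]
    out = {"live": [], "cleaned": [], "cookies": 0,
           "mail_unhandled": [], "mail_families": Counter()}
    for r in recs:
        if r["bucket"] == "live":
            out["live"].append(r["loc"])
        elif r["bucket"] == "cleaned":
            out["cleaned"].append(r["loc"])
        elif r["bucket"] == "cookie":
            out["cookies"] += 1
        else:
            out["mail_families"][r["family"]] += 1
            if r["status"] != "Disinfected":
                out["mail_unhandled"].append(r["loc"])
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print("Still on disk and not cleaned (deal with these first):")
    for loc in s["live"]:
        print("   ", loc)
    print("Cleaned on disk:", s["cleaned"])
    print("Tracking cookies:", s["cookies"])
    print("Old worm attachments in the mail store, by family:", dict(s["mail_families"]))
    print("Mail items the scanner could not clean:", s["mail_unhandled"])
```

On the sample the live bucket comes out to the same SCVHOST.exe and svchest.exe that HijackThis keeps showing, the WindowHider drop under C:\WINDOWS\IIS, and the copy under C:\!KillBox (presumably the backup the deletion tool kept). The Netsky, Mydoom, Bagle and Sircam hits are attachments in the mail store; they are worth purging, but they are not what keeps bringing the hijacker back.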