
Malware Problem

#1
IndianBubble
    Member
  • 42 posts
Hi,

I have been directed to post HJT log here, which is done below:

Logfile of HijackThis v1.99.1
Scan saved at 14:47:57, on 29/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\usrbridg.exe
C:\WINDOWS\System32\mxpsp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\CAP3RSK.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\CAP4RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\Program Files\Gigabyte\GN-WLMR101 11Mbps Wireless LAN for Windows\GN-Wake.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\PerSono\PersTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\JaiLaptop\My Documents\hj.com\HJ.com.exe
C:\WINDOWS\etb\pokapoka61.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Focalpoint.lnk = C:\FP\SWDIR\Fplogon.exe
O4 - Global Startup: GN-Wake.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\PersTray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EA901F9-FCD5-47D0-8C01-9D95DF7A3E6C}: NameServer = 203.122.63.152,203.122.63.154
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe

Msdirectx.sys is affected by Trojan horse Collected.5.L. I have tried deleting it a number of times but it keeps coming back. I am not able to run the programs. Pop-up blocker has vanished from the face of the IE window.

Please help!!

Bubble
  • 0

#2
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,675 posts
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe

O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe

O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe

Reboot into safe mode and delete:
C:\WINDOWS\System32\mxpsp.exe
C:\WINDOWS\System32\msmc.exe

Can you tell me which program this belongs to:
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
It could be anti-trojan software like ATS or PC_Doorguard. If so, leave it alone.

Another one that looks kind of suspicious:
C:\WINDOWS\etb\pokapoka61.exe
If you don't know what it is have it scanned here please:
http://virusscan.jotti.org/

Post back with a new HijackThis log when you are done please.

Regards,
  • 0

#3
IndianBubble
    Member
  • Topic Starter
  • 42 posts
Dear Pieter,

I did what all you had written.

I couldn't find C:\Windows\supervisor.exe on my computer. I had ATS loaded on my computer which I removed yesterday. Maybe the file belonged to that program, as suggested by you.

I scanned pokapoka61.exe and this is what I found:
Arcavir: Found Trojan.Rootkit.Etb
NOD32: Found a variant of WIN32/Adware.EliteBar Application
VBA32: Found Trojan.Startpage.8 (probable variant)

I also scanned pokapoka62.exe located in the same directory as 61 and it came up with:

Non-destructive malware has been found
Kaspersky Anti-virus: Found not a virus: Adware.Toolbar.EliteBar.com
NOD32: Found a variant of WIN32/Adware.EliteBar application

I could again see msdirectx.sys and it again showed that it is infected by Collected.5.L.

HJT log is given below:

Logfile of HijackThis v1.99.1
Scan saved at 17:02:42, on 29/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CAP3RSK.EXE
C:\WINDOWS\System32\CAP4RSK.EXE
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\Program Files\Gigabyte\GN-WLMR101 11Mbps Wireless LAN for Windows\GN-Wake.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\PerSono\PersTray.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\usrbridg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\JaiLaptop\My Documents\hj.com\HJ.com.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Focalpoint.lnk = C:\FP\SWDIR\Fplogon.exe
O4 - Global Startup: GN-Wake.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\PersTray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EA901F9-FCD5-47D0-8C01-9D95DF7A3E6C}: NameServer = 203.122.63.152,203.122.63.154
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe

Hope we get over with this soon.

Warm regards,

Bubble
  • 0
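The two logs above differ in more than the entries that were fixed: the search hijack moved from red.clientapp to searchmiracle.com and pokapoka61.exe was replaced by pokapoka62.exe with two new Run keys. As an added example (not part of this thread or of HijackThis), here is a small Python tool that parses HijackThis-style log lines, diffs two logs, and applies a simple triage heuristic; the sample logs, the `trusted_hosts` allow-list and the heuristic are assumptions of the example.

```python
"""Parse HijackThis v1.99 log text and diff two logs (added example)."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Entry = namedtuple("Entry", "section key value")

# Every HJT entry starts with a section tag: R0-R3, F0-F3, O1-O24.
_SECTION = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# O4 autostart: "<hive>\..\Run: [<name>] <command line>"
_O4 = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_entry(line):
    """Return an Entry for one HJT line, or None for header/process lines."""
    m = _SECTION.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    o = _O4.match(rest) if section == "O4" else None
    if o:  # key = registry location + autostart name, value = command line
        return Entry(section, f"{o['hive']} [{o['name']}]", o["cmd"])
    if " = " in rest:  # R0/R1 URLs, Global Startup .lnk targets
        key, _, value = rest.partition(" = ")
        return Entry(section, key, value)
    return Entry(section, rest, "")


def parse_hjt(text):
    """Parse a whole log into ({(section, key): Entry}, [running processes])."""
    entries, procs, in_procs = {}, [], False
    for line in text.splitlines():
        s = line.strip()
        if s == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if s and not _SECTION.match(s):
                procs.append(s)
                continue
            in_procs = False  # a blank line or the first entry ends the list
        e = parse_entry(s)
        if e:
            entries[(e.section, e.key)] = e
    return entries, procs


def diff_logs(old_text, new_text):
    """Entries removed, added or re-pointed between two logs, plus process churn."""
    old, old_procs = parse_hjt(old_text)
    new, new_procs = parse_hjt(new_text)
    return {
        "removed": [old[k] for k in sorted(old) if k not in new],
        "added": [new[k] for k in sorted(new) if k not in old],
        "changed": [(old[k], new[k]) for k in sorted(old)
                    if k in new and old[k].value != new[k].value],
        "procs_gone": sorted(set(old_procs) - set(new_procs)),
        "procs_new": sorted(set(new_procs) - set(old_procs)),
    }


def _exe_path(cmd):
    """Executable path from an O4 command line (quoted, or unquoted up to a switch)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return re.split(r" (?=[/-])", cmd, maxsplit=1)[0]


def flag_suspicious(entries, trusted_hosts):
    """Triage heuristic (an assumption of this example, not an HJT rule):
    autostarts that are bare file names or live under %WINDIR% outside
    System32, and R0/R1 URLs whose host is not on the caller's allow-list."""
    flags = []
    for e in entries.values():
        if e.section == "O4" and e.value:
            exe = _exe_path(e.value).lower()
            in_windir = exe.startswith("c:\\windows\\")
            in_sys32 = exe.startswith("c:\\windows\\system32\\")
            if "\\" not in exe or (in_windir and not in_sys32):
                flags.append(e)
        elif e.section in ("R0", "R1") and e.value.startswith("http"):
            if (urlparse(e.value).hostname or "") not in trusted_hosts:
                flags.append(e)
    return flags


# Constructed samples: a few lines taken from the thread's first and second logs.
LOG_1 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\mxpsp.exe
C:\WINDOWS\etb\pokapoka61.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""
LOG_2 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\etb\pokapoka62.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""
```

Running `diff_logs(LOG_1, LOG_2)` reports the msmc key as removed, the SystemService key as added, the Search Bar value as changed, and the process churn from pokapoka61 to pokapoka62; `flag_suspicious` on the second log flags the bare `mxpsp.exe`, the `C:\WINDOWS\etb` autostart and the searchmiracle.com search URL while leaving Skype and the geekstogo start page alone.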

#4
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,675 posts
*Click here to download Killbox by Option^Explicit.
*Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\System32\msdirectx.sys


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe

O4 - HKLM\..\Run: [SystemService] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe

O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe


Boot back to normal and copy the text below into Notepad. Save it as unlegacy.reg (set file type to "All Files").

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]

Double-click the file you made and confirm you want to merge it with the registry.
Then see if you can delete this folder and everything in it:
C:\WINDOWS\etb

Reboot once more and post a new HiJackThis log.

Regards,
  • 0

#5
IndianBubble
    Member
  • Topic Starter
  • 42 posts
Dear Pieter,

I did what all you told me to.

I was able to delete the folder:

C:\WINDOWS\etb

HJT log is given below:

Logfile of HijackThis v1.99.1
Scan saved at 18:17:01, on 29/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\CAP3RSK.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\CAP4RSK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Gigabyte\GN-WLMR101 11Mbps Wireless LAN for Windows\GN-Wake.exe
C:\Program Files\PerSono\PersTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\usrbridg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\JaiLaptop\My Documents\hj.com\HJ.com.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Focalpoint.lnk = C:\FP\SWDIR\Fplogon.exe
O4 - Global Startup: GN-Wake.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\PersTray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EA901F9-FCD5-47D0-8C01-9D95DF7A3E6C}: NameServer = 203.122.63.152,203.122.63.154
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe

Warm regards,

Bubble
  • 0

#6
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,675 posts
Your log looks good now. :tazz:

Is your computer behaving as well?

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,
  • 0

#7
IndianBubble
    Member
  • Topic Starter
  • 42 posts
Hi Pieter,

I went to check the msdirectx.sys file in the location where I had first discovered it and it was still there, and AVG gave me the signal for Collected.5.L being present. I deleted the file and rebooted and it was not there. Rebooted again and it was still not there.

I guess we are OK now :tazz:

Thanks, you have been a great help.

How do I get my pop-up blocker back? I was using the Yahoo! pop-up blocker; or do you suggest any other good blocker?

Which anti-adware/spyware program can I install to prevent such an occurrence?

Thanks again and yes I have book marked your site and shall take a look at it as I am sure it will be a lot of help and will have a lot to offer.

Warm regards,

Bubble
  • 0

#8
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,675 posts
The best free pop-up blocker I have encountered so far is the one in the Google Toolbar.

http://toolbar.google.com/

If you like the Yahoo one better, you will have to reinstall it, since that was destroyed by the infection you had.

Regards,
  • 0

#9
IndianBubble
    Member
  • Topic Starter
  • 42 posts
Hi,

I have had no problem since Saturday evening but this morning I had an alert from AVG that it had again detected Collected.5.L in the file listed below:

C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP79\A0015727.SYS

I believe it is a System Restore file and I had thought of deleting my restore points, but thought I should consult before I do anything silly.

The file is in quarantine at the moment.

The system also has been behaving erratically since the time I was alerted.

Please advise what to do?

Warm regards,

Bubble
  • 0

#10
Metallica
    Spyware Veteran
  • GeekU Moderator
  • 31,675 posts
You can clean out your System Restore files like this:

- Disable System Restore
- Reboot
- Re-enable System Restore

More info and screenshots:
http://service1.syma...src=sec_doc_nam

Your computer should not act strange because of the file in System Restore alone, unless AVG has now decided to scan that entire folder for some daft reason.

Feel free to post a HijackThis log before you decide to clean out System Restore.

Regards,
  • 0

#11
IndianBubble
    Member
  • Topic Starter
  • 42 posts
Hi Pieter,

I had thought about clearing my restore points but considered it wise to consult you.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 18:40:38, on 02/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\WINDOWS\System32\CAP3RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\System32\CAP4RSK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\Program Files\Gigabyte\GN-WLMR101 11Mbps Wireless LAN for Windows\GN-Wake.exe
C:\Program Files\PerSono\PersTray.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\usrbridg.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\STRES\P3270Srv.dll
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\1ASRV\TOOLS\PROS_32.EXE
C:\Pro4\CODE\tempo.exe
C:\STRES\Hllapild.dll
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\JaiLaptop\My Documents\hj.com\HJ.com.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Focalpoint.lnk = C:\FP\SWDIR\Fplogon.exe
O4 - Global Startup: GN-Wake.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\PersTray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EA901F9-FCD5-47D0-8C01-9D95DF7A3E6C}: NameServer = 203.122.63.152,203.122.63.154
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe

I will only clear the restore points after I hear from you about this log.

Warm regards,

Bubble

#12 Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
Some of these are very odd-looking in your running processes:

C:\STRES\P3270Srv.dll
C:\1ASRV\TOOLS\PROS_32.EXE
C:\Pro4\CODE\tempo.exe
C:\STRES\Hllapild.dll

Can you check when the folder C:\STRES was created?

Also do an online scan with Kaspersky WebScanner

Next, click on Launch Kaspersky Anti-Virus Web Scanner.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now, under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Regards,
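
The two triage steps in the reply above (eyeballing the HijackThis process list for images loading from odd folders, then reading a Kaspersky Web Scanner report) can be scripted. The Python below is an added example for this thread, not HijackThis or Kaspersky code and not something either poster ran. EXPECTED_ROOTS is an assumption about where legitimate Windows XP-era binaries normally live, and the two sample inputs are short constructed excerpts in the formats the thread shows.

```python
import re
from collections import defaultdict

# Assumption (not from the thread): on a Windows XP-era machine, legitimate
# processes almost always load from one of these roots. A path outside them
# is not proof of malware, only a prompt to ask what put it there and when.
EXPECTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)

# Constructed excerpt in HijackThis 1.99.1 format.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\STRES\P3270Srv.dll
C:\1ASRV\TOOLS\PROS_32.EXE
C:\Pro4\CODE\tempo.exe
C:\Documents and Settings\JaiLaptop\My Documents\hj.com\HJ.com.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
"""

# Constructed excerpt in Kaspersky Web Scanner report format. Kaspersky uses
# '/' to step inside archives and mailboxes, so the text before the first '/'
# is the file that actually exists on disk.
SAMPLE_KAV = r"""Infected Object Name - Virus Name
C:\Documents and Settings\JaiLaptop\Local Settings\Temp\~7768767768.tmp Infected: Trojan-Downloader.Win32.Siboco
C:\Documents and Settings\JaiLaptop\Local Settings\Temporary Internet Files\Content.IE5\WD4N4Z47\xpcmd[1].exe/dreese.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\Documents and Settings\JaiLaptop\Local Settings\Temporary Internet Files\Content.IE5\WD4N4Z47\xpcmd[1].exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 06:26 from Mail Delivery System:Mail delivery failed.eml/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 06:26 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 10:50 from Mail Delivery System:Mail delivery failed.eml/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
"""


def running_processes(hjt_log: str) -> list[str]:
    """Return the image paths listed under 'Running processes:' in a HJT log."""
    paths, in_block = [], False
    for line in hjt_log.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not stripped:        # the first blank line closes the block
                break
            paths.append(stripped)
    return paths


def unusual_processes(hjt_log: str) -> list[tuple[str, list[str]]]:
    """Flag processes outside EXPECTED_ROOTS or with a non-.exe image name.

    The second rule is a heuristic: a process list normally shows .exe images,
    so a .dll entry deserves the same 'what is this?' question as an odd folder.
    """
    flagged = []
    for path in running_processes(hjt_log):
        low = path.lower()
        reasons = []
        if not low.startswith(EXPECTED_ROOTS):
            reasons.append("outside expected roots")
        if not low.endswith(".exe"):
            reasons.append("non-.exe image name")
        if reasons:
            flagged.append((path, reasons))
    return flagged


KAV_LINE = re.compile(r"^(?P<obj>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")


def summarize_kav_report(report: str) -> list[dict]:
    """Collapse per-object detections onto the on-disk file that contains them.

    A long report is often a few files: a mailbox (.pst) holding dozens of
    worm attachments counts as one container, not dozens of infections.
    """
    per_file = defaultdict(lambda: {"hits": 0, "names": set()})
    for line in report.splitlines():
        m = KAV_LINE.match(line.strip())
        if not m:
            continue
        container = m.group("obj").split("/", 1)[0]
        per_file[container]["hits"] += 1
        per_file[container]["names"].add(m.group("name"))
    rows = [
        {
            "container": c,
            "kind": "mailbox" if c.lower().endswith(".pst") else "file",
            "hits": e["hits"],
            "names": sorted(e["names"]),
        }
        for c, e in per_file.items()
    ]
    rows.sort(key=lambda r: (-r["hits"], r["container"]))
    return rows


if __name__ == "__main__":
    for path, reasons in unusual_processes(SAMPLE_HJT):
        print(f"{path}  <- {', '.join(reasons)}")
    for row in summarize_kav_report(SAMPLE_KAV):
        print(f"{row['hits']:3d}  {row['kind']:7s}  {row['container']}  {row['names']}")
```

Note that the location heuristic also flags HijackThis itself when it is run from My Documents, which is the point: the script produces questions, and the analyst answers them (here the asker explains that C:\STRES and C:\1ASRV belong to airline reservation software). On the XP machine, `dir /t:c C:\` in a command prompt lists each top-level folder with its creation time, which answers the "when was C:\STRES created?" question directly. In the report summary, a .pst container with many hits means worm attachments sitting in stored mail; deleting those messages and compacting the mailbox removes them, and if the same messages appear under two different .pst paths the mailbox file has been copied and both copies need the same treatment.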

#13 IndianBubble (Member, Topic Starter, 42 posts)
I am sorry for taking this long to come back but the Internet was down here.

The odd-looking files that you mentioned are the programs that we run here. We are in the travel trade and these programs pertain to reservation links with the airlines. So you now have a contact if you are planning a visit to India.

I did the scanning and the results are pasted below:

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Wednesday, August 03, 2005 11:46:20
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/08/2005
Kaspersky Anti-Virus database records: 133478
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 38503
Number of viruses found: 16
Number of infected objects: 173
Number of suspicious objects: 26
Duration of the scan process: 2737 sec

Infected Object Name - Virus Name
C:\Documents and Settings\JaiLaptop\Local Settings\Temp\~7768767768.tmp Infected: Trojan-Downloader.Win32.Siboco
C:\Documents and Settings\JaiLaptop\Local Settings\Temporary Internet Files\Content.IE5\WD4N4Z47\xpcmd[1].exe/dreese.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\Documents and Settings\JaiLaptop\Local Settings\Temporary Internet Files\Content.IE5\WD4N4Z47\xpcmd[1].exe/setup.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\Documents and Settings\JaiLaptop\Local Settings\Temporary Internet Files\Content.IE5\WD4N4Z47\xpcmd[1].exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\Documents and Settings\JaiLaptop\My Documents\archive.pst/Archive Folders/Airline Mails/CZ/24 Jul 2003 06:22 from CHINA SOUTHERN AIRLINES:China Southern Ai.html Infected: Virus.JS.Fortnight.f
C:\Documents and Settings\JaiLaptop\My Documents\archive.pst/Archive Folders/Airline Mails/US Airways/22 Jul 2003 06:46 from Shankar (US Airways):Temporary Phone Numb.html Infected: Virus.JS.Fortnight.f
C:\Documents and Settings\JaiLaptop\My Documents\archive.pst/Archive Folders/Airline Mails/US Airways/23 Jul 2003 06:04 from Shankar (US Airways):SOTO FARE.html Infected: Virus.JS.Fortnight.f
C:\Documents and Settings\JaiLaptop\My Documents\archive.pst/Archive Folders/Airline Mails/Turkish Airlines/25 Nov 2003 04:52 from DEL TKSALES:Fwd. PAN No. to TK..html Infected: Virus.JS.Flea.b
C:\Documents and Settings\JaiLaptop\My Documents\archive.pst/Archive Folders/Galileo/15 Dec 2003 12:02 from Amit Arora:New Email I.D.html Infected: Virus.VBS.Redlof.a
C:\Documents and Settings\JaiLaptop\My Documents\archive.pst Infected: Virus.VBS.Redlof.a
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 06:26 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 15 Feb 2005 11:56:33 +0530]/UNNAMED/document_with_notice_thor.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 06:26 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 15 Feb 2005 11:56:33 +0530]/UNNAMED/document_with_notice_thor.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 06:26 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 15 Feb 2005 11:56:33 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 06:26 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 10:50 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Mon, 14 Feb 2005 16:14:35 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 10:50 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Mon, 14 Feb 2005 16:14:35 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 10:50 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Mon, 14 Feb 2005 16:14:35 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 10:50 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Mon, 14 Feb 2005 16:14:35 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 10:50 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 06:59 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Wed, 16 Feb 2005 07:59:21 +0100]/UNNAMED/message_details.pif Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 06:59 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Wed, 16 Feb 2005 07:59:21 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 06:59 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 13:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Wed, 16 Feb 2005 18:45:54 +0530]/UNNAMED/document.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 13:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Wed, 16 Feb 2005 18:45:54 +0530]/UNNAMED/document.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 13:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Wed, 16 Feb 2005 18:45:54 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 13:13 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 04:27 from Mail Delivery System:Mail delivery failed.eml/[From stblr@suntour.com][Date Thu, 17 Feb 2005 09:57:19 +0530]/UNNAMED/postcard.txt.pif Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 04:27 from Mail Delivery System:Mail delivery failed.eml/[From stblr@suntour.com][Date Thu, 17 Feb 2005 09:57:19 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 04:27 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 05:12 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Thu, 17 Feb 2005 10:41:56 +0530]/UNNAMED/guupd02.exe Infected: Email-Worm.Win32.Bagle.ay
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 05:12 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Thu, 17 Feb 2005 10:41:56 +0530]/UNNAMED Infected: Email-Worm.Win32.Bagle.ay
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 05:12 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.Bagle.ay
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 06:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 11:42:34 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 06:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 11:42:34 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 06:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 11:42:34 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 06:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 11:42:34 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 06:13 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 09:47 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 15:19:45 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 09:47 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 15:19:45 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 09:47 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 15:19:45 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 09:47 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 15:19:45 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 09:47 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/18 Feb 2005 05:26 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Fri, 18 Feb 2005 10:55:03 +0530]/UNNAMED/siupd02.scr Infected: Email-Worm.Win32.Bagle.ay
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/18 Feb 2005 05:26 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Fri, 18 Feb 2005 10:55:03 +0530]/UNNAMED Infected: Email-Worm.Win32.Bagle.ay
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/18 Feb 2005 05:26 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.Bagle.ay
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/19 Feb 2005 05:58 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Sat, 19 Feb 2005 11:27:20 +0530]/UNNAMED/Jol03.scr Infected: Email-Worm.Win32.Bagle.ay
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/19 Feb 2005 05:58 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Sat, 19 Feb 2005 11:27:20 +0530]/UNNAMED Infected: Email-Worm.Win32.Bagle.ay
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/19 Feb 2005 05:58 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.Bagle.ay
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/02 Mar 2005 04:46 from sonytravel@hotmail.com:Re: SMTP Server/document.zip/details.txt .pif Infected: Virus.Win32.FunLove.4070
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/02 Mar 2005 04:46 from sonytravel@hotmail.com:Re: SMTP Server/document.zip Infected: Virus.Win32.FunLove.4070
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 09:35 from fareast@sitaindia.com:Re: message/message_stblr.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 09:35 from fareast@sitaindia.com:Re: message/message_stblr.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 06:49 from Mail Delivery System:Mail delivery failed.eml/[From stblr@suntour.com][Date Tue, 1 Mar 2005 07:49:09 +0100]/UNNAMED/document_4351.pif Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 06:49 from Mail Delivery System:Mail delivery failed.eml/[From stblr@suntour.com][Date Tue, 1 Mar 2005 07:49:09 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 06:49 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 10:06 from 1e5.7d93543.2be0a2ac@aol.com:Stolen docum/document342_stnp.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 10:06 from 1e5.7d93543.2be0a2ac@aol.com:Stolen docum/document342_stnp.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 10:04 from andrew.bellew@parekhnet.com:Re: important/data.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 10:04 from andrew.bellew@parekhnet.com:Re: important/data.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 1 Mar 2005 18:46:01 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 1 Mar 2005 18:46:01 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 1 Mar 2005 18:46:01 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 1 Mar 2005 18:46:01 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:54 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:26 from Mail Delivery System:Your message could n.eml/[From stnp@suntour.com][Date Tue, 1 Mar 2005 18:43:52 +0530]/document_all.pif Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:26 from Mail Delivery System:Your message could n.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/02 Mar 2005 10:02 from kingswaytravel@yahoo.co.in::tazz:/Info.zip/plniins.exe Infected: Virus.Win32.Parite.b
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/02 Mar 2005 10:02 from kingswaytravel@yahoo.co.in:;)/Info.zip Infected: Virus.Win32.Parite.b
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/03 Mar 2005 08:54 from MAILER-DAEMON@jinn.spectranet.com:failure.eml/[From stnp@suntour.com][Date Thu, 3 Mar 2005 14:23:53 +0530]/UNNAMED/msg_skylink.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/03 Mar 2005 08:54 from MAILER-DAEMON@jinn.spectranet.com:failure.eml/[From stnp@suntour.com][Date Thu, 3 Mar 2005 14:23:53 +0530]/UNNAMED/msg_skylink.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/03 Mar 2005 08:54 from MAILER-DAEMON@jinn.spectranet.com:failure.eml/[From stnp@suntour.com][Date Thu, 3 Mar 2005 14:23:53 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/03 Mar 2005 08:54 from MAILER-DAEMON@jinn.spectranet.com:failure.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 06:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Sat, 5 Mar 2005 12:30:28 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 06:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Sat, 5 Mar 2005 12:30:28 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 06:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Sat, 5 Mar 2005 12:30:28 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 06:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Sat, 5 Mar 2005 12:30:28 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 06:54 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 08:38 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Sat, 5 Mar 2005 14:15:20 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 08:38 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Sat, 5 Mar 2005 14:15:20 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 08:38 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Sat, 5 Mar 2005 14:15:20 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 08:38 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Sat, 5 Mar 2005 14:15:20 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 08:38 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/08 Mar 2005 11:39 from anurag.a.vasisht@aexp.com:I love you!/photo.zip/document.txt .exe Infected: Virus.Win32.Parite.b
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/Deleted Items/08 Mar 2005 11:39 from anurag.a.vasisht@aexp.com:I love you!/photo.zip Infected: Virus.Win32.Parite.b
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst/Personal Folders/AVG Virus Vault/19 Feb 2005 10:58 from Mail Delivery Subsystem:Returned mail: se/19 Feb 2005 10:40 to homebasedworking@indiatimes.com:Mail Delive.html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\JaiLaptop\My Documents\outlook.pst Infected: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\archive.pst/Archive Folders/Airline Mails/CZ/24 Jul 2003 06:22 from CHINA SOUTHERN AIRLINES:China Southern Ai.html Infected: Virus.JS.Fortnight.f
C:\Program Files\Synaptics\SynTP\Media\archive.pst/Archive Folders/Airline Mails/US Airways/22 Jul 2003 06:46 from Shankar (US Airways):Temporary Phone Numb.html Infected: Virus.JS.Fortnight.f
C:\Program Files\Synaptics\SynTP\Media\archive.pst/Archive Folders/Airline Mails/US Airways/23 Jul 2003 06:04 from Shankar (US Airways):SOTO FARE.html Infected: Virus.JS.Fortnight.f
C:\Program Files\Synaptics\SynTP\Media\archive.pst/Archive Folders/Airline Mails/Turkish Airlines/25 Nov 2003 04:52 from DEL TKSALES:Fwd. PAN No. to TK..html Infected: Virus.JS.Flea.b
C:\Program Files\Synaptics\SynTP\Media\archive.pst/Archive Folders/Galileo/15 Dec 2003 12:02 from Amit Arora:New Email I.D.html Infected: Virus.VBS.Redlof.a
C:\Program Files\Synaptics\SynTP\Media\archive.pst Infected: Virus.VBS.Redlof.a
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 06:26 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 15 Feb 2005 11:56:33 +0530]/UNNAMED/document_with_notice_thor.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 06:26 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 15 Feb 2005 11:56:33 +0530]/UNNAMED/document_with_notice_thor.zip Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 06:26 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 15 Feb 2005 11:56:33 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 06:26 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 10:50 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Mon, 14 Feb 2005 16:14:35 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 10:50 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Mon, 14 Feb 2005 16:14:35 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 10:50 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Mon, 14 Feb 2005 16:14:35 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 10:50 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Mon, 14 Feb 2005 16:14:35 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/15 Feb 2005 10:50 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 06:59 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Wed, 16 Feb 2005 07:59:21 +0100]/UNNAMED/message_details.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 06:59 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Wed, 16 Feb 2005 07:59:21 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 06:59 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 13:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Wed, 16 Feb 2005 18:45:54 +0530]/UNNAMED/document.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 13:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Wed, 16 Feb 2005 18:45:54 +0530]/UNNAMED/document.zip Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 13:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Wed, 16 Feb 2005 18:45:54 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/16 Feb 2005 13:13 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 04:27 from Mail Delivery System:Mail delivery failed.eml/[From stblr@suntour.com][Date Thu, 17 Feb 2005 09:57:19 +0530]/UNNAMED/postcard.txt.pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 04:27 from Mail Delivery System:Mail delivery failed.eml/[From stblr@suntour.com][Date Thu, 17 Feb 2005 09:57:19 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 04:27 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 05:12 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Thu, 17 Feb 2005 10:41:56 +0530]/UNNAMED/guupd02.exe Infected: Email-Worm.Win32.Bagle.ay
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 05:12 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Thu, 17 Feb 2005 10:41:56 +0530]/UNNAMED Infected: Email-Worm.Win32.Bagle.ay
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 05:12 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.Bagle.ay
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 06:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 11:42:34 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 06:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 11:42:34 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 06:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 11:42:34 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 06:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 11:42:34 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 06:13 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 09:47 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 15:19:45 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 09:47 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 15:19:45 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 09:47 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 15:19:45 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 09:47 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 15:19:45 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 09:47 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/18 Feb 2005 05:26 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Fri, 18 Feb 2005 10:55:03 +0530]/UNNAMED/siupd02.scr Infected: Email-Worm.Win32.Bagle.ay
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/18 Feb 2005 05:26 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Fri, 18 Feb 2005 10:55:03 +0530]/UNNAMED Infected: Email-Worm.Win32.Bagle.ay
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/18 Feb 2005 05:26 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.Bagle.ay
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/19 Feb 2005 05:58 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Sat, 19 Feb 2005 11:27:20 +0530]/UNNAMED/Jol03.scr Infected: Email-Worm.Win32.Bagle.ay
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/19 Feb 2005 05:58 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Sat, 19 Feb 2005 11:27:20 +0530]/UNNAMED Infected: Email-Worm.Win32.Bagle.ay
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/19 Feb 2005 05:58 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.Bagle.ay
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/02 Mar 2005 04:46 from sonytravel@hotmail.com:Re: SMTP Server/document.zip/details.txt .pif Infected: Virus.Win32.FunLove.4070
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/02 Mar 2005 04:46 from sonytravel@hotmail.com:Re: SMTP Server/document.zip Infected: Virus.Win32.FunLove.4070
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 09:35 from fareast@sitaindia.com:Re: message/message_stblr.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 09:35 from fareast@sitaindia.com:Re: message/message_stblr.zip Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 06:49 from Mail Delivery System:Mail delivery failed.eml/[From stblr@suntour.com][Date Tue, 1 Mar 2005 07:49:09 +0100]/UNNAMED/document_4351.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 06:49 from Mail Delivery System:Mail delivery failed.eml/[From stblr@suntour.com][Date Tue, 1 Mar 2005 07:49:09 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 06:49 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 10:06 from 1e5.7d93543.2be0a2ac@aol.com:Stolen docum/document342_stnp.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 10:06 from 1e5.7d93543.2be0a2ac@aol.com:Stolen docum/document342_stnp.zip Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 10:04 from andrew.bellew@parekhnet.com:Re: important/data.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 10:04 from andrew.bellew@parekhnet.com:Re: important/data.zip Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 1 Mar 2005 18:46:01 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 1 Mar 2005 18:46:01 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 1 Mar 2005 18:46:01 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Tue, 1 Mar 2005 18:46:01 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:54 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:26 from Mail Delivery System:Your message could n.eml/[From stnp@suntour.com][Date Tue, 1 Mar 2005 18:43:52 +0530]/document_all.pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 13:26 from Mail Delivery System:Your message could n.eml Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/02 Mar 2005 10:02 from kingswaytravel@yahoo.co.in::)/Info.zip/plniins.exe Infected: Virus.Win32.Parite.b
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/02 Mar 2005 10:02 from kingswaytravel@yahoo.co.in::(/Info.zip Infected: Virus.Win32.Parite.b
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/03 Mar 2005 08:54 from MAILER-DAEMON@jinn.spectranet.com:failure.eml/[From stnp@suntour.com][Date Thu, 3 Mar 2005 14:23:53 +0530]/UNNAMED/msg_skylink.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/03 Mar 2005 08:54 from MAILER-DAEMON@jinn.spectranet.com:failure.eml/[From stnp@suntour.com][Date Thu, 3 Mar 2005 14:23:53 +0530]/UNNAMED/msg_skylink.zip Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/03 Mar 2005 08:54 from MAILER-DAEMON@jinn.spectranet.com:failure.eml/[From stnp@suntour.com][Date Thu, 3 Mar 2005 14:23:53 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/03 Mar 2005 08:54 from MAILER-DAEMON@jinn.spectranet.com:failure.eml Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 06:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Sat, 5 Mar 2005 12:30:28 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 06:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Sat, 5 Mar 2005 12:30:28 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 06:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Sat, 5 Mar 2005 12:30:28 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 06:54 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Sat, 5 Mar 2005 12:30:28 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 06:54 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 08:38 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Sat, 5 Mar 2005 14:15:20 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 08:38 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Sat, 5 Mar 2005 14:15:20 +0530]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 08:38 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Sat, 5 Mar 2005 14:15:20 +0530]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 08:38 from Mail Delivery System:Mail delivery failed.eml/[From stnp@suntour.com][Date Sat, 5 Mar 2005 14:15:20 +0530]/UNNAMED Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/05 Mar 2005 08:38 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/08 Mar 2005 11:39 from anurag.a.vasisht@aexp.com:I love you!/photo.zip/document.txt .exe Infected: Virus.Win32.Parite.b
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/08 Mar 2005 11:39 from anurag.a.vasisht@aexp.com:I love you!/photo.zip Infected: Virus.Win32.Parite.b
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/AVG Virus Vault/19 Feb 2005 10:58 from Mail Delivery Subsystem:Returned mail: se/19 Feb 2005 10:40 to homebasedworking@indiatimes.com:Mail Delive.html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst Infected: Exploit.HTML.Iframe.FileDownload
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP81\A0019411.exe Infected: Trojan-Clicker.Win32.Small.fw
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019769.exe/dreese.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019769.exe/setup.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019769.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019780.exe/dreese.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019780.exe/setup.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019780.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019781.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019783.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019784.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019802.exe/dreese.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019802.exe/setup.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019802.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019803.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019805.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019806.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019828.exe/dreese.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019828.exe/setup.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019828.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019829.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019831.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019832.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019865.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019866.exe Infected: Trojan.Win32.Small.i
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019871.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\WINDOWS\cmdxp.exe/dreese.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\WINDOWS\cmdxp.exe/setup.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\WINDOWS\cmdxp.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\WINDOWS\dreese.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\WINDOWS\setup.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\WINDOWS\system32\o Infected: Trojan-Downloader.BAT.Ftp.c

Scan process completed.

I am baffled by the results. Hope nothing serious is going on in here.

I haven't yet deleted my restore points!!

Shall wait to hear from you.

Warm regards,

Bubble
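The scan report above, read the way a responder would triage it (an added example, not part of the thread): each Kaspersky line is "<object> Infected: <name>" or "<object> Suspicious: <name>", and the object path uses "/" wherever the scanner descended into a container (a .pst, an .eml, a .zip). Splitting on the first "/" recovers the file that actually exists on disk, and the on-disk path tells you whether a hit is archived mail, a System Restore snapshot, or a live file. The sample lines are a constructed subset copied verbatim from the report; the function and variable names are this example's own. PowerShell 3 or later.

```powershell
# Added example, not part of the thread: triage a Kaspersky scan report by
# location so that archived hits (mailbox, restore points) are separated
# from files that are live on disk. Sample lines copied from the report above.
$sampleLog = @'
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 05:12 from Mail Delivery System:Mail delivery failed.eml/[From "Strp" <strp@suntour.com>][Date Thu, 17 Feb 2005 10:41:56 +0530]/UNNAMED/guupd02.exe Infected: Email-Worm.Win32.Bagle.ay
C:\Program Files\Synaptics\SynTP\Media\outlook.pst/Personal Folders/Deleted Items/17 Feb 2005 06:13 from Mail Delivery System:Mail delivery failed.eml/[From strp@suntour.com][Date Thu, 17 Feb 2005 11:42:34 +0530]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Synaptics\SynTP\Media\outlook.pst Infected: Exploit.HTML.Iframe.FileDownload
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP81\A0019411.exe Infected: Trojan-Clicker.Win32.Small.fw
C:\System Volume Information\_restore{C41F9EAB-83F6-4BC5-A88A-30ABF88CE043}\RP82\A0019865.exe Infected: Backdoor.Win32.Rbot.gen
C:\WINDOWS\cmdxp.exe/dreese.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\WINDOWS\cmdxp.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\WINDOWS\dreese.exe Infected: Trojan-Dropper.Win32.Agent.qz
C:\WINDOWS\setup.exe Infected: Trojan-Dropper.Win32.Agent.hn
C:\WINDOWS\system32\o Infected: Trojan-Downloader.BAT.Ftp.c

Scan process completed.
'@

function ConvertFrom-KavScanLine {
    param([string]$Line)
    # Report lines end in "<object> Infected: <name>" or "<object> Suspicious: <name>";
    # anything else (blank lines, "Scan process completed.") is skipped.
    if ($Line -match '^(?<obj>.+) (?<verdict>Infected|Suspicious): (?<name>\S+)$') {
        $obj     = $Matches.obj
        $verdict = $Matches.verdict
        $name    = $Matches.name
        # Windows paths never contain "/", so the first "/" is where the scanner
        # descended into a container; what precedes it is the real on-disk file.
        $file = $obj.Split('/')[0]
        # The -match below overwrites $Matches, hence the copies taken above.
        $location = if ($file -match '^[A-Za-z]:\\System Volume Information\\_restore\{') { 'restore-point' }
                    elseif ($file -match '\.(pst|ost)$') { 'mailbox' }
                    else { 'live' }
        [pscustomobject]@{ File = $file; Location = $location; Verdict = $verdict; Name = $name; Object = $obj }
    }
}

$records = $sampleLog -split "`r?`n" | ForEach-Object { ConvertFrom-KavScanLine $_ }

# Summary per location: how many detections, and how many distinct on-disk files.
$records | Group-Object Location | ForEach-Object {
    $files = @($_.Group.File | Sort-Object -Unique)
    '{0,-13} {1,2} detection(s) in {2} on-disk file(s)' -f $_.Name, $_.Count, $files.Count
}
''
'Live on-disk files (the only ones a delete-on-reboot tool needs to touch):'
$records | Where-Object Location -eq 'live' | Select-Object -ExpandProperty File | Sort-Object -Unique
```

On the sample above this prints three live files under C:\WINDOWS plus C:\WINDOWS\system32\o, two restore-point files and one mailbox file (outlook.pst, however many messages inside it were flagged). Mailbox and restore-point hits are inert until someone opens the message or rolls back to that restore point, so they are cleaned up by emptying Deleted Items and purging restore points rather than by deleting individual objects; the live list is what needs deleting now. Note that C:\WINDOWS\system32\o appears on the live list but not in the three-file Killbox list in the next reply.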

#14 Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
;) Tell your boss it might be handy to install a virus scanner on the mail server. :)

*Click here and download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\cmdxp.exe
C:\WINDOWS\dreese.exe
C:\WINDOWS\setup.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Let the computer reboot.

Then use the Disk Cleanup Utility to empty all your Temp folders.

Post a new HijackThis log when you are done.

Regards,

PS I like the idea of having a STRES folder for work-related programs :tazz:
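The "Delete on Reboot" step in the reply above, scripted (an added example; this is neither Killbox's code nor anything from the thread). Windows lets a process ask the session manager to delete or rename a file during the next boot, before any Run key or service starts: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and a null destination, which records the request under PendingFileRenameOperations. That is the mechanism delete-on-reboot tools rely on for files that are locked or re-created while the system is up; whether Killbox calls it in exactly this way is not stated in the thread. The three paths are the ones named in the reply; Get-FileHash needs PowerShell 4 or later, and the script must run from an elevated prompt.

```powershell
# Added example, not part of the thread: schedule the three dropper files for
# deletion at next boot, then read back what the session manager will do.
$targets = @(
    'C:\WINDOWS\cmdxp.exe',
    'C:\WINDOWS\dreese.exe',
    'C:\WINDOWS\setup.exe'
)

Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "Not present, skipping: $path"
        continue
    }
    # Record what is about to be destroyed: once the file is gone, the hash
    # and timestamps are the only evidence left of what was on the machine.
    $item   = Get-Item -LiteralPath $path -Force
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    '{0}  {1}  {2} bytes  created {3:u}' -f $sha256, $path, $item.Length, $item.CreationTimeUtc

    # A null destination means "delete at boot" rather than "rename at boot".
    $ok = [Win32.Kernel32]::MoveFileEx($path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Error "MoveFileEx failed for $path (Win32 error $err)"
    }
}

# Verify the queue the session manager processes at boot. The value is a
# REG_MULTI_SZ of pairs: source path, then destination; empty destination = delete.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$prop = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
$pending = if ($prop) { @($prop.PendingFileRenameOperations) } else { @() }
for ($i = 0; $i -lt $pending.Count; $i += 2) {
    $src = $pending[$i]
    $dst = $pending[$i + 1]
    if ([string]::IsNullOrEmpty($dst)) { "DELETE  $src" } else { "RENAME  $src -> $dst" }
}
```

The read-back prints sources in NT form (\??\C:\WINDOWS\cmdxp.exe). Anything listed there runs at boot regardless of which tool queued it, so the same read-back is a quick way to see whether some other program, including malware, has queued its own rename or delete. After the reboot, confirm the three paths are really gone and rescan; droppers of this kind are frequently accompanied by a copy in a different location.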

#15 IndianBubble (Topic Starter, Member, 42 posts)
Yes, I agree with you. Something needs to be done. But we all use standalone machines and our mail servers are maintained by some other organisation. We have no server as such in our organisation. Is there any way to still stop these parasites from entering the system?

I performed all the actions that you told me to, and the HJT log is pasted below:

Logfile of HijackThis v1.99.1
Scan saved at 14:42:39, on 03/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\CAP3RSK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\WINDOWS\System32\CAP4RSK.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Gigabyte\GN-WLMR101 11Mbps Wireless LAN for Windows\GN-Wake.exe
C:\Program Files\PerSono\PersTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\usrbridg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Documents and Settings\JaiLaptop\My Documents\hj.com\HJ.com.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\System32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Canon LBP3200 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4LAK.EXE
O4 - Global Startup: Focalpoint.lnk = C:\FP\SWDIR\Fplogon.exe
O4 - Global Startup: GN-Wake.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = C:\Program Files\PerSono\PersTray.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EA901F9-FCD5-47D0-8C01-9D95DF7A3E6C}: NameServer = 203.122.63.152,203.122.63.154
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IrBridge User-Level Interface (USRBRIDG) - Extended Systems, Inc. - C:\WINDOWS\system32\usrbridg.exe

And yes, we also joke that we are running STRES.

Warm regards,

Bubble