Winfixer won't leave me alone [RESOLVED]


  • This topic is locked

#16
fonzy

    Member

  • Topic Starter
  • 54 posts
Hi,

I have done the best I can with what you suggested. I couldn't find a file called "r?gsvr32.exe" only one named "regsvr32.exe". Also when I right clicked on DelDomains.inf and clicked install it kept saying that it was unsuccessful.

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 16:55:10, on 16/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://PP3:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122910406445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/d...onale_ver11.CAB
O16 - DPF: {E9472078-EBA7-4885-8768-80ACF6F94553} (ClientSetup.RunSetup) - http://www.screenpag...ClientSetup.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PARTYPIECES.CO.UK
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PARTYPIECES.CO.UK
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PARTYPIECES.CO.UK
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe

and the EWIDO scan report:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 16:33:28, 16/08/2005
+ Report-Checksum: B359D4DE

+ Scan result:

No infected objects found.


::Report End

#17
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi fonzy

Looks like all issues here have been taken care of!!!


Did you check all other user login profiles as to whether you have similar or any problems??

#18
fonzy

    Member

  • Topic Starter
  • 54 posts
Hi Tampabelle,

Unfortunately Winfixer2005 is still coming up under this login profile. This is the only other user profile.

Thanks

Fonzy

#19
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.

#20
fonzy

    Member

  • Topic Starter
  • 54 posts
It doesn't seem to work when I try and run an online scan. Is there a different one I can try at all?

Thanks

Fonzy

#21
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Fonzy,


There are three other online scans given in my signature at the bottom of this message. Please do a scan with any one of them.

In case none of them work, then download Firefox Mozilla Browser and install it.

Do an online scan at http://uk.trendmicro...call_launch.php

#22
fonzy

    Member

  • Topic Starter
  • 54 posts
Hi Tampabelle,

I did a scan with Kaspersky. Hope that's ok :tazz:

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 15:18:59, on 17/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://PP3:8080
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKCU\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122910406445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/d...onale_ver11.CAB
O16 - DPF: {E9472078-EBA7-4885-8768-80ACF6F94553} (ClientSetup.RunSetup) - http://www.screenpag...ClientSetup.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PARTYPIECES.CO.UK
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PARTYPIECES.CO.UK
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PARTYPIECES.CO.UK
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe



and the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, August 17, 2005 15:15:57
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/08/2005
Kaspersky Anti-Virus database records: 135620
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 40364
Number of viruses found: 11
Number of infected objects: 113
Number of suspicious objects: 17
Duration of the scan process: 1315 sec

Infected Object Name - Virus Name
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/21 Oct 2004 15:54 from eastenders@bbc.co.uk:Re: Hello/summary2004.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/21 Oct 2004 15:54 from eastenders@bbc.co.uk:Re: Hello/summary2004.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/20 Oct 2004 16:26 from sales@tierra-mallorca.com:Important/Informations.zip/Informations.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/20 Oct 2004 16:26 from sales@tierra-mallorca.com:Important/Informations.zip Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/20 Oct 2004 16:04 from cazhooper@hotmail.com:Do you?/d4334938_sales.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/20 Oct 2004 13:44 from neil.readyhoof@ntlworld.com:Re: Delivery /message_sales.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/20 Oct 2004 12:52 from 0027322930@mail6.hotchilli.net:Re: Here i/document_full.pif Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/20 Oct 2004 09:22 from p4philip@hotmail.com:Hi/Important.zip/Important.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/20 Oct 2004 09:22 from p4philip@hotmail.com:Hi/Important.zip Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 21:25 from enquiry@choice.co.uk:Re: approved/document.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 21:25 from enquiry@choice.co.uk:Re: approved/document.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 20:28 from 0002e8ce@spapp01.screenpages.net:Re: Re: /message_details.pif Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 20:03 from rthomson@aol.com:Unknown Exception (sales.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 20:03 from rthomson@aol.com:Unknown Exception (sales/message.pif Infected: Email-Worm.Win32.NetSky.r
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 19:28 from private.sales@angliaautotrader.co.uk:Re: /document09.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 18:50 from abuse@gov.us:Illegal Website/details.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 18:50 from abuse@gov.us:Illegal Website/details.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 18:48 from jimbodavis86@hotmail.com:Hi/Part-2.zip/Part-2.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 18:48 from jimbodavis86@hotmail.com:Hi/Part-2.zip Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 18:27 from silke.seibert@firstreisebuero-oppau.de:Hi/Bill.zip/Bill.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 18:27 from silke.seibert@firstreisebuero-oppau.de:Hi/Bill.zip Infected: Email-Worm.Win32.NetSky.aa
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 17:54 from example@msn.com:Re: Re: improved/information.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 17:54 from example@msn.com:Re: Re: improved/information.zip Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 17:26 from funemails2@mx19139.tt03.com:Delivery (sal/message6671.zip Infected: Email-Worm.Win32.NetSky.r
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 15:59 from denise@need1now.co.uk:Mail Delivery (fail.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 15:59 from denise@need1now.co.uk:Mail Delivery (fail/message.scr Infected: Email-Worm.Win32.NetSky.q
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 15:49 from john.coles@btinternet.com:delivery failed/letter.zip/letter.zip/letter.txt .exe Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 15:49 from john.coles@btinternet.com:delivery failed/letter.zip/letter.zip Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 15:49 from john.coles@btinternet.com:delivery failed/letter.zip Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Inbox/19 Oct 2004 12:34 from 000064f6@hotmail.com:Re: Your document/your_document.pif Infected: Email-Worm.Win32.NetSky.d
C:\Documents and Settings\sales\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Email-Worm.Win32.NetSky.d
C:\WINNT\system32\drivers\etc\hosts Infected: Trojan.Win32.Qhost
F:\QADATA\RPM\BACKUP.PST/Personal Folders/Inbox/12 Mar 2004 14:56 from sf@classic-line.ch:Re: Your letter/your_letter.pif Infected: Email-Worm.Win32.NetSky.d
F:\QADATA\RPM\BACKUP.PST/Personal Folders/Inbox/01 Mar 2004 14:06 from unsub-user@tradebroadcast.net:Re: Your pi/your_picture.pif Infected: Email-Worm.Win32.NetSky.d
F:\QADATA\RPM\BACKUP.PST/Personal Folders/Inbox/01 Mar 2004 13:47 from root@ask-raq01.ask-port.com:Re: My detail/my_details.pif Infected: Email-Worm.Win32.NetSky.d
F:\QADATA\RPM\BACKUP.PST/Personal Folders/Inbox/01 Mar 2004 12:30 from jerh48@yahoo.com:Re: Hello/your_picture.pif Infected: Email-Worm.Win32.NetSky.d
F:\QADATA\RPM\BACKUP.PST/Personal Folders/Inbox/01 Mar 2004 11:24 from rowenawardbarrow@hotmail.com:Re: Your tex/your_text.pif Infected: Email-Worm.Win32.NetSky.d
F:\QADATA\RPM\BACKUP.PST Infected: Email-Worm.Win32.NetSky.d
F:\QADATA\CRDATA\MESSAGE.SCR Infected: Email-Worm.Win32.NetSky.q
F:\QADATA\CRDATA\MESSAGE.PIF Infected: Email-Worm.Win32.NetSky.r

Scan process completed.

#23
tampabelle

Hi fonzy,

Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKCU\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Reboot the PC in Safe Mode.

Locate and delete the file - C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe


Reboot the PC in Normal Mode. Let me know how your PC is behaving !!!!


Also please note that Kaspersky has picked infections in the mails received by you and lying in your inbox. Most of the infections are in the attachments of the mails. You may seriously consider deleting the infected mails.

#24
fonzy

Hi Tampabelle,

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:10:09, on 18/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://PP3:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122910406445
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} (VacPro.internazionale_ver11) - http://advnt01.com/d...onale_ver11.CAB
O16 - DPF: {E9472078-EBA7-4885-8768-80ACF6F94553} (ClientSetup.RunSetup) - http://www.screenpag...ClientSetup.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PARTYPIECES.CO.UK
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PARTYPIECES.CO.UK
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PARTYPIECES.CO.UK
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: eTrust InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
O23 - Service: eTrust InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
O23 - Service: eTrust InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe

I couldn't find the file:

C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe

However, it looks like Winfixer has gone.

Thanks

Fonzy
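
The check described in posts #23 and #24, as an added example that is not part of the thread and not a HijackThis feature: it parses the O4 autorun lines of a HijackThis log, resolves each target path, and flags targets inside `Downloaded Program Files`. Treating that directory as suspect is an assumption generalised from the one entry fixed above, and `LOG_BEFORE` is constructed by adding that entry to O4 lines taken from the post-fix log.

```python
import re
from typing import List, NamedTuple, Optional

# Assumption: an autorun target inside the ActiveX download cache is suspect.
SUSPECT_DIRS = ("\\downloaded program files\\",)

O4_RE = re.compile(
    r"^O4 - (?P<source>[^:]+): "      # HKLM\..\Run, Global Startup, ...
    r"(?:\[(?P<name>[^\]]*)\] )?"       # [value name] on registry Run entries
    r"(?:(?P<lnk>.+?\.lnk) = )?"        # shortcut name on Startup-folder entries
    r"(?P<command>.+)$"
)
# Unquoted commands may contain spaces, so cut at the first executable extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.IGNORECASE)


class Autorun(NamedTuple):
    source: str
    name: Optional[str]
    target: str
    suspect: bool


def target_path(command: str) -> str:
    """Return the program path of an autorun command, without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end != -1 else command[1:]
    else:
        m = EXE_RE.match(command)
        path = m.group(1) if m else command.split()[0]
    # Collapse doubled separators (system32\\NeroCheck.exe), keeping a UNC prefix.
    return path[:2] + re.sub(r"\\{2,}", r"\\", path[2:])


def parse_o4(log_text: str) -> List[Autorun]:
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 line
        target = target_path(m.group("command"))
        suspect = any(d in target.lower() for d in SUSPECT_DIRS)
        entries.append(Autorun(m.group("source"), m.group("name") or m.group("lnk"),
                               target, suspect))
    return entries


def removed_between(before: List[Autorun], after: List[Autorun]) -> List[str]:
    """Targets that were autorun before the fix and are absent afterwards."""
    still_there = {e.target.lower() for e in after}
    return [e.target for e in before if e.target.lower() not in still_there]


# O4 lines copied from the log in post #24.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""
# Constructed: the same lines plus the entry that post #23 says to fix.
LOG_BEFORE = LOG_AFTER + r"""
O4 - HKCU\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe"
"""

if __name__ == "__main__":
    for entry in parse_o4(LOG_BEFORE):
        print("SUSPECT" if entry.suspect else "ok     ", entry.source, entry.target)
    print("removed by the fix:", removed_between(parse_o4(LOG_BEFORE), parse_o4(LOG_AFTER)))
```
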

#25
tampabelle

Hi Fonzy,

So you are not having any issues (Winfixer or any other) in any of your login profiles ???

#26
fonzy

Hi Tampabelle,

Winfixer has definitely gone and everything seems to be fine. Does it look ok to you?

Thanks

Fonzy

#27
tampabelle

Hi Fonzy,

CONGRATULATIONS !!!!!!!!!!! Your PC is clean now :tazz:



I would recommend the following steps to keep your PC clean –

PREVENTIVE MEASURES FOR FUTURE

Operating System
1. Keep Windows and Internet Explorer updated with the latest fixes. These fixes are available free from Microsoft. Click on Tools in the IE menu bar and then on Windows Update. You can also use the following links

Windows security and critical updates
Internet Explorer security and critical updates

Also ensure that automatic updates are enabled for faster updating of the system.
(Right click on My Computer on your desktop, Properties and Automatic Updates tab.)


Anti-Virus Software
2. Keep your Anti-virus program updated with the latest definitions. Some of the common anti-virus programs in use are :

Norton Anti-Virus
McAfee Anti-Virus
AVG Anti-Virus --- freeware
Avast Home Edition --- freeware

Use only one anti-virus program as multiple such programs can create conflicts between themselves and severely hamper the performance of your PC.


Firewall
3. You should also have a good firewall. Here are 3 free ones available for personal use:
Sygate Personal Firewall, Kerio Personal Firewall, ZoneAlarm


Internet Browsers
4. Have robust explorer settings. It is preferable to use an internet browser other than IE as most of the malware is targeted at IE. In case you prefer to use IE, then download a list of innocent looking but harmful websites from IE-SPYAD and install it on your PC. IE-SPYAD puts over 5000 sites in your Internet Explorer's restricted zone, so you'll be protected when you visit innocent-looking sites that aren't really innocent at all.

Some alternate browsers I suggest are Firefox Mozilla Browser and Opera

Ensure that the security level, whichever browser you use, is set at Medium or higher, and restrict the usage of cookies and ActiveX components.


Spyware Protection
5. Have a wall of protection against spyware / adware by installing SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs.
SpywareBlaster will prevent spyware from being installed and consumes no system resources.
SpywareGuard offers realtime protection from spyware installation and browser hijack attempts. Both have free ongoing updates.


Spyware Removers
6. Install programs for scanning for malware and uninstalling them. Two of the best programs, both are freeware, are :

Spybot Search & Destroy - A powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

AdAware SE Personal Edition - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.


Regular Maintenance of PC
7. Finally, invest some time for regular maintenance of your PC. Delete the temporary Internet files, temporary files, cookies etc. Click on Start button, Programs, Accessories, System Tools and run the program Disk Cleanup. Follow the instructions.

An alternate freeware software which can be used is CleanUp.

Keep your Registry clean. My favourite software is Registry First Aid. This is not a freeware but a trial version can be downloaded.


Go ahead and enjoy a clean PC !!!!!!!!!!!!!

#28
tampabelle

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.