winfixer/adware problems



#16
roberson

roberson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
C:\loscript\m logon script.bat is an MS-DOS Batch file that was created 1/16/2002

Should I nuke it?
  • 0



#17
Canoeingkidd

Canoeingkidd

    Malware Expert

  • Retired Staff
  • 148 posts

C:\loscript\m logon script.bat is an MS-DOS Batch file that was created 1/16/2002

Should I nuke it?


How about zipping it and whatever else is in the folder and sending it to me here.


Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Edited by Canoeingkidd, 18 August 2005 - 03:43 PM.

  • 0

#18
roberson

roberson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
L2Mfix 1.03c

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER




Logfile of HijackThis v1.99.1
Scan saved at 12:37:41 PM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINNT\system32\spxzip.exe
C:\WINNT\system32\spxzip.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p USB -pn "" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [spxzip] C:\WINNT\system32\spxzip.exe
O4 - HKCU\..\RunOnce: [spxzip] C:\WINNT\system32\spxzip.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: m drive.bat.lnk = C:\loscript\m logon script.bat
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MSSQLServer - Unknown owner - C:\MSSQL7\binn\sqlservr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SQLServerAgent - Unknown owner - C:\MSSQL7\binn\sqlagent.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#19
Canoeingkidd

Canoeingkidd

    Malware Expert

  • Retired Staff
  • 148 posts
Is that the entire L2mfix log? Did you get any errors while running it?

Edit: Reboot and run option #1 again and post that log.

Edited by Canoeingkidd, 17 August 2005 - 11:07 AM.

  • 0

#20
roberson

roberson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
L2MFIX find log 1.03c
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
atmtd.dll Sat Aug 13 2005 11:20:30p A.... 687,592 671.48 K
browseui.dll Sat Jun 18 2005 12:16:18a A.... 1,017,856 994.00 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
faxui.dll Wed Jul 13 2005 3:22:02a A.... 138,000 134.77 K
icm32.dll Wed Jun 29 2005 3:30:56a A.... 246,032 240.27 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
kerberos.dll Wed Jun 15 2005 12:22:48a A.... 208,144 203.27 K
mscms.dll Wed Jun 29 2005 3:30:56a A.... 69,904 68.27 K
mshtml.dll Mon Jul 18 2005 4:22:12p A.... 2,699,264 2.57 M
s32evnt1.dll Thu Jul 28 2005 2:52:18p A.... 91,856 89.70 K
shdocvw.dll Sat Jun 18 2005 12:15:18a A.... 1,338,368 1.27 M
shlwapi.dll Wed May 25 2005 10:14:58a A.... 408,576 399.00 K
spoolss.dll Wed Jul 13 2005 3:22:02a A.... 81,168 79.27 K
tapisrv.dll Sat Jul 2 2005 7:30:14a A.... 175,888 171.77 K
umpnpmgr.dll Wed Jun 29 2005 2:45:16a A.... 89,360 87.27 K
win32spl.dll Wed Jul 13 2005 3:22:02a A.... 88,848 86.77 K
wininet.dll Fri Jun 17 2005 11:49:00p A.... 574,976 561.50 K
wirelanb.dll Sat Aug 13 2005 11:45:30p A.... 417,792 408.00 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K

25 items found: 25 files, 0 directories.
Total of file sizes: 10,971,096 bytes 10.46 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is D05C-AF71

Directory of C:\WINNT\System32

08/17/2005 01:31p <DIR> DLLCACHE
08/08/2005 09:28a 401,408 ??anregw.exe
06/05/2003 10:26a 32 {C13CEE4F-F9F6-41FF-8F26-F314E45948BA}.dat
06/05/2003 10:25a 32 {179423FD-DA7F-408C-8B17-5B406273C026}.dat
06/05/2003 10:24a 32 {D00E7E94-7AF0-4226-B6C7-9FC394F3C832}.dat
06/05/2003 10:21a 32 {BA4E2572-35BF-487B-9BA8-AEA07ADB6EC8}.dat
06/05/2003 10:21a 32 {566D2E1D-8C5B-4F09-819A-E45CA4A497D2}.dat
06/05/2003 10:21a 32 {3A52CFF6-32B1-4E7A-B250-243ED3A8A06E}.dat
06/05/2003 10:19a 32 {02624135-A0EE-4970-AD64-945BDAB38F39}.dat
8 File(s) 401,632 bytes
1 Dir(s) 126,064,640 bytes free
  • 0

#21
Canoeingkidd

Canoeingkidd

    Malware Expert

  • Retired Staff
  • 148 posts
I think we got VX2 which is the heart of your problems.

Are you going to send me C:\loscript\m logon script.bat?


Update ewido:
  • Launch ewido by double-clicking the icon on your desktop.
  • The program will now go to the main screen.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Click on Start update.
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed close Ewido. Do not scan with it yet.

Go to "Start" > "Control Panel" > "Add or Remove Programs" and remove the following:
E2Give Browser Add On


Please run HijackThis, do a scan, and place a check next to the following items to be fixed (if present):

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [spxzip] C:\WINNT\system32\spxzip.exe
O4 - HKCU\..\RunOnce: [spxzip] C:\WINNT\system32\spxzip.exe
O4 - Global Startup: m drive.bat.lnk = C:\loscript\m logon script.bat


Close all browsers and windows except HijackThis and click "Fix checked".


Also, do you know where these came from? Point to factory.halcyon.net of course:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = factory.halcyon.net



Now reboot into Safe mode by tapping the F8 key while your computer starts up and selecting "Safe Mode" from the menu that appears. (You will not be able to access the internet while in Safe mode).

Folders and files with a tilde (~) and a number at the end mean that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name. If there is more than one, please report them back and do not delete!

Delete the file in bold (if present):
C:\WINNT\system32\spxzip.exe

Delete the folders in bold (if present):
C:\Program Files\E2G\
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\


Scan with Ewido trojan scanner:
  • Run Ewido.
  • Click on scanner.
  • Click Complete System Scan.
  • Let the program scan the machine.
  • When it finds a bad file, it will ask you what you want to do with it. You must make a selection before you continue scanning.
    • Ewido has been detecting false positives lately, so do not select "Perform action with all infections".
    • Unless it is a file you know to be legitimate, select remove and click OK.
    • If you know the file is legitimate, select none and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
    • Click Save report.
    • Save the report to your desktop.
Reboot back to normal mode and post a new HijackThis log and the new log from ewido.
  • 0
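
The O4 entries singled out in the post above can be triaged mechanically. The following is an added example, not part of the original thread and not code from HijackThis or L2mfix: it parses O4 autostart lines copied from the log posted earlier, groups them by target file, reports files registered in more than one autostart location, and lists the 8.3 short-name components (such as DOCUME~1) that must be resolved to one long name before anything is deleted. Treating multiple registrations as a triage signal is an assumption of this example, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [spxzip] C:\WINNT\system32\spxzip.exe
O4 - HKCU\..\RunOnce: [spxzip] C:\WINNT\system32\spxzip.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: m drive.bat.lnk = C:\loscript\m logon script.bat
"""

# Registry autostart form:  O4 - HKLM\..\Run: [name] command
REG_RE = re.compile(
    r'^O4 - (?P<loc>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Startup-folder form:      O4 - Global Startup: shortcut.lnk = target
DIR_RE = re.compile(
    r'^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$')
# Path up to the first executable-looking extension; arguments are dropped.
EXE_RE = re.compile(r'^(.*?\.(?:exe|dll|bat|cmd|com|scr))(?=\s|$)', re.IGNORECASE)
# One 8.3 short-name path component, e.g. DOCUME~1.
SHORT_RE = re.compile(r'^.{1,6}~\d+$')


def target_of(cmd):
    """Return the file an autostart command launches, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end]          # quoted path: take what is inside the quotes
        cmd = cmd.lstrip('"')          # unbalanced quote: fall back to the heuristic
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd    # unquoted paths may contain spaces


def parse_o4(log_text):
    """Parse O4 (autostart) lines; every other HijackThis section is ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = REG_RE.match(line) or DIR_RE.match(line)
        if not m:
            continue
        target = target_of(m.group('cmd'))
        entries.append({
            'location': m.group('loc'),
            'name': m.group('name'),
            'target': target,
            # Short names are ambiguous until matched to exactly one long name.
            'short_parts': [p for p in target.split('\\') if SHORT_RE.match(p)],
        })
    return entries


def repeated_targets(entries):
    """Map each target registered in 2+ autostart locations to those locations."""
    by_target = defaultdict(set)
    for e in entries:
        by_target[e['target'].lower()].add(e['location'])
    return {t: sorted(locs) for t, locs in by_target.items() if len(locs) > 1}


if __name__ == '__main__':
    parsed = parse_o4(SAMPLE_LOG)
    for target, locations in sorted(repeated_targets(parsed).items()):
        print(f'{target}\n    registered in: {", ".join(locations)}')
    for e in parsed:
        if e['short_parts']:
            print(f'{e["location"]}: resolve {e["short_parts"]} before deleting')
```

Every location printed for a target has to be fixed in the same pass; an entry left in one key is enough for the file to start again at the next logon.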

#22
roberson

roberson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
I had trouble zipping the C:\loscript\m logon script.bat file so I got frustrated and just deleted it. I am pretty sure it was a script that logged me in to a previous work server. I ran the script to see and it had the name of the work server. It is gone; however, it still shows up on the HJT scan. Also, the O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe keeps coming back on the HJT scan.


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:40:59 PM, 8/17/2005
+ Report-Checksum: A7C1D65B

+ Scan result:

C:\Documents and Settings\Administrator\COOKIES\charlie@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\COOKIES\charlie@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Administrator\DESKTOP\l2mfix\backup.zip/GJTUNAME.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\DESKTOP\l2mfix\backup.zip/il50_qc.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\DESKTOP\l2mfix\backup.zip/ksdgr1.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\DESKTOP\l2mfix\backup.zip/NJDLL.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\DESKTOP\l2mfix\backup.zip/ospdx32.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\DESKTOP\l2mfix\backup.zip/svvsvc.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\DESKTOP\l2mfix\backup.zip/wzaueng1.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\DESKTOP\l2mfix\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GLSJQVO1\ei[1].exe -> TrojanDownloader.Small.bgl : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MVSIEZA8\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050816-213458-655.dll -> Spyware.E2Give : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050816-215511-464.dll -> Spyware.E2Give : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050816-215724-834.dll -> Spyware.E2Give : Cleaned with backup
C:\Program Files\HijackThis\backups\backup-20050817-101210-738.dll -> Spyware.E2Give : Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\IECu3820.BUD/WINNT/Downloaded Program Files/ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\RECYCLER\NPROTECT\00085956.exe -> TrojanSpy.VB.eh : Cleaned with backup
C:\RECYCLER\S-1-5-21-2025429265-1383384898-1060284298-500\Dc1.exe -> TrojanSpy.VB.eh : Cleaned with backup
C:\WINNT\TEMP\b.com -> TrojanDropper.Agent.pb : Error during cleaning
C:\WINNT\TEMP\ei.exe -> TrojanDownloader.Small.bgl : Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 6:28:13 PM, on 8/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p USB -pn "" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: m drive.bat.lnk = C:\loscript\m logon script.bat
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MSSQLServer - Unknown owner - C:\MSSQL7\binn\sqlservr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SQLServerAgent - Unknown owner - C:\MSSQL7\binn\sqlagent.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by roberson, 17 August 2005 - 04:31 PM.

  • 0

#23
Canoeingkidd

    Malware Expert

  • Retired Staff
  • 148 posts
Looking better...

Run Killbox:
  • Double-click KillBox.exe to start KillBox.
  • Select the "Delete on Reboot" option.
  • Copy/paste the following file to the "Full Path of File to Delete" box:
    • C:\WINNT\TEMP\b.com
  • Click the red button with a white X on it.
  • At the prompt entitled "Delete on Reboot" select yes.
  • At the prompt entitled "Delete next Reboot" select no.
  • Copy/paste the following file to the "Full Path of File to Delete" box:
    • C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
  • Click the red button with a white X on it.
  • At the prompt entitled "Delete on Reboot" select yes.
  • At the prompt entitled "Delete next Reboot" select yes.
  • Your computer will reboot.
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually but please mention that you got it in your next reply.

Please run HijackThis, do a scan, and place a check next to the following items to be fixed:

O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - Global Startup: m drive.bat.lnk = C:\loscript\m logon script.bat


Close all browsers and windows except HijackThis and click "Fix checked".


Download Cleanup from Here (Alternate site if the above is not working Go Here)
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • Run Cleanup
  • Click on the "Cleanup" button and let it run.
  • Once it's done, close the program.
Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.

Post a new HijackThis log with the mwav log. Also, do you know why your computer is configured to use factory.halcyon.net as a DNS server?? ISP or work related maybe? It showed up halfway through our little battle here.
  • 0

#24
roberson

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
factory.halcyon.net is my previous job's network. I no longer need it and it can be deleted.


File C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe tagged as "not-a-virus:AdWare.MediaBack.e". Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Desktop\l2mfix\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
Object "Ebates MoneyMaker Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "BigTrafficNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CasinoClient Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CasinoClient Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CasinoClient Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "addestroyer Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "e2give Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "my way speedbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "prutect Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SurfSideKick Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "WebSearch Toolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SearchSeekFind Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SurfAccuracy Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CasinoClient Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "WeatherBug Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "HelpExpress Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "aurora Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0BAC5960-44C9-11D1-ABEC-00A0C9274B91}" refers to invalid object "M:\Crystal\craxddt.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0BAC5CF0-44C9-11D1-ABEC-00A0C9274B91}" refers to invalid object "M:\Crystal\craxddt.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BD4B4E61-F7B8-11D0-964D-00A0C9273C2A}" refers to invalid object "M:\Crystal\craxdui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C3B6AE45-16D1-11D2-9495-00A0247AF13D}" refers to invalid object "M:\macsql\Macole.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DC1A3B56-1655-11D2-9494-00A0247AF13D}" refers to invalid object "M:\macsql\Macole.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E3B2A734-054A-11D2-947B-00A0247AF13D}" refers to invalid object "M:\macsql\Macole.dll". Action Taken: No Action Taken.
File C:\WINNT\ttext.dll tagged as "not-a-virus:AdWare.ToolBar.ImiBar.g". Action Taken: No Action Taken.
File C:\WINNT\system32\InstallerV4.exe tagged as "not-a-virus:AdWare.SafeSurfing.o". Action Taken: No Action Taken.
File C:\WINNT\system32\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
File C:\WINNT\system32\wirelanb.dll tagged as "not-a-virus:AdWare.SafeSurfing.q ". Action Taken: No Action Taken.
File C:\WINNT\system32\ymwsv.dll.tcf tagged as "not-a-virus:AdWare.Adstart.c". Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\DESKTOP\l2mfix\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04FC3A7D infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05077D1D infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05117B13 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\051453BE infected by "Email-Worm.Win32.NetSky.d" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\052004CD infected by "Email-Worm.Win32.Mydoom.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\053602AC infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05432A9E infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0575486F infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05763174 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\057F4665 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\059F6A41 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05B7536F infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05EA401A infected by "Email-Worm.Win32.NetSky.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06467E5A infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06856DB8 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\069C139E infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06A43103 infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06A93B90 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06BC377A infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06CC28D7 infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06E922B7 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06EE01DA infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06F974A5 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0700489E infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\070A4693 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\070E5D1D infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\071801C8 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\071A4DAC infected by "Email-Worm.Win32.Mydoom.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07393528 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\075F43F8 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\076117BB infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07756548 infected by "Email-Worm.Win32.Mydoom.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\077F633D infected by "Email-Worm.Win32.Mydoom.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\078A6FA1 infected by "Email-Worm.Win32.NetSky.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\078D2095 infected by "Email-Worm.Win32.Tanatos.b.dam" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\079B017A infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07A11588 infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07A14FF2 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07AB137D infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07BD00F9 infected by "Email-Worm.Win32.Mydoom.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07C80D5D infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07D750DC infected by "Email-Worm.Win32.Mydoom.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07E6073C infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07EB4CC6 infected by "Email-Worm.Win32.Mydoom.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07EC5B35 infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07F90327 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07FD6D0E infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0800571F infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0805766D infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\081F0A41 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0826084F infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08290836 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\082B220B infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\082C147F infected by "Email-Worm.Win32.Mydoom.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\082E62D8 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\083436D1 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08395A25 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\083B5DA8 infected by "Email-Worm.Win32.NetSky.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\083E7810 infected by "Email-Worm.Win32.NetSky.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08415EC2 infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\084216F5 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0843581A infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\084A784C infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\084C14EA infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\085230B0 infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\085368E3 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08547642 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\085D66D8 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\085F11D0 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\087777E0 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\087E4BD9 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08841FD2 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\088D707F infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\088E1DC7 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\088F7DDB infected by "Trojan-Dropper.Win32.Small.is" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\089571C0 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\089E6FB5 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08A22B15 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08A543AE infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08AC17A7 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08AF41A3 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08B05307 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08B5159C infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08BC6995 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08C23D8E infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08C5031E infected by "Email-Worm.Win32.NetSky.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08CA22EA infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08CE3AD8 infected by "Email-Worm.Win32.NetSky.d" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08D30F7C infected by "Email-Worm.Win32.NetSky.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08D320DF infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08E10EE2 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08E148D1 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08EE70C2 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08F444BB infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08FE42B1 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09123E9B infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\091B3C90 infected by "Email-Worm.Win32.NetSky.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0921209F infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09253A85 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\092C0E7E infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\095213B5 infected by "Email-Worm.Win32.NetSky.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09554065 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09651253 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09790E3D infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\097D3586 infected by "Email-Worm.Win32.Bagle.ai" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09903424 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09A338EF infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09BA55F6 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09C93547 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09CA27E4 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09DB79D2 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09E821C3 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09F873B1 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09FD7B21 infected by "Email-Worm.Win32.Tanatos.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A051BA3 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A1824F1 infected by "Email-Worm.Win32.NetSky.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A1F6B86 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A283EFC infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A3274D4 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A3E7306 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A596CA9 infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A733C8C infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A8B6064 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A970A65 infected by "Email-Worm.Win32.NetSky.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0AAB064F infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0AB50444 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0AB61A68 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0ACB28C7 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0ACD281C infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0ACD714C infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0AD526BD infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0ADB7AB5 infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0AE578AB infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0AEF76A0 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B02728A infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B0C3CB9 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B0C707F infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B1D2C85 infected by "Email-Worm.Win32.Bagle.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B226E0B infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B2C6C00 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B4E0472 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B613422 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B7049C2 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B710610 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0BB15113 infected by "Email-Worm.Win32.Mydoom.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0BC649B3 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0BE44392 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C15395C infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C283547 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C355D38 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C3E1922 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C567226 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C632906 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C737AF4 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C7527E8 infected by "Email-Worm.Win32.NetSky.d" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C7A3F94 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C9774B4 infected by "Email-Worm.Win32.NetSky.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C9E1CC5 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CA37790 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CB01F82 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CB15AE9 infected by "Email-Worm.Win32.NetSky.b" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CB86CA9 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CBA1D77 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CD16DDF infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CD46D5A infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CE635D7 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CE95871 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CFB2140 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D1F6F18 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D287653 infected by "Email-Worm.Win32.Mydoom.a" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D296D0D infected by "Email-Worm.Win32.NetSky.r" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D2F4106 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D393EFB infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D4666ED infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D4E0771 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D530EDF infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D5D0CD4 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D6360CD infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D7009FA infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DA316E1 infected by "Email-Worm.Win32.Sobig.f" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DD17885 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DDA767A infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DE14A73 infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DEB4868 infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DEE10C1 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DF11C61 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DF8705A infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DFB552C infected by "Email-Worm.Win32.NetSky.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0DFB60BD infected by "Email-Worm.Win32.NetSky.aa" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E0C327F infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E191436 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E224D54 infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E393812 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E466003 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E5A1717 infected by "Email-Worm.Win32.NetSky.y" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E5A5BEE infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E602FE7 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E665DCF infected by "Email-Worm.Win32.Bagle.ai" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E6714F2 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E702031 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E742BD1 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E7A3AF3 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E7D4823 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E810EEC infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E847DBF infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E874618 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E8B0CE1 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E8E7BB4 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E9160DA infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0E981E04 infected by "Email-Worm.Win32.NetSky.q" Virus! Action Taken: No Action Taken
  • 0

#25
Canoeingkidd


    Malware Expert

  • Retired Staff
  • 148 posts
Please post a new HijackThis log also.
  • 0



#26
roberson


    Member

  • Topic Starter
  • Member
  • 22 posts
The end of the post must have been cut short due to length. The mwav scan found 3186 viruses but it looks like most were ones quarantined by Norton. Can I purge the quarantine? Here is the HJT log. Still seem to have the tools.exe and the logon script.bat. Computer seems to be symptom free.

Logfile of HijackThis v1.99.1
Scan saved at 2:30:16 PM, on 8/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p USB -pn "" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: m drive.bat.lnk = C:\loscript\m logon script.bat
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MSSQLServer - Unknown owner - C:\MSSQL7\binn\sqlservr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SQLServerAgent - Unknown owner - C:\MSSQL7\binn\sqlagent.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#27
Canoeingkidd


    Malware Expert

  • Retired Staff
  • 148 posts
Should be safe to purge Norton's quarantine. There weren't any files below the ones listed in quarantine, were there? You should be able to delete these files in safe mode... if you can't, let me know.

Reboot into Safe mode by tapping the F8 key while your computer starts up and selecting "Safe Mode" from the menu that appears. (You will not be able to access the internet while in Safe mode).

Make sure Internet Explorer is closed.

Folders and files with a tilde (~) and a number at the end mean that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name. If there is more than one, please report them back and do not delete!

Delete the files in bold:
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
C:\WINNT\ttext.dll
C:\WINNT\system32\InstallerV4.exe
C:\WINNT\system32\wirelanb.dll
C:\WINNT\system32\ymwsv.dll.tcf
C:\loscript\m logon script.bat
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\m drive.bat

Delete the folder in bold:
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\


Please run HijackThis, do a scan, and place a check next to the following items to be fixed:

O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - Global Startup: m drive.bat.lnk = C:\loscript\m logon script.bat
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = factory.halcyon.net


Close all browsers and windows except HijackThis and click "Fix checked".

Reboot normally to get back to normal mode.

Enter your control panel. Double click on Network Connections. Then right click on your default connection, usually local area connection for cable and DSL, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.

Please download SilentRunners Here by right clicking on the link and selecting Save As. Please save the .vbs file on your desktop and run it. When it finishes, it will open a screen saying it is done. After it tells you that it is done, please open the txt file that should be on your desktop and copy all its contents into a reply to this post.

Post a new HijackThis log with the SilentRunners log. Make sure it all gets posted. :tazz:

I am leaving on vacation tomorrow. If this isn't finished up today I'll try to find someone else willing to take over.

Edited by Canoeingkidd, 18 August 2005 - 01:33 PM.

  • 0

#28
Wizard


    Retired Staff

  • Retired Staff
  • 5,661 posts
Gotcha! :tazz:
  • 0

#29
roberson


    Member

  • Topic Starter
  • Member
  • 22 posts
"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"\tools.exe" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe" [file not found]
"aqad.exe" = "C:\WINNT\system\aqad.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"\tools.exe" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"PRPCMonitor" = "PRPCUI.exe" ["Intel Corporation"]
"RxUser" = "C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe" ["Dell Computer Corporation"]
"madexe" = "C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe" ["Motive Communications, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"(Default)" = (empty string)
"StatusClient" = "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto" ["Hewlett-Packard"]
"TomcatStartup" = "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" ["Hewlett-Packard"]
"HPLJ Config" = "C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p USB -pn "" -n 0 -l 1033 -sl 120000" ["Hewlett-Packard Inc."]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"SymTray - Norton SystemWorks" = "C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Spybot\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{969223c0-26aa-11d0-90ee-444553540000}" = "Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "pgpmn.dll" ["Network Associates Technology, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]


Default executables:
--------------------

.SCR: HKLM\SOFTWARE\Classes\AutoCADScript\shell\open\command\
INFECTION WARNING! "Default" = "C:\WINNT\NOTEPAD.EXE "%1"" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\My Documents\Images\1280X1024\sa_wkp2301_10.bmp"


Startup items in "Charlie" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"QuickBooks 2002 Delivery Agent" -> shortcut to: "C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe" [empty string]
"Wireless-B Notebook Adapter Utility" -> shortcut to: "C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe" ["The Linksys Group, Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"RUTASK" -> launches: "C:\WINNT\ru.exe" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"{F897AA24-BDC3-11D1-B85B-00C04FB93981}_NEWTON_Charlie" -> launches: "C:\WINNT\system32\MOBSYNC.EXE /Schedule="{F897AA24-BDC3-11D1-B85B-00C04FB93981}_NEWTON_Charlie"" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{79406F24-8E95-4AF8-9FEF-2EA2B504E707}\ = "BottomFrame Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\WINNT\ttext.dll" [file not found]

HKLM\Software\Classes\CLSID\{8F7D96AA-489A-4194-AB34-21EF42507932}\ = "LeftFrame Class"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINNT\ttext.dll" [file not found]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, ""C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"" ["Symantec Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINNT\system32\HPZipm12.exe" ["HP"]
Service Request Monitor, Service Request Monitor, "C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe" ["Dell Computer Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 148 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 23 seconds.
---------- (total run time: 204 seconds)




Logfile of HijackThis v1.99.1
Scan saved at 8:22:16 PM, on 8/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxUser.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1150_1300\SetConfig.exe -c Direct -p USB -pn "" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: MSSQLServer - Unknown owner - C:\MSSQL7\binn\sqlservr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SQLServerAgent - Unknown owner - C:\MSSQL7\binn\sqlagent.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
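The fix list from post #27 checked against the HijackThis log in post #29, as an added example that is not part of any post in this thread. The function names are hypothetical, and the two inputs are short excerpts copied from those posts rather than the full logs.

```python
import re

# A HijackThis entry is "<section code> - <details>", e.g. "O4 - HKLM\..\Run: [x] y".
# The log header and the "Running processes" list do not match this shape.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>\S.*)$")

# Excerpt: the entries post #27 asked to have checked and fixed.
REQUESTED_FIX = r"""
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.exe
O4 - Global Startup: m drive.bat.lnk = C:\loscript\m logon script.bat
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = factory.halcyon.net
"""

# Excerpt: a few lines of the log saved at 8:22:16 PM in post #29.
LATER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:22:16 PM, on 8/18/2005
Running processes:
C:\WINNT\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = factory.halcyon.net
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
"""


def parse_entries(log_text):
    """Map (section code, case-folded details) -> entry line for every entry found."""
    entries = {}
    for raw in log_text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace damaged by copy and paste
        match = ENTRY_RE.match(line)
        if match:
            # Windows paths and registry names are case-insensitive, so compare folded.
            key = (match.group("code"), match.group("body").casefold())
            entries[key] = line
    return entries


def check_fix(requested_text, later_log_text):
    """Split the requested entries into those gone from, and those still in, the later log."""
    requested = parse_entries(requested_text)
    later = parse_entries(later_log_text)
    removed = [line for key, line in requested.items() if key not in later]
    remaining = [line for key, line in requested.items() if key in later]
    return removed, remaining


def section_counts(lines):
    """Count entry lines per HijackThis section code (O2, O4, O17, ...)."""
    counts = {}
    for line in lines:
        code = line.split(" - ", 1)[0]
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    gone, still_there = check_fix(REQUESTED_FIX, LATER_LOG)
    print("Removed:", section_counts(gone))
    for entry in still_there:
        print("Still present:", entry)
```

On these excerpts the O2 and O4 entries are reported as removed, and the three O17 Domain entries are reported as still present in the 8:22:16 PM log.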

#30
Wizard


    Retired Staff

  • Retired Staff
  • 5,661 posts
Hey roberson,

I will help you along while CK is out for the weekend!

There are some seriously nasty and dangerous bugs in there!

We are gonna use an AV that is known as the best in the business!

The link below will provide you with exact Instructions as to how to perform the task!

I only ask that before you download the AV, that you disable Symantec from Msconfig!

This will prevent any conflicts that may make the system unstable!

You may also want to contact anyone on your mailing list as this is a mass mailing set of worms you have!

Here is the link for the AV, please follow the directions exactly as they are laid out!

http://www.bleepingc...rvs-t11662.html

Try to save a report, you may have to Copy & Paste the results to Notepad and Save them to your Desktop!

Post back with those results and a fresh HijackThis log once completed!
  • 0





