
Trojans on NT Server

#1 ·
I have a computer running NT Server (SP 6a) that is our company web server, mail server and ftp server. It recently was coming to a crawl and we tried removing the viruses / trojans, but they keep coming back.

We even put in a new hard drive and a fresh copy of NT Server, ran SP 6a, all the windows updates.

I just did all your 5 step process. Ad-Aware and Spybot found and fixed more troubles. I did 4 of the anti-virus scans (ca.com, pandasoftware.com, mcafee.com, symantec.com). I have Norton Antivirus running on the server and recently added AVG Anti-Virus as a test.

A few other things of importance:
1) We have this server re-boot itself 2X a day, so I'm sure the re-boot is the point where things kick in again.
2) While the server is up (normal and in safe mode), I am now getting frequent (after I open some files or directories or programs) Dr Watson crashes of explorer.exe with Exception number: c0000005 (access violation). It is not a crash all the way down to a re-boot, more like a re-login. A number of programs I have in the start-up launch again and end up running multiple times.

Here is my HijackThis log.

------------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:04:32 PM, on 9/9/06
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
F:\PROGRA~1\1STCLA~1\inetmail.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
F:\Program Files\Apache Group\Apache\Apache.exe
F:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\Apache Group\Apache\Apache.exe
C:\WINNT\System32\loadwc.exe
F:\PROGRA~1\NavNT\vptray.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\mookmail_quickmerge\Queued_E-Mail_Poller.EXE
F:\FTPServer\FTPServer.exe
F:\LaunchPad\lnchpd32.exe
C:\WINNT\System32\llssrv.exe
F:\Program Files\NavNT\rtvscan.exe
D:\Program Files\No Spam Today!\noSPAMtoday.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\RpcSs.exe
F:\Program Files\Simple DNS Plus\sdnsmain.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
F:\Program Files\Simple DNS Plus\sdnsgui.exe
C:\WINNT\System32\MsgSys.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Simple DNS Plus] F:\Program Files\Simple DNS Plus\sdnsplus.exe -s
O4 - HKLM\..\Run: [SvW NT4Logon] "F:\Program Files\SvW NT4Logon\SvW NT4Logon.exe" NoUserInput
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: Queued_E-Mail_Poller.EXE.lnk = F:\mookmail_quickmerge\Queued_E-Mail_Poller.EXE
O4 - Startup: Quick'n Easy FTP Server.lnk = F:\FTPServer\FTPServer.exe
O4 - Startup: Restore 'layout1.sl'.lnk = F:\Program Files\PACT Save Layout\sl.exe
O4 - Startup: lnchpd32.exe.lnk = F:\LaunchPad\lnchpd32.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4846/mcfscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 198.6.1.2 198.6.100.53
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 198.6.1.2 198.6.100.53
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: 1st Class Mail Server (1cms) - Unknown owner - F:\PROGRA~1\1STCLA~1\\inetmail.exe
O23 - Service: Apache Server (ApacheServer) - Unknown owner - F:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - F:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\Program Files\NavNT\rtvscan.exe
O23 - Service: No Spam Today! Service (NoSpamTodayService) - Unknown owner - D:\Program Files\No Spam Today!\noSPAMtoday.exe
O23 - Service: Network Gateway Manager (npx) - Unknown owner - C:\WINNT\csrsc.exe (file missing)
O23 - Service: Simple DNS Plus (sdnsplus) - JH Software - F:\Program Files\Simple DNS Plus\sdnsmain.exe

------------------------
1) Am I still infected? If yes, what do I do?
2) What do I do to prevent more infections?

Thank you SOOOOOOO much for your help. As you know, these problems can be a nightmare.
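Added example, not part of the original post and not HijackThis' own code: a small Python triage script for logs in the format shown above. It parses the O23 service entries, cross-checks each service image against the "Running processes" section, and ranks entries the way a helper reading this log would. A service whose file HijackThis reports missing, whose owner is unknown and whose image is not in the process list (the npx entry pointing at C:\WINNT\csrsc.exe above) ranks above an entry whose image is in fact running (the Apache entry, where the "(file missing)" is caused by the stray quote in the registered path). The sample log is a constructed subset of the log above, and the flag names, the priority scale and the "windows_root" heuristic are assumptions made for the example.

```python
import re

# Constructed sample: a handful of lines in the shape of the HijackThis v1.99.1
# log above (its "Running processes:" section and some O4/O23 entries).
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
F:\Program Files\Apache Group\Apache\Apache.exe
F:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\Simple DNS Plus\sdnsmain.exe
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\NavNT\vptray.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - F:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Apache Server (ApacheServer) - Unknown owner - F:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Network Gateway Manager (npx) - Unknown owner - C:\WINNT\csrsc.exe (file missing)
O23 - Service: Simple DNS Plus (sdnsplus) - JH Software - F:\Program Files\Simple DNS Plus\sdnsmain.exe
"""

# O23 line layout: "O23 - Service: <display> (<name>) - <owner> - <image [args] [(file missing)]>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<target>.+)$"
)
# Keeps the binary path only: drops a leading quote, service arguments and the
# "(file missing)" note that HijackThis appends.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|sys))', re.IGNORECASE)


def running_processes(log_text):
    """Return the lower-cased basenames listed under 'Running processes:'."""
    names = set()
    in_section = False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():          # blank line ends the section
                break
            names.add(line.strip().rsplit("\\", 1)[-1].lower())
    return names


def image_path(target):
    """Extract the image path from the O23 target field (quote/args/note stripped)."""
    m = EXE_RE.match(target.strip())
    return m.group("path") if m else target.strip()


def triage_services(log_text):
    """Flag O23 entries and rank them for manual review (heuristic, assumed scale)."""
    procs = running_processes(log_text)
    findings = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        path = image_path(m.group("target"))
        base = path.rsplit("\\", 1)[-1].lower()
        parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
        flags = []
        if m.group("target").endswith("(file missing)"):
            flags.append("file_missing")
        if m.group("owner") == "Unknown owner":
            flags.append("unknown_owner")
        # Assumed heuristic: a service image sitting directly in the Windows
        # directory root (not System32, not Program Files) is worth a look.
        if re.fullmatch(r"[a-z]:\\win(?:nt|dows)", parent):
            flags.append("windows_root")
        running = base in procs
        # A flagged entry whose image is actually running is usually a
        # path-quoting artefact (the Apache line), not a dead or hidden service.
        if flags and not running:
            priority = "high" if "file_missing" in flags else "medium"
        elif flags:
            priority = "low"
        else:
            priority = "none"
        findings.append({"name": m.group("name"), "image": base, "flags": flags,
                         "running": running, "priority": priority})
    return findings


if __name__ == "__main__":
    for finding in sorted(triage_services(SAMPLE_LOG), key=lambda f: f["priority"]):
        print(finding)
```

The cross-check against the process list is the part that matters: "(file missing)" on its own is noisy, as the Apache entry shows, but combined with an unknown owner and no matching running process it tells you which service registration to look at first.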
 
#2 ·
These are some of the files I removed during all the pre HijackThis posting procedures -- hope this helps:

mirc.ini
LAVAN.bat
KAHOL.bat
IpcScan.exe
iL.dbx
i
edit.BAT
ddt.exe
winlgon.exe
system32.exe
protect.bat
lock.bat
nero.exe
SA1i.msg
SA2i.msg
eraseme_36265.exe
explorers.exe
csrsc.ese
i.exe
i[1].exe
setup_14678.exe
zmtB0B.tmp
pptB0D.tmp
ngen.exe
sql-smss.exe
 
#3 ·
There was a new directory this morning buried deep with these in it:

0407-house-The_Tabledancers-Spring-Limited_Edition-Vinyl-2006.zoo
cmd.exe
cygcrypt-0.dll
cygwin1.dll
dbhelp.dll
dbmsson.dll
debugIRO.txt
debugSER.txt
firedaemon.exe
Infodll.state
Infodll.state~
system.dll
TZOLIBR.dll
get.exe

I killed the related processes, deleted these files, and also now installed TrojanHunter.

HELP!
 
#4 ·
Hello marktrubo and welcome,

Unfortunately, there is nothing readily apparent in this log and I can't remove what I cannot see. :smile: We'll run some tools and see if we can ferret out the malware.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Once the setup is complete you will need to run ewido and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware. Do not run a scan just yet; we will shortly.

-----------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

-----------------------------------

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions" **Please ensure it is set to Quarantine
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
**Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Also please run this online scan, to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

In your next reply, please include the following:

Ewido results
Kaspersky results
New HijackThis log
 
#6 ·
Hi mark,

As Ewido is compatible with NT systems, I originally thought you'd be able to run it on Windows NT 4... but, on second thought, as Ewido is based on Windows 2000, it likely won't run on yours. My apologies. :sayno:

Please continue with the remaining instructions.
 
#7 · (Edited by Moderator)
Both were run in normal mode, not safe mode. Ran the HJT after the scan was done.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 11, 2006 12:53:36 PM
Operating System: Microsoft Windows NT, Service Pack 6a (Build 1381)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/09/2006
Kaspersky Anti-Virus database records: 222410
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
M:\

Scan Statistics:
Total number of scanned objects: 96481
Number of viruses found: 16
Number of infected objects: 165 / 0
Number of suspicious objects: 12
Duration of the scan process: 02:10:36

Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 skipped
C:\WINNT\system32\scansql.exe Infected: not-a-virus:NetTool.Win32.SQLAccount.180 skipped
C:\WINNT\JET1.tmp Object is locked skipped
C:\WINNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01660000.VBN Infected: Trojan.BAT.NoShare.p skipped
C:\WINNT\Profiles\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\WINNT\Profiles\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\WINNT\Profiles\Administrator\ntuser.dat.LOG Object is locked skipped
C:\WINNT\Profiles\Administrator\Cookies\index.dat Object is locked skipped
C:\WINNT\Profiles\Administrator\History\History.IE5\index.dat Object is locked skipped
C:\WINNT\Profiles\Administrator\History\History.IE5\MSHist012006091120060912\index.dat Object is locked skipped
C:\WINNT\Profiles\Administrator\ntuser.dat Object is locked skipped
C:\WINNT\NETLOGON.CHG Object is locked skipped
C:\WINNT\~DFB884.tmp Object is locked skipped
C:\WINNT\SchedLog.Txt Object is locked skipped
C:\TEMP\~DFE725.tmp Object is locked skipped
D:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\XOutlook Express2\cleanup.log Object is locked skipped
D:\XOutlook Express2\Deleted Items.dbx/[From PayPal <service@paypal.com>][Date Mon, 11 Sep 2006 02:54:37 +0200]/UNNAMED/text Infected: Trojan-Spy.HTML.Paylap.jf skipped
D:\XOutlook Express2\Deleted Items.dbx/[From PayPal <service@paypal.com>][Date Mon, 11 Sep 2006 02:54:37 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.jf skipped
D:\XOutlook Express2\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped
D:\XOutlook Express2\Company4.dbx Object is locked skipped
D:\XOutlook Express2\Folders.dbx Object is locked skipped
D:\XOutlook Express2\Offline.dbx Object is locked skipped
D:\XOutlook Express2\Pop3uidl.dbx Object is locked skipped
D:\XOutlook Express2\Company2.dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2\Company2.dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2\Company2.dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.3 NO_REAL_NAME From: does not include a real name][Date Mon, 28 Aug 2006 09:42:10 -0500]/UNNAMED/id04009.txt Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.3 NO_REAL_NAME From: does not include a real name][Date Mon, 28 Aug 2006 09:42:10 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2\Company2.dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2\Company2.dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 5 Sep 2006 09:33:06 -0500]/UNNAMED/about_you_info.doc.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 5 Sep 2006 09:33:06 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From ccc@vallnet.com][Date Tue, 5 Sep 2006 09:33:14 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2\Company2.dbx/[From ccc@vallnet.com][Date Tue, 5 Sep 2006 09:33:14 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2\Company2.dbx/[From ccc@vallnet.com][Date Tue, 5 Sep 2006 09:33:14 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From ccc@vallnet.com][Date Tue, 5 Sep 2006 09:33:14 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:28 -0500]/UNNAMED/document05.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:28 -0500]/UNNAMED/document05.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:28 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:44 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:44 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:44 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:44 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx Mail MS Outlook 5: infected - 18, suspicious - 8 skipped
D:\XOutlook Express2_off_060904\at_2004.dbx/[From info@travelgrenada.com][Date Thu, 23 Dec 2004 23:33:08 GMT]/auto__mail.travelgrenada4682.TXT.zip/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i skipped
D:\XOutlook Express2_off_060904\at_2004.dbx/[From info@travelgrenada.com][Date Thu, 23 Dec 2004 23:33:08 GMT]/auto__mail.travelgrenada4682.TXT.zip Infected: Email-Worm.Win32.Sober.i skipped
D:\XOutlook Express2_off_060904\at_2004.dbx/[From re-mail_system@addynamix.com][Date Fri, 24 Dec 2004 00:40:36 UTC]/UNNAMED/addynamix_585.eml.zip/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i skipped
D:\XOutlook Express2_off_060904\at_2004.dbx/[From re-mail_system@addynamix.com][Date Fri, 24 Dec 2004 00:40:36 UTC]/UNNAMED/addynamix_585.eml.zip Infected: Email-Worm.Win32.Sober.i skipped
D:\XOutlook Express2_off_060904\at_2004.dbx/[From re-mail_system@addynamix.com][Date Fri, 24 Dec 2004 00:40:36 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.i skipped
D:\XOutlook Express2_off_060904\at_2004.dbx Mail MS Outlook 5: infected - 5 skipped
D:\XOutlook Express2_off_060904\at_2005.dbx/[From dougdouglass@webtv.net][Date Thu, 3 Nov 2005 07:58:21 -0600]/moonlight.scr Infected: Email-Worm.Win32.NetSky.c skipped
D:\XOutlook Express2_off_060904\at_2005.dbx/[From "Rebeca" <rebeca@artnet.com.br>][Date Fri, 04 Nov 2005 09:44:45 -0400]/Fish.scr Infected: Email-Worm.Win32.Bagle.ai skipped
D:\XOutlook Express2_off_060904\at_2005.dbx Mail MS Outlook 5: infected - 2 skipped
D:\XOutlook Express2_off_060904\dg_2005.dbx/[From "Raul Simmons" <EdC@compuserve.com>][Date Sun, 28 Aug 2005 01:13:34 +0800]/job.zip/payment.info .scr Infected: Net-Worm.Win32.Mytob.cq skipped
D:\XOutlook Express2_off_060904\dg_2005.dbx/[From "Raul Simmons" <EdC@compuserve.com>][Date Sun, 28 Aug 2005 01:13:34 +0800]/job.zip Infected: Net-Worm.Win32.Mytob.cq skipped
D:\XOutlook Express2_off_060904\dg_2005.dbx Mail MS Outlook 5: infected - 2 skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Tue, 30 Nov 2004 18:10:50 -0500]/UNNAMED/details03.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Tue, 30 Nov 2004 18:10:50 -0500]/UNNAMED/details03.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Tue, 30 Nov 2004 18:10:50 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jay@islandsuntimes.com][Date Tue, 30 Nov 2004 18:11:09 -0500]/UNNAMED/news01.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jay@islandsuntimes.com][Date Tue, 30 Nov 2004 18:11:09 -0500]/UNNAMED/news01.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jay@islandsuntimes.com][Date Tue, 30 Nov 2004 18:11:09 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@info][Date Wed, 1 Dec 2004 08:34:44 -0500]/UNNAMED/readme_info.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@info][Date Wed, 1 Dec 2004 08:34:44 -0500]/UNNAMED/readme_info.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@info][Date Wed, 1 Dec 2004 08:34:44 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From rashah@paypal.com][Date Wed, 1 Dec 2004 14:34:39 -0500]/UNNAMED/about_you.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From rashah@paypal.com][Date Wed, 1 Dec 2004 14:34:39 -0500]/UNNAMED/about_you.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From rashah@paypal.com][Date Wed, 1 Dec 2004 14:34:39 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -000546-3x@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:23:48 -0500]/UNNAMED/msg.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -000546-3x@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:23:48 -0500]/UNNAMED/msg.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -000546-3x@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:23:48 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From .archie@tropitan.biz][Date Wed, 1 Dec 2004 17:23:59 -0500]/UNNAMED/document_info.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From .archie@tropitan.biz][Date Wed, 1 Dec 2004 17:23:59 -0500]/UNNAMED/document_info.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From .archie@tropitan.biz][Date Wed, 1 Dec 2004 17:23:59 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:24:03 -0500]/UNNAMED/message_imso.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:24:03 -0500]/UNNAMED/message_imso.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:24:03 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -3r@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 18:53:05 -0500]/UNNAMED/message.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -3r@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 18:53:05 -0500]/UNNAMED/message.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -3r@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 18:53:05 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED/document_imso.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED/document_imso.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From postmaster@auvl.de][Date Wed, 1 Dec 2004 19:48:40 -0500]/UNNAMED/data.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From postmaster@auvl.de][Date Wed, 1 Dec 2004 19:48:40 -0500]/UNNAMED/data.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From postmaster@auvl.de][Date Wed, 1 Dec 2004 19:48:40 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From z@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 19:48:43 -0500]/UNNAMED/data.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From z@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 19:48:43 -0500]/UNNAMED/data.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From z@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 19:48:43 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From kathleen.a.rudolph@usps.org][Date Wed, 1 Dec 2004 20:26:14 -0500]/UNNAMED/report01_rebeca.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From kathleen.a.rudolph@usps.org][Date Wed, 1 Dec 2004 20:26:14 -0500]/UNNAMED/report01_rebeca.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From kathleen.a.rudolph@usps.org][Date Wed, 1 Dec 2004 20:26:14 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jaycin@comcast.net][Date Wed, 1 Dec 2004 20:26:26 -0500]/UNNAMED/letter43.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jaycin@comcast.net][Date Wed, 1 Dec 2004 20:26:26 -0500]/UNNAMED/letter43.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jaycin@comcast.net][Date Wed, 1 Dec 2004 20:26:26 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From o@giraffe.xyzdns.net][Date Fri, 3 Dec 2004 08:12:11 -0500]/UNNAMED/document.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From o@giraffe.xyzdns.net][Date Fri, 3 Dec 2004 08:12:11 -0500]/UNNAMED/document.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From o@giraffe.xyzdns.net][Date Fri, 3 Dec 2004 08:12:11 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From e-30@giraffe.xyzdns.net][Date Fri, 3 Dec 2004 10:13:14 -0500]/document.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From e-30@giraffe.xyzdns.net][Date Fri, 3 Dec 2004 10:13:14 -0500]/document.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mguilbert@earthlink.net][Date Fri, 3 Dec 2004 10:01:12 -0800]/UNNAMED/Data.zip/Data.txt .exe Infected: Email-Worm.Win32.NetSky.aa skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mguilbert@earthlink.net][Date Fri, 3 Dec 2004 10:01:12 -0800]/UNNAMED/Data.zip Infected: Email-Worm.Win32.NetSky.aa skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mguilbert@earthlink.net][Date Fri, 3 Dec 2004 10:01:12 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.aa skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From malebranchs@telcordia.com][Date Sat, 4 Dec 2004 12:13:55 -0500]/postcard.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From malebranchs@telcordia.com][Date Sat, 4 Dec 2004 12:13:55 -0500]/postcard.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mailer-daemon@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 09:24:23 -0500]/UNNAMED/document.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mailer-daemon@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 09:24:23 -0500]/UNNAMED/document.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mailer-daemon@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 09:24:23 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From john@gohelios.com][Date Mon, 6 Dec 2004 09:24:45 -0500]/UNNAMED/id09509_imso.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From john@gohelios.com][Date Mon, 6 Dec 2004 09:24:45 -0500]/UNNAMED/id09509_imso.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From john@gohelios.com][Date Mon, 6 Dec 2004 09:24:45 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From e1cn9ki-0005o5-iv@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:03:38 -0500]/UNNAMED/your_doc.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From e1cn9ki-0005o5-iv@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:03:38 -0500]/UNNAMED/your_doc.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From e1cn9ki-0005o5-iv@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:03:38 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -00007w-09@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:04:06 -0500]/UNNAMED/priv.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -00007w-09@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:04:06 -0500]/UNNAMED/priv.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -00007w-09@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:04:06 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From hucakrisda@hotmail.com][Date Mon, 6 Dec 2004 12:08:03 -0500]/UNNAMED/document_orders.exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From hucakrisda@hotmail.com][Date Mon, 6 Dec 2004 12:08:03 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@help][Date Mon, 6 Dec 2004 12:08:13 -0500]/UNNAMED/details.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@help][Date Mon, 6 Dec 2004 12:08:13 -0500]/UNNAMED/details.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@help][Date Mon, 6 Dec 2004 12:08:13 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From valerie1516@yahoo.com][Date Mon, 6 Dec 2004 12:08:17 -0500]/UNNAMED/details.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From valerie1516@yahoo.com][Date Mon, 6 Dec 2004 12:08:17 -0500]/UNNAMED/details.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From valerie1516@yahoo.com][Date Mon, 6 Dec 2004 12:08:17 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED/document_imso.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED/document_imso.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From abuse@gov.us][Date Tue, 7 Dec 2004 08:44:02 -0500]/UNNAMED/details.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From abuse@gov.us][Date Tue, 7 Dec 2004 08:44:02 -0500]/UNNAMED/details.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From abuse@gov.us][Date Tue, 7 Dec 2004 08:44:02 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From x@giraffe.xyzdns.net][Date Tue, 7 Dec 2004 08:44:16 -0500]/UNNAMED/websites01.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From x@giraffe.xyzdns.net][Date Tue, 7 Dec 2004 08:44:16 -0500]/UNNAMED/websites01.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From x@giraffe.xyzdns.net][Date Tue, 7 Dec 2004 08:44:16 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx Mail MS Outlook 5: infected - 78 skipped
D:\XOutlook Express2_off_060904\Mortgage_Direct-Gold (1).dbx/[From "Tyana" <tyana@direct-gold.com>][Date Tue, 11 May 2004 23:30:59 -0500]/UNNAMED/Loves_money.vbs Infected: Email-Worm.Win32.Bagle.z skipped
D:\XOutlook Express2_off_060904\Mortgage_Direct-Gold (1).dbx/[From "Tyana" <tyana@direct-gold.com>][Date Tue, 11 May 2004 23:30:59 -0500]/UNNAMED Infected: Email-Worm.Win32.Bagle.z skipped
D:\XOutlook Express2_off_060904\Mortgage_Direct-Gold (1).dbx Mail MS Outlook 5: infected - 2 skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 0.3 NO_REAL_NAME From: does not include a real name][Date Mon, 28 Aug 2006 09:42:10 -0500]/UNNAMED/id04009.txt Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 0.3 NO_REAL_NAME From: does not include a real name][Date Mon, 28 Aug 2006 09:42:10 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx Mail MS Outlook 5: infected - 9, suspicious - 4 skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx/[From <stay@treedimensions.co.nz>][Date Sun, 14 Nov 2004 14:48:46 +0200]/UNNAMED/creme_de_gruyere.zip/creme_de_gruyere.jpg .scr Infected: Email-Worm.Win32.Mabutu.a skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx/[From <stay@treedimensions.co.nz>][Date Sun, 14 Nov 2004 14:48:46 +0200]/UNNAMED/creme_de_gruyere.zip Infected: Email-Worm.Win32.Mabutu.a skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx/[From <stay@treedimensions.co.nz>][Date Sun, 14 Nov 2004 14:48:46 +0200]/UNNAMED Infected: Email-Worm.Win32.Mabutu.a skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx/[From imso@Company5.com][Date Thu, 3 Jun 2004 09:04:46 -0400]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx/[From imso@Company5.com][Date Thu, 3 Jun 2004 09:04:46 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx Mail MS Outlook 5: infected - 5 skipped
F:\FTPServer\back-up\ftpserver-v1.8-040119.zip/FTPServer.exe Infected: not-a-virus:Server-FTP.Win32.FileZilla.a skipped
F:\FTPServer\back-up\ftpserver-v1.8-040119.zip ZIP: infected - 1 skipped
F:\FTPServer\back-up\FTPServer.exe Infected: not-a-virus:Server-FTP.Win32.FileZilla.a skipped
F:\FTPServer\ftptrace.txt Object is locked skipped
F:\FTPServer\Old Servers & Logs\ftpserver-v1.8-040119.zip/FTPServer.exe Infected: not-a-virus:Server-FTP.Win32.FileZilla.a skipped
F:\FTPServer\Old Servers & Logs\ftpserver-v1.8-040119.zip ZIP: infected - 1 skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\general.mmb Object is locked skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\info.mmb Object is locked skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\mark.mmb/[From support@ebay.com][Date Mon, 7 Aug 2006 04:05:11 +0180]/html Infected: Trojan-Spy.HTML.Bayfraud.kx skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\mark.mmb Mail: infected - 1 skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\xx_general.mmb/[From "Automatic Email Delivery Software" <postmaster@Company1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\xx_general.mmb/[From "Automatic Email Delivery Software" <postmaster@Company1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\xx_general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\xx_general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\1st Class Mail Server\Comapny1.com\Store\xx_general.mmb Mail: infected - 4 skipped
F:\Program Files\1st Class Mail Server_ZZ\logfiles\1cislog09112006.txt Object is locked skipped
F:\Program Files\Apache Group\Apache\logs\access.log Object is locked skipped
F:\Program Files\Apache Group\Apache\logs\error.log Object is locked skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\general.mmb/[From "Automatic Email Delivery Software" <postmaster@Comapny1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\general.mmb/[From "Automatic Email Delivery Software" <postmaster@Company1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\general.mmb Mail: infected - 4 skipped
F:\Program Files\Copy of 1st Class Mail Server\Comapnay1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From support@ebay.com][Date Mon, 7 Aug 2006 04:05:11 +0180]/html Infected: Trojan-Spy.HTML.Bayfraud.kx skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb Mail: infected - 7 skipped
F:\Program Files\x1st Class Mail Server\Company1.com\Store\general.mmb/[From "Automatic Email Delivery Software" <postmaster@Company1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\x1st Class Mail Server\Company1.com\Store\general.mmb/[From "Automatic Email Delivery Software" <postmaster@Company1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\x1st Class Mail Server\Company1.com\Store\general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\x1st Class Mail Server\Company1.com\Store\general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\x1st Class Mail Server\Company1.com\Store\general.mmb Mail: infected - 4 skipped

Scan process completed.

=================

Logfile of HijackThis v1.99.1
Scan saved at 1:02:15 PM, on 9/11/06
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
F:\PROGRA~1\1STCLA~1\inetmail.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
F:\Program Files\Apache Group\Apache\Apache.exe
F:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\atiptaxx.exe
F:\Program Files\Apache Group\Apache\Apache.exe
F:\PROGRA~1\NavNT\vptray.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\TrojanHunter 4.6\THGuard.exe
F:\Program Files\RFA\rfagent.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\mookmail_quickmerge\Queued_E-Mail_Poller.EXE
F:\FTPServer\FTPServer.exe
F:\LaunchPad\lnchpd32.exe
F:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\RpcSs.exe
F:\Program Files\Simple DNS Plus\sdnsmain.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
F:\SysInternals\Process Explorer v6.03\procexp.exe
F:\Program Files\Simple DNS Plus\sdnsgui.exe
D:\Program Files\No Spam Today!\noSPAMtoday.exe
F:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\MsgSys.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Simple DNS Plus] F:\Program Files\Simple DNS Plus\sdnsplus.exe -s
O4 - HKLM\..\Run: [SvW NT4Logon] "F:\Program Files\SvW NT4Logon\SvW NT4Logon.exe" NoUserInput
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [rfagent] "F:\Program Files\RFA\rfagent.exe"
O4 - Startup: Queued_E-Mail_Poller.EXE.lnk = F:\mookmail_quickmerge\Queued_E-Mail_Poller.EXE
O4 - Startup: Quick'n Easy FTP Server.lnk = F:\FTPServer\FTPServer.exe
O4 - Startup: Restore 'layout1.sl'.lnk = F:\Program Files\PACT Save Layout\sl.exe
O4 - Startup: lnchpd32.exe.lnk = F:\LaunchPad\lnchpd32.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://www.msnbc.msn.com
O15 - Trusted Zone: http://www.techsupportforum.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4846/mcfscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 198.6.1.2 198.6.100.53
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 198.6.1.2 198.6.100.53
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 198.6.1.2 198.6.100.53
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: 1st Class Mail Server (1cms) - Unknown owner - F:\PROGRA~1\1STCLA~1\\inetmail.exe
O23 - Service: Apache Server (ApacheServer) - Unknown owner - F:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - F:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - F:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton SpeedDisk - Unknown owner - F:\PROGRA~1\NORTON~1\System\SDSRV.EXE
O23 - Service: No Spam Today! Service (NoSpamTodayService) - Unknown owner - D:\Program Files\No Spam Today!\noSPAMtoday.exe
O23 - Service: Simple DNS Plus (sdnsplus) - JH Software - F:\Program Files\Simple DNS Plus\sdnsmain.exe
 
#8 ·
Hi Mark,

As you can see by the Kaspersky results, you have a few e-mail worms. You're going to need to go into all these folders and delete the contents:

D:\XOutlook Express2\Company2.dbx
D:\XOutlook Express2_off_060904\at_2004.dbx
D:\XOutlook Express2_off_060904\Mook.dbx
D:\XOutlook Express2_off_060904\at_2005.dbx
D:\XOutlook Express2_off_060904\Company2 (1).dbx
D:\XOutlook Express2_off_060904\sw_2004.dbx
F:\Program Files\1st Class Mail Server\Company1.com\Store\mark.mmb
F:\Program Files\1st Class Mail Server\Company1.com\Store\xx_general.mmb

If you have e-mails that need to be saved, then you can look for the individual e-mails listed in the Kaspersky scan and delete them individually. (I've stripped the Kaspersky results for you):
D:\XOutlook Express2\Deleted Items.dbx/[From PayPal <service@paypal.com>][Date Mon, 11 Sep 2006 02:54:37 +0200]/UNNAMED/text Infected: Trojan-Spy.HTML.Paylap.jf skipped
D:\XOutlook Express2\Deleted Items.dbx/[From PayPal <service@paypal.com>][Date Mon, 11 Sep 2006 02:54:37 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.jf skipped
D:\XOutlook Express2\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped
D:\XOutlook Express2\Company2.dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.3 NO_REAL_NAME From: does not include a real name][Date Mon, 28 Aug 2006 09:42:10 -0500]/UNNAMED/id04009.txt Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.3 NO_REAL_NAME From: does not include a real name][Date Mon, 28 Aug 2006 09:42:10 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 5 Sep 2006 09:33:06 -0500]/UNNAMED/about_you_info.doc.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 5 Sep 2006 09:33:06 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From ccc@vallnet.com][Date Tue, 5 Sep 2006 09:33:14 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From ccc@vallnet.com][Date Tue, 5 Sep 2006 09:33:14 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:28 -0500]/UNNAMED/document05.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:28 -0500]/UNNAMED/document05.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:28 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:44 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Wed, 6 Sep 2006 09:21:44 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2\Company2.dbx Mail MS Outlook 5: infected - 18, suspicious - 8 skipped
D:\XOutlook Express2_off_060904\at_2004.dbx/[From info@travelgrenada.com][Date Thu, 23 Dec 2004 23:33:08 GMT]/auto__mail.travelgrenada4682.TXT.zip/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i skipped
D:\XOutlook Express2_off_060904\at_2004.dbx/[From info@travelgrenada.com][Date Thu, 23 Dec 2004 23:33:08 GMT]/auto__mail.travelgrenada4682.TXT.zip Infected: Email-Worm.Win32.Sober.i skipped
D:\XOutlook Express2_off_060904\at_2004.dbx/[From re-mail_system@addynamix.com][Date Fri, 24 Dec 2004 00:40:36 UTC]/UNNAMED/addynamix_585.eml.zip/message_text.txt .pif Infected: Email-Worm.Win32.Sober.i skipped
D:\XOutlook Express2_off_060904\at_2004.dbx/[From re-mail_system@addynamix.com][Date Fri, 24 Dec 2004 00:40:36 UTC]/UNNAMED/addynamix_585.eml.zip Infected: Email-Worm.Win32.Sober.i skipped
D:\XOutlook Express2_off_060904\at_2004.dbx/[From re-mail_system@addynamix.com][Date Fri, 24 Dec 2004 00:40:36 UTC]/UNNAMED Infected: Email-Worm.Win32.Sober.i skipped
D:\XOutlook Express2_off_060904\at_2004.dbx Mail MS Outlook 5: infected - 5 skipped
D:\XOutlook Express2_off_060904\at_2005.dbx/[From dougdouglass@webtv.net][Date Thu, 3 Nov 2005 07:58:21 -0600]/moonlight.scr Infected: Email-Worm.Win32.NetSky.c skipped
D:\XOutlook Express2_off_060904\at_2005.dbx/[From "Rebeca" <rebeca@artnet.com.br>][Date Fri, 04 Nov 2005 09:44:45 -0400]/Fish.scr Infected: Email-Worm.Win32.Bagle.ai skipped
D:\XOutlook Express2_off_060904\at_2005.dbx Mail MS Outlook 5: infected - 2 skipped
D:\XOutlook Express2_off_060904\dg_2005.dbx/[From "Raul Simmons" <EdC@compuserve.com>][Date Sun, 28 Aug 2005 01:13:34 +0800]/job.zip/payment.info .scr Infected: Net-Worm.Win32.Mytob.cq skipped
D:\XOutlook Express2_off_060904\dg_2005.dbx/[From "Raul Simmons" <EdC@compuserve.com>][Date Sun, 28 Aug 2005 01:13:34 +0800]/job.zip Infected: Net-Worm.Win32.Mytob.cq skipped
D:\XOutlook Express2_off_060904\dg_2005.dbx Mail MS Outlook 5: infected - 2 skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Tue, 30 Nov 2004 18:10:50 -0500]/UNNAMED/details03.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Tue, 30 Nov 2004 18:10:50 -0500]/UNNAMED/details03.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Tue, 30 Nov 2004 18:10:50 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jay@islandsuntimes.com][Date Tue, 30 Nov 2004 18:11:09 -0500]/UNNAMED/news01.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jay@islandsuntimes.com][Date Tue, 30 Nov 2004 18:11:09 -0500]/UNNAMED/news01.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jay@islandsuntimes.com][Date Tue, 30 Nov 2004 18:11:09 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@info][Date Wed, 1 Dec 2004 08:34:44 -0500]/UNNAMED/readme_info.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@info][Date Wed, 1 Dec 2004 08:34:44 -0500]/UNNAMED/readme_info.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@info][Date Wed, 1 Dec 2004 08:34:44 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From rashah@paypal.com][Date Wed, 1 Dec 2004 14:34:39 -0500]/UNNAMED/about_you.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From rashah@paypal.com][Date Wed, 1 Dec 2004 14:34:39 -0500]/UNNAMED/about_you.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From rashah@paypal.com][Date Wed, 1 Dec 2004 14:34:39 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -000546-3x@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:23:48 -0500]/UNNAMED/msg.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -000546-3x@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:23:48 -0500]/UNNAMED/msg.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -000546-3x@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:23:48 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From .archie@tropitan.biz][Date Wed, 1 Dec 2004 17:23:59 -0500]/UNNAMED/document_info.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From .archie@tropitan.biz][Date Wed, 1 Dec 2004 17:23:59 -0500]/UNNAMED/document_info.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From .archie@tropitan.biz][Date Wed, 1 Dec 2004 17:23:59 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:24:03 -0500]/UNNAMED/message_imso.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:24:03 -0500]/UNNAMED/message_imso.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -67@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 17:24:03 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -3r@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 18:53:05 -0500]/UNNAMED/message.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -3r@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 18:53:05 -0500]/UNNAMED/message.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -3r@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 18:53:05 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED/document_imso.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED/document_imso.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From postmaster@auvl.de][Date Wed, 1 Dec 2004 19:48:40 -0500]/UNNAMED/data.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From postmaster@auvl.de][Date Wed, 1 Dec 2004 19:48:40 -0500]/UNNAMED/data.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From postmaster@auvl.de][Date Wed, 1 Dec 2004 19:48:40 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From z@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 19:48:43 -0500]/UNNAMED/data.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From z@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 19:48:43 -0500]/UNNAMED/data.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From z@giraffe.xyzdns.net][Date Wed, 1 Dec 2004 19:48:43 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From kathleen.a.rudolph@usps.org][Date Wed, 1 Dec 2004 20:26:14 -0500]/UNNAMED/report01_rebeca.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From kathleen.a.rudolph@usps.org][Date Wed, 1 Dec 2004 20:26:14 -0500]/UNNAMED/report01_rebeca.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From kathleen.a.rudolph@usps.org][Date Wed, 1 Dec 2004 20:26:14 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jaycin@comcast.net][Date Wed, 1 Dec 2004 20:26:26 -0500]/UNNAMED/letter43.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jaycin@comcast.net][Date Wed, 1 Dec 2004 20:26:26 -0500]/UNNAMED/letter43.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From jaycin@comcast.net][Date Wed, 1 Dec 2004 20:26:26 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From o@giraffe.xyzdns.net][Date Fri, 3 Dec 2004 08:12:11 -0500]/UNNAMED/document.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From o@giraffe.xyzdns.net][Date Fri, 3 Dec 2004 08:12:11 -0500]/UNNAMED/document.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From o@giraffe.xyzdns.net][Date Fri, 3 Dec 2004 08:12:11 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From e-30@giraffe.xyzdns.net][Date Fri, 3 Dec 2004 10:13:14 -0500]/document.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From e-30@giraffe.xyzdns.net][Date Fri, 3 Dec 2004 10:13:14 -0500]/document.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mguilbert@earthlink.net][Date Fri, 3 Dec 2004 10:01:12 -0800]/UNNAMED/Data.zip/Data.txt .exe Infected: Email-Worm.Win32.NetSky.aa skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mguilbert@earthlink.net][Date Fri, 3 Dec 2004 10:01:12 -0800]/UNNAMED/Data.zip Infected: Email-Worm.Win32.NetSky.aa skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mguilbert@earthlink.net][Date Fri, 3 Dec 2004 10:01:12 -0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.aa skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From malebranchs@telcordia.com][Date Sat, 4 Dec 2004 12:13:55 -0500]/postcard.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From malebranchs@telcordia.com][Date Sat, 4 Dec 2004 12:13:55 -0500]/postcard.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mailer-daemon@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 09:24:23 -0500]/UNNAMED/document.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mailer-daemon@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 09:24:23 -0500]/UNNAMED/document.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From mailer-daemon@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 09:24:23 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From john@gohelios.com][Date Mon, 6 Dec 2004 09:24:45 -0500]/UNNAMED/id09509_imso.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From john@gohelios.com][Date Mon, 6 Dec 2004 09:24:45 -0500]/UNNAMED/id09509_imso.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From john@gohelios.com][Date Mon, 6 Dec 2004 09:24:45 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From e1cn9ki-0005o5-iv@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:03:38 -0500]/UNNAMED/your_doc.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From e1cn9ki-0005o5-iv@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:03:38 -0500]/UNNAMED/your_doc.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From e1cn9ki-0005o5-iv@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:03:38 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -00007w-09@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:04:06 -0500]/UNNAMED/priv.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -00007w-09@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:04:06 -0500]/UNNAMED/priv.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From -00007w-09@giraffe.xyzdns.net][Date Mon, 6 Dec 2004 10:04:06 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From hucakrisda@hotmail.com][Date Mon, 6 Dec 2004 12:08:03 -0500]/UNNAMED/document_orders.exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From hucakrisda@hotmail.com][Date Mon, 6 Dec 2004 12:08:03 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@help][Date Mon, 6 Dec 2004 12:08:13 -0500]/UNNAMED/details.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@help][Date Mon, 6 Dec 2004 12:08:13 -0500]/UNNAMED/details.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From noreply@help][Date Mon, 6 Dec 2004 12:08:13 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From valerie1516@yahoo.com][Date Mon, 6 Dec 2004 12:08:17 -0500]/UNNAMED/details.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From valerie1516@yahoo.com][Date Mon, 6 Dec 2004 12:08:17 -0500]/UNNAMED/details.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From valerie1516@yahoo.com][Date Mon, 6 Dec 2004 12:08:17 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED/document_imso.zip/details.txt .pif Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED/document_imso.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From reinhold@islandsuntimes.com][Date Wed, 1 Dec 2004 18:53:23 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From abuse@gov.us][Date Tue, 7 Dec 2004 08:44:02 -0500]/UNNAMED/details.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From abuse@gov.us][Date Tue, 7 Dec 2004 08:44:02 -0500]/UNNAMED/details.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From abuse@gov.us][Date Tue, 7 Dec 2004 08:44:02 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From x@giraffe.xyzdns.net][Date Tue, 7 Dec 2004 08:44:16 -0500]/UNNAMED/websites01.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From x@giraffe.xyzdns.net][Date Tue, 7 Dec 2004 08:44:16 -0500]/UNNAMED/websites01.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx/[From x@giraffe.xyzdns.net][Date Tue, 7 Dec 2004 08:44:16 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Mook.dbx Mail MS Outlook 5: infected - 78 skipped
D:\XOutlook Express2_off_060904\Mortgage_Direct-Gold (1).dbx/[From "Tyana" <tyana@direct-gold.com>][Date Tue, 11 May 2004 23:30:59 -0500]/UNNAMED/Loves_money.vbs Infected: Email-Worm.Win32.Bagle.z skipped
D:\XOutlook Express2_off_060904\Mortgage_Direct-Gold (1).dbx/[From "Tyana" <tyana@direct-gold.com>][Date Tue, 11 May 2004 23:30:59 -0500]/UNNAMED Infected: Email-Worm.Win32.Bagle.z skipped
D:\XOutlook Express2_off_060904\Mortgage_Direct-Gold (1).dbx Mail MS Outlook 5: infected - 2 skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From renigade@mediaone.net][Date Mon, 28 Aug 2006 09:02:44 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 0.3 NO_REAL_NAME From: does not include a real name][Date Mon, 28 Aug 2006 09:42:10 -0500]/UNNAMED/id04009.txt Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 0.3 NO_REAL_NAME From: does not include a real name][Date Mon, 28 Aug 2006 09:42:10 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 0.2 NO_REAL_NAME From: does not include a real name][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx/[From 1.0 FROM_ENDS_IN_NUMS From: ends in numbers][Date Tue, 29 Aug 2006 09:31:07 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\Company2 (1).dbx Mail MS Outlook 5: infected - 9, suspicious - 4 skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx/[From <stay@treedimensions.co.nz>][Date Sun, 14 Nov 2004 14:48:46 +0200]/UNNAMED/creme_de_gruyere.zip/creme_de_gruyere.jpg .scr Infected: Email-Worm.Win32.Mabutu.a skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx/[From <stay@treedimensions.co.nz>][Date Sun, 14 Nov 2004 14:48:46 +0200]/UNNAMED/creme_de_gruyere.zip Infected: Email-Worm.Win32.Mabutu.a skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx/[From <stay@treedimensions.co.nz>][Date Sun, 14 Nov 2004 14:48:46 +0200]/UNNAMED Infected: Email-Worm.Win32.Mabutu.a skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx/[From imso@Company5.com][Date Thu, 3 Jun 2004 09:04:46 -0400]/UNNAMED/message.scr Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx/[From imso@Company5.com][Date Thu, 3 Jun 2004 09:04:46 -0400]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
D:\XOutlook Express2_off_060904\sw_2004.dbx Mail MS Outlook 5: infected - 5 skipped
F:\FTPServer\back-up\ftpserver-v1.8-040119.zip/FTPServer.exe Infected: not-a-virus:Server-FTP.Win32.FileZilla.a skipped
F:\FTPServer\back-up\ftpserver-v1.8-040119.zip ZIP: infected - 1 skipped
F:\FTPServer\back-up\FTPServer.exe Infected: not-a-virus:Server-FTP.Win32.FileZilla.a skipped
F:\FTPServer\Old Servers & Logs\ftpserver-v1.8-040119.zip/FTPServer.exe Infected: not-a-virus:Server-FTP.Win32.FileZilla.a skipped
F:\FTPServer\Old Servers & Logs\ftpserver-v1.8-040119.zip ZIP: infected - 1 skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\mark.mmb/[From support@ebay.com][Date Mon, 7 Aug 2006 04:05:11 +0180]/html Infected: Trojan-Spy.HTML.Bayfraud.kx skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\mark.mmb Mail: infected - 1 skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\xx_general.mmb/[From "Automatic Email Delivery Software" <postmaster@Company1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\xx_general.mmb/[From "Automatic Email Delivery Software" <postmaster@Company1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\xx_general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\1st Class Mail Server\Company1.com\Store\xx_general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\1st Class Mail Server\Comapny1.com\Store\xx_general.mmb Mail: infected - 4 skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\general.mmb/[From "Automatic Email Delivery Software" <postmaster@Comapny1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\general.mmb/[From "Automatic Email Delivery Software" <postmaster@Company1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\general.mmb Mail: infected - 4 skipped
F:\Program Files\Copy of 1st Class Mail Server\Comapnay1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED/website.zip Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From phiferb@ten-nash.ten.k12.tn.us][Date Tue, 29 Aug 2006 09:30:57 -0500]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb/[From support@ebay.com][Date Mon, 7 Aug 2006 04:05:11 +0180]/html Infected: Trojan-Spy.HTML.Bayfraud.kx skipped
F:\Program Files\Copy of 1st Class Mail Server\Company1.com\Store\mark.mmb Mail: infected - 7 skipped
F:\Program Files\x1st Class Mail Server\Company1.com\Store\general.mmb/[From "Automatic Email Delivery Software" <postmaster@Company1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\x1st Class Mail Server\Company1.com\Store\general.mmb/[From "Automatic Email Delivery Software" <postmaster@Company1.com>][Date Sat, 12 Aug 2006 05:20:50 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\x1st Class Mail Server\Company1.com\Store\general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED/Company1.com Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\x1st Class Mail Server\Company1.com\Store\general.mmb/[From nakts@latnet.lv][Date Sat, 12 Aug 2006 12:14:38 -0400]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m skipped
F:\Program Files\x1st Class Mail Server\Company1.com\Store\general.mmb Mail: infected - 4 skipped

--------------------------------------------

Download McAfee Avert Stinger to your desktop.

Open the folder that contains the downloaded Stinger file, and double click Stinger.exe to run it.
  • Click the Scan Now button to begin scanning the specified drives/directories.
  • By default, Stinger will repair all infected files found.

Please let me know if it found anything.

----------------------------

Run another online scan at Kaspersky and post the results here, along with an update on how your system is performing.
 
#9 ·
1) Deleted the files you mentioned.
2) Thanks for "fixing" my post. :)
3) Ran McAfee Avert Stinger, it did not find anything:
McAfee AVERT Stinger Version 2.6.0. built on Apr 5 2006
Copyright (C) 2005 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on Feb 2 2006.
Ready to scan for 55 viruses, trojans and variants.
Scan initiated on Mon Sep 11 20:03:38 2006
Number of clean files: 148597

4) New Kaspersky Scan -- I ran it last night, saw some more stuff in mail files, deleted them and ran again this morning.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, September 12, 2006 8:02:59 AM
Operating System: Microsoft Windows NT, Service Pack 6a (Build 1381)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/09/2006
Kaspersky Anti-Virus database records: 222664
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
M:\

Scan Statistics:
Total number of scanned objects: 85024
Number of viruses found: 1
Number of infected objects: 3 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:22:48

Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\JET1.tmp Object is locked skipped
C:\WINNT\Profiles\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\WINNT\Profiles\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\WINNT\Profiles\Administrator\ntuser.dat.LOG Object is locked skipped
C:\WINNT\Profiles\Administrator\Cookies\index.dat Object is locked skipped
C:\WINNT\Profiles\Administrator\History\History.IE5\index.dat Object is locked skipped
C:\WINNT\Profiles\Administrator\History\History.IE5\MSHist012006091220060913\index.dat Object is locked skipped
C:\WINNT\Profiles\Administrator\ntuser.dat Object is locked skipped
C:\WINNT\NETLOGON.CHG Object is locked skipped
C:\WINNT\~DFA2C4.tmp Object is locked skipped
C:\WINNT\SchedLog.Txt Object is locked skipped
C:\TEMP\~DFE359.tmp Object is locked skipped
D:\Program Files\No Spam Today!\noSPAMtoday.log Object is locked skipped
D:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\FTPServer\ftptrace.txt Object is locked skipped
F:\Program Files\1st Class Mail Server\company1.com\Store\general.mmb/[From PayPal <service@paypal.com>][Date Mon, 11 Sep 2006 02:54:37 +0200]/UNNAMED/text Infected: Trojan-Spy.HTML.Paylap.jf skipped
F:\Program Files\1st Class Mail Server\company1.com\Store\general.mmb/[From PayPal <service@paypal.com>][Date Mon, 11 Sep 2006 02:54:37 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.jf skipped
F:\Program Files\1st Class Mail Server\company1.com\Store\general.mmb Mail: infected - 2 skipped
F:\Program Files\1st Class Mail Server\company1.com\Store\info.mmb Object is locked skipped
F:\Program Files\1st Class Mail Server\company1.com\Temp\TMP4FB7.tmp Object is locked skipped
F:\Program Files\1st Class Mail Server\company1.com\Temp\TMP4FFE.tmp Object is locked skipped
F:\Program Files\1st Class Mail Server_ZZ\logfiles\1cislog09122006.txt Object is locked skipped
F:\Program Files\Apache Group\Apache\logs\access.log Object is locked skipped
F:\Program Files\Apache Group\Apache\logs\error.log Object is locked skipped


--------------
5) Scan-wise, it looks better, but something is still wrong. I am still getting the explorer.exe crashes often when I access folders or files (see the top of my original post). Also, after a scare yesterday where I saw a new red icon in my system tray that was for DamWare's mini remote -- and I went to click it and my cursor jumped (someone was logged on to my computer!) -- I wrote a little program to delete the files scans had found in the last few days in c:\winnt\system & c:\winnt\system32 every 5 seconds. It increments a counter and it keeps ticking up -- making me think something is still up. The files that keep getting created seem to be c:\winnt\system32\SA1i.msg & c:\winnt\system32\SA2i.msg -- I can't find anything about them, but 1 of the scans from something showed those as trouble. My delete program is looking for these files in c:\winnt\system32\ & c:\winnt\system\ every 5 seconds and deleting them if they exist:

bdcli100.exe
csrsc.exe
cygcrypt-0.dll
cygwin1.dll
dbhelp.dll
dbmsson.dll
debugIRO.txt
debugSER.txt
DNTUS26.exe
DWRCK.DLL
DWRCS.exe
DWRCSET.DLL
DWRCShell.dll
DWRCShell64.dll
DWRCST.exe
DWRCST.exe.manifest
edit.BAT
eraseme_36265.exe
explorers.exe
firedaemon.exe
get.exe
hxdef100.exe
hxdef100.zip
i.exe
i[1].exe
iL.dbx
Infodll.state
Infodll.state~
IpcScan.exe
KAHOL.bat
LAVAN.bat
lock.bat
nero.exe
pptB0D.tmp
protect.bat
psexec.exe
SA1i.msg
SA2i.msg
scansql.exe
setup_14678.exe
sql-smss.exe
TZOLIBR.dll
zmtB0B.tmp

I will update the program to log which files are deleted and when. The reason I think it is SA1i.msg & SA2i.msg is I get a message on a pass that they can't be deleted due to a sharing violation, but it gets them on the next pass.
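A defender-side version of the sweeper described in the post above, added here as an example (it is not the poster's program): it polls the same two directories for the same filename list, but moves each hit into a quarantine folder with its SHA-256 logged instead of deleting it, so samples survive for analysis, and a file that cannot be opened or moved on one pass (a sharing violation on NT) is deferred to the next pass. The scratch tree in build_demo_tree() and the paths in main() are constructed assumptions.

```python
"""Watchlist sweeper: poll directories for filenames that scans flagged, quarantine
(move, not delete) anything that reappears, and log what was found and when.
Added example, not the poster's program; the scratch tree and paths are constructed."""
import hashlib
import logging
import shutil
import tempfile
import time
from pathlib import Path

log = logging.getLogger("sweeper")

# Filenames the scans flagged, as listed in the post above (compared case-insensitively,
# since NT filenames are case-insensitive).
WATCHLIST = {name.lower() for name in [
    "bdcli100.exe", "csrsc.exe", "cygcrypt-0.dll", "cygwin1.dll", "dbhelp.dll",
    "dbmsson.dll", "debugIRO.txt", "debugSER.txt", "DNTUS26.exe", "DWRCK.DLL",
    "DWRCS.exe", "DWRCSET.DLL", "DWRCShell.dll", "DWRCShell64.dll", "DWRCST.exe",
    "DWRCST.exe.manifest", "edit.BAT", "eraseme_36265.exe", "explorers.exe",
    "firedaemon.exe", "get.exe", "hxdef100.exe", "hxdef100.zip", "i.exe", "i[1].exe",
    "iL.dbx", "Infodll.state", "Infodll.state~", "IpcScan.exe", "KAHOL.bat",
    "LAVAN.bat", "lock.bat", "nero.exe", "pptB0D.tmp", "protect.bat", "psexec.exe",
    "SA1i.msg", "SA2i.msg", "scansql.exe", "setup_14678.exe", "sql-smss.exe",
    "TZOLIBR.dll", "zmtB0B.tmp",
]}


def sha256_of(path: Path) -> str:
    """Hash the file before it is moved so the log can identify the sample later."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_once(watch_dirs, quarantine_dir, watchlist=WATCHLIST):
    """One pass over watch_dirs. Returns (quarantined, deferred): the original paths
    that were moved, and those that could not be opened or moved this pass (on NT a
    sharing violation surfaces as PermissionError, a subclass of OSError) and will
    simply be retried next pass, like the sharing-violation case in the post."""
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    quarantined, deferred = [], []
    for d in map(Path, watch_dirs):
        if not d.is_dir():          # e.g. the second directory does not exist
            continue
        for p in d.iterdir():
            if not p.is_file() or p.name.lower() not in watchlist:
                continue
            try:
                size = p.stat().st_size
                digest = sha256_of(p)
                # Unique destination name so each re-creation is kept as its own sample.
                dest = quarantine_dir / f"{time.time_ns()}_{d.name}_{p.name}.quarantined"
                shutil.move(str(p), str(dest))
            except OSError as exc:
                log.warning("deferred %s: %s", p, exc)
                deferred.append(p)
                continue
            log.info("quarantined %s size=%d sha256=%s -> %s", p, size, digest, dest)
            quarantined.append(p)
    return quarantined, deferred


def watch(watch_dirs, quarantine_dir, interval=5.0, passes=None):
    """Poll every `interval` seconds (5 s in the post). Returns the total number of
    files quarantined; a total that keeps climbing means something is still
    re-creating them, and that process is the real thing to hunt."""
    total, done = 0, 0
    while passes is None or done < passes:
        moved, _ = sweep_once(watch_dirs, quarantine_dir)
        total += len(moved)
        done += 1
        if passes is None or done < passes:
            time.sleep(interval)
    return total


def build_demo_tree():
    """Constructed scratch layout standing in for C:\\WINNT\\system32: one flagged
    name and one benign file. Returns (watch_dir, quarantine_dir)."""
    root = Path(tempfile.mkdtemp(prefix="sweeper_demo_"))
    s32 = root / "system32"
    s32.mkdir()
    (s32 / "SA1i.msg").write_bytes(b"constructed sample, not real malware")
    (s32 / "benign.dll").write_bytes(b"leave me alone")
    return s32, root / "quarantine"


def main():
    # A log file gives the "which files and when" record the poster wanted to add.
    logging.basicConfig(filename="sweeper.log", level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    s32, qdir = build_demo_tree()   # on the real box: [r"C:\WINNT\system32", r"C:\WINNT\system"]
    moved, deferred = sweep_once([s32, s32.parent / "system"], qdir)
    print("quarantined:", [p.name for p in moved], "deferred:", [p.name for p in deferred])


if __name__ == "__main__":
    main()
```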
 
#28 ·
Is your program still finding these files?
 
#10 ·
Hi,

As this is an NT4 OS, we are limited on the tools we can use to clean it.

I was trying to hold off on using Dr Web as it can be quite aggressive, but the time has come.

Should it 'move' anything legit, we can easily move them back (restore them) provided you follow the directions below exactly as given.

Please halt the program you wrote that is deleting files, so Dr Web can do its job. :smile:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this is in case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

DamWare's mini remote
Did you mean DameWare mini remote? As you work for a company, that could very well be legit.
 
#11 ·
1) Stopped my prog.
2) Ran Quick scan -- did not find anything.
3) Ran full scan:
xsys.dll;C:\WINNT\system32;Tool.Moo;Incurable.Moved.;
Libparse.exe;C:\WINNT\system32;Program.PrcView.3621;Incurable.Moved.;
4) Rebooted. Still getting those explorer.exe crashes.
5) Ya, I meant DameWare mini remote. And NO it was not legit!
 
#12 ·
Please download SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts

Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete.

When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.


Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post that log here
 
#13 ·
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows NT 4.0
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"BrowserWebCheck" = "loadwc.exe" [MS]
"SchedulingAgent" = "mstinit.exe /logon" [MS]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"Simple DNS Plus" = "F:\Program Files\Simple DNS Plus\sdnsplus.exe -s" ["JH Software"]
"SvW NT4Logon" = ""F:\Program Files\SvW NT4Logon\SvW NT4Logon.exe" NoUserInput" ["SvW Development"]
"vptray" = "F:\PROGRA~1\NavNT\vptray.exe" ["Symantec Corporation"]
"RegistryMechanic" = (empty string)
"AVG7_CC" = "F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"THGuard" = ""F:\Program Files\TrojanHunter 4.6\THGuard.exe"" ["Mischel Internet Security"]
"rfagent" = ""F:\Program Files\RFA\rfagent.exe"" ["KsL Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Context Menu Shell Extension"
-> {HKLM...CLSID} = "a-squared Free Context Menu"
\InProcServer32\(Default) = "F:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "F:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = (no title provided)
-> {HKLM...CLSID} = "URL Exec Hook"
\InProcServer32\(Default) = "url.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "C:\WINNT\System32\awgina.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINNT\System32\NavLogon.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "F:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "F:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Context Menu"
\InProcServer32\(Default) = "F:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "F:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINNT\ACD Wallpaper.bmp"


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\WINNT\Profiles\Administrator\Start Menu\Programs\Startup
"Queued_E-Mail_Poller.EXE" -> shortcut to: "F:\mookmail_quickmerge\Queued_E-Mail_Poller.EXE" [null data]
"Quick'n Easy FTP Server" -> shortcut to: "F:\FTPServer\FTPServer.exe" ["Pablo Software Solutions"]
"Restore 'layout1.sl'" -> shortcut to: "F:\Program Files\PACT Save Layout\sl.exe /r C:\WINNT\Profiles\Administrator\Desktop\layout1.sl" [null data]
"lnchpd32.exe" -> shortcut to: "F:\LaunchPad\lnchpd32.exe f:\launchpad\mst.lpd /h /d:180" ["Cypress Technologies"]
"Shortcut to marks_trojan_delete.EXE" -> shortcut to: "F:\vdsprogs\marks_trojan_delete.EXE" [null data]
"Shortcut to mook_error_check.EXE" -> shortcut to: "F:\vdsprogs\mook_error_check.EXE" [null data]

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 12


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

1st Class Mail Server, 1cms, "F:\PROGRA~1\1STCLA~1\\inetmail.exe" [null data]
Apache Server, ApacheServer, ""F:\Program Files\Apache Group\Apache\Apache.exe" --ntservice" [null data]
License Logging Service, LicenseService, "C:\WINNT\System32\llssrv.exe" [MS]
No Spam Today! Service, NoSpamTodayService, "D:\Program Files\No Spam Today!\noSPAMtoday.exe" [empty string]
pcAnywhere Host Service, awhost32, "F:\Program Files\Symantec\pcAnywhere\awhost32.exe" ["Symantec Corporation"]
Simple DNS Plus, sdnsplus, "F:\Program Files\Simple DNS Plus\sdnsmain.exe" ["JH Software"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
pcAnywhere Remote Printing\Driver = "awmon.dll" ["Symantec Corporation"]
PDF Port\Driver = "C:\WINNT\System32\pdfports.dll" ["Adobe Systems Incorporated."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 61 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 13 seconds.
---------- (total run time: 131 seconds)


==========================

StartDreck (build 2.1.7 public stable) - 2006-09-13 @ 05:20:01 (GMT -04:00)
Platform: Win NT 4.0.1381 Service Pack 6
Internet Explorer: 6.0.2800.1106
Logged in as Administrator at WEBBOY

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*BrowserWebCheck=loadwc.exe
*SchedulingAgent=mstinit.exe /logon
*AtiPTA=atiptaxx.exe
*Simple DNS Plus=F:\Program Files\Simple DNS Plus\sdnsplus.exe -s
*SvW NT4Logon="F:\Program Files\SvW NT4Logon\SvW NT4Logon.exe" NoUserInput
*vptray=F:\PROGRA~1\NavNT\vptray.exe
*RegistryMechanic=
*AVG7_CC=F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
*THGuard="F:\Program Files\TrojanHunter 4.6\THGuard.exe"
*rfagent="F:\Program Files\RFA\rfagent.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="F:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINNT\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\Plus!\MICROS~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINNT\System32\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINNT\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINNT\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINNT\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINNT\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINNT\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
+NetMeeting/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Web Publishing Wizard/{44BBA851-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie5x86.inf,PerUserStub
+MSN Messenger Service 2.2/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUserIE
+Internet Connection Wizard/{5A8D6EE0-3E18-11D0-821E-444553540000}
*StubPath=rundll32.exe advpack.dll,LaunchINFSectionEx %SystemRoot%\INF\icw.inf,PerUserStub,,36
+Synchronization Manager/{6295DF27-35EE-11d1-8707-00C04FD93327}
*StubPath=rundll32.exe %SystemRoot%\System32\mobsync.dll,RunDllRegister /p
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
+Internet Explorer 6 and Internet Tools/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=%SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=F:\PROGRA~1\SPYBOT~1\SDHelper.dll
»Internet Explorer
»Current User
*Local Page=C:\WINNT\System32\blank.htm
*Search Page=http://www.msn.com/access/allinone.htm
*Start Page=http://www.msnbc.msn.com/
+SearchUrl
*provider=
»Default User
*Search Page=http://www.msn.com/access/allinone.htm
*Start Page=file:C:\Program Files\Plus!\Microsoft Internet\docs\home.htm
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=userinit,nddeagnt.exe
»Files
»Autostart Folders
»Current User
*C:\WINNT\Profiles\Administrator\Start Menu\Programs\Startup\Queued_E-Mail_Poller.EXE.lnk
*C:\WINNT\Profiles\Administrator\Start Menu\Programs\Startup\Quick'n Easy FTP Server.lnk
*C:\WINNT\Profiles\Administrator\Start Menu\Programs\Startup\Restore 'layout1.sl'.lnk
*C:\WINNT\Profiles\Administrator\Start Menu\Programs\Startup\lnchpd32.exe.lnk
*C:\WINNT\Profiles\Administrator\Start Menu\Programs\Startup\Shortcut to marks_trojan_delete.EXE.lnk
*C:\WINNT\Profiles\Administrator\Start Menu\Programs\Startup\Shortcut to mook_error_check.EXE.lnk
»Default User
»Local Machine
*C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=5
`default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server Version 4.00"
`multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server Version 4.00 [VGA mode]" /basevideo /sos
*C:\msdos.sys
*C:\config.sys
*C:\WINNT\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=20
*C:\autoexec.bat
*C:\WINNT\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
*C:\WINNT\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINNT\System32\win.com
*C:\WINNT\explorer.exe
»%PATH% Companion Files
+C:\WINNT\System32\taskman.exe
*C:\WINNT\TASKMAN.EXE
+C:\WINNT\System32\notepad.exe
*C:\WINNT\NOTEPAD.EXE
+C:\WINNT\System32\winhlp32.exe
*C:\WINNT\winhlp32.exe
+C:\WINNT\System32\EXTRACT.EXE
*C:\WINNT\extract.exe
+C:\Perl\bin\perlglob.exe
*C:\Perl\bin\perlglob.bat
»System/Drivers
»Running Processes
+0=<idle>
+2=<unkown>
+25=\SystemRoot\System32\smss.exe
+33=\??\C:\WINNT\system32\csrss.exe
+39=\??\C:\WINNT\system32\winlogon.exe
+47=C:\WINNT\system32\services.exe
+50=C:\WINNT\system32\lsass.exe
+72=C:\WINNT\system32\spoolss.exe
+70=F:\PROGRA~1\1STCLA~1\inetmail.exe
+110=F:\Program Files\Apache Group\Apache\Apache.exe
+113=F:\Program Files\Symantec\pcAnywhere\awhost32.exe
+120=F:\Program Files\Apache Group\Apache\Apache.exe
+263=C:\WINNT\System32\llssrv.exe
+281=D:\Program Files\No Spam Today!\noSPAMtoday.exe
+287=C:\WINNT\System32\LOCATOR.EXE
+295=C:\WINNT\system32\RpcSs.exe
+298=F:\Program Files\Simple DNS Plus\sdnsmain.exe
+313=c:\winnt\system32\pstores.exe
+316=C:\WINNT\system32\MSTask.exe
+380=C:\WINNT\System32\MsgSys.EXE
+231=C:\WINNT\System32\WBEM\winmgmt.exe
+230=C:\WINNT\System32\nddeagnt.exe
+384=C:\WINNT\Explorer.EXE
+239=C:\WINNT\System32\loadwc.exe
+441=C:\WINNT\System32\atiptaxx.exe
+242=F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
+276=F:\mookmail_quickmerge\Queued_E-Mail_Poller.EXE
+433=F:\FTPServer\FTPServer.exe
+222=F:\LaunchPad\lnchpd32.exe
+401=F:\Program Files\Simple DNS Plus\sdnsgui.exe
+445=D:\PROGRA~1\WINZIP\winzip32.exe
+409=C:\WINNT\Profiles\Administrator\Desktop\StartDreck\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
 
#14 ·
I realize these online scans are time consuming, but I'll need you to run another online scan--this time at Trend Micro. Post the results here please.

-------------------------------------------

Download and Install UnHackMe (Supported Windows NT4/2000/XP.) and Unzip to a folder.

Double click "unhackme300b2.exe" to install

Bring up UnHackMe

Click the "Check Me Now" button

When finished, if a Rootkit is found it will show you the results.

Click the "Stop" button and reboot

Please let me know if it found anything.

-----------------------------
 
#16 ·
Mark, I'm running out of tools we can use to try to ferret out the spawning file(s) or registry entry(s). :sad:

Let's see if this tool will run on your system. (It certainly will not harm it--the worst that will happen is a dos box will appear then shut down)

Download combofix from one of these locations:
**Save it to your desktop**
Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


*This scan should only take a few minutes.


------------------------------------

If that tool will not run, I'd like you to try this one:

Download WinPFind and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet--it must be run in Safe Mode.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more. Once the Scan is Complete it will make a txt file (log) of what was found. Save that log and post it here.

Restart one more time back into Normal Mode, run a scan with HijackThis and save the log to post here.

----------------------------------

Create an Uninstall List:
Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
The list will automatically be saved in your HijackThis folder.

Please copy and paste the uninstall_list.txt here.
 
#18 · (Edited)
Change of plans, Mark. Please use this set of instructions instead:

Export this key & attach in next reply
HKEY_LOCAL_MACHINE\system\currentcontrolset\services

Download & run GetSystemInfo.exe
It shall produce a log for you to post back here.

Download & Run this file - http://www.techsupportforum.com/sectools/datfindV2.zip
Post that text here as well.
 
#20 · (Edited)
Hi Mark,

Delete these files:

C:\ie.bat
C:\ie2.bat


**If they resist deletion, and you cannot boot into Safe Mode remotely, you can use HijackThis to delete those files:

Double click on HijackThis.exe to run it. Click on "Open the Misc Tools section" and click the button labelled "Delete A File on Reboot...".
In the dialogue that shows up, copy and paste each file path into the "file name:" field:

When you have selected the file, click the "Open" button. Click No at the next prompt (do not allow reboot yet).

Repeat the above steps for the second file. No reboot yet.

-------------------------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSpool]

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

-------------------------------------------

Reboot the system.

-------------------------------------------

I'd like you to download and install a different AV for the purpose of rooting out this infection:

Download, install and update BitDefender 8 Free Edition. (Operating platform: Windows 98/NT-SP6/Me/2000/XP IE 4.0(+))

Do not scan yet.

It's never a good idea to have more than 1 AV installed on a system--but with the infection present, I am hesitant to leave you unprotected during the process of installing and updating BitDefender, as you are working on this system remotely and cannot disconnect it from the internet.

-------------------------------

Uninstall AVG via the Add/Remove programs in the Control Panel.

Reboot the system.

-------------------------------

Scan with Bitdefender and post those results here along with a new HijackThis log.
 
#22 ·
I thought that may have been the case, but those are also associated with some 'bad guys'. I figured if you created them, you'd tell me. :winkgrin:

Yes, the rest is the same. Please proceed.
 
#23 ·
//-----------------------------------------------------------------
//
// Product: BitDefender 8 Free Edition
// Version: 8.0
//
// Created on: 14/09/2006 10:10:43
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
D:\
F:\
Folders : 7073
Files : 439498
Archives : 77774
Packed files : 23611
Identified viruses : 2
Infected files : 7
Warnings : 0
Suspect files : 1
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 0
Renamed files : 0
I/O errors : 16
Scan time : 02:58:20
Scan speed (files/sec) : 41

Virus definitions : 454188
Scan plugins : 13
Archive plugins : 38
Unpack plugins : 6
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

D:\XOutlook Express2\company_at.dbx=>(message 25)=>[Subject: Good day][Date: Thu, 14 Sep 2006 10:14:41 +0800]=>(MIME part)=>text.txt.scr Infected Generic.Stration.3049ED2B
D:\XOutlook Express2\company_at.dbx=>(message 25)=>[Subject: Good day][Date: Thu, 14 Sep 2006 10:14:41 +0800]=>(MIME part)=>text.txt.scr Disinfection failed
D:\XOutlook Express2\company_at.dbx=>(message 25)=>[Subject: Good day][Date: Thu, 14 Sep 2006 10:14:41 +0800]=>(MIME part)=>text.txt.scr Move failed
D:\XOutlook Express2\company_at.dbx=>(message 26)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:43 +0800]=>(MIME part)=>Update-KB1000-x86.exe Infected Generic.Stration.3049ED2B
D:\XOutlook Express2\company_at.dbx=>(message 26)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:43 +0800]=>(MIME part)=>Update-KB1000-x86.exe Disinfection failed
D:\XOutlook Express2\company_at.dbx=>(message 26)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:43 +0800]=>(MIME part)=>Update-KB1000-x86.exe Move failed
D:\XOutlook Express2\company_dg.dbx=>(message 28)=>[Subject: Server Report][Date: Thu, 14 Sep 2006 10:14:38 +0800]=>(MIME part)=>message.log.exe Infected Generic.Stration.3049ED2B
D:\XOutlook Express2\company_dg.dbx=>(message 28)=>[Subject: Server Report][Date: Thu, 14 Sep 2006 10:14:38 +0800]=>(MIME part)=>message.log.exe Disinfection failed
D:\XOutlook Express2\company_dg.dbx=>(message 28)=>[Subject: Server Report][Date: Thu, 14 Sep 2006 10:14:38 +0800]=>(MIME part)=>message.log.exe Move failed
D:\XOutlook Express2\company_dg.dbx=>(message 29)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:45 +0800]=>(MIME part)=>Update-KB3312-x86.exe Infected Generic.Stration.3049ED2B
D:\XOutlook Express2\company_dg.dbx=>(message 29)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:45 +0800]=>(MIME part)=>Update-KB3312-x86.exe Disinfection failed
D:\XOutlook Express2\company_dg.dbx=>(message 29)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:45 +0800]=>(MIME part)=>Update-KB3312-x86.exe Move failed
D:\XOutlook Express2\company_sw.dbx=>(message 9)=>[Subject: Server Report][Date: Thu, 14 Sep 2006 10:14:49 +0800]=>(MIME part)=>test.msg.exe Infected Generic.Stration.3049ED2B
D:\XOutlook Express2\company_sw.dbx=>(message 9)=>[Subject: Server Report][Date: Thu, 14 Sep 2006 10:14:49 +0800]=>(MIME part)=>test.msg.exe Disinfection failed
D:\XOutlook Express2\company_sw.dbx=>(message 9)=>[Subject: Server Report][Date: Thu, 14 Sep 2006 10:14:49 +0800]=>(MIME part)=>test.msg.exe Move failed
D:\XOutlook Express2\company_sw.dbx=>(message 10)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:48 +0800]=>(MIME part)=>Update-KB5296-x86.exe Infected Generic.Stration.3049ED2B
D:\XOutlook Express2\company_sw.dbx=>(message 10)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:48 +0800]=>(MIME part)=>Update-KB5296-x86.exe Disinfection failed
D:\XOutlook Express2\company_sw.dbx=>(message 10)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:48 +0800]=>(MIME part)=>Update-KB5296-x86.exe Move failed
D:\XOutlook Express2_off_060904\Sent Items (1).dbx=>(message 6687)=>[Subject: Fw: M S Sale][Date: Mon, 18 Aug 2003 14:29:54 -0400]=>(MIME part)=>Checking.zip.exe Infected Win32.BugBear.B@mm.Damaged
D:\XOutlook Express2_off_060904\Sent Items (1).dbx=>(message 6687)=>[Subject: Fw: M S Sale][Date: Mon, 18 Aug 2003 14:29:54 -0400]=>(MIME part)=>Checking.zip.exe Disinfection failed
D:\XOutlook Express2_off_060904\Sent Items (1).dbx=>(message 6687)=>[Subject: Fw: M S Sale][Date: Mon, 18 Aug 2003 14:29:54 -0400]=>(MIME part)=>Checking.zip.exe Move failed
D:\XOutlook Express2_off_060904\Sent Items (1).dbx=>(message 8608)=>[Subject: Re: ~$ployee Handbook2][Date: Mon, 24 Jun 2002 10:00:49 -0400]=>(MIME part)=>(message body) Suspect Exploit.Iframe.Vulnerability
D:\XOutlook Express2_off_060904\Sent Items (1).dbx=>(message 8608)=>[Subject: Re: ~$ployee Handbook2][Date: Mon, 24 Jun 2002 10:00:49 -0400]=>(MIME part)=>(message body) Disinfection failed
D:\XOutlook Express2_off_060904\Sent Items (1).dbx=>(message 8608)=>[Subject: Re: ~$ployee Handbook2][Date: Mon, 24 Jun 2002 10:00:49 -0400]=>(MIME part)=>(message body) Move failed


==================================


Logfile of HijackThis v1.99.1
Scan saved at 1:28:36 PM, on 9/14/06
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
F:\PROGRA~1\1STCLA~1\inetmail.exe
C:\WINNT\System32\nddeagnt.exe
C:\WINNT\Explorer.EXE
F:\Program Files\Apache Group\Apache\Apache.exe
F:\Program Files\Symantec\pcAnywhere\awhost32.exe
F:\Program Files\Apache Group\Apache\Apache.exe
C:\WINNT\System32\loadwc.exe
C:\WINNT\System32\atiptaxx.exe
F:\PROGRA~1\NavNT\vptray.exe
F:\Program Files\Softwin\BitDefender8\bdnagent.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\mookmail_quickmerge\Queued_E-Mail_Poller.EXE
F:\FTPServer\FTPServer.exe
F:\LaunchPad\lnchpd32.exe
C:\WINNT\System32\llssrv.exe
F:\Program Files\NavNT\rtvscan.exe
D:\Program Files\No Spam Today!\noSPAMtoday.exe
C:\WINNT\System32\LOCATOR.EXE
C:\WINNT\system32\RpcSs.exe
F:\Program Files\Simple DNS Plus\sdnsmain.exe
C:\WINNT\System32\WBEM\winmgmt.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
F:\Program Files\Simple DNS Plus\sdnsgui.exe
C:\WINNT\System32\MsgSys.EXE
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
f:\program files\softwin\bitdefender8\bdmcon.exe
C:\WINNT\System32\ddhelp.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Simple DNS Plus] F:\Program Files\Simple DNS Plus\sdnsplus.exe -s
O4 - HKLM\..\Run: [SvW NT4Logon] "F:\Program Files\SvW NT4Logon\SvW NT4Logon.exe" NoUserInput
O4 - HKLM\..\Run: [vptray] F:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [BDMCon] "F:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "F:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - Startup: Queued_E-Mail_Poller.EXE.lnk = F:\mookmail_quickmerge\Queued_E-Mail_Poller.EXE
O4 - Startup: Quick'n Easy FTP Server.lnk = F:\FTPServer\FTPServer.exe
O4 - Startup: Restore 'layout1.sl'.lnk = F:\Program Files\PACT Save Layout\sl.exe
O4 - Startup: lnchpd32.exe.lnk = F:\LaunchPad\lnchpd32.exe
O4 - Startup: Shortcut to marks_trojan_delete.EXE.lnk = F:\vdsprogs\marks_trojan_delete.EXE
O4 - Startup: Shortcut to mook_error_check.EXE.lnk = F:\vdsprogs\mook_error_check.EXE
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: http://www.kaspersky.com
O15 - Trusted Zone: http://www.msnbc.msn.com
O15 - Trusted Zone: http://www.techsupportforum.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4846/mcfscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 198.6.1.2 198.6.100.53
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 198.6.1.2 198.6.100.53
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 198.6.1.2 198.6.100.53
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: 1st Class Mail Server (1cms) - Unknown owner - F:\PROGRA~1\1STCLA~1\\inetmail.exe
O23 - Service: Apache Server (ApacheServer) - Unknown owner - F:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - F:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - F:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton SpeedDisk - Unknown owner - F:\PROGRA~1\NORTON~1\System\SDSRV.EXE
O23 - Service: No Spam Today! Service (NoSpamTodayService) - Unknown owner - D:\Program Files\No Spam Today!\noSPAMtoday.exe
O23 - Service: Simple DNS Plus (sdnsplus) - JH Software - F:\Program Files\Simple DNS Plus\sdnsmain.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
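An added example, not from the thread or from BitDefender: a small Python parser for the "Summary:" section of the BitDefender 8 log above. It folds the three result lines the scanner writes per attachment (Infected/Suspect, Disinfection failed, Move failed) into one record per object, then flags executable attachments hiding behind a decoy extension (text.txt.scr, message.log.exe) and objects the scanner could neither disinfect nor quarantine, so they are still sitting in the .dbx store. The sample lines are constructed in the shape of the posted log; the store paths and one subject are made up.

```python
import re

# One BitDefender 8 summary line has the shape
#   <store>.dbx=>(message N)=>[Subject: ...][Date: ...]=>(MIME part)=><object> <verdict>
# where <verdict> is "Infected <name>", "Suspect <name>", "Disinfection failed"
# or "Move failed"; the same object produces one line per verdict.
LINE_RE = re.compile(
    r"^(?P<store>.+?\.dbx)=>\(message (?P<msg>\d+)\)"
    r"=>\[Subject: (?P<subject>.*?)\]\[Date: (?P<date>.*?)\]"
    r"=>\(MIME part\)=>(?P<obj>.+?) "
    r"(?P<verdict>Infected .+|Suspect .+|Disinfection failed|Move failed)$"
)

# Final extensions Windows will execute, and the decoy extensions mass-mailers
# put in front of them (text.txt.scr, message.log.exe, Checking.zip.exe).
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
DECOY_EXTS = {"txt", "log", "msg", "zip", "jpg", "gif", "doc", "pdf", "htm", "html"}

# Constructed sample in the shape of the posted log: store paths and the last
# subject are made up, detection and object names are the ones in the thread.
SAMPLE_LOG = r"""
D:\Mail\inbox.dbx=>(message 25)=>[Subject: Good day][Date: Thu, 14 Sep 2006 10:14:41 +0800]=>(MIME part)=>text.txt.scr Infected Generic.Stration.3049ED2B
D:\Mail\inbox.dbx=>(message 25)=>[Subject: Good day][Date: Thu, 14 Sep 2006 10:14:41 +0800]=>(MIME part)=>text.txt.scr Disinfection failed
D:\Mail\inbox.dbx=>(message 25)=>[Subject: Good day][Date: Thu, 14 Sep 2006 10:14:41 +0800]=>(MIME part)=>text.txt.scr Move failed
D:\Mail\inbox.dbx=>(message 26)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:43 +0800]=>(MIME part)=>Update-KB1000-x86.exe Infected Generic.Stration.3049ED2B
D:\Mail\inbox.dbx=>(message 26)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:43 +0800]=>(MIME part)=>Update-KB1000-x86.exe Disinfection failed
D:\Mail\inbox.dbx=>(message 26)=>[Subject: Mail server report.][Date: Thu, 14 Sep 2006 10:01:43 +0800]=>(MIME part)=>Update-KB1000-x86.exe Move failed
D:\Mail\sent.dbx=>(message 6687)=>[Subject: Fw: M S Sale][Date: Mon, 18 Aug 2003 14:29:54 -0400]=>(MIME part)=>Checking.zip.exe Infected Win32.BugBear.B@mm.Damaged
D:\Mail\sent.dbx=>(message 6687)=>[Subject: Fw: M S Sale][Date: Mon, 18 Aug 2003 14:29:54 -0400]=>(MIME part)=>Checking.zip.exe Disinfection failed
D:\Mail\sent.dbx=>(message 6687)=>[Subject: Fw: M S Sale][Date: Mon, 18 Aug 2003 14:29:54 -0400]=>(MIME part)=>Checking.zip.exe Move failed
D:\Mail\sent.dbx=>(message 8608)=>[Subject: Re: Handbook][Date: Mon, 24 Jun 2002 10:00:49 -0400]=>(MIME part)=>(message body) Suspect Exploit.Iframe.Vulnerability
D:\Mail\sent.dbx=>(message 8608)=>[Subject: Re: Handbook][Date: Mon, 24 Jun 2002 10:00:49 -0400]=>(MIME part)=>(message body) Disinfection failed
"""


def parse_bitdefender_summary(text):
    """Group the summary lines into one record per (store, message, object)."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line, header, or a line shape this parser does not know
        key = (m["store"], int(m["msg"]), m["obj"])
        rec = records.setdefault(key, {
            "store": m["store"], "message": int(m["msg"]), "object": m["obj"],
            "subject": m["subject"], "date": m["date"],
            "detections": [], "failed_actions": [],
        })
        verdict = m["verdict"]
        if verdict.startswith(("Infected ", "Suspect ")):
            kind, name = verdict.split(" ", 1)
            rec["detections"].append((kind, name))
        else:
            rec["failed_actions"].append(verdict)
    return list(records.values())


def classify(rec):
    """Flags a responder cares about for one record; [] means only the verdict."""
    flags = []
    parts = rec["object"].lower().split(".")
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        flags.append("executable-attachment")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            flags.append("double-extension")
    # Move to quarantine is the scanner's second action, tried only after the
    # first (disinfect) did not succeed; if it failed too, the object remains.
    if "Move failed" in rec["failed_actions"]:
        flags.append("still-present")
    return flags


def summarize(text):
    """Counts per detection name and per flag over the whole summary section."""
    recs = parse_bitdefender_summary(text)
    by_name, by_flag = {}, {}
    for rec in recs:
        for _, name in rec["detections"]:
            by_name[name] = by_name.get(name, 0) + 1
        for flag in classify(rec):
            by_flag[flag] = by_flag.get(flag, 0) + 1
    return {"objects": len(recs), "by_detection": by_name, "by_flag": by_flag}


if __name__ == "__main__":
    for rec in parse_bitdefender_summary(SAMPLE_LOG):
        print(rec["object"], rec["detections"], classify(rec))
    print(summarize(SAMPLE_LOG))
```

Objects flagged "still-present" are the ones a scanner cannot clean inside a compacted .dbx store; they have to be removed in the mail client (or the store deleted) before the next scan comes back clean.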
 
#24 ·
Let's see if these tools will reveal anything:

Download and run Blacklight

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next. Click on Close.

BlackLight beta will create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.

------------------------------

Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
 
#25 ·
Trouble with Blacklight:

The procedure entry point ExpandEnvironmentStringsForUserW could not be located in the dynamic link library USERENV.dll

Trouble with Rootkit Revealer:

An error occurred in CMD.EXE that prevents RootkitRevealer from accurately analyzing your system. If CMD.EXE is available on your system, please report this failure.

:confused:
 
#26 ·
Hi Mark,

Check the permissions on cmd.exe. (Right click and select Properties). Ensure that it is not set to 'read only'.

It's also possible the rootkit changed a registry value for "DisableCMD".

You can try to fix that issue in order to run RKR, or just move on and use Sophos Anti-rootkit as it is also compatible with NT4:


Download Sophos Anti-rootkit. Here you will find information about it if needed http://www.sophos.com/support/knowledgebase/article/7026.html

Unzip it to the C: drive. Open the folder and double click sargui.exe to start the tool.

Post the results here please.
 