My turn

**Horse** · 10-04-2006, 11:04 AM

Guys and Girls, I keep receiving these odd emails quoted below.

Quote:

Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

I have Zone Alarm, Spyware Blaster, Spyware Guard and AVG on my system. Also have Win Patrol and Snoopfree running.

Please check if there is anything amiss on my system as with my current knowledge I cant find anything. Thanks a bunch.

Logfile of HijackThis v1.99.1
Scan saved at 08:03:45, on 04/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\System32\SnoopFreeSvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINNT\SnoopFreeUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\HJK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fnb.co.za/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Absa
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [WheelMouse] C:\WHEELM~1\wh_exec.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.od2.com
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MediaBar) - http://sib1.od2.com/common/musicmana...agerPlugin.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2C32885-7702-4D8B-8C42-8F34412DA775}: NameServer = 168.210.2.2 196.14.239.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINNT\System32\SnoopFreeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

Ried · 10-04-2006, 11:14 AM

Hello Horse,

We'll use the Kaspersky online scanner as it is better at detecting e-mail worms.

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

-------------------------------------

I'd also like you to run combofix:

Download combofix from one of these locations:

**Save it to your desktop**
Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Please post that log in your next reply as well.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

**Horse** · 10-05-2006, 10:18 AM

Here we go Ma'am, Combofix and Kaspersky logs as requested

KASPERSKY ONLINE SCANNER REPORT
Thursday, October 05, 2006 5:17:59 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/10/2006
Kaspersky Anti-Virus database records: 228861
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 93893
Number of viruses found: 3
Number of infected objects: 7 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:08:59

Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\drivers\SnopFree.sys Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\Temp\ZLT00341.TMP Object is locked skipped
C:\WINNT\Temp\ZLT05211.TMP Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\DEREKV.ldb Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\ModemLog_SoftV92 Data Fax Modem #2.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBE2A.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF2676.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/02 Oct 2006 18:16 to derekv@absamail.co.za:hello/body.txt.exe Infected: Email-Worm.Win32.Warezov.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/02 Oct 2006 18:02 from secur@niet.com:Mail server report./Update-KB2953-x86.zip/Update-KB2953-x86.exe Infected: Email-Worm.Win32.Warezov.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/02 Oct 2006 18:02 from secur@niet.com:Mail server report./Update-KB2953-x86.zip Infected: Email-Worm.Win32.Warezov.gen skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 3 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\E09A2FB6d01 Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\AE5A19DCd01 Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\Derek\Derek File\Security Programs\avgas-setup-7.5.0.47.exe.part Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\log\plugin150_08.trace Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Program Files\Excite\PrvtMsgr\bin\x8Idle0.dll Infected: not-a-virus:AdWare.Win32.IWon.a skipped
C:\System Volume Information\_restore{9984A1CC-D2E5-4212-8129-06E402D0F1B8}\RP399\A0089785.DLL Infected: not-a-virus:AdWare.Win32.IWon.a skipped
C:\System Volume Information\_restore{9984A1CC-D2E5-4212-8129-06E402D0F1B8}\RP408\A0090607.dll Infected: not-a-virus:AdWare.Win32.Comet.az skipped
C:\System Volume Information\_restore{9984A1CC-D2E5-4212-8129-06E402D0F1B8}\RP409\change.log Object is locked skipped

Scan process completed.

Administrator - 06-10-05 17:43:19.90 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Administrator\My Documents\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\system32\taskmgr.com

((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))

No new files created in this timespan

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-01 19:21 -------- d-------- C:\Program Files\KeyWallet
2006-09-26 19:18 778656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-09-04 20:03 -------- d-------- C:\Program Files\SereneScreen
2006-09-03 20:16 -------- d-------- C:\Program Files\Starware316
2006-09-03 20:02 -------- d-------- C:\Program Files\Screensavers.com
2006-08-30 19:06 -------- d-------- C:\Program Files\Maxis
2006-08-30 19:02 11973 --a------ C:\WINNT\system32\drivers\secdrv.sys
2006-08-30 18:51 -------- d-------- C:\Program Files\Ubisoft
2006-08-30 18:29 -------- d-------- C:\Program Files\Ubi Soft
2006-08-21 14:21 16896 --a------ C:\WINNT\system32\fltlib.dll
2006-08-21 11:14 23040 --a------ C:\WINNT\system32\fltmc.exe
2006-08-21 11:14 128896 --------- C:\WINNT\system32\drivers\fltmgr.sys
2006-08-20 16:52 9767450 --a------ C:\WINNT\system32\besidestilllwaters.scr
2006-08-20 16:52 9264395 --a------ C:\WINNT\system32\besidestilllwaters.exe
2006-08-20 16:52 78336 --a------ C:\WINNT\pysoft_uninstaller.exe
2006-08-20 15:54 361984 --a------ C:\WINNT\system32\Wild Growth Enchantment.scr
2006-08-20 15:53 4190967 --a------ C:\WINNT\system32\WildGrowth-88791.exe
2006-08-09 19:29 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-07-27 15:24 679424 --a------ C:\WINNT\system32\inetcomm.dll
2006-07-21 10:24 72704 --a------ C:\WINNT\system32\hlink.dll
2006-07-15 10:17 1311335 --a------ C:\WINNT\system32\aquarium.scr
2006-07-07 15:38 623 --a------ C:\Documents and Settings\Administrator\Application Data\Hewlett-PackardHP Photosmart 3300 series1150397108_UI.log
2006-07-07 15:38 2125 --a------ C:\Documents and Settings\Administrator\Application Data\Hewlett-PackardHP Photosmart 3300 series1150397108_PROTOCOL.log
2006-07-07 15:38 113 --a------ C:\Documents and Settings\Administrator\Application Data\Hewlett-PackardHP Photosmart 3300 series1150397108_API.log

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe"
"WheelMouse"="C:\\WHEELM~1\\wh_exec.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
00
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"SnoopFreeUI"="SnoopFreeUI.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^SpywareGuard.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\SpywareGuard.lnk"
"backup"="C:\\WINNT\\pss\\SpywareGuard.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\SPYWAR~1\\sgmain.exe "
"item"="SpywareGuard"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINNT\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Image Zone Fast Start.lnk"
"backup"="C:\\WINNT\\pss\\HP Image Zone Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Image Zone Fast Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINNT\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinPatrol]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WinPatrol"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\WinPatrol.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"W3SVC"=dword:00000002
"TrkWks"=dword:00000002
"stisvc"=dword:00000002
"SNMP"=dword:00000002
"SMTPSVC"=dword:00000002
"seclogon"=dword:00000002
"RemoteRegistry"=dword:00000002
"PolicyAgent"=dword:00000002
"NtmsSvc"=dword:00000002
"IISADMIN"=dword:00000002
"helpsvc"=dword:00000002
"ERSvc"=dword:00000002
"BITS"=dword:00000002

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20060501-123922-871
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20060417-200036-540
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
backup-20060417-200036-864
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
backup-20060330-180245-978
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
backup-20060330-180245-758
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
backup-20060313-195003-752
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20051117-203716-659
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
backup-20051117-203716-961
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
backup-20051117-203717-418
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2C32885-7702-4D8B-8C42-8F34412DA775}: NameServer = 168.210.2.2 196.14.239.2
backup-20050629-181124-490
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
backup-20050323-063828-872
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20050321-135524-736
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Completion time: 05/10/2006 17:45:23.70
ComboFix.txt

Ried · 10-05-2006, 10:03 PM

Hiya,

Let's see if F-Secure will clean this for us:

Click here to use the F-Secure Online Scanner
It's explained there with images how to allow the ActiveX to start the scan, so read that first.

Then click the F-Secure Online Scanner Next Generation Beta link.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan finished scanning, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.

**Horse** · 10-07-2006, 09:50 AM

Try as I may I cannot get f-secure to work for me. It keeps stalling at the component download stage. Is there any other way to clean these blocked infected files?

sUBs · 10-07-2006, 10:08 AM

Quote:

Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service

Hello Horse,

Have you checked the authencity of the above email? The message looks a bit suspect & may be just a hoax.

Nevertheless, let's take a deeper look & see if we cna find any lurkers. Please do the following:

* Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck this box only - List Modules (listed under 'Running Proceses')
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

* Download gmer from http://www.gmer.net & extract the contents to desktop
Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say NO.
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked and uncheck the Registry box. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log.

* Click Gmer's Autostart tab then the scan button. Once its done click the Copy button and paste it into a new notepad document.

Kindly post the above 3 logs

**Horse** · 10-07-2006, 11:02 AM

Hi Subs

Thanks. The mail is authentic - it comes from my ISP. I will download the programs and post the logs as soon as I can.

sUBs · 10-07-2006, 06:05 PM

Horse, the email may not be authentic. Fredmh showed me this writeup from F-Secure > http://www.f-secure.com/v-descs/warezov_w.shtml

Please verify with your ISP

**Horse** · 10-08-2006, 01:40 AM

Ok, you are right, with a second approach and speaking to a different person, I have advised that your presumption is correct. I can see in the Kaspersky scan that there are three instances of this worm. I must re-iterate that I cannot get F-secure to work for me.

In the meanwhile I have posted the three logs as requested. I attached Startdreck because of its size.

GMER

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-08 09:56:02
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.11 ----

SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwDeleteKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSaveKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetValueKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSuspendThread
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwUnloadKey
SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[296]

Code \??\C:\WINNT\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINNT\system32\drivers\klif.sys IoIsOperationSynchronous

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F8AC0658] socketlock.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F8AC0658] socketlock.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F8AC0658] socketlock.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F8AC0658] socketlock.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F8AC0658] socketlock.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BE82A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F4BE82A0] vsdatant.sys

---- Threads - GMER 1.0.11 ----

Thread 4:120 82B07F48
Thread 4:124 82B57A70
Thread 4:128 82B57A70
Thread 4:316 82B07F48

---- EOF - GMER 1.0.11 ----

GMERAutoStart

GMER 1.0.11.11390 - http://www.gmer.net
Autostart 2006-10-08 09:57:18
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
klogon@DLLName = C:\WINNT\system32\klogon.dll
WgaLogon@DLLName = WgaLogon.dll
wzcnotif@DLLName = wzcdlg.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
AVP /*Kaspersky Anti-Virus 6.0*/@ = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
NVSvc /*NVIDIA Driver Helper Service*/@ = %SystemRoot%\System32\nvsvc32.exe
Pml Driver HPZ12 /*Pml Driver HPZ12*/@ = C:\WINNT\system32\HPZipm12.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINNT\system32\wdfmgr.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINNT\system32\ZONELABS\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@IgfxTrayC:\WINNT\System32\igfxtray.exe = C:\WINNT\System32\igfxtray.exe
@HotKeysCmdsC:\WINNT\System32\hkcmd.exe = C:\WINNT\System32\hkcmd.exe
@WheelMouseC:\WHEELM~1\wh_exec.exe = C:\WHEELM~1\wh_exec.exe
@NvCplDaemonRUNDLL32.EXE NvQTwk,NvCplDaemon initialize = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
@nwiznwiz.exe /install = nwiz.exe /install
@Synchronization Manager%SystemRoot%\system32\mobsync.exe /logon = %SystemRoot%\system32\mobsync.exe /logon
@CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
@HP Software UpdateC:\Program Files\HP\HP Software Update\HPWuSchd2.exe = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
@Zone Labs Client"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
@SunJavaUpdateSched"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" = "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
@WinPatrolC:\Program Files\BillP Studios\WinPatrol\winpatrol.exe /*file not found*/ = C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe /*file not found*/
@!AVG Anti-Spyware"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
@kav"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
@ /*file not found*/ = /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = C:\WINNT\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{81559C35-8464-49F7-BB0E-07A383BEF910}C:\Program Files\SpywareGuard\spywareguard.dll = C:\Program Files\SpywareGuard\spywareguard.dll
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{5a61f7a0-cde1-11cf-9113-00aa00425c62} /*IIS Shell Extension*/C:\WINNT\System32\inetsrv\w3ext.dll = C:\WINNT\System32\inetsrv\w3ext.dll
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) =
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINNT\System32\nvshell.dll = C:\WINNT\System32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINNT\System32\nvshell.dll = C:\WINNT\System32\nvshell.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL
@{AB77609F-2178-4E6F-9C4B-44AC179D937A} /*a² Context Menu Shell Extension*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINNT\System32\twext.dll = C:\WINNT\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINNT\System32\twext.dll = C:\WINNT\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINNT\System32\extmgr.dll = C:\WINNT\System32\extmgr.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{81559C35-8464-49F7-BB0E-07A383BEF910} /*SpywareGuard*/C:\Program Files\SpywareGuard\spywareguard.dll = C:\Program Files\SpywareGuard\spywareguard.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{85E0B171-04FA-11D1-B7DA-00A0C90348D6} /*Web Anti-Virus*/C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
@{4A368E80-174F-4872-96B5-0B27DDD11DB2}C:\Program Files\SpywareGuard\dlprotect.dll = C:\Program Files\SpywareGuard\dlprotect.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINNT\System32\MA2_6.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.pdf@Location = C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.fnb.co.za/

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINNT\system32\msvidctl.dll
its@CLSID = C:\WINNT\System32\itss.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINNT\System32\itss.dll
msnim@CLSID = "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINNT\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINNT\System32\wiascr.dll

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup >>>
ERUNT AutoBackup.lnk = ERUNT AutoBackup.lnk
SpywareGuard.lnk = SpywareGuard.lnk

---- EOF - GMER 1.0.11 ----

sUBs · 10-08-2006, 07:04 PM

Horse, logs look clean. I think the worm never had the chance to infect the machine. Just get rid of those infected emails that Kaspersky found.

Outlook - Personal Folders -Deleted Items
* 02 Oct 2006 18:16 to derekv@absamail.co.za:hello/body.txt.exe
* 02 Oct 2006 18:02 from secur@niet.com:Mail server report.

**Horse** · 10-08-2006, 10:15 PM

Thanks will do.

10-04-2006, 11:14 AM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 24,048 OS: WinXP and Vista	Hello Horse, We'll use the Kaspersky online scanner as it is better at detecting e-mail worms. Please perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply ------------------------------------- I'd also like you to run combofix: Download combofix from one of these locations: http://www.techsupportforum.com/sectools/combofix.exe http://download.bleepingcomputer.com/sUBs/combofix.exe Save it to your desktop Double click on combofix.exe & follow the prompts. When finished, it shall produce a log for you. Please post that log in your next reply as well. Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-05-2006, 10:18 AM	#3 (permalink)
Horse General Manager (Administrator) Join Date: Oct 2003 Location: Durban South Africa Posts: 4,214 OS: WIN XP PRO My System Blog Entries: 1	Here we go Ma'am, Combofix and Kaspersky logs as requested KASPERSKY ONLINE SCANNER REPORT Thursday, October 05, 2006 5:17:59 AM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 4/10/2006 Kaspersky Anti-Virus database records: 228861 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ Scan Statistics: Total number of scanned objects: 93893 Number of viruses found: 3 Number of infected objects: 7 / 0 Number of suspicious objects: 0 Duration of the scan process: 01:08:59 Infected Object Name / Virus Name / Last Action C:\WINNT\system32\config\system.LOG Object is locked skipped C:\WINNT\system32\config\software.LOG Object is locked skipped C:\WINNT\system32\config\default.LOG Object is locked skipped C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped C:\WINNT\system32\config\SAM.LOG Object is locked skipped C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped C:\WINNT\system32\config\SECURITY Object is locked skipped C:\WINNT\system32\config\SOFTWARE Object is locked skipped C:\WINNT\system32\config\SYSTEM Object is locked skipped C:\WINNT\system32\config\DEFAULT Object is locked skipped C:\WINNT\system32\config\SAM Object is locked skipped C:\WINNT\system32\drivers\SnopFree.sys Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINNT\system32\h323log.txt Object is locked skipped C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped C:\WINNT\Temp\ZLT00341.TMP Object is locked skipped C:\WINNT\Temp\ZLT05211.TMP Object is locked skipped C:\WINNT\Debug\PASSWD.LOG Object is locked skipped C:\WINNT\SchedLgU.Txt Object is locked skipped C:\WINNT\CSC\00000001 Object is locked skipped C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped C:\WINNT\Internet Logs\DEREKV.ldb Object is locked skipped C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped C:\WINNT\WindowsUpdate.log Object is locked skipped C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINNT\ModemLog_SoftV92 Data Fax Modem #2.txt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBE2A.tmp Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Temp\~DF2676.tmp Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/02 Oct 2006 18:16 to derekv@absamail.co.za:hello/body.txt.exe Infected: Email-Worm.Win32.Warezov.gen skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/02 Oct 2006 18:02 from secur@niet.com:Mail server report./Update-KB2953-x86.zip/Update-KB2953-x86.exe Infected: Email-Worm.Win32.Warezov.gen skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/02 Oct 2006 18:02 from secur@niet.com:Mail server report./Update-KB2953-x86.zip Infected: Email-Worm.Win32.Warezov.gen skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 3 skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\E09A2FB6d01 Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\Cache\AE5A19DCd01 Object is locked skipped C:\Documents and Settings\Administrator\My Documents\Derek\Derek File\Security Programs\avgas-setup-7.5.0.47.exe.part Object is locked skipped C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\log\plugin150_08.trace Object is locked skipped C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\history.dat Object is locked skipped C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\googlesafebrowsing.db Object is locked skipped C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\parent.lock Object is locked skipped C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\cert8.db Object is locked skipped C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\key3.db Object is locked skipped C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\26k1o0e3.default\formhistory.dat Object is locked skipped C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped C:\Program Files\Excite\PrvtMsgr\bin\x8Idle0.dll Infected: not-a-virus:AdWare.Win32.IWon.a skipped C:\System Volume Information\_restore{9984A1CC-D2E5-4212-8129-06E402D0F1B8}\RP399\A0089785.DLL Infected: not-a-virus:AdWare.Win32.IWon.a skipped C:\System Volume Information\_restore{9984A1CC-D2E5-4212-8129-06E402D0F1B8}\RP408\A0090607.dll Infected: not-a-virus:AdWare.Win32.Comet.az skipped C:\System Volume Information\_restore{9984A1CC-D2E5-4212-8129-06E402D0F1B8}\RP409\change.log Object is locked skipped Scan process completed. Administrator - 06-10-05 17:43:19.90 Service Pack 2 ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Administrator\My Documents\Desktop" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINNT\system32\taskmgr.com ((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 )))))))))))))))))))))))))))))))))) No new files created in this timespan (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2006-10-01 19:21 -------- d-------- C:\Program Files\KeyWallet 2006-09-26 19:18 778656 --a------ C:\WINNT\system32\drivers\avg7core.sys 2006-09-04 20:03 -------- d-------- C:\Program Files\SereneScreen 2006-09-03 20:16 -------- d-------- C:\Program Files\Starware316 2006-09-03 20:02 -------- d-------- C:\Program Files\Screensavers.com 2006-08-30 19:06 -------- d-------- C:\Program Files\Maxis 2006-08-30 19:02 11973 --a------ C:\WINNT\system32\drivers\secdrv.sys 2006-08-30 18:51 -------- d-------- C:\Program Files\Ubisoft 2006-08-30 18:29 -------- d-------- C:\Program Files\Ubi Soft 2006-08-21 14:21 16896 --a------ C:\WINNT\system32\fltlib.dll 2006-08-21 11:14 23040 --a------ C:\WINNT\system32\fltmc.exe 2006-08-21 11:14 128896 --------- C:\WINNT\system32\drivers\fltmgr.sys 2006-08-20 16:52 9767450 --a------ C:\WINNT\system32\besidestilllwaters.scr 2006-08-20 16:52 9264395 --a------ C:\WINNT\system32\besidestilllwaters.exe 2006-08-20 16:52 78336 --a------ C:\WINNT\pysoft_uninstaller.exe 2006-08-20 15:54 361984 --a------ C:\WINNT\system32\Wild Growth Enchantment.scr 2006-08-20 15:53 4190967 --a------ C:\WINNT\system32\WildGrowth-88791.exe 2006-08-09 19:29 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys 2006-07-27 15:24 679424 --a------ C:\WINNT\system32\inetcomm.dll 2006-07-21 10:24 72704 --a------ C:\WINNT\system32\hlink.dll 2006-07-15 10:17 1311335 --a------ C:\WINNT\system32\aquarium.scr 2006-07-07 15:38 623 --a------ C:\Documents and Settings\Administrator\Application Data\Hewlett-PackardHP Photosmart 3300 series1150397108_UI.log 2006-07-07 15:38 2125 --a------ C:\Documents and Settings\Administrator\Application Data\Hewlett-PackardHP Photosmart 3300 series1150397108_PROTOCOL.log 2006-07-07 15:38 113 --a------ C:\Documents and Settings\Administrator\Application Data\Hewlett-PackardHP Photosmart 3300 series1150397108_API.log (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SoundMan"="SOUNDMAN.EXE" "IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe" "HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe" "WheelMouse"="C:\\WHEELM~1\\wh_exec.exe" "NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" "nwiz"="nwiz.exe /install" "Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\ 73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\ 00 "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd" "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\ 65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00 "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP" "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe" "SnoopFreeUI"="SnoopFreeUI.exe" "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\"" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\"" "WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] "Installed"="1" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000005 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\ ff,ff,04,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\ 00,00,01,00,00,00 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\System32\\NVMCTRAY.DLL,NvTaskbarInit" "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce] "^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop" "tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\ 33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvMediaCenter"="RUNDLL32.EXE C:\\WINNT\\System32\\NVMCTRAY.DLL,NvTaskbarInit" "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce] "^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop" "tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\ 33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 "CDRAutoRun"=dword:00000000 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^SpywareGuard.lnk] "path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\SpywareGuard.lnk" "backup"="C:\\WINNT\\pss\\SpywareGuard.lnkStartup" "location"="Startup" "command"="C:\\PROGRA~1\\SPYWAR~1\\sgmain.exe " "item"="SpywareGuard" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk" "backup"="C:\\WINNT\\pss\\HP Digital Imaging Monitor.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe " "item"="HP Digital Imaging Monitor" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Image Zone Fast Start.lnk" "backup"="C:\\WINNT\\pss\\HP Image Zone Fast Start.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s" "item"="HP Image Zone Fast Start" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Adobe Photo Downloader] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="apdproxy" "hkey"="HKLM" "command"="\"C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\apdproxy.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HP Software Update] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="HPWuSchd2" "hkey"="HKLM" "command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\WINNT\\system32\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WinPatrol] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="WinPatrol" "hkey"="HKLM" "command"="\"C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\WinPatrol.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services] "W3SVC"=dword:00000002 "TrkWks"=dword:00000002 "stisvc"=dword:00000002 "SNMP"=dword:00000002 "SMTPSVC"=dword:00000002 "seclogon"=dword:00000002 "RemoteRegistry"=dword:00000002 "PolicyAgent"=dword:00000002 "NtmsSvc"=dword:00000002 "IISADMIN"=dword:00000002 "helpsvc"=dword:00000002 "ERSvc"=dword:00000002 "BITS"=dword:00000002 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ backup-20060501-123922-871 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k backup-20060417-200036-540 O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe backup-20060417-200036-864 O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe backup-20060330-180245-978 O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe backup-20060330-180245-758 O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe backup-20060313-195003-752 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k backup-20051117-203716-659 O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab backup-20051117-203716-961 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab backup-20051117-203717-418 O17 - HKLM\System\CCS\Services\Tcpip\..\{B2C32885-7702-4D8B-8C42-8F34412DA775}: NameServer = 168.210.2.2 196.14.239.2 backup-20050629-181124-490 O1 - Hosts: 64.91.255.87 www.dcsresearch.com backup-20050323-063828-872 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = backup-20050321-135524-736 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime Completion time: 05/10/2006 17:45:23.70 ComboFix.txt __________________ Please Read Before You Post A Log Hijack This v2.02 :: Adaware :: Spybot Search & Destroy :: SpywareBlaster To Donate Please Click Here PROUD MEMBER OF ASAP SINCE NOVEMBER 2004

10-05-2006, 10:03 PM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 24,048 OS: WinXP and Vista	Hiya, Let's see if F-Secure will clean this for us: Click here to use the F-Secure Online Scanner It's explained there with images how to allow the ActiveX to start the scan, so read that first. Then click the F-Secure Online Scanner Next Generation Beta link. Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan. Click the Full System Scan button. It will start to download scanner components and databases. This can take a while. The main scan will start. Once the scan finished scanning, click the Automatic cleaning (recommended) button It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure. The cleaning can take a while, so please be patient. Then click the Show report button and copy and paste what's present under results in your next reply. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

10-07-2006, 09:50 AM	#5 (permalink)
Horse General Manager (Administrator) Join Date: Oct 2003 Location: Durban South Africa Posts: 4,214 OS: WIN XP PRO My System Blog Entries: 1	Try as I may I cannot get f-secure to work for me. It keeps stalling at the component download stage. Is there any other way to clean these blocked infected files? __________________ Please Read Before You Post A Log Hijack This v2.02 :: Adaware :: Spybot Search & Destroy :: SpywareBlaster To Donate Please Click Here PROUD MEMBER OF ASAP SINCE NOVEMBER 2004

10-07-2006, 11:02 AM	#7 (permalink)
Horse General Manager (Administrator) Join Date: Oct 2003 Location: Durban South Africa Posts: 4,214 OS: WIN XP PRO My System Blog Entries: 1	Hi Subs Thanks. The mail is authentic - it comes from my ISP. I will download the programs and post the logs as soon as I can. __________________ Please Read Before You Post A Log Hijack This v2.02 :: Adaware :: Spybot Search & Destroy :: SpywareBlaster To Donate Please Click Here PROUD MEMBER OF ASAP SINCE NOVEMBER 2004

10-07-2006, 06:05 PM	#8 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,265 OS: N/A	Horse, the email may not be authentic. Fredmh showed me this writeup from F-Secure > http://www.f-secure.com/v-descs/warezov_w.shtml Please verify with your ISP __________________

10-08-2006, 01:40 AM	#9 (permalink)
Horse General Manager (Administrator) Join Date: Oct 2003 Location: Durban South Africa Posts: 4,214 OS: WIN XP PRO My System Blog Entries: 1	Ok, you are right, with a second approach and speaking to a different person, I have advised that your presumption is correct. I can see in the Kaspersky scan that there are three instances of this worm. I must re-iterate that I cannot get F-secure to work for me. In the meanwhile I have posted the three logs as requested. I attached Startdreck because of its size. GMER GMER 1.0.11.11390 - http://www.gmer.net Rootkit 2006-10-08 09:56:02 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.11 ---- SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwClose SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwCreateKey SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwCreateSymbolicLinkObject SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwCreateThread SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwDeleteKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwDeleteValueKey SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwEnumerateKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwEnumerateValueKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwFlushKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwInitializeRegistry SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwLoadKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwLoadKey2 SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwNotifyChangeKey SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwOpenKey SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwOpenSection SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwQueryKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwQueryMultipleValueKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwQuerySystemInformation SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwQueryValueKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwReplaceKey SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwRestoreKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwResumeThread SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSaveKey SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetContextThread SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetInformationFile SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetInformationKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetInformationProcess SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetSecurityObject SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSetValueKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwSuspendThread SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwUnloadKey SSDT \??\C:\WINNT\system32\drivers\klif.sys ZwWriteVirtualMemory SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[284] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[285] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[286] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[287] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[288] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[289] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[290] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[291] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[292] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[293] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[294] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[295] SSDT \??\C:\WINNT\system32\drivers\klif.sys SSDT[296] Code \??\C:\WINNT\system32\drivers\klif.sys FsRtlCheckLockForReadAccess Code \??\C:\WINNT\system32\drivers\klif.sys IoIsOperationSynchronous ---- Devices - GMER 1.0.11 ---- Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F8AC0658] socketlock.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F8AC0658] socketlock.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F8AC0658] socketlock.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F8AC0658] socketlock.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F8AC0658] socketlock.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F4BE82A0] vsdatant.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F4BE82A0] vsdatant.sys ---- Threads - GMER 1.0.11 ---- Thread 4:120 82B07F48 Thread 4:124 82B57A70 Thread 4:128 82B57A70 Thread 4:316 82B07F48 ---- EOF - GMER 1.0.11 ---- GMERAutoStart GMER 1.0.11.11390 - http://www.gmer.net Autostart 2006-10-08 09:57:18 Windows 5.1.2600 Service Pack 2 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe, HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>> igfxcui@DLLName = igfxsrvc.dll klogon@DLLName = C:\WINNT\system32\klogon.dll WgaLogon@DLLName = WgaLogon.dll wzcnotif@DLLName = wzcdlg.dll HKLM\SYSTEM\CurrentControlSet\Services\ >>> AVG Anti-Spyware Guard /AVG Anti-Spyware Guard/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe Avg7Alrt /AVG7 Alert Manager Server/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe Avg7UpdSvc /AVG7 Update Service/@ = C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe AVP /Kaspersky Anti-Virus 6.0/@ = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r Fax /Fax/@ = %systemroot%\system32\fxssvc.exe MDM /Machine Debug Manager/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" NVSvc /NVIDIA Driver Helper Service/@ = %SystemRoot%\System32\nvsvc32.exe Pml Driver HPZ12 /Pml Driver HPZ12/@ = C:\WINNT\system32\HPZipm12.exe ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys Spooler /Print Spooler/@ = %SystemRoot%\system32\spoolsv.exe UMWdf /Windows User Mode Driver Framework/@ = C:\WINNT\system32\wdfmgr.exe vsmon /TrueVector Internet Monitor/@ = C:\WINNT\system32\ZONELABS\vsmon.exe -service HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>> @SoundManSOUNDMAN.EXE = SOUNDMAN.EXE @IgfxTrayC:\WINNT\System32\igfxtray.exe = C:\WINNT\System32\igfxtray.exe @HotKeysCmdsC:\WINNT\System32\hkcmd.exe = C:\WINNT\System32\hkcmd.exe @WheelMouseC:\WHEELM~1\wh_exec.exe = C:\WHEELM~1\wh_exec.exe @NvCplDaemonRUNDLL32.EXE NvQTwk,NvCplDaemon initialize = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize @nwiznwiz.exe /install = nwiz.exe /install @Synchronization Manager%SystemRoot%\system32\mobsync.exe /logon = %SystemRoot%\system32\mobsync.exe /logon @CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd @KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k @AVG7_CCC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP @HP Software UpdateC:\Program Files\HP\HP Software Update\HPWuSchd2.exe = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe @Zone Labs Client"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" @SunJavaUpdateSched"C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" = "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" @WinPatrolC:\Program Files\BillP Studios\WinPatrol\winpatrol.exe /file not found/ = C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe /file not found/ @!AVG Anti-Spyware"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized @kav"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" @ /file not found/ = /file not found/ HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = C:\WINNT\system32\ctfmon.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>> @{81559C35-8464-49F7-BB0E-07A383BEF910}C:\Program Files\SpywareGuard\spywareguard.dll = C:\Program Files\SpywareGuard\spywareguard.dll @{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>> @{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /Web Folders/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL @{42042206-2D85-11D3-8CFF-005004838597} /Microsoft Office HTML Icon Handler/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll @{5a61f7a0-cde1-11cf-9113-00aa00425c62} /IIS Shell Extension/C:\WINNT\System32\inetsrv\w3ext.dll = C:\WINNT\System32\inetsrv\w3ext.dll @{42071714-76d4-11d1-8b24-00a0c9068ff3} /Display Panning CPL Extension/(null) = @{1CDB2949-8F65-4355-8456-263E7C208A5D} /Desktop Explorer/C:\WINNT\System32\nvshell.dll = C:\WINNT\System32\nvshell.dll @{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /Desktop Explorer Menu/C:\WINNT\System32\nvshell.dll = C:\WINNT\System32\nvshell.dll @{32683183-48a0-441b-a342-7c2a440a9478} /Media Band/(null) = @{00020D75-0000-0000-C000-000000000046} /Microsoft Office Outlook Desktop Icon Handler/C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL @{0006F045-0000-0000-C000-000000000046} /Microsoft Office Outlook Custom Icon Handler/C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL @{AB77609F-2178-4E6F-9C4B-44AC179D937A} /a² Context Menu Shell Extension/(null) = @{596AB062-B4D2-4215-9F74-E9109B0A8153} /Previous Versions Property Page/C:\WINNT\System32\twext.dll = C:\WINNT\System32\twext.dll @{9DB7A13C-F208-4981-8353-73CC61AE2783} /Previous Versions/C:\WINNT\System32\twext.dll = C:\WINNT\System32\twext.dll @{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /Extensions Manager Folder/C:\WINNT\System32\extmgr.dll = C:\WINNT\System32\extmgr.dll @{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /Autoplay for SlideShow/(null) = @{81559C35-8464-49F7-BB0E-07A383BEF910} /SpywareGuard/C:\Program Files\SpywareGuard\spywareguard.dll = C:\Program Files\SpywareGuard\spywareguard.dll @{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /AVG7 Shell Extension/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll @{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /AVG7 Find Extension/C:\Program Files\Grisoft\AVG Free\avgse.dll = C:\Program Files\Grisoft\AVG Free\avgse.dll @{E0D79304-84BE-11CE-9641-444553540000} /WinZip/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL @{E0D79305-84BE-11CE-9641-444553540000} /WinZip/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL @{E0D79306-84BE-11CE-9641-444553540000} /WinZip/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL @{E0D79307-84BE-11CE-9641-444553540000} /WinZip/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL @{85E0B171-04FA-11D1-B7DA-00A0C90348D6} /Web Anti-Virus/C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /Web Folders/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL HKLM\Software\Classes\\shellex\ContextMenuHandlers\ >>> AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>> AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>> AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>> @{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll @{4A368E80-174F-4872-96B5-0B27DDD11DB2}C:\Program Files\SpywareGuard\dlprotect.dll = C:\Program Files\SpywareGuard\dlprotect.dll @{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINNT\System32\MA2_6.scr HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.pdf@Location = C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll HKLM\Software\Microsoft\Internet Explorer\Main >>> @Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome @Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home @Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.fnb.co.za/ HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL HKLM\Software\Classes\PROTOCOLS\Handler\ >>> dvd@CLSID = C:\WINNT\system32\msvidctl.dll its@CLSID = C:\WINNT\System32\itss.dll mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll ms-its@CLSID = C:\WINNT\System32\itss.dll msnim@CLSID = "C:\PROGRA~1\MSNMES~1\msgrapp.dll" mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL tv@CLSID = C:\WINNT\system32\msvidctl.dll HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINNT\System32\wiascr.dll C:\Documents and Settings\Administrator\Start Menu\Programs\Startup >>> ERUNT AutoBackup.lnk = ERUNT AutoBackup.lnk SpywareGuard.lnk = SpywareGuard.lnk ---- EOF - GMER 1.0.11 ---- __________________ Please Read Before You Post A Log* Hijack This v2.02 :: Adaware :: Spybot Search & Destroy :: SpywareBlaster To Donate Please Click Here PROUD MEMBER OF ASAP SINCE NOVEMBER 2004 Last edited by Horse; 05-12-2009 at 12:17 PM.

10-08-2006, 07:04 PM	#10 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 23,265 OS: N/A	Horse, logs look clean. I think the worm never had the chance to infect the machine. Just get rid of those infected emails that Kaspersky found. Outlook - Personal Folders -Deleted Items * 02 Oct 2006 18:16 to derekv@absamail.co.za:hello/body.txt.exe * 02 Oct 2006 18:02 from secur@niet.com:Mail server report. __________________

10-08-2006, 10:15 PM	#11 (permalink)
Horse General Manager (Administrator) Join Date: Oct 2003 Location: Durban South Africa Posts: 4,214 OS: WIN XP PRO My System Blog Entries: 1	Thanks will do. __________________ Please Read Before You Post A Log Hijack This v2.02 :: Adaware :: Spybot Search & Destroy :: SpywareBlaster To Donate Please Click Here PROUD MEMBER OF ASAP SINCE NOVEMBER 2004