#1 - 03-30-2007, 11:42 AM - jessesmom (Registered User; Join Date: Mar 2007; Posts: 22; OS: xp)

Exploit-ObscuredHtml in C:\WINDOWS\Installer

My security software keeps finding this Malware and I quarantine it. I would like to get rid of it! Windows installer seems to start by itself and then I get the message from my security software. I have been unable to download Microsoft Office updates. Please help.
#2 - 03-30-2007, 11:49 AM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,977; OS: WinXP and Vista)

Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

Hello jessesmom and welcome to TSF,

Please follow the instructions in this thread and post the requested logs in your next reply:

(Updated!) IMPORTANT - Read This Before Posting A Log

One of the Security Analysts will review your logs as soon as possible.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#3 - 03-30-2007, 04:21 PM - jessesmom (Registered User; OS: xp)

Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

I have tried the steps in your message. I did remove two programs from my computer. I was unable to install the other programs to run them. The Windows Installer window comes up and then my security software finds the trojan horse. Nothing else can be installed.
#4 - 03-30-2007, 06:17 PM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; OS: WinXP and Vista)

Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

Then please just skip to this portion:

Download Deckard's System Scanner (DSS) to your Desktop.

**This tool does not install--it is a stand alone tool.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread in the HijackThis Log Help Forum.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:

main.txt
an attached extra.txt
#5 - 03-31-2007, 09:14 AM - jessesmom (Registered User; OS: xp)

Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

I have attached the file as requested and here are the results of the Deckard System Scanner:

Deckard's System Scanner v20070328.36
Run by Marleah on 2007-03-31 at 09:01:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
82: 2007-03-31 15:02:05 UTC - RP505 - Deckard's System Scanner Restore Point
81: 2007-03-30 20:15:37 UTC - RP504 - Software Distribution Service 2.0
80: 2007-03-30 19:32:36 UTC - RP503 - Installed Ad-Aware SE Personal
79: 2007-03-30 19:29:45 UTC - RP502 - Installed Ad-Aware SE Personal
78: 2007-03-30 16:39:52 UTC - RP501 - System Checkpoint


-- First Restore Point --
1: 2007-01-01 00:01:36 UTC - RP424 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Marleah.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:04:56 AM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Tanagra\Memeo\MemeoService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\rapimgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Tanagra\Memeo\MemeoBackup.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Pluck Corporation\Pluck\PluckSvr.exe
C:\Program Files\Weather Add-in for MSN Search Toolbar\WeatherDataClient.exe
C:\Documents and Settings\Marleah\Local Settings\Temporary Internet Files\Content.IE5\SJS76HM9\dss[1].exe
C:\PROGRA~1\HIJACK~1\Marleah.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.time.gov/timezone.cgi?Mountain/d/-7/java
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pluck Helper - {09AF76DD-6988-4664-97D0-362F1011E311} - C:\Program Files\Pluck Corporation\Pluck\PluckExplorerBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\system32\InetCntrl\PopupKil\BsafeBHO.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Bsecure Popup Blocker - {E0019445-4C1F-414D-A70E-AD80F231C584} - C:\WINDOWS\system32\InetCntrl\PopupKil\BsafeBHO.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [mmtask] "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [InetCntrl] C:\WINDOWS\system32\InetCntrl\InetCntrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype2.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - HKCU\..\Run: [PC SpeedScan Pro] C:\Program Files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe -m
O4 - Startup: Memeo Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Pluck - {053017A8-53F7-4EA3-AA38-A4CCAAF1F9E7} - C:\Program Files\Pluck Corporation\Pluck\PluckExplorerBar.dll
O9 - Extra 'Tools' menuitem: Pluck - {053017A8-53F7-4EA3-AA38-A4CCAAF1F9E7} - C:\Program Files\Pluck Corporation\Pluck\PluckExplorerBar.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'inetcntrl0007.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Cu...ataManager.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1157689831062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://toolbox.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B3461B1-DCC6-4427-845F-AEB83D8A11E5}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: pluck - {A5DD5FEC-8239-4A12-B791-4B6067F85CCC} - C:\Program Files\Pluck Corporation\Pluck\PluckExplorerBar.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Memeo (BMUService) - Tanagra, Inc. - C:\Program Files\Tanagra\Memeo\MemeoService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 bsofrwl - c:\windows\system32\drivers\bsofrwl.sys
R1 eabfiltr - c:\windows\system32\drivers\eabfiltr.sys
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys
R3 BCM43XX (Broadcom 802.11 Network Adapter Driver) - c:\windows\system32\drivers\bcmwl5.sys
R3 btwhid - c:\windows\system32\drivers\btwhid.sys
R3 CAMCAUD (Conexant AMC Audio) - c:\windows\system32\drivers\camc6aud.sys
R3 CAMCHALA - c:\windows\system32\drivers\camc6hal.sys
R3 HSF_DPV - c:\windows\system32\drivers\hsf_dpv.sys
R3 HSFHWATI - c:\windows\system32\drivers\hsfhwati.sys
R3 MxlW2k - c:\windows\system32\drivers\mxlw2k.sys
R3 sdbus - c:\windows\system32\drivers\sdbus.sys
R3 tifm21 - c:\windows\system32\drivers\tifm21.sys
R3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys

S3 eabusb - c:\windows\system32\drivers\eabusb.sys
S3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys
S3 PNDIS5 (PNDIS5 NDIS Protocol Driver) - d:\pndis5.sys (file missing)
S3 Rasirda (WAN Miniport (IrDA)) - c:\windows\system32\drivers\rasirda.sys
S3 SMCIRDA (SMC IrCC Miniport Device Driver) - c:\windows\system32\drivers\smcirda.sys
S3 SMNDIS5 (SMNDIS5 NDIS Protocol Driver) - c:\program files\verizon wireless\vzaccess manager\smndis5.sys
S3 usb_rndisx (USB RNDIS Adapter) - c:\windows\system32\drivers\usb8023x.sys
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BMUService (Memeo) - "c:\program files\tanagra\memeo\memeoservice.exe"
R3 hpqwmi (HP WMI Interface) - c:\program files\hpq\shared\hpqwmi.exe

S3 usnsvc (Messenger Sharing USN Journal Reader service) - c:\windows\system32\svchost.exe -k usnsvc


-- Scheduled Tasks -------------------------------------------------------------

2007-03-30 12:42:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


-- Files created between 2007-02-28 and 2007-03-31 -----------------------------

2007-03-30 13:36:18 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-03-30 13:28:14 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-29 10:55:37 0 d-------- C:\Documents and Settings\Marleah\Application Data\Ascentive<ASCENT~1>
2007-03-29 10:39:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Ascentive<ASCENT~1>
2007-03-29 09:48:59 89360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2007-03-29 09:48:57 143360 --a------ C:\WINDOWS\system32\ConTest.dll
2007-03-29 09:48:57 36864 --a------ C:\WINDOWS\system32\ascbalon.dll
2007-03-29 09:48:29 0 d-------- C:\Program Files\Ascentive<ASCENT~1>
2007-03-16 14:18:54 0 d-------- C:\Program Files\iTunes
2007-03-14 18:24:21 38160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2007-03-14 18:24:07 182032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2007-03-14 18:23:52 63488 --a------ C:\WINDOWS\system32\unam4ie.exe
2007-03-14 18:23:44 10240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-03-14 18:23:43 194320 --a------ C:\WINDOWS\system32\qcut.dll
2007-03-14 18:23:34 4608 --a------ C:\WINDOWS\system32\w95inf32.dll
2007-03-14 18:23:34 2272 --a------ C:\WINDOWS\system32\w95inf16.dll
2007-03-14 18:22:46 0 d-------- C:\TELL ME MORE NV<TELLME~1>
2007-03-08 07:12:52 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-03-08 07:09:03 0 d-------- C:\Program Files\Apple Software Update<APPLES~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-31 09:00:51 0 d-------- C:\Documents and Settings\Marleah\Application Data\Skype
2007-03-30 12:08:02 0 d-------- C:\Program Files\MyWebSearch<MYWEBS~1>
2007-03-30 11:56:27 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-03-29 09:48:50 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-16 14:20:11 0 d-------- C:\Program Files\iPod
2007-03-07 14:42:11 38485 --a------ C:\Documents and Settings\Marleah\Application Data\Microsoft Excel.ADR<MICROS~1.ADR>
2007-03-07 14:19:07 10651 --a------ C:\Documents and Settings\Marleah\Application Data\Microsoft Excel.CAL<MICROS~1.CAL>
2007-03-07 13:30:46 0 d-------- C:\Program Files\MSECache
2007-03-03 17:02:02 0 d-------- C:\Documents and Settings\Marleah\Application Data\Real
2007-02-17 18:12:56 0 d---s---- C:\Documents and Settings\Marleah\Application Data\Microsoft<MICROS~1>
2007-02-17 18:03:53 2508 --a------ C:\Documents and Settings\Marleah\Application Data\$_hpcst$.hpc
2007-02-17 17:43:39 0 d-------- C:\Documents and Settings\Marleah\Application Data\Smith Micro<SMITHM~1>
2007-02-17 17:37:21 0 d-------- C:\Program Files\Verizon Wireless<VERIZO~1>
2007-02-17 17:32:55 0 d-------- C:\Program Files\Common Files\Motorola Shared<MOTORO~1>
2007-02-12 21:43:24 0 d-------- C:\Program Files\Organize Quick and Easy<ORGANI~1>
2007-02-12 21:43:23 0 d-------- C:\Program Files\OfficeUpdate11<OFFICE~1>
2007-02-12 21:43:10 0 d-------- C:\Program Files\HPQ
2007-02-12 21:43:08 0 d-------- C:\Program Files\Hewlett-Packard<HEWLET~1>
2007-02-12 21:43:04 0 d-------- C:\Program Files\Common Files\AOL
2007-02-10 09:33:18 0 d-------- C:\Program Files\Skype
2007-02-10 09:33:14 0 d-------- C:\Program Files\Common Files\Skype
2007-02-06 19:25:36 0 d-------- C:\Program Files\Google
2007-02-06 19:21:10 164 --a------ C:\install.dat
2007-02-03 08:30:08 0 d-------- C:\Program Files\Picasa2
2007-01-24 18:38:36 151552 --a------ C:\WINDOWS\system32\InetCntrl0007.dll<INETCN~2.DLL>
2007-01-21 00:21:46 10214 --a------ C:\Documents and Settings\Marleah\Application Data\Comma Separated Values (Windows).CAL<COMMAS~1.CAL>
2007-01-16 14:49:14 64 --a------ C:\Documents and Settings\Marleah\Application Data\dm.ini


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"LDM"="\"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe\""
"DW4"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype2.exe\" /nosplash /minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"H/PC Connection Agent"="\"C:\\wcescomm.exe\""
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"Performance Center"="C:\\Program Files\\Ascentive\\Performance Center\\APCMain.exe -m"
"PC SpeedScan Pro"="C:\\Program Files\\Ascentive\\PC SpeedScan Pro\\PCSpeedScan.exe -m"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"hpWirelessAssistant"="\"C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe\""
"SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\""
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"HP Software Update"="\"C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe\""
"eabconfg.cpl"="\"C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe\" /Start"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"Logitech Utility"="Logi_MwX.Exe"
"mmtask"="\"c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe\""
"Microsoft Works Update Detection"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"ISUSPM Startup"="\"C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KernelFaultCheck"="C:\\WINDOWS\\system32\\dumprep 0 -k"
"InetCntrl"="C:\\WINDOWS\\system32\\InetCntrl\\InetCntrl.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9a682285-1fa1-11da-b4d3-0010c68bf244}]
Shell\AutoRun\command E:\setupSNK.exe


-- End of Deckard's System Scanner: finished at 2007-03-31 at 09:05:32 ---------
Attached file: extra.txt (15.1 KB)
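The log above is what the analyst reads by hand: which autostart and service binaries sit in odd places, which entries point at files that no longer exist, and whether the Winsock LSP chain is intact. As an added example that is not part of the thread, of Deckard's System Scanner or of HijackThis, the Python below applies a few of those same heuristics to the "O" lines of a HijackThis log. It flags autostart (O4) and service (O23) binaries outside the Program Files and Windows trees (the `"C:\wcescomm.exe"` Run entry above is one), bare filenames that are resolved through the search path, any entry HijackThis itself marked "(file missing)", and an O10 line reporting a missing LSP DLL. The trusted-root list, the 8.3 short-name expansion and the sample lines (a subset copied from the posted log) are assumptions of the example; a flag means "look closer", not "malicious".

```python
"""HijackThis 'O' line triage: added example, not code from the thread, DSS or HijackThis."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: binaries under these roots get no "unusual location" flag.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")
# Best-effort expansion of the 8.3 short names HijackThis prints (assumption).
SHORT_NAMES = {"c:\\progra~1\\": "c:\\program files\\"}

# A drive-qualified path ending in an executable-ish extension, optionally quoted.
# (Non-greedy: a directory name that itself ends in ".com" would cut the match short.)
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|pif|bat|cmd))\b', re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    name: str      # Run value / service name, or "" when not applicable
    target: str    # executable (or whole line) the flag is about
    reason: str


def classify_command(cmd: str) -> tuple[str, str | None]:
    """Return (executable, reason-or-None) for an O4/O23 command string."""
    m = PATH_RE.search(cmd)
    if m:
        path = m.group("path")
        low = path.lower()
        for short, full in SHORT_NAMES.items():
            low = low.replace(short, full)
        if not low.startswith(TRUSTED_ROOTS):
            return path, "executable outside the Program Files / Windows trees"
        return path, None
    # No drive-qualified path with a known extension: look at the first token.
    token = cmd.strip('"').split()[0]
    if not re.match(r"^[A-Za-z]:\\", token):
        return token, "bare filename, resolved through the search path at logon"
    return token, None


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not re.match(r"^O\d+ - ", line):
            continue
        section = line.split(" ", 1)[0]
        if "(file missing)" in line:
            findings.append(Finding(section, "", line,
                "HijackThis reports the target file missing (stale or tampered entry)"))
            continue
        if section == "O10":
            findings.append(Finding(section, "", line,
                "Winsock LSP chain references a missing DLL; networking stays broken until the chain is repaired"))
            continue
        m = O4_RE.match(line) or O23_RE.match(line)
        if m:
            target, reason = classify_command(m.group("cmd"))
            if reason:
                findings.append(Finding(section, m.group("name"), target, reason))
    return findings


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\wcescomm.exe"
O4 - HKCU\..\Run: [PC SpeedScan Pro] C:\Program Files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe -m
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Broken Internet access because of LSP provider 'inetcntrl0007.dll' missing
O23 - Service: Memeo (BMUService) - Tanagra, Inc. - C:\Program Files\Tanagra\Memeo\MemeoService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.name or '-':24} {f.target}\n     -> {f.reason}")
```

Run against the sample it reports four items: the `C:\wcescomm.exe` Run entry (root of the drive), `Logi_MwX.Exe` (no path at all), the O9 button whose target is missing, and the O10 LSP line; the ATI, InstallShield, Ascentive and Memeo entries pass the location check. The location heuristic is deliberately crude: vendor software does sometimes install outside Program Files, which is why the output is a review list for the analyst rather than a verdict.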
#6 - 03-31-2007, 10:52 PM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; OS: WinXP and Vista)

Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

Quote:
My security software keeps finding this Malware and I quarantine it.
I'm not seeing anything. C:\Windows\installer is a legit folder. What program of yours is detecting this and does it give you any more info than just that folder?
#7 - 04-01-2007, 02:35 PM - jessesmom (Registered User; OS: xp)

Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

My security software is BSAFE. I get the installer when starting or restarting my computer. I can also get it at what seems to be random times. I've given you all the information I get. I have searched files for that name and it cannot be found.

If I try to install a program, BSAFE warns me and I select quarantine. Then, nothing is installed.

I am also occasionally getting messages something like: "Due to a rare network event, you will have to run in unprotected mode. Select disable to continue or you will be shut down." I never select disable and I am never shut down.

I also have a file which runs occasionally called wuaudt.exe. It takes up all resources and cannot be found on a search either. I don't know if it is related.

I read somewhere to delete files in the JAVA cache which I have done. It has not helped. I understand that this is a very old trojan horse.

That's about all I know. Thanks.
#8 - 04-02-2007, 11:18 AM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; OS: WinXP and Vista)

Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

Quote:
I also have a file which runs occasionally called wuaudt.exe. It takes up all resources and cannot be found on a search either.
wuaudt.exe is the process that handles the automatic updates feature of Windows. If BSafe keeps finding malware in your C:\Windows\Installer folder and quarantining the folder, you won't be able to install anything.

I must say that I'm a bit skeptical about your BSafe. I'd like you to run an online scan and see if anything turns up. If BSafe alerts you again to the Installer folder--have it ignore that.

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Please post those results here.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 04-02-2007, 12:04 PM   #9 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 22
OS: xp


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

I cannot download Active Scan. This is the error message:
Error on downloading ActiveScan
An error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try again.
Possible causes of this error are:
Not allowing the application's ActiveX control to be downloaded.
Problems with the Internet connection.
The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.
____________________________________________________________
Also, as I started my system today, I realized that a file name is given. This file name changes every time. Today I got C:\Windows\Installer\MSI2B6.tmp and also MSI2B7.tmp. According to McAfee (which BSAFE is associated with):

Virus Profile: Exploit-ObscuredHtml
Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 3/3/2005
Date Added: 2/2/2005
Origin: Unknown
Length: Varies
Type: Trojan
SubType: Exploit
DAT Required: 4425
Virus Characteristics
Microsoft Internet Explorer ignores certain non-ascii characters, allowing an attacker to obfuscate malicious code and still have it rendered by IE.
This detection covers HTML documents that have been crafted with the intention of evading antivirus detection. Other documents that mix HTML with non-ascii characters could also trigger this detection.
Indications of Infection
N/A This is a generic detection covering any number of different attacks.
Method of Infection
This exploit exists as code in an HTML document, web page, or email message.
Removal Instructions
Submit a copy of the detected file to AVERT for further instructions.
_________________________________________________________________
I do not know how to get a copy of the detected file. I have no directory C:\Windows\Installer. I do a search for the file name and it is not found.
jessesmom is offline  
Old 04-02-2007, 08:44 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,977
OS: WinXP and Vista


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

Unhide system files and folders and you should be able to see the C:\Windows\Installer folder:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Let's see if Kaspersky online scan will work for you:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
Ried is offline  
Old 04-03-2007, 01:14 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 22
OS: xp


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

Sorry it took so long to get back to you. I ran the Kaspersky extended scan twice and I ended up with a desktop with no icons...totally locked up. Then I ran it twice without checking extended. The first time it found 1 virus and 2 infected objects before it locked up my computer. The second time it found 2 more infected objects. I was unable to view these reports because I had to turn off my computer! Finally, I decided to run until the virus was found and then stop the scan. When I did that, I was able to generate a report. I will attach the report. Thanks.

I hope the attachment worked. I got an error message, but have been getting them on your website consistently.
jessesmom is offline  
Old 04-03-2007, 05:11 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,977
OS: WinXP and Vista


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

The report is not attached. Can you just copy/paste the report in your reply? We prefer that anyway unless otherwise directed.
Ried is offline  
Old 04-04-2007, 06:34 AM   #13 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 22
OS: xp


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

I was finally able to get an expanded report! The results are the same as the standard report. I have copied and pasted it below. Thanks


KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 04, 2007 6:24:58 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/04/2007
Kaspersky Anti-Virus database records: 290635

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 70246
Number of viruses found 1
Number of infected objects 4 / 0
Number of suspicious objects 0
Duration of the scan process 05:22:44

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Marleah\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Marleah\Application Data\Sun\Java\Deployment\log\plugin150_10.trace Object is locked skipped
C:\Documents and Settings\Marleah\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Marleah\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Marleah\Local Settings\Application Data\Microsoft\MSN\db\trelease2-msn-com.1021/[From aw-confirm@ebay.com][Date Sun, 1 May 2005 21:49:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Marleah\Local Settings\Application Data\Microsoft\MSN\db\trelease2-msn-com.1021 Mail: infected - 1 skipped
C:\Documents and Settings\Marleah\Local Settings\Application Data\Microsoft\MSN\db30\trelease2-msn-com.1021/[From aw-confirm@ebay.com][Date Sun, 1 May 2005 21:49:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Marleah\Local Settings\Application Data\Microsoft\MSN\db30\trelease2-msn-com.1021 Mail: infected - 1 skipped
C:\Documents and Settings\Marleah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Marleah\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Marleah\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marleah\Local Settings\History\History.IE5\MSHist012007040320070404\index.dat Object is locked skipped
C:\Documents and Settings\Marleah\Local Settings\Temp\hsperfdata_Marleah\4008 Object is locked skipped
C:\Documents and Settings\Marleah\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Marleah\Local Settings\Temp\~DF3C7D.tmp Object is locked skipped
C:\Documents and Settings\Marleah\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Marleah\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Marleah\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Hp\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\chandir.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\chandir.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\chn.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\chn.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\inuse.txt Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\L0000004.FCS Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\main.log Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\prs.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\prs.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\prs_die.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\prs_die.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\storydb.dat Object is locked skipped
C:\Program Files\Logitech\Desktop Messenger\8876480\Users\Marleah\Data\storydb.idx Object is locked skipped
C:\Program Files\Tanagra\Memeo\MemeoService.exe.log-2007-4-4.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\InetCntrl\applog.txt Object is locked skipped
C:\WINDOWS\system32\InetCntrl\AV\bsafsavi.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
jessesmom is offline  
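Picking the two real hits out of a report that is mostly "Object is locked skipped" lines is easy to get wrong by eye. As an added example that is not from the thread or from Kaspersky, this Python parser reads the report format posted above and separates genuine detections (with the sender recorded in the mail item's path) from locked-file noise; its input is a trimmed excerpt of that report.

```python
"""Added example, not from the thread or from Kaspersky: a parser for the
Kaspersky Online Scanner report format posted above, separating genuine
detections from the 'Object is locked skipped' noise that fills most of it."""
import re
from dataclasses import dataclass, field

LOCKED_RE = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected: (?P<name>\S+)\s+skipped$")
MAIL_RE = re.compile(r"^(?P<path>.+?)\s+Mail: infected - (?P<count>\d+)\s+skipped$")
SENDER_RE = re.compile(r"\[From (?P<sender>[^\]]+)\]")   # mail items carry the sender in the path
STAT_RE = re.compile(r"^Number of (?P<what>viruses found|infected objects|suspicious objects)\s+(?P<n>\d+)")


@dataclass
class Report:
    viruses_found: int = 0
    infected_objects: int = 0
    infected: list = field(default_factory=list)         # (path, virus name, sender or None)
    mail_containers: list = field(default_factory=list)  # (container path, hit count)
    locked: list = field(default_factory=list)           # paths the scanner could not open
    unparsed: list = field(default_factory=list)         # table lines we did not recognise


def parse_report(text: str) -> Report:
    rep = Report()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STAT_RE.match(line)
        if m:
            n = int(m.group("n"))
            if m.group("what") == "viruses found":
                rep.viruses_found = n
            elif m.group("what") == "infected objects":
                rep.infected_objects = n
            continue
        if line.startswith("Infected Object Name"):
            in_table = True            # header of the per-object table
            continue
        if line == "Scan process completed.":
            in_table = False
            continue
        if not in_table:
            continue
        if m := INFECTED_RE.match(line):
            s = SENDER_RE.search(m.group("path"))
            rep.infected.append((m.group("path"), m.group("name"), s.group("sender") if s else None))
        elif m := MAIL_RE.match(line):
            rep.mail_containers.append((m.group("path"), int(m.group("count"))))
        elif m := LOCKED_RE.match(line):
            rep.locked.append(m.group("path"))
        else:
            rep.unparsed.append(line)
    return rep


# Trimmed excerpt of the report posted above, used as the sample input.
SAMPLE_REPORT = r"""
Scan Statistics
Number of viruses found 1
Number of infected objects 4 / 0
Number of suspicious objects 0
Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Marleah\Local Settings\Application Data\Microsoft\MSN\db\trelease2-msn-com.1021/[From aw-confirm@ebay.com][Date Sun, 1 May 2005 21:49:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Marleah\Local Settings\Application Data\Microsoft\MSN\db\trelease2-msn-com.1021 Mail: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""
```

`parse_report(SAMPLE_REPORT).infected` yields the one mail item, its detection name and the sender address, which is exactly the list the next post tells the user to delete.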
Old 04-04-2007, 06:43 AM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,977
OS: WinXP and Vista


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

These e-mails are likely the cause. They need to be deleted.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following


C:\Documents and Settings\Marleah\Local Settings\Application Data\Microsoft\MSN\db\trelease2-msn-com.1021/[From aw-confirm@ebay.com][Date Sun, 1 May 2005 21:49:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped

C:\Documents and Settings\Marleah\Local Settings\Application Data\Microsoft\MSN\db30\trelease2-msn-com.1021/[From aw-confirm@ebay.com][Date Sun, 1 May 2005 21:49:36 -0700]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
Ried is offline  
Old 04-05-2007, 08:26 AM   #15 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 22
OS: xp


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

I did what you told me to do and I am virus free! All problems seem to be fixed now. Thank you for sticking with me. I have sent a check to Jason!
jessesmom is offline  
Old 04-05-2007, 12:33 PM   #16 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 22
OS: xp


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

WHOOPS! IT'S BACK!!!!!!!!!!!

When trying to install the automatic updates from Microsoft, I got 4 messages re Exploit-ObscuredHtml in C:\WINDOWS\Installer\ms???.tmp

There was a difference this time because the programs did successfully install. This is the first time I have been able to install the updates.

What should I do now? Thanks
jessesmom is offline  
Old 04-05-2007, 02:09 PM   #17 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 22
OS: xp


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

MORE INFO: These are the automatic updates that I have been trying to install. I said that they had installed correctly, but I had them in my update balloon again, so I must have misread the screen.

Security Update for Office 2003 (KB920813)
Update for Excel 2003 (KB929058)
Security Update for Word 2003 (KB929057)
Update for Outlook 2003 Junk Email Filter (KB931764)
Update for Office 2003 (KB925251)
Update for PowerPoint 2003 (KB929060)
Security Update for Office 2003 (KB929064)

All Failed installation due to Exploit-ObscuredHTML in C:\WINDOWS\installer\ file name

File names were:

MSI13.tmp
MSI12.tmp
MSI11.tmp
MSI10.tmp
MSIE.tmp
MSID.tmp

So far, the windows installer hasn't popped up in any other applications.

Thanks!

Last edited by jessesmom; 04-05-2007 at 02:15 PM.
jessesmom is offline  
Old 04-05-2007, 06:04 PM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,977
OS: WinXP and Vista


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

Time for another online scanner:

Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply
Ried is offline  
Old 04-06-2007, 06:03 AM   #19 (permalink)
Registered User
 
Join Date: Mar 2007
Posts: 22
OS: xp


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

I ran BitDefender. It did not find any problems. Here is the report:
BitDefender Online Scanner - Real Time Virus Report

Generated at: Fri, Apr 06, 2007 - 05:59:00

--------------------------------------------------------------------------------

Scan Info
Scanned Files 658164
Infected Files 0

Virus Detected
No virus found.
jessesmom is offline  
Old 04-06-2007, 06:48 PM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,977
OS: WinXP and Vista


Re: Exploit-ObscuredHtml in C:\WINDOWS\Installer

Let's try Kaspersky again. Run another scan there and post the results here.
Ried is offline  
Copyright 2001 - 2009, Tech Support Forum