Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
10-08-2007, 08:38 PM   #1
ahjin, Registered User
Join Date: Oct 2007
Posts: 366
OS: xp

How to remove Email-Worm.Win32.Rays

As requested in the previous post (How to remove Email-Worm.Win32.Rays), I have created a new post here.

The Panda ActiveScan report:

Incident Status Location

Adware:adware/webhancer Not disinfected c:\program files\webHancer
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
Virus:W32/Wukill.A.worm Disinfected C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\2007.exe
Hacktool:Exploit/ActiveXComp Not disinfected C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\comment.htt
Virus:W32/Wukill.A.worm Disinfected C:\Documents and Settings\Administrator\Desktop\SA50\Auction\comment.htt
Hacktool:Exploit/ActiveXComp Not disinfected C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction Letters\comment.htt
Hacktool:Exploit/ActXComp Not disinfected C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3\comment.htt
Hacktool:Exploit/ActiveXComp Not disinfected C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3A\comment.htt
Virus:Trj/Starter.A Disinfected C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction_file\comment.htt
Hacktool:Exploit/ActiveXComp Not disinfected C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\comment.htt
Hacktool:Exploit/ActiveXComp Not disinfected C:\Documents and Settings\Administrator\Desktop\SA50\comment.htt
Potentially unwanted tool:Application/Leaktest.A Not disinfected C:\Documents and Settings\betsy\Desktop\backup\Sa50\Library\FREEWARES\AntiVirus & Internet Securities\leaktest.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@ad.yieldmanager[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@ads.pointroll[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@atwola[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@bs.serving-sys[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@doubleclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@go[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@questionmarket[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@serving-sys[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@statse.webtrendslive[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@target[2].txt
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\WTWY\Local Settings\Temporary Internet Files\Content.IE5\T7EQWWB7\whCC-TRAFE7[1].exe

Main.txt:

Deckard's System Scanner v20070905.67
Run by Administrator on 2007-10-09 10:27:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
66: 2007-10-09 02:28:00 UTC - RP343 - Deckard's System Scanner Restore Point
65: 2007-10-08 03:57:21 UTC - RP342 - Installed AVG 7.5
64: 2007-10-08 03:56:35 UTC - RP341 - Removed AVG 7.5
63: 2007-10-08 03:33:37 UTC - RP340 - System Checkpoint
62: 2007-10-04 09:40:09 UTC - RP339 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-07-11 02:56:58 UTC - RP278 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:28:43 AM, on 10/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\RealPopup\RealPopup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ALLUSE~1\DOCUME~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/defa...=my&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/defa...=my&l=en&s=gen
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKLM\..\Run: [cavUPSDBMaker] "C:\Program Files\Comodo\Comodo AntiVirus\UPSDBMaker.exe"
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00431EC9-BD2A-4007-A137-30C5EFA8F171}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{00431EC9-BD2A-4007-A137-30C5EFA8F171}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O23 - Service: Abyss Web Server (AbyssWebServer) - Unknown owner - C:\Program Files\Abyss Web Server\abyssws.exe (file missing)
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Cavasm - c:\windows\system32\drivers\cavasm.sys <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Comodo Anti-Virus and Anti-Spyware Service - "c:\program files\comodo\common\cavaspy\cavasm.exe" <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
R2 MySQL - "c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql (file missing)

S2 AbyssWebServer (Abyss Web Server) - c:\program files\abyss web server\abyssws.exe --service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-09-09 and 2007-10-09 -----------------------------

2007-10-09 08:46:03 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-09 08:46:01 0 d-------- C:\WINDOWS\LastGood
2007-10-09 08:00:49 0 d-------- C:\Documents and Settings\WTWY\Application Data\Comodo AntiVirus
2007-10-08 11:59:29 73728 --a------ C:\WINDOWS\system32\CavEmLSP.dll <Not Verified; COMODO; Comodo AntiVirus.>
2007-10-08 11:59:23 102400 --a------ C:\WINDOWS\system32\drivers\cavasm.sys <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
2007-10-08 11:59:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-10-08 11:59:19 216576 --a------ C:\WINDOWS\system32\monln.dll <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
2007-10-08 11:59:12 0 d-------- C:\Program Files\Comodo
2007-10-08 11:57:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-05 10:01:11 0 d-------- C:\WINDOWS\system32\NtmsData
2007-10-05 08:17:39 0 d-------- C:\Documents and Settings\WTWY\Application Data\Grisoft
2007-10-04 15:35:39 0 d-------- C:\ERDNT
2007-10-03 09:19:11 0 d-------- C:\Documents and Settings\temp\Application Data\Yahoo!
2007-10-03 09:19:10 0 d-------- C:\Documents and Settings\temp\Application Data\Google
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\Templates
2007-10-03 09:18:20 0 dr------- C:\Documents and Settings\temp\Start Menu
2007-10-03 09:18:20 0 dr-h----- C:\Documents and Settings\temp\SendTo
2007-10-03 09:18:20 0 dr-h----- C:\Documents and Settings\temp\Recent
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\PrintHood
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\NetHood
2007-10-03 09:18:20 0 dr------- C:\Documents and Settings\temp\My Documents
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\Local Settings
2007-10-03 09:18:20 0 dr------- C:\Documents and Settings\temp\Favorites
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Desktop
2007-10-03 09:18:20 0 d---s---- C:\Documents and Settings\temp\Cookies
2007-10-03 09:18:20 0 dr-h----- C:\Documents and Settings\temp\Application Data
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Application Data\Sun
2007-10-03 09:18:20 0 d---s---- C:\Documents and Settings\temp\Application Data\Microsoft
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Application Data\Identities
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Application Data\Gtek
2007-10-03 09:18:19 618496 --a------ C:\Documents and Settings\temp\NTUSER.DAT
2007-10-02 13:44:21 0 d-------- C:\Documents and Settings\wongis\Application Data\Yahoo!
2007-10-02 13:44:20 0 d-------- C:\Documents and Settings\wongis\Application Data\Google
2007-10-02 13:43:27 0 d-------- C:\Documents and Settings\wongis\Application Data\Identities
2007-10-02 13:43:27 0 d--h----- C:\Documents and Settings\wongis\Application Data\Gtek
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\Templates
2007-10-02 13:43:26 0 dr------- C:\Documents and Settings\wongis\Start Menu
2007-10-02 13:43:26 0 dr-h----- C:\Documents and Settings\wongis\SendTo
2007-10-02 13:43:26 0 dr-h----- C:\Documents and Settings\wongis\Recent
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\PrintHood
2007-10-02 13:43:26 663552 --a------ C:\Documents and Settings\wongis\NTUSER.DAT
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\NetHood
2007-10-02 13:43:26 0 dr------- C:\Documents and Settings\wongis\My Documents
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\Local Settings
2007-10-02 13:43:26 0 dr------- C:\Documents and Settings\wongis\Favorites
2007-10-02 13:43:26 0 d-------- C:\Documents and Settings\wongis\Desktop
2007-10-02 13:43:26 0 d---s---- C:\Documents and Settings\wongis\Cookies
2007-10-02 13:43:26 0 dr-h----- C:\Documents and Settings\wongis\Application Data
2007-10-02 13:43:26 0 d-------- C:\Documents and Settings\wongis\Application Data\Sun
2007-10-02 13:43:26 0 d---s---- C:\Documents and Settings\wongis\Application Data\Microsoft
2007-10-02 08:32:10 0 d-------- C:\WINDOWS\system32\appmgmt
2007-10-01 08:48:34 0 d-------- C:\Program Files\webHancer
2007-10-01 08:48:20 0 d-------- C:\Program Files\Adssite Advanced Toolbar
2007-10-01 08:48:20 0 d-------- C:\Documents and Settings\WTWY\Application Data\Adssite Advanced Toolbar
2007-10-01 08:41:03 0 d-------- C:\Documents and Settings\WTWY\Shared
2007-10-01 08:41:00 0 d-------- C:\Documents and Settings\WTWY\Incomplete
2007-10-01 08:39:46 0 d-------- C:\Documents and Settings\WTWY\Application Data\LimeWire
2007-09-27 09:05:21 0 d-------- C:\Documents and Settings\WTWY\Application Data\PC Tools
2007-09-26 14:53:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\RealPopup
2007-09-26 14:53:05 0 d-------- C:\Program Files\RealPopup
2007-09-26 14:27:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-26 14:13:50 0 d-------- C:\Program Files\Startup Optimizer
2007-09-26 14:13:33 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-26 14:12:44 119568 --a------ C:\WINDOWS\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2007-09-26 14:12:44 0 d-------- C:\Program Files\ZNsoft Corporation
2007-09-26 13:59:45 0 d---s---- C:\Documents and Settings\Administrator\UserData
2007-09-26 11:30:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-09-26 11:30:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2007-09-26 10:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2007-09-26 10:50:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-09-10 09:33:59 0 d-------- C:\Program Files\PNA


-- Find3M Report ---------------------------------------------------------------

2007-10-09 10:09:29 0 d-------- C:\Program Files\Messenger
2007-10-04 11:57:47 0 d-------- C:\Program Files\Google
2007-10-01 08:37:08 0 d-------- C:\Program Files\Java
2007-09-26 14:31:06 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [10/08/2007 11:59 AM]
"cavUPSDBMaker"="C:\Program Files\Comodo\Comodo AntiVirus\UPSDBMaker.exe" [10/08/2007 11:59 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPopup"="C:\Program Files\RealPopup\RealPopup.exe" [02/24/2005 12:50 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/14/2004 12:24 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
monln.dll 10/08/2007 11:59 AM 216576 C:\WINDOWS\system32\monln.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printer Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printer Monitor.lnk
backup=C:\WINDOWS\pss\Printer Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^WTWY^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=C:\Documents and Settings\WTWY\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe




-- End of Deckard's System Scanner: finished at 2007-10-09 10:29:25 ------------
Attached file: extra.txt (7.4 KB)

Last edited by ahjin; 10-08-2007 at 08:49 PM.

10-10-2007, 09:50 PM   #2
ahjin, Registered User
Join Date: Oct 2007
Posts: 366
OS: xp

Re: How to remove Email-Worm.Win32.Rays

Bound
10-10-2007, 10:25 PM   #3
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,000
OS: WinXP and Vista

Re: How to remove Email-Worm.Win32.Rays

Hello ahjin,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Close any open browsers.

--------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

Adssite Advanced Toolbar
webHancer


**Is the Add or Remove programs panel even populating a list?

--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Files and Folders

c:\program files\ webHancer
C:\Program Files\ Adssite Advanced Toolbar
C:\Documents and Settings\WTWY\Application Data\ Adssite Advanced Toolbar
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\ comment.htt
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction Letters\ comment.htt
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3\ comment.htt
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3A\ comment.htt
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\ comment.htt
C:\Documents and Settings\Administrator\Desktop\SA50\ comment.htt

--------------------------------------------------------------------

Reboot your system.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Please post the results of the Kaspersky scan, along with an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
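Added example, not part of the thread and not a tool used by either poster: a small Python triage helper for scan output like the Panda ActiveScan report in post #1. It parses the `Category:Name Status Path` lines, groups findings by folder to surface the pattern visible throughout that report (a `comment.htt` sitting next to an `.exe` named after its own folder), and lists which `Not disinfected` items are neither tracking cookies nor on the removal list in the reply above. The sample report lines are copied from post #1, the removal list from the reply above (including the space the forum inserted after the last backslash, which the normalizer strips); the function names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: a few lines copied verbatim from the Panda ActiveScan report in post #1.
PANDA_REPORT = r"""
Adware:adware/webhancer Not disinfected c:\program files\webHancer
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
Virus:W32/Wukill.A.worm Disinfected C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\2007.exe
Hacktool:Exploit/ActiveXComp Not disinfected C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\comment.htt
Virus:W32/Wukill.A.worm Disinfected C:\Documents and Settings\Administrator\Desktop\SA50\Auction\comment.htt
Hacktool:Exploit/ActiveXComp Not disinfected C:\Documents and Settings\Administrator\Desktop\SA50\comment.htt
Potentially unwanted tool:Application/Leaktest.A Not disinfected C:\Documents and Settings\betsy\Desktop\backup\Sa50\Library\FREEWARES\AntiVirus & Internet Securities\leaktest.exe
"""

# Part of the removal list from the reply above, as pasted in the thread
# (the forum software inserted a space after the last backslash of each path).
REMOVAL_LIST = r"""
c:\program files\ webHancer
C:\Program Files\ Adssite Advanced Toolbar
C:\Documents and Settings\WTWY\Application Data\ Adssite Advanced Toolbar
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\ comment.htt
C:\Documents and Settings\Administrator\Desktop\SA50\ comment.htt
"""

# One Panda line: "<category>:<detection name> <status> <path>"; fields are separated by single spaces.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) (?P<status>Not disinfected|Disinfected) (?P<path>.+)$"
)


@dataclass(frozen=True)
class Finding:
    category: str   # e.g. "Virus", "Spyware", "Hacktool"
    name: str       # detection name, e.g. "W32/Wukill.A.worm"
    status: str     # "Disinfected" or "Not disinfected"
    path: str       # normalized Windows path (lower-cased, stray spaces removed)


def normalize_path(path: str) -> str:
    """Drop forum-inserted whitespace after backslashes; lower-case because NTFS paths are case-insensitive."""
    return re.sub(r"\\\s+", r"\\", path.strip()).lower()


def parse_panda(report: str) -> list[Finding]:
    findings = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            findings.append(Finding(m["category"], m["name"], m["status"], normalize_path(m["path"])))
    return findings


def by_directory(findings: list[Finding]) -> dict[str, set[str]]:
    """Map each directory to the set of flagged file names inside it."""
    dirs: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        p = PureWindowsPath(f.path)
        dirs[str(p.parent)].add(p.name)
    return dirs


def folder_named_exe_pairs(findings: list[Finding]) -> list[str]:
    """Directories holding both comment.htt and an .exe named after the directory itself,
    the pairing that repeats through the scan results in this thread."""
    hits = []
    for d, names in by_directory(findings).items():
        if "comment.htt" in names and f"{PureWindowsPath(d).name}.exe" in names:
            hits.append(d)
    return sorted(hits)


def not_covered(findings: list[Finding], removal_list: str) -> list[str]:
    """'Not disinfected' paths that are neither tracking cookies nor already on the removal list."""
    planned = {normalize_path(line) for line in removal_list.splitlines() if line.strip()}
    return sorted(
        f.path for f in findings
        if f.status == "Not disinfected"
        and not f.name.lower().startswith("cookie/")
        and f.path not in planned
    )


if __name__ == "__main__":
    found = parse_panda(PANDA_REPORT)
    print("folders with <folder>.exe + comment.htt:", folder_named_exe_pairs(found))
    print("flagged but not on the removal list:", not_covered(found, REMOVAL_LIST))
```

On the sample above the helper reports the `Leave Roster\2007` folder as a `<folder>.exe` + `comment.htt` pair and lists only `leaktest.exe` as flagged-but-unlisted; cookies are left out because they are not on the removal list either and are usually handled by clearing the browser cache.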
10-11-2007, 09:01 PM   #4
ahjin, Registered User
Join Date: Oct 2007
Posts: 366
OS: xp

Re: How to remove Email-Worm.Win32.Rays

Hi Ried,
Sorry for the late reply; there was a blackout yesterday while I was scanning.
I had to start a new scan this morning.

This is the report from the scan:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 12, 2007 10:58:54 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/10/2007
Kaspersky Anti-Virus database records: 431168
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 178489
Number of viruses found: 6
Number of infected objects: 150
Number of suspicious objects: 0
Duration of the scan process: 02:05:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Admin.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\2007.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\Leave Taken 2007.xls Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\New Microsoft Excel Worksheet.xls Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\Leave Roster.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\Auction.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction Letters\Auction Letters.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction Letters\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3A\Auction3A.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3A\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\may.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Database\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Database\Database.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\JOB REGISTER 2005.xls Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\Thian\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\Thian\Thian.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\WTWY Data.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Database\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Database\Database.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Database\Memo.doc Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Database\~WRL0002.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\EstateAgency.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\00Tender Progress\Sale by tender Progress final.xls Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0256\0256.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0256\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\0264(2)\0264(2).exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\0264(2)\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\0264.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0287\0287.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0287\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\0292(6)\0292(6).exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\0292(6)\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\0292.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\0327(3)\0327(3).exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\0327(3)\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\0327.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0345\0345.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0345\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(3)\0354(3).exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(3)\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(4)\0354(4).exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(4)\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\03544\03544.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\03544\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0397\0397.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0397\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0398\0398.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0398\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0399\0399.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0399\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0400\0400.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0400\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0401\0401.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0401\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\0402.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder\New Folder.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder (2)\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder (2)\New Folder (2).exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\Sale by Tender.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Library\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\dc400\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\dc400\dc400.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\free soft.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\Library\Library.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\sa50.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007101120071012\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFD2B6.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Comodo\Comodo AntiVirus\TroubleShootLog\cavasm.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Comodo\Comodo AntiVirus\TroubleShootLog\monln.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\WTWY\Local Settings\Temp\Temporary Directory 1 for make up call (uncensored).zip\setup.exe/data0006/stream/data0004 Infected: not-a-virus:AdWare.Win32.BHO.ha skipped
C:\Documents and Settings\WTWY\Local Settings\Temp\Temporary Directory 1 for make up call (uncensored).zip\setup.exe/data0006/stream Infected: not-a-virus:AdWare.Win32.BHO.ha skipped
C:\Documents and Settings\WTWY\Local Settings\Temp\Temporary Directory 1 for make up call (uncensored).zip\setup.exe/data0006 Infected: not-a-virus:AdWare.Win32.BHO.ha skipped
C:\Documents and Settings\WTWY\Local Settings\Temp\Temporary Directory 1 for make up call (uncensored).zip\setup.exe NSIS: infected - 3 skipped
C:\Documents and Settings\WTWY\Local Settings\Temporary Internet Files\Content.IE5\T7EQWWB7\whCC-TRAFE7[1].exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\WTWY\Local Settings\Temporary Internet Files\Content.IE5\T7EQWWB7\whCC-TRAFE7[1].exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\WTWY\Local Settings\Temporary Internet Files\Content.IE5\T7EQWWB7\whCC-TRAFE7[1].exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\WTWY\Local Settings\Temporary Internet Files\Content.IE5\T7EQWWB7\whCC-TRAFE7[1].exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\WTWY\Local Settings\Temporary Internet Files\Content.IE5\T7EQWWB7\whCC-TRAFE7[1].exe RarSFX: infected - 4 skipped
C:\Documents and Settings\WTWY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\WTWY\ntuser.dat.LOG Object is locked skipped
C:\Inetpub\wwwroot\db\desktop.ini Object is locked skipped
C:\Inetpub\wwwroot\db\_vti_pvt\botinfs.cnf Object is locked skipped
C:\Inetpub\wwwroot\db\_vti_pvt\bots.cnf Object is locked skipped
C:\Inetpub\wwwroot\db\_vti_pvt\deptodoc.btr Object is locked skipped
C:\Inetpub\wwwroot\db\_vti_pvt\doctodep.btr Object is locked skipped
C:\Inetpub\wwwroot\db\_vti_pvt\fpdbw.ico Object is locked skipped
C:\Inetpub\wwwroot\db\_vti_pvt\linkinfo.btr Object is locked skipped
C:\Inetpub\wwwroot\db\_vti_pvt\service.cnf Object is locked skipped
C:\Inetpub\wwwroot\db\_vti_pvt\service.lck Object is locked skipped
C:\Inetpub\wwwroot\db\_vti_pvt\services.cnf Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ibdata1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile0 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\ib_logfile1 Object is locked skipped
C:\Program Files\MySQL\MySQL Server 5.0\data\SA60.err Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068350.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068351.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068362.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068369.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068389.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068390.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068391.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068392.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068393.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068394.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068398.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068400.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068401.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP334\A0068404.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP334\A0068409.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP334\A0068431.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP334\A0068432.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP334\A0068451.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP334\A0068453.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP334\A0068454.exe Infected: not-a-virus:PSWTool.Win32.MailPassView.130 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP334\A0068457.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP335\A0068459.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP335\A0068472.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP335\A0068489.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP335\A0068498.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP335\A0068502.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP335\A0068504.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP335\A0068505.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP335\A0068528.dll Infected: not-a-virus:AdWare.Win32.BHO.ha skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0068620.dll Infected: not-a-virus:AdWare.Win32.Agent.ma skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0068626.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0068629.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP337\A0068630.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP338\A0070636.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP338\A0070869.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP338\A0070870.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0070915.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0070916.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0070917.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0070943.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0070944.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0070945.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0070950.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0071952.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0071957.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0071958.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0071959.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP339\A0071960.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP340\A0071961.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP340\A0071962.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP340\A0071963.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP342\A0072118.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP342\A0072122.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP342\A0072124.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP342\A0072125.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP342\A0072126.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP342\A0072127.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP345\A0073283.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP345\A0073284.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP345\A0073285.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP345\A0073286.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP345\A0074299.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP346\A0074334.exe Infected: Email-Worm.Win32.Rays skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP346\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{E6140F25-E48A-4F15-B58C-5DEBD0F446C9}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\Logfiles\W3SVC1\ex071012.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ib10 Object is locked skipped
C:\WINDOWS\Temp\ib11 Object is locked skipped
C:\WINDOWS\Temp\ib7 Object is locked skipped
C:\WINDOWS\Temp\ib8 Object is locked skipped
C:\WINDOWS\Temp\ib9 Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
-- ahjin
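To make a report like the one above easier to act on, here is an added example (not from this thread or from any scanner vendor) that parses lines in that report format and flags the folders carrying the worm's footprint, a folder-named .exe next to a comment.htt, while separating out locked files and System Restore copies. The sample lines are constructed to match the report's format; the "Sale by Tender.exe" line is deliberately given without its comment.htt so the pairing rule has a negative case.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# One line of the scanner report looks like one of:
#   <path> Infected: <verdict> skipped
#   <path> Object is locked skipped
#   <path> <container>: infected - <n> skipped     (e.g. "NSIS: infected - 3")
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<verdict>\S+)|Object is locked|(?P<container>\S+): infected - \d+) "
    r"skipped$"
)

# Constructed sample in the report's format (not a real scan of any machine).
SAMPLE_LOG = r"""
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\EstateAgency.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0256\0256.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0256\comment.htt Infected: Trojan.VBS.Starter.a skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\Sale by Tender.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\00Tender Progress\Sale by tender Progress final.xls Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP333\A0068362.exe Infected: Email-Worm.Win32.Rays skipped
C:\Documents and Settings\WTWY\Local Settings\Temp\Temporary Directory 1 for make up call (uncensored).zip\setup.exe NSIS: infected - 3 skipped
Scan process completed.
"""


def parse_log(text):
    """Turn report lines into dicts (path, verdict, status); lines in any other shape are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        verdict = m["verdict"] or m["container"]
        entries.append({
            "path": PureWindowsPath(m["path"]),
            "verdict": verdict,
            "status": "infected" if verdict else "locked",
        })
    return entries


def is_restore_point_copy(path):
    """True for System Restore snapshots: these are removed by purging restore points, not by hand."""
    return "System Volume Information" in path.parts


def find_dropper_folders(entries):
    """Folders holding both '<folder>.exe' and 'comment.htt' flagged as infected.

    That pairing is the worm's footprint in the report: the folder-named .exe is the
    worm copy and comment.htt is the VBS starter dropped beside it. The user's own
    documents are not the flagged files, which is what matters for deciding what to delete.
    """
    names_by_folder = defaultdict(set)
    for e in entries:
        if e["status"] == "infected" and not is_restore_point_copy(e["path"]):
            names_by_folder[e["path"].parent].add(e["path"].name.lower())
    return sorted(
        str(folder)
        for folder, names in names_by_folder.items()
        if f"{folder.name.lower()}.exe" in names and "comment.htt" in names
    )


def triage(text):
    """Summarise a report: locked files, restore-point copies, live infections,
    the folders carrying the dropper pair, and a count per verdict."""
    entries = parse_log(text)
    infected = [e for e in entries if e["status"] == "infected"]
    return {
        "locked": sum(1 for e in entries if e["status"] == "locked"),
        "restore_point_copies": sum(1 for e in infected if is_restore_point_copy(e["path"])),
        "live_infected": sum(1 for e in infected if not is_restore_point_copy(e["path"])),
        "dropper_folders": find_dropper_folders(entries),
        "verdicts": dict(Counter(e["verdict"] for e in infected)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the full report instead of SAMPLE_LOG and the dropper_folders list is the set of folders whose .exe and comment.htt need removing, while the documents themselves stay untouched.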
Old 10-11-2007, 09:45 PM #5
Registered User
Join Date: Oct 2007
Posts: 366
OS: xp

Re: How to remove Email-Worm.Win32.Rays

More and more files are infected...
-- ahjin
Old 10-12-2007, 08:27 AM #6
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 27,000
OS: WinXP and Vista

Re: How to remove Email-Worm.Win32.Rays

Hello ahjin,

Please take a look at the folders I highlighted in blue. This is where the infection is, each of those entries listed below. Did you download these yourself? They need to be deleted.

Quote:
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Admin.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\2007.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\Leave Roster.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\Auction.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction Letters\Auction Letters.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction Letters\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3A\Auction3A.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3A\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\may.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Database\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Database\Database.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\Thian\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\Thian\Thian.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\WTWY Data.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Database\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Database\Database.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\EstateAgency.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0256\0256.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0256\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\0264(2)\0264(2).exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\0264(2)\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\0264.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0287\0287.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0287\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\0292(6)\0292(6).exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\0292(6)\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\0292.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\0327(3)\0327(3).exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\0327(3)\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\0327.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0345\0345.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0345\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(3)\0354(3).exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(3)\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(4)\0354(4).exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(4)\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\03544\03544.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\03544\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0397\0397.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0397\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0398\0398.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0398\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0399\0399.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0399\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0400\0400.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0400\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0401\0401.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0401\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\0402.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder\New Folder.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder (2)\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder (2)\New Folder (2).exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\Sale by Tender.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\Library\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\dc400\comment.htt ------>Trojan.VBS.Starter.a
C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\dc400\dc400.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\free soft.exe ------>Email-Worm.Win32.Rays
C:\Documents and Settings\Administrator\Desktop\SA50\Library\Library.exe ------>Email-Worm.Win32.Rays
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
-- Ried

10-12-2007, 11:38 AM   #7
ahjin (Registered User; Join Date: Oct 2007; Posts: 366; OS: xp)

Re: How to remove Email-Worm.Win32.Rays

Hi Ried,
Those are the data of my company.
They are the data which we use, create and refer to daily. That information is so substantial and important that it cannot be deleted.
Is there any way to completely heal it?

Regards,
Ahjin

10-12-2007, 11:42 AM   #8
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 27,000; OS: WinXP and Vista)

Re: How to remove Email-Worm.Win32.Rays

That's what I suspected.

How long have those folders been on the system? Where did you acquire them from?

What exactly is this .exe file?

C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Admin.exe

10-13-2007, 06:46 AM   #9
ahjin (Registered User; Join Date: Oct 2007; Posts: 366; OS: xp)

Re: How to remove Email-Worm.Win32.Rays

Those files have been infected by the virus for more than 2 years!
They were left infected by the person previously responsible.
We do have backups, but unfortunately they are infected by the worm too.
The .exe files are created by the worm every time we open a document or folder. For example, if I open a folder or file at C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007, it will auto-generate C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\2007.exe and C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\comment.htt in the corresponding folder.
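A detection-only check for the pattern ahjin describes above (an executable named after its own folder sitting next to comment.htt), written as an added example that is not part of this thread or of any antivirus vendor's tool; the SA50 layout it scans is a constructed sample built in a temporary directory, and every path in it is an assumption.

```python
"""Detection-only triage for the folder-propagation pattern described in the
thread: <folder>\<folder>.exe plus comment.htt appearing in every folder that
gets opened. Added example, not code from the thread or from any AV vendor.
It reports; it deletes nothing."""
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List, Tuple

DROPPER_HTT = "comment.htt"


@dataclass
class Finding:
    folder: str        # folder in which the artefact(s) were found
    folder_exe: bool   # <folder>\<folder>.exe is present
    comment_htt: bool  # <folder>\comment.htt is present

    @property
    def confidence(self) -> str:
        # Both artefacts together is exactly the pairing seen in the scan logs.
        return "high" if (self.folder_exe and self.comment_htt) else "medium"


def scan_tree(root: str) -> List[Finding]:
    """Walk `root` and return one Finding per folder showing either artefact."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        # NTFS names are case-insensitive; the logs show both 0110.EXE and 0110.exe.
        names = {f.lower() for f in files}
        folder = os.path.basename(dirpath).lower()
        has_exe = bool(folder) and f"{folder}.exe" in names
        has_htt = DROPPER_HTT in names
        if has_exe or has_htt:
            findings.append(Finding(dirpath, has_exe, has_htt))
    return sorted(findings, key=lambda f: f.folder)


def build_sample_tree(base: str) -> str:
    """Create a constructed (fake) SA50 tree under `base` and return its path.

    File contents are placeholders; only the names matter for this check."""
    root = Path(base) / "SA50"
    layout = {
        # full pairing, as in the thread: 2007\2007.exe next to comment.htt
        "Admin/Staff Matters/Leave Roster/2007": ["2007.exe", DROPPER_HTT, "roster.xls"],
        # comment.htt left behind on its own
        "Library": [DROPPER_HTT, "index.doc"],
        # folder-named exe with an upper-case extension, no comment.htt
        "EstateAgency/0110": ["0110.EXE"],
        # clean folder, must produce no finding
        "Valuation": ["plan.pdf"],
    }
    for rel, files in layout.items():
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        for name in files:
            (d / name).write_bytes(b"placeholder")
    return str(root)


def demo() -> List[Tuple[str, bool, bool, str]]:
    """Build the sample tree in a temp dir, scan it, return portable results."""
    base = tempfile.mkdtemp()
    try:
        root = build_sample_tree(base)
        out = []
        for f in scan_tree(root):
            rel = Path(os.path.relpath(f.folder, root)).as_posix()
            out.append((rel, f.folder_exe, f.comment_htt, f.confidence))
        return out
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for rel, exe, htt, conf in demo():
        print(f"[{conf:6}] {rel}: folder_exe={exe} comment_htt={htt}")
```

Point `scan_tree` at a real share root to list the folders a cleaner should look at before anything is deleted.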

10-13-2007, 08:01 AM   #10
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 27,000; OS: WinXP and Vista)

Re: How to remove Email-Worm.Win32.Rays

Obviously Comodo's AV cannot handle this infection.

I'd like you to download Kaspersky free trial from here: http://www.kaspersky.com/trials?chapter=146481750

Do not install it yet! First, uninstall Comodo AV.

Now proceed with the installation of Kaspersky Free Trial:
  • Select Complete Installation.
  • Select Activate 30 Day Trial.
  • Select Auto under "Update Mode" and click Update Now.
  • When the Update is complete click "Close" then "Next".
  • On the next screen click "Next".
  • Click "Next" again to bypass the Password screen.
  • Select Basic Protection and click "Next".
  • Then click Finish to Restart your computer.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Open Kaspersky:
  • On the left side click Scan.
  • Then click My Computer.
  • Click the box next to System Restore to remove the check.
  • Then on the Right Side click Scan.
  • When the scan is complete right click and select Select All.
  • Then click the Actions button and select Disinfect.
  • If this option is not available select Neutralize.

Please post the report here.

10-13-2007, 08:31 AM   #11
ahjin (Registered User; Join Date: Oct 2007; Posts: 366; OS: xp)

Re: How to remove Email-Worm.Win32.Rays

Hi Ried,
I will follow your instructions when I get back to my office on Tuesday (this Monday is a public holiday in Malaysia).
Thanks for the reply.

10-13-2007, 09:06 PM   #12
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 27,000; OS: WinXP and Vista)

Re: How to remove Email-Worm.Win32.Rays

That will be fine. I'll remain subscribed.

10-16-2007, 11:14 AM   #13
ahjin (Registered User; Join Date: Oct 2007; Posts: 366; OS: xp)

Re: How to remove Email-Worm.Win32.Rays

Hi Ried,
I scanned the pc in Safe Mode as requested.
Below is the report:

deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Admin\comment.htt
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\ADMIN\STAFF MATTERS\comment.htt
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\Leave Roster.exe
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\2007.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Admin\Staff Matters\Leave Roster\2007\comment.htt
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\Auc Progress\Auc Progress.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\Auc Progress\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\Auc_1\Auc_1.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\Auc_1\comment.htt
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\may.exe
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction Letters\Auction Letters.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction Letters\comment.htt
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3A\Auction3A.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction3A\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction_file\Auction_file.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Auction\may\Auction_file\comment.htt
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Database\comment.htt
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\comment.htt
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Database\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Database\Database.exe
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0256\0256.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0256\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\0264.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\0264(2)\0264(2).exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0264\0264(2)\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0281\0281.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0281\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0281\0281(2)\0281(2).exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0281\0281(2)\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0287\0287.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0287\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0291\0291.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0291\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0291\0291(2)\0291(2).exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0291\0291(2)\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\0292.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\0292(6)\0292(6).exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0292\0292(6)\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\0327.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\0327(3)\0327(3).exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0327\0327(3)\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0345\0345.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0345\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(3)\0354(3).exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(3)\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(4)\0354(4).exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\0354(4)\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\03544\03544.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0354\03544\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0384\0384.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0384\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0397\0397.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0397\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0398\0398.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0398\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0399\0399.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0399\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0400\0400.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0400\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0401\0401.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0401\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\0402.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\0402\0402.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\0402\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0404\0404.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0404\comment.htt
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder\New Folder.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder (2)\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\New Folder (2)\New Folder (2).exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\ESTATEAGENCY\SALE BY TENDER\SALE BY TENDER\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\ESTATEAGENCY\SALE BY TENDER\SALE BY TENDER\Sale by Tender.exe
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\ESTATEAGENCY\SALE BY TENDER\SALE BY TENDER\0110\0110.EXE
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\ESTATEAGENCY\SALE BY TENDER\SALE BY TENDER\0110\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\ESTATEAGENCY\SALE BY TENDER\SALE BY TENDER\0110\0110(2)\0110(2).exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\ESTATEAGENCY\SALE BY TENDER\SALE BY TENDER\0110\0110(2)\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\Tender File (0110 to 0198)\0117\0117(5)\0117(5).exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\Tender File (0110 to 0198)\0117\0117(5)\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\ESTATEAGENCY\SALE BY TENDER\TENDER FILE (0110 TO 0198)\0117\0117(6)\0117(6)\0117(5).exe
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\ESTATEAGENCY\SALE BY TENDER\TENDER FILE (0110 TO 0198)\0117\0117(6)\0117(6)\Sale by Tender.exe
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\ESTATEAGENCY\SALE BY TENDER\TENDER FILE (0110 TO 0198)\0117\0117(6)\0117(6)\Tender File (0110 to 0198).exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Library\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\Library\Library.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\free soft.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\dc400\comment.htt
deleted: virus Email-Worm.Win32.Rays File: C:\Documents and Settings\Administrator\Desktop\SA50\Library\free soft\dc400\dc400.exe
deleted: Trojan program Trojan.VBS.Starter.a File: C:\Documents and Settings\Administrator\Desktop\SA50\Valuation\FLOOR PLAN2_1\comment.htt
deleted: adware not-a-virus:AdWare.Win32.BHO.ha File: C:\Documents and Settings\WTWY\Local Settings\Temp\Temporary Directory 1 for make up call (uncensored).zip\setup.exe//data0006//stream//data0004//PE_Patch.UPX//UPX

10-16-2007, 11:21 AM   #14
ahjin (Registered User; Join Date: Oct 2007; Posts: 366; OS: xp)

Re: How to remove Email-Worm.Win32.Rays

It is late at night now; I scanned only 1 infected folder after the scan in Safe Mode and no threat was detected, so I think my PC is clean.
I will double-check again tomorrow morning by performing a full scan.

10-16-2007, 08:23 PM   #15
ahjin (Registered User; Join Date: Oct 2007; Posts: 366; OS: xp)

Re: How to remove Email-Worm.Win32.Rays

Hi Ried,
I ran through the 5-step process again this morning; I think it is still infected.

The report of Panda ActiveScan:


Incident Status Location

Adware:adware/webhancer Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
Hacktool:Exploit/ActiveXComp Not disinfected C:\Documents and Settings\Administrator\Desktop\SA50\comment.htt
Virus:Trj/Starter.A Disinfected C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\comment.htt
Virus:W32/Wukill.A.worm Disinfected C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\EstateAgency.exe
Hacktool:Exploit/ActiveXComp Not disinfected C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\comment.htt
Virus:W32/Wukill.A.worm Disinfected C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\Sale by Tender.exe
Hacktool:Exploit/ActXComp Not disinfected C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\template\comment.htt
Virus:W32/Wukill.A.worm Disinfected C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\template\template.exe
Virus:W32/Wukill.A.worm Disinfected C:\Documents and Settings\Administrator\Desktop\SA50\sa50.exe
Potentially unwanted tool:Application/Leaktest.A Not disinfected C:\Documents and Settings\betsy\Desktop\backup\Sa50\Library\FREEWARES\AntiVirus & Internet Securities\leaktest.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@ad.yieldmanager[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@ads.pointroll[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@atwola[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@bs.serving-sys[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@doubleclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@go[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@questionmarket[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@serving-sys[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@statse.webtrendslive[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\WTWY\Cookies\wtwy@target[2].txt




main.txt:

Deckard's System Scanner v20070905.67
Run by Administrator on 2007-10-17 10:17:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:17:54 AM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\WINDOWS\system32\logon.scr
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ALLUSE~1\DOCUME~1\HIJACK~1\ADMINI~1.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/defa...=my&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ap.dell.com/content/defa...=my&l=en&s=gen
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [RealPopup] "C:\Program Files\RealPopup\RealPopup.exe" BOOT
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00431EC9-BD2A-4007-A137-30C5EFA8F171}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{00431EC9-BD2A-4007-A137-30C5EFA8F171}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Abyss Web Server (AbyssWebServer) - Unknown owner - C:\Program Files\Abyss Web Server\abyssws.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" -r (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


-- Files created between 2007-09-17 and 2007-10-17 -----------------------------

2007-10-17 10:07:53 0 d-------- C:\ie-spyad_zo
2007-10-17 09:59:01 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-10-17 09:59:00 0 d-------- C:\Program Files\SpywareBlaster
2007-10-16 11:13:54 0 d-------- C:\WINDOWS\CSC
2007-10-16 09:59:34 81549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-10-16 09:59:34 82061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-10-16 09:58:58 0 d-------- C:\Program Files\Kaspersky Lab
2007-10-16 09:58:56 8224 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-16 09:58:56 498208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-16 09:58:16 0 d-------- C:\kav
2007-10-11 13:59:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-11 13:59:50 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-09 08:46:03 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-09 08:00:49 0 d-------- C:\Documents and Settings\WTWY\Application Data\Comodo AntiVirus
2007-10-08 11:59:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-10-08 11:59:19 216576 --a------ C:\WINDOWS\system32\monln.dll <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
2007-10-08 11:59:12 0 d-------- C:\Program Files\Comodo
2007-10-08 11:57:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-10-05 10:01:11 0 d-------- C:\WINDOWS\system32\NtmsData
2007-10-05 08:17:39 0 d-------- C:\Documents and Settings\WTWY\Application Data\Grisoft
2007-10-04 15:35:39 0 d-------- C:\ERDNT
2007-10-03 09:19:11 0 d-------- C:\Documents and Settings\temp\Application Data\Yahoo!
2007-10-03 09:19:10 0 d-------- C:\Documents and Settings\temp\Application Data\Google
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\Templates
2007-10-03 09:18:20 0 dr------- C:\Documents and Settings\temp\Start Menu
2007-10-03 09:18:20 0 dr-h----- C:\Documents and Settings\temp\SendTo
2007-10-03 09:18:20 0 dr-h----- C:\Documents and Settings\temp\Recent
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\PrintHood
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\NetHood
2007-10-03 09:18:20 0 dr------- C:\Documents and Settings\temp\My Documents
2007-10-03 09:18:20 0 d--h----- C:\Documents and Settings\temp\Local Settings
2007-10-03 09:18:20 0 dr------- C:\Documents and Settings\temp\Favorites
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Desktop
2007-10-03 09:18:20 0 d---s---- C:\Documents and Settings\temp\Cookies
2007-10-03 09:18:20 0 dr-h----- C:\Documents and Settings\temp\Application Data
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Application Data\Sun
2007-10-03 09:18:20 0 d---s---- C:\Documents and Settings\temp\Application Data\Microsoft
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Application Data\Identities
2007-10-03 09:18:20 0 d-------- C:\Documents and Settings\temp\Application Data\Gtek
2007-10-03 09:18:19 618496 --a------ C:\Documents and Settings\temp\NTUSER.DAT
2007-10-02 13:44:21 0 d-------- C:\Documents and Settings\wongis\Application Data\Yahoo!
2007-10-02 13:44:20 0 d-------- C:\Documents and Settings\wongis\Application Data\Google
2007-10-02 13:43:27 0 d-------- C:\Documents and Settings\wongis\Application Data\Identities
2007-10-02 13:43:27 0 d--h----- C:\Documents and Settings\wongis\Application Data\Gtek
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\Templates
2007-10-02 13:43:26 0 dr------- C:\Documents and Settings\wongis\Start Menu
2007-10-02 13:43:26 0 dr-h----- C:\Documents and Settings\wongis\SendTo
2007-10-02 13:43:26 0 dr-h----- C:\Documents and Settings\wongis\Recent
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\PrintHood
2007-10-02 13:43:26 663552 --a------ C:\Documents and Settings\wongis\NTUSER.DAT
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\NetHood
2007-10-02 13:43:26 0 dr------- C:\Documents and Settings\wongis\My Documents
2007-10-02 13:43:26 0 d--h----- C:\Documents and Settings\wongis\Local Settings
2007-10-02 13:43:26 0 dr------- C:\Documents and Settings\wongis\Favorites
2007-10-02 13:43:26 0 d-------- C:\Documents and Settings\wongis\Desktop
2007-10-02 13:43:26 0 d---s---- C:\Documents and Settings\wongis\Cookies
2007-10-02 13:43:26 0 dr-h----- C:\Documents and Settings\wongis\Application Data
2007-10-02 13:43:26 0 d-------- C:\Documents and Settings\wongis\Application Data\Sun
2007-10-02 13:43:26 0 d---s---- C:\Documents and Settings\wongis\Application Data\Microsoft
2007-10-02 08:32:10 0 d-------- C:\WINDOWS\system32\appmgmt
2007-10-01 08:41:03 0 d-------- C:\Documents and Settings\WTWY\Shared
2007-10-01 08:41:00 0 d-------- C:\Documents and Settings\WTWY\Incomplete
2007-10-01 08:39:46 0 d-------- C:\Documents and Settings\WTWY\Application Data\LimeWire
2007-09-27 09:05:21 0 d-------- C:\Documents and Settings\WTWY\Application Data\PC Tools
2007-09-26 14:53:08 0 d-------- C:\Documents and Settings\Administrator\Application Data\RealPopup
2007-09-26 14:53:05 0 d-------- C:\Program Files\RealPopup
2007-09-26 14:27:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-26 14:13:50 0 d-------- C:\Program Files\Startup Optimizer
2007-09-26 14:13:33 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-26 14:12:44 119568 --a------ C:\WINDOWS\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2007-09-26 14:12:44 0 d-------- C:\Program Files\ZNsoft Corporation
2007-09-26 13:59:45 0 d---s---- C:\Documents and Settings\Administrator\UserData
2007-09-26 11:30:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-09-26 11:30:53 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2007-09-26 10:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2007-09-26 10:50:06 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2007-10-17 09:16:49 0 d-------- C:\Program Files\Messenger
2007-10-04 11:57:47 0 d-------- C:\Program Files\Google
2007-10-04 11:38:39 0 d-------- C:\Program Files\PNA
2007-10-01 08:37:08 0 d-------- C:\Program Files\Java
2007-09-26 14:31:06 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [06/28/2007 12:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPopup"="C:\Program Files\RealPopup\RealPopup.exe" [02/24/2005 12:50 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/14/2004 12:24 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printer Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printer Monitor.lnk
backup=C:\WINDOWS\pss\Printer Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^WTWY^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]
path=C:\Documents and Settings\WTWY\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe




-- End of Deckard's System Scanner: finished at 2007-10-17 10:18:18 ------------


I do not know why no extra.txt is produced after I run dss.exe.
Old 10-16-2007, 11:38 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,000
OS: WinXP and Vista


Re: How to remove Email-Worm.Win32.Rays

Hello ahjin. I hope you enjoyed your holiday.

dss.exe only produces the extra.txt on its initial run, or via a command switch.

Yes, the infected files are still there. Do you see this file on your system?:

C:\WINDOWS\Mstray.exe

-------------------------------------------------------

We're going to use a different scanner. DrWeb tends to be quite aggressive, so please configure it exactly as follows for this first run. Right now, I just want to have a look, not clean anything.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar, Go to Options>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects and Malware to Report
  • Next, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-16-2007, 11:59 PM   #17 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 366
OS: xp


Re: How to remove Email-Worm.Win32.Rays

Hi Ried,
Do I have to close all the av software?
Old 10-17-2007, 12:15 AM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,000
OS: WinXP and Vista


Re: How to remove Email-Worm.Win32.Rays

That would be a good idea. If you do so, ensure you are disconnected from the internet.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-17-2007, 02:41 AM   #19 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 366
OS: xp


Re: How to remove Email-Worm.Win32.Rays

Here is the log:

comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\Thian\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\Thian;Archive contains infected objects;;
Thian.exe;C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\Thian;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency;Archive contains infected objects;;
EstateAgency.exe;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender;Archive contains infected objects;;
Sale by Tender.exe;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender;Win32.HLLM.Wukill;;
0274.exe;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274;Archive contains infected objects;;
0274(8).exe;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274\0274(8);Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274\0274(8)\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274\0274(8);Archive contains infected objects;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50;Archive contains infected objects;;
sa50.exe;C:\Documents and Settings\Administrator\Desktop\SA50;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\Database\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\Database;Archive contains infected objects;;
Database.exe;C:\Documents and Settings\Administrator\Desktop\SA50\Database;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data;Archive contains infected objects;;
WTWY Data.exe;C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\Thian\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\Thian;Archive contains infected objects;;
Thian.exe;C:\Documents and Settings\Administrator\Desktop\SA50\Database\WTWY Data\Thian;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency;Archive contains infected objects;;
EstateAgency.exe;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender;Archive contains infected objects;;
Sale by Tender.exe;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender;Win32.HLLM.Wukill;;
0274.exe;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274;Archive contains infected objects;;
0274(8).exe;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274\0274(8);Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274\0274(8)\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0274\0274(8);Archive contains infected objects;;
0402.exe;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402;Archive contains infected objects;;
0402.exe;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\0402;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\0402\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\0402\0402;Archive contains infected objects;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\template\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\template;Archive contains infected objects;;
template.exe;C:\Documents and Settings\Administrator\Desktop\SA50\EstateAgency\Sale by Tender\template;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation;Archive contains infected objects;;
Valuation.exe;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation\VALUATION REPORTS\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation\VALUATION REPORTS;Archive contains infected objects;;
VALUATION REPORTS.exe;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation\VALUATION REPORTS;Win32.HLLM.Wukill;;
31800-31849.exe;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation\VALUATION REPORTS\31800-31849;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation\VALUATION REPORTS\31800-31849\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation\VALUATION REPORTS\31800-31849;Archive contains infected objects;;
32200-32249.exe;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation\VALUATION REPORTS\32200-32249;Win32.HLLM.Wukill;;
comment.htt\vbscript.1;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation\VALUATION REPORTS\32200-32249\comment.htt;Trojan.AppActXComp;;
comment.htt;C:\Documents and Settings\Administrator\Desktop\SA50\Valuation\VALUATION REPORTS\32200-32249;Archive contains infected objects;;
ShowFolder[2].htm;C:\Documents and Settings\WTWY\Local Settings\Temporary Internet Files\Content.IE5\13CAHO3N;Win32.HLLM.Graz;;
ShowFolder[4].htm;C:\Documents and Settings\WTWY\Local Settings\Temporary Internet Files\Content.IE5\Q36F21MB;Win32.HLLM.Graz;;
ShowFolder[4].htm;C:\Documents and Settings\WTWY\Local Settings\Temporary Internet Files\Content.IE5\T7EQWWB7;Win32.HLLM.Graz;;
Old 10-17-2007, 08:00 AM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,000
OS: WinXP and Vista


Re: How to remove Email-Worm.Win32.Rays

Let's see if DrWeb can clean these. Again, configure DrWeb exactly as follows. Should it move the entire folder or document, we can restore it back.
  • Doubleclick the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Copyright 2001 - 2009, Tech Support Forum