Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 10-10-2005, 01:56 PM   #1 (permalink)
Registered User
 
Join Date: Jun 2005
Posts: 83
OS: XP


Computer - especially IE running extremely slowly

I'm trying to resolve a slowdown problem on a client's PC. I have downloaded and run the latest Adaware, Spybot and CWShredder. They have a DSL connection, but at times download speed is less than 10k. Other PCs on the same network are getting 60K and more.

The system will not do Windows update, nor will it allow an update of Norton definitions.

Following is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 4:47:56 PM, on 10/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\WINNT\system32\EXSHOW95.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\WINNT\system32\EXSHOW.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esinc.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O4 - HKLM\..\Run: [firewall_anti] C:\WINNT\firewall_anti.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123871264226
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124138123952
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Roxboro2.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Roxboro2.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Roxboro2.local
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe


Thanks in advance for your assistance.
adaniel
Old 10-10-2005, 06:08 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,561
OS: 2000 Pro; XP Pro; XP Home


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

Download Host.zip
Extract the file & overwrite the existing copy located at C:\WINNT\SYSTEM32\DRIVERS\ETC

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Note: There is no need to purchase Ewido. It will remain as the freeware version after the trial period, which means the guard process will no longer work, but the scanner will be just as effective.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O4 - HKLM\..\Run: [firewall_anti] C:\WINNT\firewall_anti.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\firewall_anti.exe
C:\WINNT\system32\winshost.exe


Restart in normal mode.

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Restart and run a new HijackThis scan. Save the log file and post it here.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 10-11-2005, 10:24 AM   #3 (permalink)
Registered User
 
Join Date: Jun 2005
Posts: 83
OS: XP


ActiveScan and hjt results

Logfile of HijackThis v1.99.1
Scan saved at 1:20:32 PM, on 10/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\IomegaAccess.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\ZipToA.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
\ROX2003SBS\Clients\Setup\applnch.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\WINNT\system32\EXSHOW95.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\WINNT\system32\EXSHOW.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esinc.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123871264226
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124138123952
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Roxboro2.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Roxboro2.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Roxboro2.local
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

=======================================

Incident Status Location

Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~33.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~37.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~3B.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~3D.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~41.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~17.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~45.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~49.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4D.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~51.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~55.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~10E.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~112.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~116.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~11A.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~12.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~147.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~208.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~239.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~23D.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~300.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~3AB.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~3CE.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~3D2.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~42F.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4C1.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4C5.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4C9.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4CD.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4D1.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4D5.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4D9.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4DD.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4E1.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4E5.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4E9.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~5CA.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~615.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~619.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~6A5.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~2.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4F.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~53.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~57.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~5F.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~64.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~68.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~6C.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~75.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~79.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~7D.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~4.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~6.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~A.exe
Virus:Trj/Downloader.EZO Disinfected C:\Documents and Settings\twarren\Local Settings\Temp\~E.exe
Virus:W32/Netsky.P.worm Disinfected [story.zip][details.txt .pif]


Thank you tetonbob. I really appreciate your help.

adaniel
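The fix list in post #2 and the follow-up log in post #3 can be compared mechanically rather than by eye: the second log still shows the `O4 - HKCU\..\Run: [winshost.exe]` entry even though its file was among the items to delete, and the O16 Panda ActiveScan control is new. The script below is an added example, not code from this thread or from the HijackThis project. It parses the R/F/N/O-numbered entry lines that HJT prints, reports which fix-list entries are gone and which persist, lists entries that appeared since the earlier log, and picks out entries HJT itself marks as `(no file)` or `(file missing)`. The two log excerpts and the fix list embedded in it are constructed from lines in this thread (shortened); the function names are the example's own.

```python
"""Check a HijackThis (HJT) fix list against a later log.

Added example: not code from this thread or from the HijackThis project.
It parses the R/F/N/O-numbered entry lines that HJT prints, reports which
fix-list entries were removed and which persist, lists entries new since an
earlier log, and picks out entries HJT itself marks as pointing at a file that
is no longer there ("(no file)" / "(file missing)").
"""
import re

# One HJT entry: a section code such as R0, O4 or O23, then " - ", then the body.
# Process-list lines (bare paths) and log headers do not match and are skipped.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.+)$")


def normalize(line: str) -> str:
    """Collapse whitespace and case so the same entry compares equal across logs."""
    return re.sub(r"\s+", " ", line.strip()).lower()


def parse_hjt(log: str) -> dict:
    """Map normalised entry -> original line for every HJT entry in a log."""
    entries = {}
    for raw in log.splitlines():
        if HJT_LINE.match(raw.strip()):
            entries[normalize(raw)] = raw.strip()
    return entries


def check_fixes(fix_list: str, after_log: str):
    """Split a fix list into (removed, persisting) relative to a later log."""
    after = parse_hjt(after_log)
    removed, persisting = [], []
    for item in fix_list.strip().splitlines():
        item = item.strip()
        if item:
            (persisting if normalize(item) in after else removed).append(item)
    return removed, persisting


def new_entries(before_log: str, after_log: str) -> list:
    """Entries present in the later log but absent from the earlier one."""
    before = parse_hjt(before_log)
    return [line for key, line in parse_hjt(after_log).items() if key not in before]


def dangling_entries(log: str) -> list:
    """Entries HJT flags as pointing at a file that no longer exists."""
    return [line for line in parse_hjt(log).values()
            if "(no file)" in line or "(file missing)" in line]


# Constructed excerpts modelled on the first two logs in this thread (shortened).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O4 - HKLM\..\Run: [firewall_anti] C:\WINNT\firewall_anti.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
"""

# The four entries the helper asked to be fixed in post #2.
FIX_LIST = r"""
O4 - HKLM\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O4 - HKLM\..\Run: [firewall_anti] C:\WINNT\firewall_anti.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""


def report(before_log: str = BEFORE_LOG, after_log: str = AFTER_LOG,
           fix_list: str = FIX_LIST) -> dict:
    """Bundle the four checks so a caller gets one result to inspect."""
    removed, persisting = check_fixes(fix_list, after_log)
    return {
        "removed": removed,
        "persisting": persisting,          # still there: the fix did not take
        "new": new_entries(before_log, after_log),
        "dangling_before": dangling_entries(before_log),
    }


if __name__ == "__main__":
    for heading, lines in report().items():
        print(f"{heading}:")
        for line in lines:
            print("   ", line)
```

Run against the constructed excerpts, `persisting` holds only the HKCU winshost.exe entry, `new` holds the O16 Panda control, and `dangling_before` holds the O9 "(no file)" button; pasting two full HJT logs and a helper's fix list in place of the excerpts gives the same three answers for a real thread.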
Old 10-11-2005, 11:39 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,561
OS: 2000 Pro; XP Pro; XP Home


Hi adaniel -

You still owe me the Ewido scan.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.



Please configure CleanUp with the following settings:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Choose Save, NOT run, and save to your desktop
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


Post one last HJT log as well, please.

How is the system now?
Old 10-14-2005, 12:41 PM   #5 (permalink)
Registered User
 
Join Date: Jun 2005
Posts: 83
OS: XP


New scan results

Thanks, tetonbob. The system is running much faster now. Here are the results of the latest scans and the ewido.

===============================

Logfile of HijackThis v1.99.1
Scan saved at 3:29:51 PM, on 10/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\WINNT\system32\EXSHOW95.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\WINNT\system32\EXSHOW.EXE
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esinc.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123871264226
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124138123952
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Roxboro2.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Roxboro2.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Roxboro2.local
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

===========================

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\Classes\CLSID\{014DA6CE-189F-421a-88CD-07CFE51CFF10}\Instance\InitPropertyBag'
Found '' in 'SOFTWARE\Classes\CLSID\{014DA6CE-189F-421a-88CD-07CFE51CFF10}\Instance'
Found '' in 'SOFTWARE\Classes\CLSID\{014DA6CE-189F-421a-88CD-07CFE51CFF10}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{014DA6CE-189F-421a-88CD-07CFE51CFF10}'
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
Internet URL Shortcuts
Files and Directories
Found '' in 'C:\Program Files\BearShare'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Program Files\BearShare' in shortcut areas.
Checking for 'C:\Program Files\BearShare' in startup areas.
Cleaning 'C:\Program Files\BearShare'
Checking for 'C:\Program Files\BearShare\FreePeers.ini' in shortcut areas.
Checking for 'C:\Program Files\BearShare\FreePeers.ini' in startup areas.
Cleaning 'C:\Program Files\BearShare\FreePeers.ini'
Checking for 'C:\Program Files\BearShare\BearShare.ini' in shortcut areas.
Checking for 'C:\Program Files\BearShare\BearShare.ini' in startup areas.
Cleaning 'C:\Program Files\BearShare\BearShare.ini'
Checking for 'C:\Program Files\BearShare\FreePeers.dat' in shortcut areas.
Checking for 'C:\Program Files\BearShare\FreePeers.dat' in startup areas.
Cleaning 'C:\Program Files\BearShare\FreePeers.dat'
Finished Cleaning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning


==================================
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:24:20 PM, 10/11/2005
+ Report-Checksum: D7809EA8

+ Scan result:

C:\unzipped\price_new[1]\text.exe -> Worm.Bagle.cy : Cleaned with backup
C:\unzipped\price_new\text.exe -> Worm.Bagle.cy : Cleaned with backup
C:\WINNT\system32\winshost.exe -> Worm.Bagle.cy : Cleaned with backup
C:\WINNT\system32\wiwshost.exe -> Worm.Bagle.cy : Cleaned with backup
C:\WINNT\firewall_anti.exe -> Worm.Bagle.dw : Cleaned with backup
C:\WINNT\firewall_anti.exe.dll -> Worm.Bagle.dw : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@preferences[1].txt -> Spyware.Cookie.Preferences : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@click2net[1].txt -> Spyware.Cookie.Click2net : Cleaned with backup
C:\Documents and Settings\Tommy\Cookies\tommy@preferences[1].txt -> Spyware.Cookie.Preferences : Cleaned with backup
C:\Documents and Settings\Tommy\Cookies\tommy@ads.link4ads[2].txt -> Spyware.Cookie.Link4ads : Cleaned with backup
C:\Documents and Settings\Tommy\Cookies\tommy@ads.link4ads[3].txt -> Spyware.Cookie.Link4ads : Cleaned with backup
C:\Documents and Settings\Tommy\Cookies\tommy@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Tommy\Cookies\tommy@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\twarren\Cookies\twarren@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\twarren\Cookies\twarren@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\TOMMY\Tommy\Cookies\administrator@preferences[1].txt -> Spyware.Cookie.Preferences : Cleaned with backup
C:\TOMMY\Tommy\Cookies\administrator@click2net[1].txt -> Spyware.Cookie.Click2net : Cleaned with backup


::Report End

Thanks for all your help.

adaniel
Old 10-14-2005, 02:13 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,561
OS: 2000 Pro; XP Pro; XP Home


One of the bagle files is still showing in your HJT log.

Let's do this:

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)


Launch KillBox.exe and select the following option:
  • Delete on Reboot
Select all the filenames below, then right-click and select Copy:
  • C:\WINNT\system32\winshost.exe
  • Go to the File menu and choose Paste from Clipboard
  • Click the RED X button.
  • Click Yes at the Delete on Reboot prompt.
  • Click Yes at the 'Pending Operations' prompt.

Quote:
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.
Reboot into safe mode.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe

Run Killbox again, and run C:\WINNT\system32\winshost.exe through it again. If Killbox tells you it can't find it, that's a good thing.

Reboot into normal mode now.

Restart and run a new HijackThis scan. Save the log file and post it here.

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Standard
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Post results from Kaspersky scan, and a new HJT log, please.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
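The check tetonbob did by hand above (the ewido report says C:\WINNT\system32\winshost.exe was cleaned, yet the HKCU Run entry for it is still in the HijackThis log, and the winvnc service is flagged "(file missing)") can be scripted. The following is an added example for this thread, not code or output from HijackThis, ewido or TSF: it parses the O4 and O23 line formats exactly as HijackThis 1.99.1 prints them in the logs above, parses ewido's "<path> -> <detection> : <action>" result lines, and lists autorun entries that still point at a file the scanner reported plus services whose binary is gone. The sample input is a constructed subset of the lines posted in this thread; the function names and result layout are assumptions of the example, and it only reads text, it does not touch the registry or the disk.

```python
"""Cross-check HijackThis O4/O23 entries against an AV scan report.

Added example for this thread; not output or code from HijackThis, ewido or TSF.
Line formats follow what HijackThis 1.99.1 and ewido printed in the posted logs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a subset of the lines posted in the thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
"""
EWIDO_REPORT = r"""
C:\unzipped\price_new\text.exe -> Worm.Bagle.cy : Cleaned with backup
C:\WINNT\system32\winshost.exe -> Worm.Bagle.cy : Cleaned with backup
C:\WINNT\system32\wiwshost.exe -> Worm.Bagle.cy : Cleaned with backup
C:\WINNT\firewall_anti.exe -> Worm.Bagle.dw : Cleaned with backup
C:\Documents and Settings\Tommy\Cookies\tommy@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
"""

O4_REG_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
REPORT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<detection>\S+) : (?P<action>.+)$")
# First executable-looking path in a command line, quoted or not; the lookahead stops
# at a quote, whitespace or end of line so switches such as -servicehelper are dropped.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|scr|pif|com|bat|cmd|vbs))(?=["\s]|$)', re.IGNORECASE)


@dataclass
class Entry:
    kind: str                   # 'autorun' or 'service'
    source: str                 # 'HKCU\..\Run', 'Global Startup', or the service owner
    name: str                   # registry value name, .lnk name or service display name
    path: Optional[str]         # casefolded target; None when no executable was recognised
    file_missing: bool = False  # HijackThis appends '(file missing)' to dead services


def exe_path(command: str) -> Optional[str]:
    """Casefolded executable path from an autorun or service command line, or None."""
    m = EXE_RE.match(command.strip())
    return m.group("path").casefold() if m else None


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_REG_RE.match(line):
            entries.append(Entry("autorun", f"{m['hive']}\\..\\{m['key']}", m["name"], exe_path(m["cmd"])))
        elif m := O4_STARTUP_RE.match(line):
            entries.append(Entry("autorun", m["where"], m["name"], exe_path(m["cmd"])))
        elif m := O23_RE.match(line):
            entries.append(Entry("service", m["owner"], m["display"], exe_path(m["cmd"]),
                                 "(file missing)" in m["cmd"]))
    return entries


def parse_report(text: str) -> Dict[str, Tuple[str, str]]:
    """casefolded path -> (detection, action) for '<path> -> <detection> : <action>' lines."""
    hits: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        if m := REPORT_RE.match(raw.strip()):
            hits[m["path"].casefold()] = (m["detection"], m["action"])
    return hits


def triage(hjt_text: str, report_text: str) -> dict:
    entries = parse_hjt(hjt_text)
    hits = parse_report(report_text)
    # HijackThis often prints 8.3 short names (C:\PROGRA~1\...) while scanners print
    # long names, so a basename-only match is kept as a separate, weaker signal.
    by_basename = {p.rsplit("\\", 1)[-1]: p for p in hits}
    stale, name_only = [], []
    for e in entries:
        if e.kind != "autorun" or e.path is None:
            continue
        if e.path in hits:
            stale.append((e.source, e.name, e.path) + hits[e.path])
        elif (base := e.path.rsplit("\\", 1)[-1]) in by_basename:
            name_only.append((e.source, e.name, by_basename[base]))
    return {
        "autoruns_parsed": sum(e.kind == "autorun" for e in entries),
        "services_parsed": sum(e.kind == "service" for e in entries),
        "stale_autoruns": stale,  # entries still pointing at a file the scanner handled
        "name_only_matches": name_only,
        "missing_services": [e.name for e in entries if e.kind == "service" and e.file_missing],
    }


if __name__ == "__main__":
    result = triage(HJT_LOG, EWIDO_REPORT)
    for source, name, path, detection, action in result["stale_autoruns"]:
        print(f"[autorun] {source} [{name}] -> {path}  {detection} ({action})")
    for display in result["missing_services"]:
        print(f"[service] {display}: binary missing, orphaned service entry")
```

Run against the two logs it reports the HKCU\..\Run [winshost.exe] entry as still pointing at a Worm.Bagle.cy file that ewido already cleaned, and the winvnc service as orphaned. That is the reason the procedure above deletes the file with KillBox and then separately fixes the O4 line in HijackThis: removing the file does not remove the Run value, and a rescan that still shows the entry is the sign to look for.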
Old 10-18-2005, 01:00 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2005
Posts: 83
OS: XP


kaspersky and hjt logs

Thanks tetonbob,

Here are the latest logs. The Kaspersky site did not seem to indicate whether it cleaned or not. The link we found was not called "Launch Kaspersky Anti-Virus Web Scanner", but otherwise it went according to your notes.

==============================

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, October 18, 2005 15:42:36
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/10/2005
Kaspersky Anti-Virus database records: 145536
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
R:\
S:\

Scan Statistics:
Total number of scanned objects: 41459
Number of viruses found: 17
Number of infected objects: 237
Number of suspicious objects: 14
Duration of the scan process: 2884 sec

Infected Object Name - Virus Name
C:\Account Settings\Outlook Express\SPAM.dbx/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED/UNNAMED/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/Information.zip/bxssacat.exe Suspicious: Password-protected-EXE
C:\Account Settings\Outlook Express\SPAM.dbx/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED/UNNAMED/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/Information.zip Suspicious: Password-protected-EXE
C:\Account Settings\Outlook Express\SPAM.dbx/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED/UNNAMED Suspicious: Password-protected-EXE
C:\Account Settings\Outlook Express\SPAM.dbx/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED Suspicious: Password-protected-EXE
C:\Account Settings\Outlook Express\SPAM.dbx/[From SunTrust bank <supprefnum57515280271787@suntrust.com>][Date Tue, 02 Nov 2004 05:10:44 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Sunfraud.c
C:\Account Settings\Outlook Express\SPAM.dbx/[From SunTrust bank <supprefnum57515280271787@suntrust.com>][Date Tue, 02 Nov 2004 05:10:44 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Sunfraud.c
C:\Account Settings\Outlook Express\SPAM.dbx Infected: Trojan-Spy.HTML.Sunfraud.c
C:\Account Settings\Outlook Express\Sent Items.dbx/[From "Tommy Warren" <tswarren@person.net>][Date Tue, 7 Jun 2005 13:41:26 -0400]/UNNAMED/email-info.zip/email-info.htm .scr Infected: Net-Worm.Win32.Mytob.bf
C:\Account Settings\Outlook Express\Sent Items.dbx/[From "Tommy Warren" <tswarren@person.net>][Date Tue, 7 Jun 2005 13:41:26 -0400]/UNNAMED/email-info.zip Infected: Net-Worm.Win32.Mytob.bf
C:\Account Settings\Outlook Express\Sent Items.dbx/[From "Tommy Warren" <tswarren@person.net>][Date Tue, 7 Jun 2005 13:41:26 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.bf
C:\Account Settings\Outlook Express\Sent Items.dbx Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\SPAM.dbx/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED/UNNAMED/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/Information.zip/bxssacat.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\SPAM.dbx/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED/UNNAMED/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/Information.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\SPAM.dbx/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED/UNNAMED Suspicious: Password-protected-EXE
C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\SPAM.dbx/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED Suspicious: Password-protected-EXE
C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\SPAM.dbx/[From SunTrust bank <supprefnum57515280271787@suntrust.com>][Date Tue, 02 Nov 2004 05:10:44 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Sunfraud.c
C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\SPAM.dbx/[From SunTrust bank <supprefnum57515280271787@suntrust.com>][Date Tue, 02 Nov 2004 05:10:44 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Sunfraud.c
C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\SPAM.dbx Infected: Trojan-Spy.HTML.Sunfraud.c
C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\Sent Items.dbx/[From "Tommy Warren" <tswarren@person.net>][Date Tue, 7 Jun 2005 13:41:26 -0400]/UNNAMED/email-info.zip/email-info.htm .scr Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\Sent Items.dbx/[From "Tommy Warren" <tswarren@person.net>][Date Tue, 7 Jun 2005 13:41:26 -0400]/UNNAMED/email-info.zip Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\Sent Items.dbx/[From "Tommy Warren" <tswarren@person.net>][Date Tue, 7 Jun 2005 13:41:26 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\Sent Items.dbx Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\Deleted Items.dbx/[From support@paypal.com <support@paypal.com>][Date Mon, 17 Oct 2005 23:23:43 +0200 (CEST)]/html Infected: Trojan-Spy.HTML.Paylap.fg
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Paylap.fg
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\SPAM.dbx/[From <cmcbroom@mindspring.com>][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED/UNNAMED/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/Information.zip/bxssacat.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\SPAM.dbx/[From <cmcbroom@mindspring.com>][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED/UNNAMED/[From cmcbroom@mindspring.com][Date Mon, 22 Mar 2004 10:50:31 -0500]/Information.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\SPAM.dbx/[From <cmcbroom@mindspring.com>][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED/UNNAMED Suspicious: Password-protected-EXE
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\SPAM.dbx/[From <cmcbroom@mindspring.com>][Date Mon, 22 Mar 2004 10:50:31 -0500]/UNNAMED Suspicious: Password-protected-EXE
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\SPAM.dbx/[From "SunTrust bank" <supprefnum57515280271787@suntrust.com>][Date Tue, 02 Nov 2004 05:10:44 -0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Sunfraud.c
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\SPAM.dbx/[From "SunTrust bank" <supprefnum57515280271787@suntrust.com>][Date Tue, 02 Nov 2004 05:10:44 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Sunfraud.c
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\SPAM.dbx Infected: Trojan-Spy.HTML.Sunfraud.c
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\Sent Items.dbx/[From "Tommy Warren" <tswarren@person.net>][Date Tue, 7 Jun 2005 13:41:26 -0400]/UNNAMED/email-info.zip/email-info.htm .scr Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\Sent Items.dbx/[From "Tommy Warren" <tswarren@person.net>][Date Tue, 7 Jun 2005 13:41:26 -0400]/UNNAMED/email-info.zip Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\Sent Items.dbx/[From "Tommy Warren" <tswarren@person.net>][Date Tue, 7 Jun 2005 13:41:26 -0400]/UNNAMED Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\Sent Items.dbx Infected: Net-Worm.Win32.Mytob.bf
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\44384946 Infected: Email-Worm.Win32.Tanatos.b.dam
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33060A97 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33345665 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33417E57 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\334B7C4C Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3C9B360D Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D58393C Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5AFD609D Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F3055FE Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\288F3540 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28E478E3 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\29051CBF Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\293C6681 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\29AF2404 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3C5B3F77 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3C72655E Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5E505618 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5E5D7E0A Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77CD060C Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07DC0260 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D0D42A9 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\24835ED9 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\316F02A0 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4BDA2B8E Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4BEA7D7C Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5A447FB1 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\69682D08 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6E82476A Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6B552FC4 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6B934D80 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\72181C53 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3B914B78 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BC9153B Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3C624A92 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D3A1DA5 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\79AA2F22 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\79B75714 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\79C15509 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\79C72902 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\22E441C4 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\25DD787F Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\25E77674 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\29691098 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3F7E764B Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\778E4699 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\78F5510E Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\790278FF Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\790C76F5 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20C20542 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20CC0337 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\327A53C2 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\32D24161 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3C7314C8 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\78C17022 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\78D14210 Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\78E43DFB Infected: Email-Worm.Win32.Sobig.f
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7B666A71 Infected: Email-Worm.Win32.Swen
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5E392740 Infected: Email-Worm.Win32.Tanatos.b.dam
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\39DD276A Infected: Email-Worm.Win32.Tanatos.b.dam
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\770C31BF Infected: Email-Worm.Win32.Dumaru.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\60487A79 Infected: Email-Worm.Win32.Dumaru.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D8B5A59 Infected: Email-Worm.Win32.Dumaru.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5C5050CE Infected: Trojan-Dropper.VBS.Inor.u
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\677B23A7 Infected: Trojan-Dropper.VBS.Inor.u
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66F51511 Infected: Trojan-Dropper.VBS.Inor.u
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\512A1FE1 Infected: Email-Worm.Win32.Dumaru.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\53452F90 Infected: Email-Worm.Win32.Dumaru.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\55A74C03 Infected: Email-Worm.Win32.Dumaru.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7AD54AC9 Infected: Email-Worm.Win32.Dumaru.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1BFF4BB5 Infected: Email-Worm.Win32.Dumaru.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6EFB14A2 Infected: Email-Worm.Win32.Dumaru.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\75C63BB7 Infected: Email-Worm.Win32.NetSky.c
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C3F2B91 Infected: Email-Worm.Win32.Dumaru.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05CB2126 Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\17B32FB5 Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\47804918 Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\088743D1 Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7C0416B9 Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\16B065A7 Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\189953D2 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18E06F83 Infected: Email-Worm.Win32.NetSky.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\746E3BE6 Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\748561CD Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\41124EB3 Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\159E59A8 Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D16582F Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D6447D9 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\227909CA Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\239C59AD Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\23B62990 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\23D74D6C/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\23D74D6C Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\24181525 Infected: Email-Worm.Win32.NetSky.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\44B06BD5 Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\44F45D89 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45085974/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45085974 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1F9C1EEB Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\154B0044 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\156F4E1C Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\157F200A/rymmxquc.exe Suspicious: Password-protected-EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\157F200A Suspicious: Password-protected-EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\15A043E6 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\15AA41DB Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\15B43FD1/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\15B43FD1 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F0C757F/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F0C757F Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F191D70 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F231B66 Infected: Email-Worm.Win32.NetSky.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2AC6500D Infected: Email-Worm.Win32.NetSky.b
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45094001 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1FD8305B.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07A95A66.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\23835250.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2914074D.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2A7E7BFF.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2A984BE3.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7E7B47DB.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7CD962C3.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\319271E1.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0C0129C1.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\60223973.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20F71CAA.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\22F82903.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\40FC5E89.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3AA76779.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\382B647D.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\322B0F58.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\54C2006C.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\352302A4.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E481A93.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DD26F20.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1E1A0AD1.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6EC67EE1.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\25A14BE8.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5706232B.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7D7D6EC0.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7EDC013A.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7F1774F9.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\35193581.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0AE9755A.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74653AFC.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\50C417DD.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\73EC5050.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\540829B0.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\38995DDB.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D5D12E3.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2A2E75B3.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3B73458C.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\12F853CA.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\147A2E22.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\739E2A93.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4FBA557E.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FAB6DA0.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7538503A.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07640F58.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\738D6574.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\15433CA3.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\103F6795.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\69F00AE2.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6D2167EB.hta Infected: Trojan-Dropper.VBS.Zerolin
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6D7D7F86.hta Infected: Trojan-Dropper.VBS.Zerolin
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6DD81721.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6E2A30C8.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2C767313.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6E8A17C8.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\431F47D8.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2888243F.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\03613FAE.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\00892517.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\496633C3.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7EC33753.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1E0347CA.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2ADD22C2.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7BF16819.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1D2B6463.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\03F11B3E.tmp Infected: Trojan-Dropper.VBS.Zerolin
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\11CF191E.hta Infected: Trojan-Dropper.VBS.Zerolin
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6EDA3300.tmp Infected: Trojan-Dropper.VBS.Zerolin
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7B913702.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4427636A.chm/index.htm Infected: Trojan-Downloader.VBS.Psyme.ak
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4427636A.chm Infected: Trojan-Downloader.VBS.Psyme.ak
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1E852DF6.hta Infected: Trojan-Dropper.VBS.Zerolin
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1F520314.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2534752B.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\26387254.tmp Infected: Trojan-Dropper.VBS.Zerolin
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\26387254.htm Infected: Trojan.HTML.Qrap
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\263C1C51.htm Infected: Trojan.HTML.Qrap
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2642704A.hta Infected: Trojan-Dropper.VBS.Zerolin
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D756FDA.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7B4D6C1C.hta Infected: Trojan-Dropper.VBS.Zerolin
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7B6E0FF8.hta Infected: Trojan-Dropper.VBS.Zerolin
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2D122197.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18B807B1.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6E374D52.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\16307479.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6DFA5F01.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45A54B14.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0F535122.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\65DC0752.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4346707F.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46DB068E.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4F8A79B6.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4FF23943.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07662A3E.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C0E42E7.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\10AE2A88.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\383675CF.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4E03257C.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\606954A8.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5E391B0B.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\219964E5.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2481088D.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3A0B5030.scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\08951BC2.scr Infected: Email-Worm.Win32.NetSky.q

Scan process completed.


===================================

Logfile of HijackThis v1.99.1
Scan saved at 2:14:22 PM, on 10/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\WINNT\system32\EXSHOW95.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\EXSHOW.EXE
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINNT\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esinc.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123871264226
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124138123952
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Roxboro2.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Roxboro2.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Roxboro2.local
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\System32\pctspk.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

===============================================

Thanks again,
adaniel
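The log above is read by hand in this thread; the following Python script is an added example (not code from the thread, from adaniel or tetonbob, or from the HijackThis project) showing how a helper can do the first pass of that triage: split a HijackThis log into its header, running-process list and section entries, and flag the items a reviewer would want to confirm by hand. The sample input is a constructed excerpt of lines copied from the log above, and the review heuristics (file missing, unknown owner, unnamed BHO, an autorun target given without a path, the host an O16 ActiveX control comes from) are the example's own, not rules HijackThis itself applies.

```python
import re
from collections import Counter

# Constructed sample input: a handful of lines copied from the HijackThis
# log posted above, so the parser runs offline on realistic input.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:14:22 PM, on 10/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\TightVNC\WinVNC.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.esinc.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Roxboro2.local
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
"""

# One HijackThis entry: a section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", then the body.
ENTRY_RE = re.compile(r"^([RFN]\d|O\d+) - (.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")


def parse_hjt(text):
    """Split a HijackThis log into header lines, running processes and (section, body) entries."""
    header, processes, entries = [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
        else:
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def section_counts(entries):
    """How many entries of each section type the log contains."""
    return Counter(sec for sec, _ in entries)


def triage(entries):
    """Return (section, reason, body) items that deserve a manual look.

    These heuristics are the example's own: they mark things to verify,
    not verdicts. Every item they flag in the sample was judged clean in the thread.
    """
    notes = []
    for sec, body in entries:
        if "(file missing)" in body:
            notes.append((sec, "referenced file could not be found", body))
        if "Unknown owner" in body:
            notes.append((sec, "service binary has no publisher information", body))
        if sec == "O2" and body.startswith("BHO: (no name)"):
            notes.append((sec, "browser helper object without a name", body))
        if sec == "O4" and "] " in body:
            target = body.split("] ", 1)[1]
            # A bare file name is resolved through the search path at logon,
            # so confirm which file actually runs.
            if "\\" not in target and ":" not in target:
                notes.append((sec, "autorun target given without a full path", body))
        if sec == "O16":
            m = URL_HOST_RE.search(body)
            if m:
                notes.append((sec, f"ActiveX control downloaded from {m.group(1)}", body))
    return notes


def unexplained_processes(parsed):
    """Running processes whose path appears in no O4/O23 entry (core OS processes land here too)."""
    haystack = "\n".join(body.lower() for sec, body in parsed["entries"] if sec in ("O4", "O23"))
    return [p for p in parsed["processes"] if p.lower() not in haystack]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("sections:", dict(section_counts(parsed["entries"])))
    for sec, reason, body in triage(parsed["entries"]):
        print(f"[{sec}] {reason}: {body}")
    print("processes with no startup entry:", unexplained_processes(parsed))
```

On the excerpt the script flags five items: the unnamed BHO (Spybot's SDHelper), the `pctptt.exe` autorun given without a path, the Panda ActiveScan download host, and the VNC service twice (no publisher, and `(file missing)` because the stray quote in the service's image path keeps HijackThis from resolving the file). None of these is a verdict; they are exactly the lines a reviewer checks before calling a log clean, as tetonbob did here. Note that `smss.exe` is listed as a process with no startup entry only because it is a core OS process, which is why that check is a prompt for review rather than an alarm.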
Old 10-18-2005, 04:52 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,561
OS: 2000 Pro; XP Pro; XP Home


Please use Symantec's guide to remove the Quarantine files.

The other suspicious issues are in the Outlook Express mails. They are in these folders. I recommend you save only necessary mails from these folders, and remove the rest.

C:\Account Settings\Outlook Express\SPAM.dbx

C:\Account Settings\Outlook Express\Sent Items.dbx

C:\Documents and Settings\Tommy\Local Settings\Application Data\Identities\{7D69339C-90A6-4248-8BF2-A8B65CF575FA}\Microsoft\Outlook Express\SPAM.dbx

C:\Documents and Settings\twarren\Local Settings\Application Data\Identities\{704B3545-BEB4-4244-922F-ED3803351DB5}\Microsoft\Outlook Express\Deleted Items.dbx

The HijackThis log is clean...if there are no more problems, let me leave you with this info:

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles.
Make sure to update Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 10-21-2005, 07:55 AM   #9 (permalink)
Registered User
 
Join Date: Jun 2005
Posts: 83
OS: XP


Mission Accomplished

Thanks, tetonbob,

I guess we can close another one. I appreciate all your help.

adaniel
Copyright 2001 - 2009, Tech Support Forum