Author Topic: HELP- PAKES - DIALER.QY - DIALER.KOTU  (Read 618 times)

godzilly
« on: September 03, 2006, 12:21:35 PM »
I made one bad decision to run a program from a site w I'm infected

I originally had isoffice.exe and ismini.exe and several others

I've run ewido, smitfraud, virtumundobegone, look2m-destroyer, but I'm still experiencing

trojan.PAKES
trojan.DIALER.QY
DIALER.KOTU

Can you help me ??

Latest HJT list :

Logfile of HijackThis v1.99.1
Scan saved at 10:15:12 AM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\QConsole.exe
C:\Documents and Settings\All Users\Desktop\DOWNLOADS\hijack\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...40%3A%3A454x107
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128798714328
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\SQLNAV~1\RNetPin.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

guestolo
« Reply #1 on: September 03, 2006, 12:30:53 PM »
Can you do the following for me please

Temporarily disable Norton's Auto Protect
From my signature below,
Use INTERNET EXPLORER
Run an online virus scan at Kaspersky's
Accept the prompt at the Welcome screen
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
      - Scan using the following Anti-Virus database: Extended (if available otherwise Standard)
      - Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post

Could you also do the following
Right click on Hijackthis.exe >>> Rename it to analyze.exe
Run a fresh scan and save logfile and post the fresh log it produces
« Last Edit: September 03, 2006, 12:59:35 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


godzilly
« Reply #2 on: September 03, 2006, 12:53:54 PM »
Thanks

I'm really afraid of connecting to the internet without protection since we don't know what else may be going on

Is this really the only way?

guestolo
« Reply #3 on: September 03, 2006, 01:01:55 PM »
You can probably keep Norton's enabled, but it may slow down the Kaspersky's scan
Can you navigate to Kaspersky's from my link
Install the ActiveX, etc....
Just before the scan temporarily turn off Norton's Auto Protect
If you don't feel that is safe, you can leave it running, but as mentioned may slow down the scanner

We have to flush out the bad guys :)


godzilly
« Reply #4 on: September 03, 2006, 06:17:06 PM »
The logs are below

Note: Drive F: was a drive from my old PC that I attached to my new one. Although it has Win2K on it, it is not a system disk - I never boot from it

Kaspersky LOG:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Sunday, September 03, 2006 2:15:05 PM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.83.0
 Kaspersky Anti-Virus database last update:  3/09/2006
 Kaspersky Anti-Virus database records: 220487
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - Folders:
   C:\
   D:\
   E:\
   F:\

Scan Statistics:
   Total number of scanned objects: 162787
   Number of viruses found: 19
   Number of infected objects: 421 / 0
   Number of suspicious objects: 31
   Duration of the scan process: 02:44:41

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-04282006-193203.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-09-03_Log.ALUSchedulerSvc.LiveUpdate   Object is locked   skipped
C:\Documents and Settings\All Users\Desktop\DOWNLOADS\hijack\smitfraud\Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\All Users\Desktop\DOWNLOADS\hijack\smitfraud\SmitfraudFix.zip/SmitfraudFix/Reboot.exe   Infected: not-a-virus:RiskTool.Win32.Reboot.f   skipped
C:\Documents and Settings\All Users\Desktop\DOWNLOADS\hijack\smitfraud\SmitfraudFix.zip   ZIP: infected - 1   skipped
C:\Documents and Settings\brian\Application Data\Skype\briandm99\call256.dbb   Object is locked   skipped
C:\Documents and Settings\brian\Application Data\Skype\briandm99\callmember256.dbb   Object is locked   skipped
C:\Documents and Settings\brian\Application Data\Skype\briandm99\contactgroup256.dbb   Object is locked   skipped
C:\Documents and Settings\brian\Application Data\Skype\briandm99\index2.dat   Object is locked   skipped
C:\Documents and Settings\brian\Application Data\Skype\briandm99\profile256.dbb   Object is locked   skipped
C:\Documents and Settings\brian\Application Data\Skype\briandm99\user1024.dbb   Object is locked   skipped
C:\Documents and Settings\brian\Application Data\Skype\briandm99\user256.dbb   Object is locked   skipped
C:\Documents and Settings\brian\Application Data\Skype\briandm99\voicemail256.dbb   Object is locked   skipped
C:\Documents and Settings\brian\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\brian\Desktop\OLd Drive F\laptop\DOWNLOADS\WAR FTP\war-ftpd.exe   Infected: not-a-virus:Server-FTP.Win32.PremierServer.b   skipped
C:\Documents and Settings\brian\Desktop\OLd Drive F\laptop\DOWNLOADS\WAR FTP\ward165.exe/war-ftpd.exe   Infected: not-a-virus:Server-FTP.Win32.PremierServer.b   skipped
C:\Documents and Settings\brian\Desktop\OLd Drive F\laptop\DOWNLOADS\WAR FTP\ward165.exe   ZIP: infected - 1   skipped
C:\Documents and Settings\brian\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/11 Jun 2006 05:52 to [email protected]:New Graphic Site/11 Jun 2006 05:52 from mohammad jamshidi:New Graphic Site/11 Jun 2006 05:49 from Yahoo! Groups Notification:MODERATE -- ha/11 Jun 2006 05:23 from hamed j:New Graphic Site/10 Jun 2006 10:26 to B_L_A_C_K_W_O_R_NEmail Removed:New Graphic Sit/09 Jun 2006 17:03 from salam salame:New Graphic Site/09 Jun 2006 12:01 to B_L_A_C_K_W_O_R_NEmail Removed:New Graphic Sit/09 Jun 2006 11:36 from HADI JAFARINIA:New Graphic Site/09 Jun 2006  ...    Infected: Email-Worm.JS.Yamanner.a   skipped
C:\Documents and Settings\brian\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst   Mail MS Mail: infected - 1   skipped
C:\Documents and Settings\brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\brian\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\brian\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{A0A9D9AD-5A3A-49D5-AE4C-A177328879B8}   Object is locked   skipped
C:\Documents and Settings\brian\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\brian\Local Settings\Temp\Perflib_Perfdata_f98.dat   Object is locked   skipped
C:\Documents and Settings\brian\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\brian\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\brian\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
C:\hp\bin\KillWind.exe   Infected: not-a-virus:RiskTool.Win32.PsKill.p   skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log   Object is locked   skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log   Object is locked   skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log   Object is locked   skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log   Object is locked   skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\04F44064.exe   Infected: Trojan-Downloader.Win32.Obfuscated.a   skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\14827E6A.exe   Infected: Trojan.Win32.Dialer.pz   skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\16DC4846.exe   Infected: Trojan.Win32.Dialer.pz   skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\18B34217.exe   Infected: Trojan.Win32.Dialer.qy   skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\507A7E6C.exe   Infected: Trojan.Win32.Dialer.qy   skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0169NAV~.TMP   Object is locked   skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0675NAV~.TMP   Object is locked   skipped
C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\Internet Logs\tvDebug.log   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\edb.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\default   Object is locked   skipped
C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software   Object is locked   skipped
C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\system   Object is locked   skipped
C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
C:\WINDOWS\system32\ismini.exe   Infected: Trojan-Downloader.Win32.Zlob.xy   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
C:\WINDOWS\system32\winmxw32.dll   Infected: Packed.Win32.Klone.g   skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1f8.dat   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped
D:\I386\Apps\APP04843\src\da\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\de\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\fi\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\fr\JS\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\it\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\ko\JS\LUREGWMI.EXE   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\nl\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\no\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\pt\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\sv\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\zh\cn\JS\LUREGWMI.EXE   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\zh\tw\JS\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
F:\Documents and Settings\All Users.WINNT\Desktop\DOWNLOADS\ot8100logo.exe/WISE0084.BIN/WISE0007.BIN   Infected: not-a-virus:AdWare.Win32.BMCentral.a   skipped
F:\Documents and Settings\All Users.WINNT\Desktop\DOWNLOADS\ot8100logo.exe/WISE0084.BIN   Infected: not-a-virus:AdWare.Win32.BMCentral.a   skipped
F:\Documents and Settings\All Users.WINNT\Desktop\DOWNLOADS\ot8100logo.exe   WiseSFX: infected - 2   skipped
F:\Documents and Settings\All Users.WINNT\Desktop\DOWNLOADS\WAR FTP\war-ftpd.exe   Infected: not-a-virus:Server-FTP.Win32.PremierServer.b   skipped
F:\Documents and Settings\All Users.WINNT\Desktop\DOWNLOADS\WAR FTP\ward165.exe/war-ftpd.exe   Infected: not-a-virus:Server-FTP.Win32.PremierServer.b   skipped
F:\Documents and Settings\All Users.WINNT\Desktop\DOWNLOADS\WAR FTP\ward165.exe   ZIP: infected - 1   skipped
F:\DRIVE F\laptop\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03680000.VBN   Infected: EICAR-Test-File   skipped
F:\DRIVE F\laptop\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03680001.VBN   Infected: Email-Worm.Win32.Magistr.b   skipped
F:\DRIVE F\laptop\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\036C0000.VBN   Infected: EICAR-Test-File   skipped
F:\DRIVE F\laptop\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800000.VBN   Infected: Email-Worm.Win32.Magistr.b   skipped
F:\DRIVE F\laptop\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800001.VBN   Infected: Email-Worm.Win32.Magistr.b   skipped
F:\DRIVE F\laptop\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03880000.VBN   Infected: Email-Worm.Win32.MTX   skipped
F:\DRIVE F\laptop\All Users\Desktop\DOWNLOADS\WAR FTP\war-ftpd.exe   Infected: not-a-virus:Server-FTP.Win32.PremierServer.b   skipped
F:\DRIVE F\laptop\All Users\Desktop\DOWNLOADS\WAR FTP\ward165.exe/war-ftpd.exe   Infected: not-a-virus:Server-FTP.Win32.PremierServer.b   skipped
F:\DRIVE F\laptop\All Users\Desktop\DOWNLOADS\WAR FTP\ward165.exe   ZIP: infected - 1   skipped
F:\DRIVE F\laptop\DOWNLOADS\WAR FTP\war-ftpd.exe   Infected: not-a-virus:Server-FTP.Win32.PremierServer.b   skipped
F:\DRIVE F\laptop\DOWNLOADS\WAR FTP\ward165.exe/war-ftpd.exe   Infected: not-a-virus:Server-FTP.Win32.PremierServer.b   skipped
F:\DRIVE F\laptop\DOWNLOADS\WAR FTP\ward165.exe   ZIP: infected - 1   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04B0060D/[From webmasterEmail Removed][Date Tue, 28 Dec 2004 13:27:15 GMT]/yahoo_2861.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04B0060D/[From webmasterEmail Removed][Date Tue, 28 Dec 2004 13:27:15 GMT]/yahoo_2861.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04B0060D   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04B0060D   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04E17BD7/[From [email protected]][Date Tue, 28 Dec 2004 16:44:29 GMT]/oh_nono6304.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04E17BD7/[From [email protected]][Date Tue, 28 Dec 2004 16:44:29 GMT]/oh_nono6304.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04E17BD7   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\04E17BD7   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\053D77B6/[From [email protected]][Date Wed, 29 Dec 2004 17:56:43 GMT]/im_shocked.3733.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\053D77B6/[From [email protected]][Date Wed, 29 Dec 2004 17:56:43 GMT]/im_shocked.3733.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\053D77B6   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\053D77B6   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\058F115C/[From infoEmail Removed][Date Wed, 29 Dec 2004 20:47:30 GMT]/re_mail.7108.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\058F115C/[From infoEmail Removed][Date Wed, 29 Dec 2004 20:47:30 GMT]/re_mail.7108.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\058F115C   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\058F115C   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05956555/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 01:09:42 GMT]/re_mail.DOC.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05956555/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 01:09:42 GMT]/re_mail.DOC.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05956555   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05956555   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05A20D46/[From [email protected]][Date Thu, 30 Dec 2004 04:16:46 UTC]/mindspring5757.TXT.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05A20D46/[From [email protected]][Date Thu, 30 Dec 2004 04:16:46 UTC]/mindspring5757.TXT.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05A20D46   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05A20D46   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05AC0B3C/[From [email protected]][Date Thu, 30 Dec 2004 07:42:34 UTC]/mail.word.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05AC0B3C/[From [email protected]][Date Thu, 30 Dec 2004 07:42:34 UTC]/mail.word.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05AC0B3C   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05AC0B3C   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05B60931/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 11:28:40 GMT]/mail_253.eml.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05B60931/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 11:28:40 GMT]/mail_253.eml.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05B60931   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05B60931   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\060478DB/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 14:33:30 GMT]/auto__mail.yahoo4392.EML.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\060478DB/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 14:33:30 GMT]/auto__mail.yahoo4392.EML.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\060478DB   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\060478DB   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06C85003/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 18:05:40 GMT]/yahoo.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06C85003/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 18:05:40 GMT]/yahoo.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06C85003   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06C85003   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06E21FE6/[From infoEmail Removed][Date Fri, 31 Dec 2004 09:40:40 UTC]/Email Removed.3464.doc.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06E21FE6/[From infoEmail Removed][Date Fri, 31 Dec 2004 09:40:40 UTC]/Email Removed.3464.doc.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06E21FE6   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06E21FE6   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06EC1DDB/[From [email protected]][Date Fri, 31 Dec 2004 12:55:29 GMT]/bigfoot.xls.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06EC1DDB/[From [email protected]][Date Fri, 31 Dec 2004 12:55:29 GMT]/bigfoot.xls.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06EC1DDB   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06EC1DDB   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06FC6FC9/[From [email protected]][Date Fri, 31 Dec 2004 16:18:28 UTC]/ilnet_7607.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06FC6FC9/[From [email protected]][Date Fri, 31 Dec 2004 16:18:28 UTC]/ilnet_7607.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06FC6FC9   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\06FC6FC9   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07066DBF/[From ewnet2004Email Removed][Date Fri, 31 Dec 2004 19:21:31 UTC]/thats_hard.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07066DBF/[From ewnet2004Email Removed][Date Fri, 31 Dec 2004 19:21:31 UTC]/thats_hard.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07066DBF   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07066DBF   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\070D41B7/[From [email protected]][Date Fri, 31 Dec 2004 23:09:08 GMT]/mail.xls.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\070D41B7/[From [email protected]][Date Fri, 31 Dec 2004 23:09:08 GMT]/mail.xls.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\070D41B7   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\070D41B7   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\17F73118/[From [email protected]][Date Wed, 29 Dec 2004 17:56:43 GMT]/im_shocked.3733.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\17F73118/[From [email protected]][Date Wed, 29 Dec 2004 17:56:43 GMT]/im_shocked.3733.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\17F73118   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\17F73118   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\181754F4/[From infoEmail Removed][Date Wed, 29 Dec 2004 20:47:30 GMT]/re_mail.7108.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\181754F4/[From infoEmail Removed][Date Wed, 29 Dec 2004 20:47:30 GMT]/re_mail.7108.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\181754F4   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\181754F4   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\182152E9/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 01:09:42 GMT]/re_mail.DOC.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\182152E9/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 01:09:42 GMT]/re_mail.DOC.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\182152E9   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\182152E9   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\182E7ADB/[From [email protected]][Date Thu, 30 Dec 2004 04:16:46 UTC]/mindspring5757.TXT.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\182E7ADB/[From [email protected]][Date Thu, 30 Dec 2004 04:16:46 UTC]/mindspring5757.TXT.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\182E7ADB   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\182E7ADB   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\183E4CC9/[From [email protected]][Date Thu, 30 Dec 2004 07:42:34 UTC]/mail.word.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\183E4CC9/[From [email protected]][Date Thu, 30 Dec 2004 07:42:34 UTC]/mail.word.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\183E4CC9   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\183E4CC9   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184520C2/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 11:28:40 GMT]/mail_253.eml.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184520C2/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 11:28:40 GMT]/mail_253.eml.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184520C2   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184520C2   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184F1EB7/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 14:33:30 GMT]/auto__mail.yahoo4392.EML.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184F1EB7/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 14:33:30 GMT]/auto__mail.yahoo4392.EML.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184F1EB7   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\184F1EB7   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18591CAC/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 18:05:40 GMT]/yahoo.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18591CAC/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 18:05:40 GMT]/yahoo.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18591CAC   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18591CAC   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\186F4293/[From infoEmail Removed][Date Fri, 31 Dec 2004 09:40:40 UTC]/Email Removed.3464.doc.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\186F4293/[From infoEmail Removed][Date Fri, 31 Dec 2004 09:40:40 UTC]/Email Removed.3464.doc.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\186F4293   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\186F4293   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1876168C/[From [email protected]][Date Fri, 31 Dec 2004 12:55:29 GMT]/bigfoot.xls.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1876168C/[From [email protected]][Date Fri, 31 Dec 2004 12:55:29 GMT]/bigfoot.xls.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1876168C   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1876168C   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1886687A/[From [email protected]][Date Fri, 31 Dec 2004 16:18:28 UTC]/ilnet_7607.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1886687A/[From [email protected]][Date Fri, 31 Dec 2004 16:18:28 UTC]/ilnet_7607.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1886687A   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1886687A   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\188D3C73/[From ewnet2004Email Removed][Date Fri, 31 Dec 2004 19:21:31 UTC]/thats_hard.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\188D3C73/[From ewnet2004Email Removed][Date Fri, 31 Dec 2004 19:21:31 UTC]/thats_hard.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\188D3C73   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\188D3C73   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18973A68/[From [email protected]][Date Fri, 31 Dec 2004 23:09:08 GMT]/mail.xls.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18973A68/[From [email protected]][Date Fri, 31 Dec 2004 23:09:08 GMT]/mail.xls.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18973A68   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18973A68   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18AA3652/[From [email protected]][Date Sat, 01 Jan 2005 11:38:41 UTC]/auto__mail.swipnet_7741.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18AA3652/[From [email protected]][Date Sat, 01 Jan 2005 11:38:41 UTC]/auto__mail.swipnet_7741.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18AA3652   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18AA3652   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18B43448/[From Error_MailEmail Removed][Date Sat, 01 Jan 2005 15:10:33 GMT]/re_mail.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18B43448/[From Error_MailEmail Removed][Date Sat, 01 Jan 2005 15:10:33 GMT]/re_mail.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18B43448   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18B43448   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18C15C39/[From [email protected]][Date Sat, 01 Jan 2005 19:18:47 GMT]/mediaone.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18C15C39/[From [email protected]][Date Sat, 01 Jan 2005 19:18:47 GMT]/mediaone.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18C15C39   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18C15C39   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18CB5A2E/[From [email protected]][Date Sat, 01 Jan 2005 23:37:12 UTC]/mail3784.DOC.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18CB5A2E/[From [email protected]][Date Sat, 01 Jan 2005 23:37:12 UTC]/mail3784.DOC.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18CB5A2E   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18CB5A2E   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18D55824/[From [email protected]][Date Sun, 02 Jan 2005 02:20:14 GMT]/mail.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18D55824/[From [email protected]][Date Sun, 02 Jan 2005 02:20:14 GMT]/mail.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18D55824   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18D55824   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\19092B5C/[From [email protected]][Date Wed, 29 Dec 2004 17:56:43 GMT]/im_shocked.3733.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\19092B5C/[From [email protected]][Date Wed, 29 Dec 2004 17:56:43 GMT]/im_shocked.3733.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\19092B5C   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\19092B5C   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C026217/[From infoEmail Removed][Date Wed, 29 Dec 2004 20:47:30 GMT]/re_mail.7108.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C026217/[From infoEmail Removed][Date Wed, 29 Dec 2004 20:47:30 GMT]/re_mail.7108.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C026217   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C026217   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C0F0A09/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 01:09:42 GMT]/re_mail.DOC.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C0F0A09/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 01:09:42 GMT]/re_mail.DOC.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C0F0A09   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C0F0A09   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C1C31FA/[From [email protected]][Date Thu, 30 Dec 2004 04:16:46 UTC]/mindspring5757.TXT.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C1C31FA/[From [email protected]][Date Thu, 30 Dec 2004 04:16:46 UTC]/mindspring5757.TXT.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C1C31FA   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C1C31FA   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C2959EC/[From [email protected]][Date Thu, 30 Dec 2004 07:42:34 UTC]/mail.word.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C2959EC/[From [email protected]][Date Thu, 30 Dec 2004 07:42:34 UTC]/mail.word.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C2959EC   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C2959EC   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C3357E1/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 11:28:40 GMT]/mail_253.eml.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C3357E1/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 11:28:40 GMT]/mail_253.eml.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C3357E1   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C3357E1   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C392BDA/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 14:33:30 GMT]/auto__mail.yahoo4392.EML.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C392BDA/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 14:33:30 GMT]/auto__mail.yahoo4392.EML.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C392BDA   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C392BDA   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C4653CB/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 18:05:40 GMT]/yahoo.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C4653CB/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 18:05:40 GMT]/yahoo.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C4653CB   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1C4653CB   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D44061C/[From [email protected]][Date Sat, 18 Dec 2004 14:37:22 GMT]/re_mail.6082.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D44061C/[From [email protected]][Date Sat, 18 Dec 2004 14:37:22 GMT]/re_mail.6082.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D44061C   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D44061C   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D55580A/[From [email protected]][Date Sun, 19 Dec 2004 07:57:17 GMT]/fast.DOC.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D55580A/[From [email protected]][Date Sun, 19 Dec 2004 07:57:17 GMT]/fast.DOC.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D55580A   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D55580A   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D6529F8/[From infoEmail Removed][Date Sun, 19 Dec 2004 12:50:59 GMT]/yahoo.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D6529F8/[From infoEmail Removed][Date Sun, 19 Dec 2004 12:50:59 GMT]/yahoo.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D6529F8   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D6529F8   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D6F27EE/[From infoEmail Removed][Date Sun, 19 Dec 2004 16:38:43 GMT]/Email Removed5215.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D6F27EE/[From infoEmail Removed][Date Sun, 19 Dec 2004 16:38:43 GMT]/Email Removed5215.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D6F27EE   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D6F27EE   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D7F79DC/[From user_infoEmail Removed][Date Mon, 20 Dec 2004 13:55:46 GMT]/yahoo.5355.word.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D7F79DC/[From user_infoEmail Removed][Date Mon, 20 Dec 2004 13:55:46 GMT]/yahoo.5355.word.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D7F79DC   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D7F79DC   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D9414DD/[From [email protected]][Date Wed, 29 Dec 2004 17:56:43 GMT]/im_shocked.3733.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D9414DD/[From [email protected]][Date Wed, 29 Dec 2004 17:56:43 GMT]/im_shocked.3733.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D9414DD   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D9414DD   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3DCF089C/[From infoEmail Removed][Date Wed, 29 Dec 2004 20:47:30 GMT]/re_mail.7108.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3DCF089C/[From infoEmail Removed][Date Wed, 29 Dec 2004 20:47:30 GMT]/re_mail.7108.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3DCF089C   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3DCF089C   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E481A17/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 01:09:42 GMT]/re_mail.DOC.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E481A17/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 01:09:42 GMT]/re_mail.DOC.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E481A17   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E481A17   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E6F11EC/[From [email protected]][Date Thu, 30 Dec 2004 04:16:46 UTC]/mindspring5757.TXT.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E6F11EC/[From [email protected]][Date Thu, 30 Dec 2004 04:16:46 UTC]/mindspring5757.TXT.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E6F11EC   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E6F11EC   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E7F63DA/[From [email protected]][Date Thu, 30 Dec 2004 07:42:34 UTC]/mail.word.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E7F63DA/[From [email protected]][Date Thu, 30 Dec 2004 07:42:34 UTC]/mail.word.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E7F63DA   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E7F63DA   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E8961CF/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 11:28:40 GMT]/mail_253.eml.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E8961CF/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 11:28:40 GMT]/mail_253.eml.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E8961CF   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E8961CF   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E935FC4/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 14:33:30 GMT]/auto__mail.yahoo4392.EML.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E935FC4/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 14:33:30 GMT]/auto__mail.yahoo4392.EML.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E935FC4   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3E935FC4   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3EA007B6/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 18:05:40 GMT]/yahoo.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3EA007B6/[From webmasterEmail Removed][Date Thu, 30 Dec 2004 18:05:40 GMT]/yahoo.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3EA007B6   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3EA007B6   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57214680/[From [email protected]][Date Tue, 07 Dec 2004 18:23:04 GMT]/re_mail5541.word.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57214680/[From [email protected]][Date Tue, 07 Dec 2004 18:23:04 GMT]/re_mail5541.word.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57214680   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57214680   CryptFF: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57620E38/[From webmasterEmail Removed.au][Date Wed, 08 Dec 2004 02:02:11 UTC]/auto__mail.yahoo3600.zip/message_text.txt                                                           .pif   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57620E38/[From webmasterEmail Removed.au][Date Wed, 08 Dec 2004 02:02:11 UTC]/auto__mail.yahoo3600.zip   Infected: Email-Worm.Win32.Sober.i   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57620E38   Mail: infected - 2   skipped
F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\57620E38   CryptFF: infe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
« Reply #5 on: September 03, 2006, 11:03:51 PM »
You may have cut off the bottom of the log from Kaspersky's
Can you supply the bottom of the log please, if that is the case? Let me know
« Last Edit: September 03, 2006, 11:04:45 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline godzilly

« Reply #6 on: September 03, 2006, 11:34:36 PM »
[attachment=1296:attachment][attachment=1295:attachment]

That's weird - I was sure I checked that everything was there.

I'm attaching as files

[attachment=1297:attachment]

Here is Kaspersky

Offline guestolo

« Reply #7 on: September 04, 2006, 12:00:03 AM »
I wasn't quite sure if you got the bottom part of the log
Thanks for attaching the whole thing
I need you to disable a couple more protections so they won't interfere with the next fixes
Don't be worried, we can reenable them AFTER we have you clear of all malware
For Cleanup purposes, open Norton's Quarantine area and permanently delete all files in this area

Windows Defender
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Disable Norton's Script blocking:
   1. Start Norton AntiVirus.
      If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
   2. Click Options.
      If you see a menu, click Norton AntiVirus.
   3. In the left pane, click Script Blocking.
   4. In the right pane, uncheck Enable Script Blocking (recommended).
   5. Click OK.

Can you do the following please
Download The Avenger.zip by Swandog46 to your Desktop.

    * Click on Avenger.zip to open the file
    * Extract avenger.exe to your desktop

Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard


files to delete:
C:\WINDOWS\system32\winmxw32.dll
C:\WINDOWS\system32\ismini.exe
F:\DRIVE F\laptop\DOWNLOADS\WAR FTP\ward165.exe
F:\DRIVE F\laptop\DOWNLOADS\WAR FTP\war-ftpd.exe
F:\DRIVE F\laptop\All Users\Desktop\DOWNLOADS\WAR FTP\ward165.exe
C:\WINDOWS\ALCXMNTR.EXE


Now, start The Avenger program by clicking on its icon on your desktop

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows
Post back the following
1. Post a fresh HijackThis log (analyze.exe)
2. Post the log from Avenger located here>>C:\Avenger.txt
« Last Edit: September 04, 2006, 12:08:20 AM by guestolo »



Offline godzilly

« Reply #8 on: September 04, 2006, 01:09:51 PM »
log files:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ejhpvdnu

*******************

Script file located at: \??\C:\humnqfmp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\winmxw32.dll deleted successfully.
File C:\WINDOWS\system32\ismini.exe deleted successfully.
File F:\DRIVE F\laptop\DOWNLOADS\WAR FTP\ward165.exe deleted successfully.
File F:\DRIVE F\laptop\DOWNLOADS\WAR FTP\war-ftpd.exe deleted successfully.
File F:\DRIVE F\laptop\All Users\Desktop\DOWNLOADS\WAR FTP\ward165.exe deleted successfully.
File C:\WINDOWS\ALCXMNTR.EXE deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


Logfile of HijackThis v1.99.1
Scan saved at 11:04:29 AM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\sm56hlpr.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\notepad.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Desktop\DOWNLOADS\hijack\ANALYZE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...40%3A%3A454x107
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128798714328
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\SQLNAV~1\RNetPin.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Offline guestolo

« Reply #9 on: September 04, 2006, 01:41:10 PM »
Ewido should have removed some files I forgot about with the Kaspersky scan
Can you do the following
Open Ewido and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Exit Ewido after it has been updated

Do a "System scan only" with Hijackthis and put a check next to these entries:

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...40%3A%3A454x107

O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer into safe mode
You can do this by tapping the F8 key before Windows loads
Choose Safe mode from the Menu

Ewido Scan
  • Then click on the Scanner tab at the top and then click on Complete System Scan.  This scan can take quite a while to run, so be prepared.
    Ensure you are doing a complete scan, which will include drives: C>D>F
    Don't use your computer while running the scan, let it complete
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).
Reboot the computer back to Normal windows

Back in Windows
Post a fresh hijackthis log and report from Ewido's
Let me know how things are running

EDIT>>I edited the above instructions, If you have already started
We'll do the above in next step
« Last Edit: September 04, 2006, 02:11:18 PM by guestolo »

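The two HijackThis fixes requested in Reply #9 can be checked by comparing the log taken before them with the one taken after, and the "(file missing)" entry can be tied back to a file The Avenger deleted. The Python sketch below is an added example, not part of the original thread and not a HijackThis or Avenger feature; the function names are hypothetical and the sample text is excerpted from the logs posted in this thread.

```python
import re
from ntpath import basename  # Windows path rules, whatever OS this runs on

# Excerpts of the logs posted in this thread, trimmed to the relevant lines.
HJT_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:04:29 AM, on 9/4/2006
C:\WINDOWS\system32\winlogon.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...40%3A%3A454x107
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
"""

HJT_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 3:37:26 PM, on 9/4/2006
C:\WINDOWS\system32\winlogon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

AVENGER_LOG = r"""
Beginning to process script file:

File C:\WINDOWS\system32\winmxw32.dll deleted successfully.
File C:\WINDOWS\system32\ismini.exe deleted successfully.

Completed script processing.
"""

# HijackThis result lines look like "O20 - <detail>"; the header and the
# "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
DELETED_RE = re.compile(r"^File (.+) deleted successfully\.$")
MISSING = "(file missing)"


def parse_hjt(text):
    """Return the HijackThis entries as (section, detail) tuples, in log order."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def parse_avenger_deleted(text):
    """Return the paths The Avenger reports as deleted, in log order."""
    paths = []
    for line in text.splitlines():
        match = DELETED_RE.match(line.strip())
        if match:
            paths.append(match.group(1))
    return paths


def orphaned(entries, deleted_paths):
    """Entries marked '(file missing)', each paired with the deleted file whose
    name matches (or None): a load point left behind after the file was removed."""
    by_name = {basename(p).lower(): p for p in deleted_paths}
    found = []
    for section, detail in entries:
        if not detail.endswith(MISSING):
            continue
        # The target file is the last " - " separated field before the marker.
        target = detail[: -len(MISSING)].rstrip().rsplit(" - ", 1)[-1]
        found.append((section, detail, by_name.get(basename(target).lower())))
    return found


def diff_entries(before, after):
    """Return (removed, added) entries between two parsed logs."""
    removed = [entry for entry in before if entry not in after]
    added = [entry for entry in after if entry not in before]
    return removed, added


if __name__ == "__main__":
    before, after = parse_hjt(HJT_BEFORE), parse_hjt(HJT_AFTER)
    deleted = parse_avenger_deleted(AVENGER_LOG)
    for section, detail, path in orphaned(before, deleted):
        print(f"orphaned before fix: {section} - {detail}  <- deleted file: {path}")
    removed, added = diff_entries(before, after)
    for section, detail in removed:
        print(f"gone after fix:      {section} - {detail}")
    for section, detail in added:
        print(f"NEW after fix:       {section} - {detail}")
    print("orphans remaining:", len(orphaned(after, deleted)))
```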


Offline godzilly

« Reply #10 on: September 04, 2006, 05:41:09 PM »
Ewido and HJT reports are attached

So far in the last 3 hours I've had popups from Norton or Ewido

I'm hoping that you've beat the thing

Thanks for all your help

Brian

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:   3:27:19 PM 9/4/2006

 + Scan result:   



C:\avenger\backup.zip/avenger/ismini.exe -> Downloader.Zlob.xy : Cleaned with backup (quarantined).
C:\Documents and Settings\brian\Cookies\brian@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 3:37:26 PM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Desktop\DOWNLOADS\hijack\ANALYZE.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.4156\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128798714328
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\SQLNAV~1\RNetPin.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
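A HijackThis log like the one above is easier to review once its entries are grouped by section code. The following is an added example, not part of the original post or of HijackThis itself: the function names are hypothetical, the sample is a few lines copied from this log, and it assumes the vendor and path fields of an O23 line contain no " - ".

```python
import re
from collections import defaultdict

# Constructed sample: five lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Global Startup: VPN Client.lnk = ?
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\oracle\ora81\BIN\ONRSD.EXE
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")

def parse_hjt(text):
    """Group HijackThis entries by section code (O4, O20, O23, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def parse_service(body):
    """Split an O23 body into (name, vendor, path).
    Split from the right because display names may contain ' - '."""
    if not body.startswith("Service: "):
        return None
    parts = body[len("Service: "):].rsplit(" - ", 2)
    return tuple(parts) if len(parts) == 3 else None

def review_first(sections):
    """Entries where the log shows an unresolved vendor or shortcut target.
    Unresolved is a reason to look at the file, not a verdict on it."""
    notes = []
    for body in sections.get("O23", []):
        svc = parse_service(body)
        if svc and svc[1] == "Unknown owner":
            notes.append(("O23", svc[0], "no vendor listed: " + svc[2]))
    for body in sections.get("O4", []):
        if ": " in body and body.endswith("= ?"):
            name = body.split(": ", 1)[1].rsplit(" = ", 1)[0]
            notes.append(("O4", name, "shortcut target not resolved"))
    return notes

if __name__ == "__main__":
    for code, name, reason in review_first(parse_hjt(SAMPLE_LOG)):
        print(code, name, "->", reason)
```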

Offline guestolo

HELP- PAKES - DIALER.QY - DIALER.KOTU
« Reply #11 on: September 04, 2006, 05:44:36 PM »
Quote
So far in the last 3 hours I've had popups from Norton or Ewido

Does that mean you have or haven't had popups?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline godzilly

HELP- PAKES - DIALER.QY - DIALER.KOTU
« Reply #12 on: September 04, 2006, 07:54:10 PM »
sorry - my fat fingers

I've had NO warning popups from any of the security software - norton, ewido, windows defender

Previously I would get 3 or 4 as soon as I started internet explorer

Thanks again for all your help

Offline guestolo

HELP- PAKES - DIALER.QY - DIALER.KOTU
« Reply #13 on: September 04, 2006, 08:07:57 PM »
Going thru your Kaspersky log
You may want to do the following
In OUTLOOK, remove any emails you don't trust or recognize

These zip files are considered infected by Kaspersky
You may want to remove them
F:\XNEWSDOWN\BPFTP Server 2.21.zip
F:\XNEWSDOWN\FlashGet 1.40.zip   

Can you run a scan for me, just as a double check
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Go to either of these links
http://www.virustotal.com/flash/index_en.html
OR
http://virusscan.jotti.org/
OR
Virus.org

Use the browse button and navigate to this file on your harddrive
The same file is located in different folders, scan at least 2 of them please
D:\I386\Apps\APP04843\src\da\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\de\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\fi\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\fr\JS\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\it\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\ko\JS\LUREGWMI.EXE   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\nl\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\no\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\pt\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\sv\js\LURegWMI.exe   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\zh\cn\JS\LUREGWMI.EXE   Infected: not-a-virus:AdWare.Win32.Dm.n   skipped
D:\I386\Apps\APP04843\src\zh\tw\JS\LURegWMI.exe

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please
« Last Edit: September 04, 2006, 08:08:22 PM by guestolo »



Offline godzilly

HELP- PAKES - DIALER.QY - DIALER.KOTU
« Reply #14 on: September 05, 2006, 02:33:40 AM »
I've done some cleanup on drive f: based on the kaspersky scan I still have some to do. I will delete the old eudora mailboxes, etc.

drive d: is the system recovery partition that came with the PC. It is really an archive to restore winxp and the various apps that came with the system. I had to use winrar to extract a couple of LURegWMI.exe files to scan

The various scan reports are attached

Offline guestolo

HELP- PAKES - DIALER.QY - DIALER.KOTU
« Reply #15 on: September 05, 2006, 07:16:33 PM »
Could you let me know something please
That file you scanned
Did your Recovery partition also include a trial of Nortons' on it?

I think this may be a false positive related to an older file of Symantec's

Also, let me know if everything is still OK, we'll just do a quick final cleanup step
« Last Edit: September 05, 2006, 07:17:37 PM by guestolo »



Offline godzilly

HELP- PAKES - DIALER.QY - DIALER.KOTU
« Reply #16 on: September 05, 2006, 10:38:55 PM »
Yes

The PC came with a trial version of Norton, so I assume that it is one of the apps in the recovery partition

When the trial version expired I installed NIS 2005

I was online for several hours yesterday with no sign of any virus activity

I think you have managed to get it... - YOU ARE THE BEST...

I can't thank you enough

Offline guestolo

HELP- PAKES - DIALER.QY - DIALER.KOTU
« Reply #17 on: September 05, 2006, 11:02:35 PM »
We should create a new system restore point and remove all older ones in case they are infected

Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Name it and click create
When that's done

Open MyComputer
Right click on Local Disk C:
Select Properties>>Disk CleanUp
Let it finish calculating

Select the More Options tab
and click Cleanup under System Restore
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning

*Install  SpywareBlaster 3.5.1 by JavaCool  
    *Will block bad ActiveX Controls
    *Block Malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

If your protections from Windows Defender and Nortons are still disabled, go back and reenable them

You can go back and rehide hidden files and folders
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading de-select Show hidden files and folders.
* Check the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

You can go ahead and delete this text file
C:\Avenger.txt

And Avenger.exe and Avenger.zip
Avenger would have created a folder here>>C:\Avenger

Hold onto that folder for about a week, it contains backups of what we removed
If everything's still running good after that time, go ahead and delete that folder too

Take care :)
« Last Edit: September 05, 2006, 11:10:27 PM by guestolo »



Offline godzilly

HELP- PAKES - DIALER.QY - DIALER.KOTU
« Reply #18 on: September 05, 2006, 11:58:59 PM »
Cleanup complete

Thanks again....

Offline guestolo

HELP- PAKES - DIALER.QY - DIALER.KOTU
« Reply #19 on: September 06, 2006, 11:32:52 PM »
You're welcome, I'll lock this topic as your problems are resolved
