Junior Member
Ok, I've followed the latest instructions. Here are the results of the BitDefender Scan.
BitDefender Online Scanner
Scan report generated at: Sat, Aug 26, 2006 - 12:04:32
Scan path: A:\;C:\;D:\;
Statistics
Time
01:36:32
Files
370125
Folders
6138
Boot Sectors
3
Archives
9022
Packed Files
36590
Results
Identified Viruses
1
Infected Files
1
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
1
Engines Info
Virus Definitions
450834
Engine build
AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins
13
Archive plugins
39
Unpack plugins
5
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 234)=>[Subject: re:appointment august 29th at 04-00 - ][Date: Sat, 28 Aug 2004 19:47:46 -0100 (CST)]=>(MIME part)=>(message body)=>(JAVASCRIPT 1)
Infected with: Trojan.Dropper.Vbs.Zerolin.Q
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 234)=>[Subject: re:appointment august 29th at 04-00 - ][Date: Sat, 28 Aug 2004 19:47:46 -0100 (CST)]=>(MIME part)=>(message body)=>(JAVASCRIPT 1)
Disinfection failed
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 234)=>[Subject: re:appointment august 29th at 04-00 - ][Date: Sat, 28 Aug 2004 19:47:46 -0100 (CST)]=>(MIME part)=>(message body)=>(JAVASCRIPT 1)
Deleted
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 234)=>[Subject: re:appointment august 29th at 04-00 - ][Date: Sat, 28 Aug 2004 19:47:46 -0100 (CST)]=>(MIME part)=>(message body)
Updated
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 234)=>[Subject: re:appointment august 29th at 04-00 - ][Date: Sat, 28 Aug 2004 19:47:46 -0100 (CST)]=>(MIME part)
Updated
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 234)
Updated
C:\Documents and Settings\John\Local Settings\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\Microsoft\Outlook Express\Deleted Items.dbx
Update failed
Senior Member (Canada)
Post your latest HijackThis log for a final review, if you want.
Do you now feel that you now have a clean PC. That means no more AV alerts. Do you still use Outlook Express? Malware was found in the 'Deleted Items' FOLDER by two (2) tools - wouldn't hurt to check again. I can suggest several more scanning tools if you are still unsure of your PC's state of health. Or you can re-run all tools currently in use.
To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.
ONLY ONCE you are as clean as possible from any needed cleanup steps - As a final cleanup step (after serious infection), it may be advisable to Reset and Re-enable your System Restore to remove any bad files that MAY have been backed up by Windows . The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)
PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. Accordingly and of further note; it can be very unsafe to run with admin rights on any PC that you browse the Internet with.
(Windows XP)To Turn OFF System Restore.FOLDER LOCATION: c:\System Volume Information\_restore….
- Click the Start button.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
- Click Apply.
REBOOT.
To Turn ON System Restore.
- Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
- Create new System Restore points.
(Windows ME)See the following link for instructions:FOLDER LOCATION: c:\_RESTORE\TEMP\….
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam
To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:
- Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
http://www.microsoft.com/windows/ie/default.asp
- http://www.securityfocus.com/news/11273
If you surf to questionable (blockable) parts of the Web, you could encounter sites that compromise your PC without any user interaction. In experiments [reported Aug 2005], Microsoft identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system. Also, be aware that the WinXP Service Pack 2 was an update that focused almost exclusively on security. Also reported was that a fully patched Windows XP SP2 system cannot be compromised by any such discovered rogue Web sites.- Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching (using a real-time AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1
Avast: http://www.avast.com/eng/avast_4_home.html
- In addition to using Ad-aware, consider using another free malware scanning/removal program :
Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
Microsoft Windows Defender beta 2 : http://www.download.com/Microsoft-Wi...ml?tag=lst-0-1
- Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
*** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za
It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.
- Consider using an alternate free browser for general web surfing but you must use IE for windows updates. The use of Firefox (or similar alternate) mitigates the many types of malware that are now possible when using IE ActiveX based components.
Mozilla Firefox: http://www.mozilla.org/products/firefox/
- Consider increasing your browser security by using these programs:
SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
- If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/
- IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
http://www.spywarewarrior.com/uiuc/resource.htm- A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
- Run the HiJackThis tool and select ‘Open the Misc Tools section’.
- Next select ‘Open host file manager’ button.
- Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
- Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.
EXCERPT:#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
.
.
.
#end of lines added by WinHelp2002
*Remember just like your primary anti-virus software, it is important to:
- Keep all of these programs up-to-date (using auto-updates where possible), and
- Use them on a regular (minimum weekly) basis.
REALITY CHECK:
- Who else uses your PC? What are the potential risks created by multiple (potentially loose cannon) users and why?
- What about bad luck, simple mistakes, and bad browsing choices (SEE: www.siteadvisor.com and their BLOG)?
- SEE: The Dangers of Popularity (for Popular SEARCH TERMS):
http://blog.siteadvisor.com/2006/08/...pularity.shtml
The correlation of search term popularity and search term riskiness illustrates how malicious activity tends to follow and exploit consumer behavior. Users demand "free," and bad actors flock to fill corresponding search results with their deceptive offerings. All too often, users don't realize the detrimental consequences of these sites until their systems crash from spyware or their inboxes become choked with spam.
ABOVE ALL, it is most imperative that users exercise "safe surfing" habits such as banning or at least verifying email attachments (with scanning tools) before opening, and by not executing programs unless obtained from a trusted (or researched) source, etc.
In general, always research any unfamiliar links or products that you might want to access or download. In particular, the SiteAdvisor site and other links listed in my signature have continued to make a significant difference to my clients’ PC health due to better-informed browsing habits and choices. Peer-to-Peer and FREE download sites add a level of risk that many should seriously take into account and adjust their behavior accordingly.
Additionally, TEMPORARY files are both a significant source of clutter and potential hiding places for MALWARE content. Clean out those areas periodically - at least weekly.
Junior Member
Ok, I thought everything was clean because my AVG Antivirus has had clean tests for the last 7 days straight.
I reset the sytem restore as instructed and tried again last night to do the XP SP2 install. Same thing it hung about half way through installing the new files giving me an error "Access denied". Luckily the uninstall went smoothly and everything seems to be operating normally.
I really don't understand what is going on. The system seems to be stable but the XP SP2 install just refuses to cooperate.
Anyway, Here is my latest Highjack This logfile.
Any suggestions would be appreciated.
Thanks!
Logfile of HijackThis v1.99.1
Scan saved at 7:22:52 AM, on 8/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\QUICKENW2000\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&gl=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1;http://localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW2000\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW2000\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.ebay.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...2/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095180586841
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
O16 - DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} (Desktop.Smdesk) - http://www.servicemagic.com/smod/smdesktop.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...15/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Senior Member (Canada)
HijackThis LOG appears to be fine.
This can be the result of many issues (see, in particular, 'Google group results' at the bottom of first page results):"Access denied"
http://www.google.ca/search?hl=en&q=...G=Search&meta=
Try our XP Forum if you require more specific advice or guidance.
However and in addition, it may be necessary to order a 'Windows XP SP2' cd or, better still, have a local vendor do the update (they would have such disks):
http://www.microsoft.com/windowsxp/d...s/default.mspx
Junior Member
After using my computer a few more days it is edident I still have viruses. I did look back over the emails and I realized that when you said to clean out the deleted files section of Outlook Express you meant to follow the path you listed in the email. I did this and deletd several files I did not think belonged there. There were some files that had names I did recognioze as Outlook folder names so I left them there. I can delete these also if you think that is a good idea since I am using Outlook 2000 instead of Outlook Express. I also rescanned the computer with BitDefender and Kapersky. Both detected viruses in the Recycler folder. I tried to delete one of the files there but it told be it was being used by an open process. Since I was unsure what the file was used for I left it alone.
Anyway, I have posted the results of my latest scans below.
Please let me know what I need to do to eradicate the latest set of viruses.
Thanks again for all of your help.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, September 01, 2006 11:05:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/09/2006
Kaspersky Anti-Virus database records: 220109
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 89452
Number of viruses found: 1
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:17:10
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Support.com\profiles\John\triggers.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Sandra\triggers.log Object is locked skipped
C:\Documents and Settings\John\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\John\Application Data\Microsoft\Outlook\Microsoft Outlook Internet Settings.NICK Object is locked skipped
C:\Documents and Settings\John\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\John\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\John\Application Data\Microsoft\Word\AutoRecovery save of Normal.as$ Object is locked skipped
C:\Documents and Settings\John\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\John\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\John\Local Settings\History\History.IE5\MSHist012006090120060 902\index.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temp\~DF15C0.tmp Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temp\~DF64DE.tmp Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temp\~WRF0003.tmp Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\John\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\John\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Sandra\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Sandra\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSBrws.log Object is locked skipped
C:\Documents and Settings\Sandra\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Sandra\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sandra\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sandra\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Sandra\Local Settings\History\History.IE5\MSHist012006090120060 902\index.dat Object is locked skipped
C:\Documents and Settings\Sandra\Local Settings\Temp\qdiagd.log Object is locked skipped
C:\Documents and Settings\Sandra\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Sandra\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sandra\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-3802390207-2702098091-648908277-1006\Dc7.dbx/[From Irvin Medrano <Varnerbiot@bns.com>][Date Sat, 28 Aug 2004 19:47:46 -0100 (CST)]/html Infected: Trojan-Dropper.VBS.Zerolin skipped
C:\RECYCLER\S-1-5-21-3802390207-2702098091-648908277-1006\Dc7.dbx Mail MS Outlook 5: infected - 1 skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010002.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\change.log Object is locked skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A4FBC8 EB-31DF-4768-A30A-956D2BCA9E5E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DAT A Object is locked skipped
C:\WINDOWS\Temp\WCESCOMM.LOG Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
BitDefender Online Scanner
Scan report generated at: Fri, Sep 01, 2006 - 20:31:23
Scan path: A:\;C:\;D:\;
Statistics
Time
01:36:17
Files
380536
Folders
6123
Boot Sectors
3
Archives
9362
Packed Files
37752
Results
Identified Viruses
1
Infected Files
1
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
1
Engines Info
Virus Definitions
452048
Engine build
AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins
13
Archive plugins
38
Unpack plugins
6
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
C:\RECYCLER\S-1-5-21-3802390207-2702098091-648908277-1006\Dc7.dbx=>(message 234)=>[Subject: re:appointment august 29th at 04-00 - ][Date: Sat, 28 Aug 2004 19:47:46 -0100 (CST)]=>(MIME part)=>(message body)=>(JAVASCRIPT 1)
Infected with: Trojan.Dropper.Vbs.Zerolin.Q
C:\RECYCLER\S-1-5-21-3802390207-2702098091-648908277-1006\Dc7.dbx=>(message 234)=>[Subject: re:appointment august 29th at 04-00 - ][Date: Sat, 28 Aug 2004 19:47:46 -0100 (CST)]=>(MIME part)=>(message body)=>(JAVASCRIPT 1)
Disinfection failed
C:\RECYCLER\S-1-5-21-3802390207-2702098091-648908277-1006\Dc7.dbx=>(message 234)=>[Subject: re:appointment august 29th at 04-00 - ][Date: Sat, 28 Aug 2004 19:47:46 -0100 (CST)]=>(MIME part)=>(message body)=>(JAVASCRIPT 1)
Deleted
C:\RECYCLER\S-1-5-21-3802390207-2702098091-648908277-1006\Dc7.dbx=>(message 234)=>[Subject: re:appointment august 29th at 04-00 - ][Date: Sat, 28 Aug 2004 19:47:46 -0100 (CST)]=>(MIME part)=>(message body)
Updated
C:\RECYCLER\S-1-5-21-3802390207-2702098091-648908277-1006\Dc7.dbx=>(message 234)=>[Subject: re:appointment august 29th at 04-00 - ][Date: Sat, 28 Aug 2004 19:47:46 -0100 (CST)]=>(MIME part)
Updated
C:\RECYCLER\S-1-5-21-3802390207-2702098091-648908277-1006\Dc7.dbx=>(message 234)
Updated
C:\RECYCLER\S-1-5-21-3802390207-2702098091-648908277-1006\Dc7.dbx
Update failed
Senior Member (Canada)
Delete the Recycle Bin items in SAFE MODE.There were some files that had names I did recognioze as Outlook folder names so I left them there. I can delete these also if you think that is a good idea since I am using Outlook 2000 instead of Outlook Express. I also rescanned the computer with BitDefender and Kapersky. Both detected viruses in the Recycler folder. I tried to delete one of the files there but it told be it was being used by an open process. Since I was unsure what the file was used for I left it alone.
You do not want to be deleting FILES. Your best option is to run Outlook or Outlook Express (OE) and clean out the individual emails in question. Certainly, ensure that the 'Deleted Items' FOLDER in those applications is cleaned out. If you no longer use OE I would ensure that all email items are removed (just in case).
In some cases (continued email unreliability), you might have make a BACKUP of all 'Outlook' *.PST FILES and to get familiar with exporting selected test Outlook emails (delete test items and then re-import them). Then it is time to consider exporting all known good emails to a holding file and then creating a completely new and clean Outlook profile to re-import your emails:
http://support.microsoft.com/kb/196492/
How to export e-mail messages from Outlook Express into Outlook 2000
http://support.microsoft.com/kb/1963...d=2520&sid=139
Junior Member
I just wanted to let you know that I finally have a virus/malware free computer and that I have sucessfully installed Windows XP SP2. I used Trend Micros online virus scanner Housecalll to remove the final viruses. After I was rid of them I went to the Google forum pages you listed and found a solution to my XP install problems. The subinacl utility from Microsoft was run in the safe mode according to one of the posts you sent me. After rumming the registry premissions reset I was finally able to sucessfully instal SP2.
Thanks for all of your help. Your website is a real computer saver.
Thanks for all your help.
John Lane
