
Need help with possible infection (HJT log)

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2007/01/04.

Thread Status:
Not open for further replies.
  1. 2007/01/04
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    My wife's been getting some pop-ups at different times on her PC, no rhyme or reason as to when, they just happen, when surfing, doing email, working in MS Word, etc. I happened to see one yesterday myself, it was a full size window ad for I believe PC-cillin. There is no way to close the window except with alt+F4. I've updated and run Spybot, Adaware, AVG-Antispyware, AVG and have SpywareBlaster updated. I keep this PC updated and scanned on a weekly basis, so I'm kind of surprised by this problem. None of the scans found anything other than tracking cookies, so I'm posting the HJT log in hopes someone might spot something that might be causing this annoyance.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:39:37 PM, on 1/4/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\BITWARE\NT\bwprnmon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\chkdisk.exe
    C:\Program Files\InfiNet Surfer Kit\Netscape\Communicator\Program\AIM\aim.exe
    C:\Program Files\Microsoft Office\Office\Osa.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Quickenw\Qwdlls.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/swarm.cgi?515877&d9c64b2d1ccf682d9a38fe47b10dd06c
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    N1 - Netscape 4: user_pref( "browser.startup.homepage ", "http://www.altavista.com "); (C:\Program Files\InfiNet Surfer Kit\Netscape\Users\Default\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UninstalTime] chkdisk.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\InfiNet Surfer Kit\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\InfiNet Surfer Kit\Netscape\Communicator\Program\AIM\aim.exe
    O12 - Plugin for .bat: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .scr: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .swf: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://vram2c.vcu.edu/dwa7W.cab
    O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
     
  2. 2007/01/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hi Bill, welcome back :confused: :p

    Ahhh....I'm not seeing Windows XP SP2 installed, this is the reason you got infected, your machine can't possibly be fully protected without that. I strongly suggest you hit Windows Update once we finish here.

    This looks like a backdoor trojan perhaps with key logging abilities, so be sure you keep an eye on any online accounts for any sort of financial activities which seem out of sorts. I'd suggest not logging into any of those accounts, or finding another PC to change all related passwords. This is just a precaution, some vendor sites don't call it a key logger, some do.


    Please hit the 'Ctrl' key + 'Alt' key + 'Delete' key to bring up the Task Manager and select the 'Processes' tab. Then find, highlight and select 'End Task' on the following process(es) if present:
    C:\WINDOWS\System32\chkdisk.exe


    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trafficswarm.com/cgi-bin/...38fe47b10dd06c


    O4 - HKLM\..\Run: [UninstalTime] chkdisk.exe



    Reboot into safe mode this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked then search for and delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\WINDOWS\System32\chkdisk.exe <<<-- this file. **Please note spelling!! Do not delete chkdsk.exe. Note the extra letter 'I'.


    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
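
    The check made by eye in the reply above (`chkdisk.exe` against the genuine `chkdsk.exe`), as an added example that is not part of the original thread: it scans the running-process and O4 autorun lines of a HijackThis log for executable names one edit away from a known Windows binary. The allow-list is a short constructed assumption, the function names are hypothetical, and the sample is an excerpt of the log posted in this thread.

```python
import re

# Assumption: a short, constructed allow-list of genuine Windows binaries.
KNOWN_SYSTEM_BINARIES = {
    "chkdsk.exe", "explorer.exe", "lsass.exe", "services.exe", "smss.exe",
    "spoolsv.exe", "svchost.exe", "systray.exe", "winlogon.exe",
}

# HijackThis O4 registry autorun line: O4 - HKLM\..\Run: [ValueName] command
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run\w*: \[(.*?)\] (.+)$")
# First executable in a command, quoted or not, before any arguments.
EXECUTABLE = re.compile(r'\s*"?(.+?\.(?:exe|scr|bat|com))(?=["\s]|$)', re.I)

# Excerpt of the first log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\chkdisk.exe
C:\Program Files\QuickTime\qttask.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UninstalTime] chkdisk.exe
"""

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executable_name(command):
    """Lower-cased file name of the program a log entry points at, or None."""
    m = EXECUTABLE.match(command)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else None

def find_lookalikes(log_text, max_distance=1):
    """Return entries whose file name nearly matches, but is not, a known binary."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line)
        if m:
            source, command = f"O4 {m.group(1)} Run [{m.group(2)}]", m.group(3)
        elif re.match(r"^[A-Za-z]:\\", line):
            source, command = "running process", line
        else:
            continue
        name = executable_name(command)
        if name is None or name in KNOWN_SYSTEM_BINARIES:
            continue  # unparseable, or an exact match for a genuine name
        for known in sorted(KNOWN_SYSTEM_BINARIES):
            if edit_distance(name, known) <= max_distance:
                findings.append({
                    "source": source, "name": name, "resembles": known,
                    # No directory given: Windows resolves it via the search path.
                    "bare_name": "\\" not in command,
                })
                break
    return findings

if __name__ == "__main__":
    for finding in find_lookalikes(SAMPLE_LOG):
        print(finding)
```

    A hit is only a prompt to inspect the file; a genuine name in an unexpected directory is not covered by this check.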
     


  4. 2007/01/04
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Hi TeMerc,

    Thanks for the quick reply. I know about the SP2 thing, her PC is the last one I have to do, guess it will be my weekend project. I can't believe she got this thing, maybe one of the kids used her pc for surfing. I followed your instructions and here's the new HJT log. Hope this thing isn't a key logger, the only thing she does with a password that's important is Ebay, but that's bad enough if someone logs into her account. I'm going to have her change it pronto just in case from my PC. Anyway, here's the log;

    Logfile of HijackThis v1.99.1
    Scan saved at 10:05:29 PM, on 1/4/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\BITWARE\NT\bwprnmon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\InfiNet Surfer Kit\Netscape\Communicator\Program\AIM\aim.exe
    C:\Program Files\Microsoft Office\Office\Osa.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Quickenw\Qwdlls.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    N1 - Netscape 4: user_pref( "browser.startup.homepage ", "http://www.altavista.com "); (C:\Program Files\InfiNet Surfer Kit\Netscape\Users\Default\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [bwprnmon.exe] C:\BITWARE\NT\bwprnmon.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [AIM] C:\Program Files\InfiNet Surfer Kit\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\InfiNet Surfer Kit\Netscape\Communicator\Program\AIM\aim.exe
    O12 - Plugin for .bat: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .scr: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .swf: C:\PROGRAM FILES\INFINET SURFER KIT\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab
    O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://vram2c.vcu.edu/dwa7W.cab
    O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://prints.picturecenter.kodak.com/activex/LightSurfUploadControl.cab
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
     
  5. 2007/01/04
    TeMerc

    TeMerc Inactive Alumni

    Everything looks fine.

    The XP SP2 install will likely go smoothly, most do. If not, I think I know of a forum to get help with any problems. :p

    To go that extra mile, head over to Panda for an online scan.


    Panda ActiveScan
    • Click the [Scan your PC] button. ( You may have to disable any pop up blockers)
    • Then press the green [Check Now] button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.

    **Note: please edit out any references to 'cookies', any sort of 'Quarantine' folder, 'Recycler folder' and 'System Volume Information Folder' from all logs.
     
  6. 2007/01/04
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    So far, the Panda scan has detected 9 viruses and disinfected 8 of them, and 2 hacking tools/rootkits, and is about half done. I had my wife sign into her Ebay account from my PC and change her password so hopefully that will head off any potential problems. I'll post the log from the Panda scan when it's done. Thanks again for the help, and I will be applying SP2 this weekend to this PC.
     
  7. 2007/01/04
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Here's the result of the Panda scan;

    Incident Status Location

    Virus:vbs/psyme.gen Not disinfected Operating system
    Virus:JS/Kak.Worm Disinfected C:\Program Files\InfiNet Surfer Kit\Netscape\Users\pbocock\Mail\Inbox[~0001554.~]
    Virus:W32/Myparty@MM Disinfected C:\Program Files\InfiNet Surfer Kit\Netscape\Users\pbocock\Mail\Inbox[~0017919.~][www.myparty.yahoo.com]
    Virus:W32/Myparty@MM Disinfected C:\Program Files\InfiNet Surfer Kit\Netscape\Users\pbocock\Mail\Inbox[~0017920.~][www.myparty.yahoo.com]
    Virus:W32/Myparty@MM Disinfected C:\Program Files\InfiNet Surfer Kit\Netscape\Users\pbocock\Mail\Inbox[~0017921.~][www.myparty.yahoo.com]
    Virus:W32/Magistr.B Disinfected C:\Program Files\InfiNet Surfer Kit\Netscape\Users\pbocock\Mail\Inbox[Orlando.exe]
    Hacktool:Exploit/iFrame Not disinfected C:\Program Files\InfiNet Surfer Kit\Netscape\Users\pbocock\Mail\Inbox[~0021294.~]
    Virus:W32/Klez.I Disinfected C:\Program Files\InfiNet Surfer Kit\Netscape\Users\pbocock\Mail\Inbox[BGCOLOR.bat]
    Hacktool:Exploit/iFrame Not disinfected C:\Program Files\InfiNet Surfer Kit\Netscape\Users\pbocock\Mail\Inbox[~0021399.~]
    Virus:W32/Klez.I Disinfected C:\Program Files\InfiNet Surfer Kit\Netscape\Users\pbocock\Mail\Inbox[Cxhdi.scr]
    Virus:W32/Disemboweler Disinfected C:\Program Files\InfiNet Surfer Kit\Netscape\Users\pbocock\Mail\Inbox[MSOOBE.EXE]
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Paula Bocock\Local Settings\Temp\Cookies\paula bocock@belnk[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Paula Bocock\Local Settings\Temp\Cookies\paula bocock@dist.belnk[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Paula Bocock\Local Settings\Temp\Cookies\paula bocock@atwola[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Paula Bocock\Local Settings\Temp\Cookies\paula bocock@atwola[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Paula Bocock\Cookies\paula bocock@atwola[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jason\Cookies\jason@atwola[3].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jason\Cookies\jason@atwola[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jason\Cookies\jason@belnk[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jason\Cookies\jason@dist.belnk[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jason\Cookies\jason@atwola[1].txt
    Hacktool:Exploit/iFrame Not disinfected Local Folders\My Mail\Misc\Fw:sos!
    Virus:W32/Klez.I Disinfected Local Folders\My Mail\Misc\Fw:sos!\BGCOLOR.bat
    Virus:W32/Magistr.B Disinfected Local Folders\My Mail\Misc\Oliver is very jealous\Orlando.exe
    Let me know if there is anything else to do with this machine, thanks.
     
  8. 2007/01/04
    TeMerc

    TeMerc Inactive Alumni

    Looks like you get a lot of virus laden emails!! Everything there is in the Inbox, or was headed there.

    All non-threats, cookies and the Netscape items are f/ps.

    You're good to go.
     
  9. 2007/01/05
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    That's good to hear, thanks again for the help, it's really appreciated.
     
  10. 2007/01/05
    TeMerc

    TeMerc Inactive Alumni

    Glad we could be of assistance.

    Due to resolution this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     