
Win32.agent.gvu Backdoor Trojan Infection

Discussion in 'Malware and Virus Removal Archive' started by ramnagel, 2008/08/07.

  1. 2008/08/07
    ramnagel (Thread Starter)
    [Added after posting: see my next post below this one - I may have successfully removed the trojan with a system restore!]

    I think I have contracted the win32.agent.gvu backdoor trojan. I ran Spybot, which failed to fix it but did identify it.

    I constantly get this popup dialog when trying to use IE or Windows Explorer:

    "Attention, [full name]! Some dangerous viruses detected in your system. Microsoft Windows XP files corrupted. This may lead to the destruction of important files in C:\WINDOWS. Download protection software now!

    Click OK to download the antispyware. (Recommended) "

    The dialog box has a Yes and a No button. Here is the log from dss.exe:


    Deckard's System Scanner v20071014.68
    Run by StefanE on 2008-08-07 11:15:07
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    11: 2008-08-07 09:15:18 UTC - RP937 - Deckard's System Scanner Restore Point
    10: 2008-08-07 08:57:59 UTC - RP936 - System Checkpoint
    9: 2008-08-05 22:44:12 UTC - RP935 - System Checkpoint
    8: 2008-08-04 21:44:11 UTC - RP934 - System Checkpoint
    7: 2008-08-03 20:44:09 UTC - RP933 - System Checkpoint


    -- First Restore Point --
    1: 2008-07-28 14:18:32 UTC - RP927 - Installed OpenOffice.org Installer 1.0


    Backed up registry hives.
    Performed disk cleanup.

    System Drive C: has 1.14 GiB (less than 15%) free.


    -- HijackThis (run as StefanE.exe) ---------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:19:54 AM, on 2008/08/07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    D:\Apps\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
    D:\Temp\_PublicDump\Malware Scan Tools\Deckard's System Scanner\dss.exe
    D:\Apps\TRENDM~1\HIJACK~1\StefanE.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Gold Manager - {D26AAB3B-B0DD-456C-A7E5-4DA9565FD6EE} - C:\WINDOWS\system32\gldman.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [WinampAgent] D:\Apps\Winamp\winampa.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
    O4 - Startup: MyEnergy Monitor.lnk = ?
    O4 - Startup: Shortcut to boinc.lnk = C:\Program Files\BOINC\boinc.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Apps\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Apps\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
    O15 - Trusted Zone: http://*.sloth
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.16/uploader2.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133946516222
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sa01.microgen.group
    O17 - HKLM\Software\..\Telephony: DomainName = sa01.microgen.group
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B9138661-2CE9-4263-BCB4-0745EDF914C6}: NameServer = 192.168.2.20
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sa01.microgen.group
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sa01.microgen.group
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Microgen Aptitude Bus 2.20 build 2 (debug) (aptbusd_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptbusd.exe
    O23 - Service: Microgen Aptitude Bus 2.20 build 2 (aptbus_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptbus.exe
    O23 - Service: Microgen Aptitude Engine 2.20 build 2 (debug) (aptengd_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptengd.exe
    O23 - Service: Microgen Aptitude Engine 2.20 build 2 (apteng_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\apteng.exe
    O23 - Service: Microgen Aptitude Server 2.20 build 2 (debug) (aptsrvd_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptsrvd.exe
    O23 - Service: Microgen Aptitude Server 2.20 build 2 (aptsrv_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptsrv.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

    --
    End of file - 9448 bytes

    -- File Associations -----------------------------------------------------------

    .bat - TextPad.bat - DefaultIcon - %SystemRoot%\System32\shell32.dll,-153
    .bat - TextPad.bat - shell\open\command - "%1" %*
    .bat - TextPad.bat - shell\edit\command - "C:\Program Files\TextPad 5\TextPad.exe" -s
    .inf - TextPad.inf - DefaultIcon - %SystemRoot%\System32\shell32.dll,-151
    .inf - TextPad.inf - shell\open\command - "C:\Program Files\TextPad 5\TextPad.exe" -s
    .ini - TextPad.ini - DefaultIcon - %SystemRoot%\System32\shell32.dll,-151
    .ini - TextPad.ini - shell\open\command - "C:\Program Files\TextPad 5\TextPad.exe" -s
    .reg - TextPad.reg - DefaultIcon - %SystemRoot%\regedit.exe,1
    .reg - TextPad.reg - shell\open\command - regedit.exe "%1 "
    .reg - TextPad.reg - shell\edit\command - "C:\Program Files\TextPad 5\TextPad.exe" -s
    .txt - TextPad.txt - DefaultIcon - %SystemRoot%\system32\shell32.dll,-152
    .txt - TextPad.txt - shell\open\command - "C:\Program Files\TextPad 5\TextPad.exe" -s


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
    R1 StarOpen - c:\windows\system32\drivers\staropen.sys
    R3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
    R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

    S3 Ser2pl (Prolific2 Serial port driver) - c:\windows\system32\drivers\ser2pl.sys <Not Verified; Prolific Technology Inc.; Prolific USB-to-Serial Bridge Cable>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 spkrmon - c:\program files\analog devices\soundmax\spkrmon.exe <Not Verified; ; spkrmon Module>

    S2 aptbus_2_20b2 (Microgen Aptitude Bus 2.20 build 2) - "d:\apps\microgen aptitude 2.20 build 2\server\bin\aptbus.exe" <Not Verified; Microgen; Microgen Aptitude>
    S2 apteng_2_20b2 (Microgen Aptitude Engine 2.20 build 2) - "d:\apps\microgen aptitude 2.20 build 2\server\bin\apteng.exe" <Not Verified; Microgen; Microgen Aptitude>
    S3 aptbusd_2_20b2 (Microgen Aptitude Bus 2.20 build 2 (debug)) - "d:\apps\microgen aptitude 2.20 build 2\server\bin\aptbusd.exe" <Not Verified; Microgen; Microgen Aptitude>
    S3 aptengd_2_20b2 (Microgen Aptitude Engine 2.20 build 2 (debug)) - "d:\apps\microgen aptitude 2.20 build 2\server\bin\aptengd.exe" <Not Verified; Microgen; Microgen Aptitude>
    S3 aptsrv_2_20b2 (Microgen Aptitude Server 2.20 build 2) - "d:\apps\microgen aptitude 2.20 build 2\server\bin\aptsrv.exe" <Not Verified; Microgen; Microgen Aptitude>
    S3 aptsrvd_2_20b2 (Microgen Aptitude Server 2.20 build 2 (debug)) - "d:\apps\microgen aptitude 2.20 build 2\server\bin\aptsrvd.exe" <Not Verified; Microgen; Microgen Aptitude>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID:
    Description: Video Controller
    Device ID: PCI\VEN_8086&DEV_2782&SUBSYS_01791028&REV_04\3&172E68DD&0&11
    Manufacturer:
    Name: Video Controller
    PNP Device ID: PCI\VEN_8086&DEV_2782&SUBSYS_01791028&REV_04\3&172E68DD&0&11
    Service:


    -- Scheduled Tasks -------------------------------------------------------------

    2008-08-07 11:18:18 426 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{BB2F0B11-716C-46BD-81A4-F12B9F175A15}.job
    2008-08-07 11:02:02 258 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job


    -- Files created between 2008-07-07 and 2008-08-07 -----------------------------

    2008-08-06 15:49:33 18944 --a------ C:\WINDOWS\system32\gldman.dll
    2008-08-06 15:48:59 18944 --a------ C:\WINDOWS\system32\goldManager.dll
    2008-07-28 16:18:33 0 d-------- C:\Program Files\Sun
    2008-07-14 12:13:40 0 d--h----- C:\Documents and Settings\Luvuyom\Templates
    2008-07-14 12:13:40 0 dr------- C:\Documents and Settings\Luvuyom\Start Menu
    2008-07-14 12:13:40 0 dr-h----- C:\Documents and Settings\Luvuyom\SendTo
    2008-07-14 12:13:40 0 d--h----- C:\Documents and Settings\Luvuyom\Recent
    2008-07-14 12:13:40 0 d--h----- C:\Documents and Settings\Luvuyom\PrintHood
    2008-07-14 12:13:40 225280 --ah----- C:\Documents and Settings\Luvuyom\NTUSER.DAT
    2008-07-14 12:13:40 0 d--h----- C:\Documents and Settings\Luvuyom\NetHood
    2008-07-14 12:13:40 0 d-------- C:\Documents and Settings\Luvuyom\My Documents
    2008-07-14 12:13:40 0 d--h----- C:\Documents and Settings\Luvuyom\Local Settings
    2008-07-14 12:13:40 0 d-------- C:\Documents and Settings\Luvuyom\Favorites
    2008-07-14 12:13:40 0 d-------- C:\Documents and Settings\Luvuyom\Desktop
    2008-07-14 12:13:40 0 d--hs---- C:\Documents and Settings\Luvuyom\Cookies
    2008-07-14 12:13:40 0 dr-h----- C:\Documents and Settings\Luvuyom\Application Data
    2008-07-14 12:13:40 0 d---s---- C:\Documents and Settings\Luvuyom\Application Data\Microsoft
    2008-07-11 11:07:25 0 d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
    2008-07-11 11:05:06 0 d-------- C:\WINDOWS\DTS9_KB948109_ENU
    2008-07-11 11:03:55 0 d-------- C:\WINDOWS\NS9_KB948109_ENU
    2008-07-11 11:01:04 0 d-------- C:\WINDOWS\RS9_KB948109_ENU
    2008-07-11 10:59:04 0 d-------- C:\WINDOWS\OLAP9_KB948109_ENU
    2008-07-11 10:51:44 0 d-------- C:\WINDOWS\SQL9_KB948109_ENU


    -- Find3M Report ---------------------------------------------------------------

    2008-08-07 10:27:37 0 d-------- C:\Program Files\BOINC
    2008-08-06 18:36:00 0 d-------- C:\Documents and Settings\stefane\Application Data\Abilon
    2008-08-06 16:24:18 0 d-------- C:\Program Files\TextPad 5
    2008-07-28 16:17:59 0 d-------- C:\Program Files\Java
    2008-07-11 11:08:43 0 d-------- C:\Program Files\Microsoft SQL Server


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D26AAB3B-B0DD-456C-A7E5-4DA9565FD6EE}]
    2008/08/06 03:49 PM 18944 --a------ C:\WINDOWS\system32\gldman.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004/08/20 03:55 PM]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004/08/20 03:51 PM]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2001/09/24 07:59 AM]
    "NWEReboot"="" []
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007/07/28 03:47 PM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008/06/10 04:27 AM]
    "WinampAgent"="D:\Apps\Winamp\winampa.exe" [2008/04/01 08:49 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/12 03:18 PM]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007/01/19 12:54 PM]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006/03/30 04:45 PM]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007/04/19 07:37 AM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\stefane\Start Menu\Programs\Startup\
    BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2005/11/29 01:56:38 AM]
    MyEnergy Monitor.lnk - C:\Documents and Settings\stefane\Application Data\Microsoft\Installer\{1585C416-0B4C-4F5A-A524-FB6F645E186B}\_C516D71ABFF5028D542708.exe [2008/05/05 12:58:54 PM]
    Shortcut to boinc.lnk - C:\Program Files\BOINC\boinc.exe [2005/11/29 01:54:58 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007/02/05 03:40:46 PM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007/02/05 03:39 PM 294400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    *Newly Created Service* - NAVENG
    *Newly Created Service* - NAVEX15



    -- Hosts -----------------------------------------------------------------------

    192.168.2.14 ecomctn
    192.168.2.204 dugong


    -- End of Deckard's System Scanner: finished at 2008-08-07 11:20:33 ------------

    Thanks for your help.
     
    Last edited: 2008/08/07
  2. 2008/08/07
    ramnagel (Thread Starter)
    System Restore may have fixed win32.agent.gvu trojan!

    Well, I may have removed win32.agent.gvu myself! I performed a successful system restore on the infected XP machine to two days ago (it was infected yesterday afternoon) and the nagging dialog box has not reappeared on reboot.

    Note: at no point did I click on the Yes or No buttons presented in the trojan downloader's dialog box before I performed the system restore.

    Now, can you tell me whether I am good to go again, please? Thanks.

    Here are the results from dss.exe after the system restore:


    Deckard's System Scanner v20071014.68
    Run by stefane on 2008-08-07 13:05:01
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    System Drive C: has 0.85 GiB (less than 15%) free.


    -- HijackThis (run as stefane.exe) ---------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 01:05:02 PM, on 2008/08/07
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptbus.exe
    D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptsrv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptlog.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
    C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\apteng.exe
    C:\WINDOWS\Explorer.EXE
    D:\Apps\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    D:\Apps\Winamp\winampa.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    D:\Temp\_PublicDump\Malware Scan Tools\Deckard's System Scanner\dss.exe
    D:\Apps\TRENDM~1\HIJACK~1\stefane.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/ig?hl=en
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [WinampAgent] D:\Apps\Winamp\winampa.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
    O4 - Startup: MyEnergy Monitor.lnk = ?
    O4 - Startup: Shortcut to boinc.lnk = C:\Program Files\BOINC\boinc.exe
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XML Spy Suite\spy.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Apps\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - D:\Apps\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
    O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XML Spy Suite\spy.htm (HKCU)
    O15 - Trusted Zone: http://*.sloth
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.16/uploader2.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133946516222
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sa01.microgen.group
    O17 - HKLM\Software\..\Telephony: DomainName = sa01.microgen.group
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B9138661-2CE9-4263-BCB4-0745EDF914C6}: NameServer = 192.168.2.20
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sa01.microgen.group
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sa01.microgen.group
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Microgen Aptitude Bus 2.20 build 2 (debug) (aptbusd_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptbusd.exe
    O23 - Service: Microgen Aptitude Bus 2.20 build 2 (aptbus_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptbus.exe
    O23 - Service: Microgen Aptitude Engine 2.20 build 2 (debug) (aptengd_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptengd.exe
    O23 - Service: Microgen Aptitude Engine 2.20 build 2 (apteng_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\apteng.exe
    O23 - Service: Microgen Aptitude Server 2.20 build 2 (debug) (aptsrvd_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptsrvd.exe
    O23 - Service: Microgen Aptitude Server 2.20 build 2 (aptsrv_2_20b2) - Microgen - D:\Apps\Microgen Aptitude 2.20 build 2\Server\bin\aptsrv.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

    --
    End of file - 9729 bytes

    -- Files created between 2008-07-07 and 2008-08-07 -----------------------------

    2008-08-07 12:59:01 0 d-------- G:\Deckard
    2008-08-04 23:44:00 15990784 --a------ C:\Documents and Settings\stefane\ntuser.dat
    2008-07-28 16:18:33 0 d-------- C:\Program Files\Sun
    2008-07-14 12:13:40 0 d--h----- C:\Documents and Settings\Luvuyom\Templates
    2008-07-14 12:13:40 0 dr------- C:\Documents and Settings\Luvuyom\Start Menu
    2008-07-14 12:13:40 0 dr-h----- C:\Documents and Settings\Luvuyom\SendTo
    2008-07-14 12:13:40 0 d--h----- C:\Documents and Settings\Luvuyom\Recent
    2008-07-14 12:13:40 0 d--h----- C:\Documents and Settings\Luvuyom\PrintHood
    2008-07-14 12:13:40 225280 --ah----- C:\Documents and Settings\Luvuyom\ntuser.dat
    2008-07-14 12:13:40 0 d--h----- C:\Documents and Settings\Luvuyom\NetHood
    2008-07-14 12:13:40 0 d-------- C:\Documents and Settings\Luvuyom\My Documents
    2008-07-14 12:13:40 0 d--h----- C:\Documents and Settings\Luvuyom\Local Settings
    2008-07-14 12:13:40 0 d-------- C:\Documents and Settings\Luvuyom\Favorites
    2008-07-14 12:13:40 0 d-------- C:\Documents and Settings\Luvuyom\Desktop
    2008-07-14 12:13:40 0 d--hs---- C:\Documents and Settings\Luvuyom\Cookies
    2008-07-14 12:13:40 0 dr-h----- C:\Documents and Settings\Luvuyom\Application Data
    2008-07-14 12:13:40 0 d---s---- C:\Documents and Settings\Luvuyom\Application Data\Microsoft
    2008-07-11 11:07:25 0 d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
    2008-07-11 11:05:06 0 d-------- C:\WINDOWS\DTS9_KB948109_ENU
    2008-07-11 11:03:55 0 d-------- C:\WINDOWS\NS9_KB948109_ENU
    2008-07-11 11:01:04 0 d-------- C:\WINDOWS\RS9_KB948109_ENU
    2008-07-11 10:59:04 0 d-------- C:\WINDOWS\OLAP9_KB948109_ENU
    2008-07-11 10:51:44 0 d-------- C:\WINDOWS\SQL9_KB948109_ENU


    -- Find3M Report ---------------------------------------------------------------

    2008-08-07 13:04:14 0 d-------- C:\Program Files\BOINC
    2008-08-07 12:49:16 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-08-07 12:42:22 0 d-------- C:\Program Files\TextPad 5
    2008-08-06 18:36:00 0 d-------- C:\Documents and Settings\stefane\Application Data\Abilon
    2008-07-28 16:17:59 0 d-------- C:\Program Files\Java
    2008-07-11 11:08:43 0 d-------- C:\Program Files\Microsoft SQL Server


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004/08/20 03:55 PM]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004/08/20 03:51 PM]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2001/09/24 07:59 AM]
    "NWEReboot"="" []
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007/07/28 03:47 PM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008/06/10 04:27 AM]
    "WinampAgent"="D:\Apps\Winamp\winampa.exe" [2008/04/01 08:49 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004/08/12 03:18 PM]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007/01/19 12:54 PM]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006/03/30 04:45 PM]
    "googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007/04/19 07:37 AM]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\stefane\Start Menu\Programs\Startup\
    BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2005/11/29 01:56:38 AM]
    MyEnergy Monitor.lnk - C:\Documents and Settings\stefane\Application Data\Microsoft\Installer\{1585C416-0B4C-4F5A-A524-FB6F645E186B}\_C516D71ABFF5028D542708.exe [2008/05/05 12:58:54 PM]
    Shortcut to boinc.lnk - C:\Program Files\BOINC\boinc.exe [2005/11/29 01:54:58 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007/02/05 03:40:46 PM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007/02/05 03:39 PM 294400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL




    -- End of Deckard's System Scanner: finished at 2008-08-07 13:05:21 ------------
     


  4. 2008/08/07
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi ramnagel
    Welcome to Windowsbbs.

    Let's get an on-line scan for a second opinion.

    Scanning with Kaspersky WebScanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Please post the Kaspersky results.

    Thanks
    Geri
     
    Geri,
    #3
  5. 2008/08/12
    ramnagel

    ramnagel Inactive Thread Starter

    Joined:
    2008/08/07
    Messages:
    6
    Likes Received:
    0
    Kaspersky online scanner license has expired!

    Sorry for the late reply but I have been away for a few days, Geri.

    I get an error message after installing the ActiveX component :( It goes, "Kaspersky online scanner license has expired!" I cannot continue from then on. The message appears in a pop-up dialog whose title is "Windows Internet Explorer".

    How should I proceed, please?

     
  6. 2008/08/12
    ramnagel

    ramnagel Inactive Thread Starter

    Joined:
    2008/08/07
    Messages:
    6
    Likes Received:
    0
    Ignore previous post...

    Whoa! Belay that previous post. I googled the problem and now seem to be having success. Will post the Kaspersky report once I have it, thanks.

     
  7. 2008/08/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi ramnagel
    Kaspersky has changed their on-line scan. So if the one you tried doesn't work then try this one.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2008/08/18
    ramnagel

    ramnagel Inactive Thread Starter

    Joined:
    2008/08/07
    Messages:
    6
    Likes Received:
    0
    Kaspersky results

    I ran Kaspersky over the weekend and here are the results. Looks like all is clear apart from a couple of network drives, which should be fixable.

    R: is a repository of old software (previous versions of one of our products), and I manually cleaned RECYCIER from M:; I hope Sality can be cleaned without losing the original executables! Anyway, thanks for all your support.

    Much appreciated.

    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, August 18, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, August 15, 2008 15:37:47
    Records in database: 974826


    Scan settings
    Scan using the following database standard
    Scan archives no
    Scan mail databases no

    Scan area My Computer
    C:\
    D:\
    E:\
    F:\
    G:\
    I:\
    L:\
    M:\
    O:\
    P:\
    Q:\
    R:\
    S:\
    T:\
    V:\
    W:\
    X:\
    Y:\
    Z:\

    Scan statistics
    Files scanned 1027706
    Threat name 5
    Infected objects 396
    Suspicious objects 1
    Duration of the scan 12:03:09

    File name Threat name Threats count
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.exe Infected: Exploit.HTML.Agent.am 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01F40000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03EC0000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03F00000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03F40000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\048C0000.VBN Infected: Exploit.HTML.Agent.am 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06F40000.VBN Suspicious: Exploit.Win32.IMG-WMF 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A80000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A80001.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A80002.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09AC0000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09AC0001.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09AC0002.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09AC0003.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09AC0004.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09AC0005.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09B00000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09B00001.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09BC0000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09C00000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09C00001.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09C00002.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09C80000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09C80001.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09C80002.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09C80003.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09C80004.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09CC0000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09CC0001.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09CC0002.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09CC0003.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09CC0004.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09CC0005.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09D00000.VBN Infected: Virus.Win32.Sality.l 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B5C0000.VBN Infected: Trojan-Downloader.HTML.Agent.aq 1
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B640000.VBN Infected: Trojan-Downloader.HTML.Agent.aq 1
    M:\RECYCIER\system.exe Infected: Virus.Win32.Delf.an 1
    R:\Aims 6.23\aims\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\service\AfaAimsDepPoller.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\service\AfaAimsSM.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\AfaAimsRegHelper.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\AfaAimsUpdate.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\AfaDataSetViewer.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\AfaDataSourceViewer.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\AfaDataSrcTest.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\AfaDbgMonX.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\AfaFormsUtil.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\AfaMenuProgLister.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\AfaMenuTester.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\AfaMonitorUtil.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\AfaTableViewer.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\kill.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\reconutil\AfaReconUtil.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\regsvr32.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\regtlib.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\tcpview.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\aims\utilities\xmlinst.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\rdm\AfaRemoteDataManager.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\udu\AfaUDU.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\udu\utilities\regsvr32.exe Infected: Virus.Win32.Sality.l 1
    R:\Aims 6.23\udu\utilities\regtlib.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp10\Aimsexe\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp10\Integrated Solutions\CKTRUSTSOLUTION\Client\PaymentEP10\CKPaymentEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp10\Integrated Solutions\CKTRUSTSOLUTION\Client\PaymentEP11\CKPaymentEP11.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp10\Integrated Solutions\CKTRUSTSOLUTION\Client\ReportingEP05\CKAIMSReportBookEP5.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp10\Integrated Solutions\CKTRUSTSOLUTION\Client\TrustEP05\CKTrustEP5.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp10\Integrated Solutions\CKTRUSTSOLUTION\Server\AIMS OBOL EP 01\regtlib.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp10\Integrated Solutions\CKTRUSTSOLUTION\Zip File - History\CKAIMSPortfolioEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp10\Integrated Solutions\CKTRUSTSOLUTION\Zip File - History\CKPaymentEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp10\Loaded\26387\Source\CKAIMSReportingEngine\CKAimsReportingEngine.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp10\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp11\Integrated Solutions\CKTRUSTSOLUTION\Zip File - History\CKAIMSPortfolioEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp11\Integrated Solutions\CKTRUSTSOLUTION\Zip File - History\CKPaymentEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp11\Loaded\wb\pwbench60103g.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp11\Loaded\WB61\pwbench60103b.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp11\Loaded\WB61B\pwbench60103d.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp11\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp12\Aimsexe\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp12\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\PaymentEP10\CKPaymentEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp12\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\PaymentEP11\CKPaymentEP11.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp12\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\PaymentEP12\CKPaymentEP12.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp12\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\PortfolioEP10\CKAIMSPortfolioEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp12\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\PortfolioEP11\CKAIMSPortfolioEP11.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp12\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\ReportingEP05\CKAIMSReportBookEP5.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp12\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\TrustEP05\CKTrustEP5.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp12\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\TrustEP06\CKTrustEP6.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp12\Integrated Solutions\CKTRUSTSOLUTION\Server\PreviousSPS\AIMS OBOL EP 01\regtlib.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp12\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Aimsexe\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\PaymentEP10\CKPaymentEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\PaymentEP11\CKPaymentEP11.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\PaymentEP12\CKPaymentEP12.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\PortfolioEP10\CKAIMSPortfolioEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\PortfolioEP11\CKAIMSPortfolioEP11.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\ReportingEP05\CKAIMSReportBookEP5.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\TrustEP05\CKTrustEP5.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Integrated Solutions\CKTRUSTSOLUTION\Client\PreviousSPS\TrustEP06\CKTrustEP6.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Integrated Solutions\CKTRUSTSOLUTION\Server\PreviousSPS\AIMS OBOL EP 01\CLIREG32.EXE Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Integrated Solutions\CKTRUSTSOLUTION\Server\PreviousSPS\AIMS OBOL EP 01\regtlib.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp13\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp3\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp4\Loaded\23346\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp4\Loaded\23397\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp4\Loaded\23418\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp4\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp5\Loaded\23418\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp5\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp6\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp7\Aimsexe\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp7\Loaded\24786\fe\AIMSEXE\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp7\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp8\Integrated Solutions\CKTRUSTSOLUTION\Client\PaymentEP10\CKPaymentEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp8\Integrated Solutions\CKTRUSTSOLUTION\Client\PortfolioEP10\CKAIMSPortfolioEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp8\Integrated Solutions\CKTRUSTSOLUTION\Server\AIMS OBOL EP 01\CLIREG32.EXE Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp8\Integrated Solutions\CKTRUSTSOLUTION\Server\AIMS OBOL EP 01\regtlib.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp8\Integrated Solutions\CKTRUSTSOLUTION\Zip File - History\CKAIMSPortfolioEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp8\Integrated Solutions\CKTRUSTSOLUTION\Zip File - History\CKPaymentEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp8\Loaded\21924\fe\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp8\Loaded\23187\FE\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp8\Loaded\23187\FE\pwbtest61102d.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp8\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp9\Aimsexe\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp9\Integrated Solutions\CKTRUSTSOLUTION\Client\PaymentEP10\CKPaymentEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp9\Integrated Solutions\CKTRUSTSOLUTION\Client\PaymentEP11\CKPaymentEP11.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp9\Integrated Solutions\CKTRUSTSOLUTION\Client\PortfolioEP10\CKAIMSPortfolioEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp9\Integrated Solutions\CKTRUSTSOLUTION\Server\AIMS OBOL EP 01\regtlib.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp9\Integrated Solutions\CKTRUSTSOLUTION\Zip File - History\CKAIMSPortfolioEP10.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp9\Loaded\24961\CKPaymentEP11.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp9\Loaded\26829\fe\client\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\isp9\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaAimsMonitor.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaAimsRegHelper.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaAimsUpdate.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaComponentInfo.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaDataSetViewer.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaDataSourceViewer.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaDataSrcTest.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaDbgMonX.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaFormsUtil.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaMenuTester.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaTableViewer.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaTCPListener.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\AfaVerCompare.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\kill.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\reconutil\AfaReconUtil.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\regsvr32.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\tcpview.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\AIMSEXE\utilities\xmlinst.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\Workbench\bin\regsvr32.exe Infected: Virus.Win32.Sality.l 1
    R:\AIMSV6.1\V6.1Cut3\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\Archived WIP TBR & SPACKS\20532\pwbtest.exe Infected: Virus.Win32.Sality.l 1
    R:\Archived WIP TBR & SPACKS\20551\fe\pwbtest.exe Infected: Virus.Win32.Sality.l 1
    R:\Archived WIP TBR & SPACKS\24683\fe\exe\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\Archived WIP TBR & SPACKS\spacks\3330\application\AfaAims_v6.exe Infected: Virus.Win32.Sality.l 1
    R:\Archived WIP TBR & SPACKS\spacks\Pamco15Feb\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\Archived WIP TBR & SPACKS\spacks\Pamco24Jan\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\Archived WIP TBR & SPACKS\spacks\Patch001\logs\quent\18382\FE\pwbtest.exe Infected: Virus.Win32.Sality.l 1
    R:\Archived WIP TBR & SPACKS\Tbr\wbexe\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\service\AfaAimsDepPoller.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\service\AfaAimsSM.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\AfaAimsUpdate.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\AfaComponentInfo.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\AfaDataSourceViewer.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\AfaDataSrcTest.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\AfaDbgMonX.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\AfaFormsIdentifier.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\AfaMonitorUtil.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\AfaTableViewer.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\AfaTCPListener.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\AfaVerCompare.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\kill.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\reconutil\AfaReconUtil.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\regsvr32.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Aimsexe\utilities\xmlinst.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Client Reporting\RDM 6.2\AfaRemoteDataManager.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Client Reporting\UDU 6.2\AfaUDU.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Client Reporting\UDU 6.2\utilities\regsvr32.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Workbench\bin\dbgmon.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Workbench\bin\regsvr32.exe Infected: Virus.Win32.Sality.l 1
    R:\bup AIMS V62 Pre-SP\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\CK3.4EP1\Database\CK34DatabaseEP1.exe Infected: Virus.Win32.Sality.l 1
    R:\CK3.4EP1\Server\CK34ServerEP1.exe Infected: Virus.Win32.Sality.l 1
    R:\fincc\ClientVersions\2002-08-05\Shadow\Source\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\service\AfaAimsDepPoller.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\service\AfaAimsSM.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\AfaAimsRegHelper.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\AfaAimsUpdate.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\AfaComponentInfo.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\AfaDataSetViewer.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\AfaDataSourceViewer.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\AfaDbgMonX.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\AfaFormsUtil.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\AfaMenuProgLister.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\AfaMonitorUtil.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\AfaTCPListener.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\kill.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\reconutil\AfaReconUtil.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\client\bin\utilities\xmlinst.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\obol\AfaAimsEnvironment\make-ds-resource\AfaMakeDSRes.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\StreamXChange\AFAMutexLib\Tests\MTMutexTest.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\StreamXChange\AFAMutexLib\Tests\MutexTestUI.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\StreamXChange\AFARuleLoader\Test\test.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\StreamXChange\bin\Definer.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\StreamXChange\bin\QBuilder.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\StreamXChange\Debug\DbgMonX.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\StreamXChange\DebugMonitor\AfaDbgMonX.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\StreamXChange\GatewayControl\Compatability\GatewayControl.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\StreamXChange\NotifyServer\bin\Debug\NotifyServer.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\StreamXChange\NotifyServer\bin\Release\NotifyServer.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\Warehouse and ePorts\ePorts Security\Bin\SQLRegView.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\Warehouse and ePorts\ePorts Security\DataClass\Test\DataClassTest.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\Warehouse and ePorts\ePorts Security\MyEnumHelp\VBTest\Project1.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\Warehouse and ePorts\UDU\bin\AfaUDU.exe Infected: Virus.Win32.Sality.l 1
    R:\InterlinkCheck\GRZEGORZ BAJDA\Source Code\Aims62\Warehouse and ePorts\UDU\bin\utilities\regsvr32.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS42\loaded\100289i\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS42\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS49\AimsEXE\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS49\StreamXChange\Definer.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS49\UDU\AfaUDU.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS49\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS51\Loaded\100285i\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS51\Loaded\33734e\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS51\Workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS64\aimsexe\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS64\reporting\udu\bin\AfaUDU.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS64\stp\bin\Definer.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS64\stp\bin\GatewayControl.exe Infected: Virus.Win32.Sality.l 1
    R:\QA\Release\AS64\workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\RECYCIER\system.exe Infected: Virus.Win32.Delf.an 1
    R:\Shadow\QA\spacks\Patch001\old\fe\AfaAims_v6.exe Infected: Virus.Win32.Sality.l 1
    R:\Shadow\QA\spacks\Patch001\packaged\3173\fe\AfaAims_v6.exe Infected: Virus.Win32.Sality.l 1
    R:\Shadow\QA\spacks\Patch001\release\src\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\Shadow\Srcecde\pmrad15\Rel4.5\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\ShadowBok\source\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\smac\core61\postie.exe Infected: Virus.Win32.Sality.l 1
    R:\SMACmonty\pwbench.exe Infected: Virus.Win32.Sality.l 1
    R:\Wip\archive\24683\fe\AfaAims.exe Infected: Virus.Win32.Sality.l 1
    The selected area was scanned.


     
  9. 2008/08/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi ramnagel
    OK, let me tell you that Sality infections are nasty ones; they steal information, among other things.
    Please look at this information so you know what you have been dealing with.
    http://ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=52797

    It "seems" Norton cleaned it off your C drive. I would suggest having Norton run on the R drive... better yet, use the "My Computer" or "full system" scan settings to clean the R drive and check everything else.

    This is a network infection and will transfer itself to other computers on a network, so if you have a network set up with other computers they may also be infected. Each computer needs to be disconnected from the network and a full system scan with Norton done on each one.

    After you run Norton to scan the whole system, delete everything in the quarantine folder, run Kaspersky again and post the log.

    Thanks
    Geri
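A small Python script, added here as an example (it is not part of this thread, of Kaspersky's scanner, or of Geri's instructions), that parses report lines in the "<path> Infected: <detection> <count>" format shown in the log above and turns them into the triage view the cleanup advice calls for: which drives and share subtrees were hit, which detection names appear, which drives are not local (and so belong to another machine that must be disconnected and scanned), and which paths sit in folders that imitate a Windows system folder. The first three sample lines are copied from the log in this thread; the C: line is constructed. The system-folder list and the edit-distance rule for spotting look-alikes are my assumptions, not something the scanner reports.

```python
import re
from collections import Counter

# Kaspersky report line, as seen in the log above:
#   <path> Infected: <detection name> <count>
# Paths may contain spaces, so the path group is non-greedy and anchored on " Infected:".
LINE_RE = re.compile(r"^\s*(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<count>\d+)\s*$")

# Sample report: first three lines copied from the log in this thread,
# the C: line constructed; the trailer line shows the non-finding case.
SAMPLE_LOG = r"""
R:\QA\Release\AS64\workbench\pwbench.exe Infected: Virus.Win32.Sality.l 1
R:\RECYCIER\system.exe Infected: Virus.Win32.Delf.an 1
R:\Wip\archive\24683\fe\AfaAims.exe Infected: Virus.Win32.Sality.l 1
C:\Users\Public\tool.exe Infected: Virus.Win32.Sality.l 1
The selected area was scanned.
"""

# Folder names that malware commonly imitates (assumed list for the look-alike check).
SYSTEM_DIRS = ("RECYCLER", "WINDOWS", "SYSTEM32")


def parse_report(text):
    """Return one dict per finding; lines that are not findings are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            findings.append({"path": m.group("path"),
                             "name": m.group("name"),
                             "count": int(m.group("count"))})
    return findings


def drive_of(path):
    """Drive letter of a Windows path, or '?' if it has none."""
    return path[0].upper() if len(path) > 1 and path[1] == ":" else "?"


def summarize(findings):
    """Counts of findings per drive letter and per detection name."""
    return {"by_drive": dict(Counter(drive_of(f["path"]) for f in findings)),
            "by_name": dict(Counter(f["name"] for f in findings))}


def shares_to_scan(findings, local_drives=("C",)):
    """Drives with hits that are not local: they belong to another host that needs
    its own disconnect-and-scan, which is the point of the advice above."""
    return sorted({drive_of(f["path"]) for f in findings} - set(local_drives))


def hits_by_top_folder(findings, drive):
    """Which top-level folders on a drive contain infected files (subtrees to rebuild/rescan)."""
    tops = (f["path"].split("\\")[1] for f in findings if drive_of(f["path"]) == drive)
    return dict(Counter(tops))


def edit_distance(a, b):
    """Levenshtein distance, used to spot folder names one typo away from a system folder."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_dirs(findings):
    """Paths whose directory components imitate a system folder (e.g. RECYCIER vs RECYCLER)."""
    flagged = []
    for f in findings:
        dirs = f["path"].split("\\")[1:-1]  # drop drive and file name
        for d in dirs:
            up = d.upper()
            if up not in SYSTEM_DIRS and any(edit_distance(up, s) == 1 for s in SYSTEM_DIRS):
                flagged.append(f["path"])
                break
    return flagged


if __name__ == "__main__":
    found = parse_report(SAMPLE_LOG)
    print(summarize(found))
    print("other hosts/shares to scan:", shares_to_scan(found))
    print("R: subtrees hit:", hits_by_top_folder(found, "R"))
    print("look-alike folders:", lookalike_dirs(found))
```

Feed it the full report instead of SAMPLE_LOG and the "by_drive" and "shares_to_scan" output tells you which machines on the network still need to be taken offline and scanned; the per-folder counts on R: show which source and release trees are carrying Sality-infected executables and should be rebuilt rather than trusted after cleaning.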
