People say my email (Hotmail via Outlook Express) is sending them bad attachments. They say I have a trojan, but all tests have revealed nothing. Have tried Norton, Adaware, Ghostbusters, a2, swatit. All updated, nothing found. Could someone knowledgeable tell me if there's anything suspicious in this logfile, or alteratively, offer some advice? Best, Taivo Vancouver, BC Logfile of HijackThis v1.97.5 Scan saved at 9:36:22 AM, on 2/24/2004 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.exe C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.exe C:\WINDOWS\SYSTEM\MSTASK.exe C:\WINDOWS\SYSTEM\STIMON.exe C:\WINDOWS\EXPLORER.exe C:\WINDOWS\TASKMON.exe C:\WINDOWS\SYSTEM\SYSTRAY.exe C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.exe C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.exe C:\WINDOWS\SYSTEM\WMIEXE.exe C:\WINDOWS\SYSTEM\SISTRAY.exe C:\WINDOWS\SYSTEM\DDHELP.exe C:\WINDOWS\STARTUPMONITOR.exe C:\WINDOWS\SYSTEM\WBEM\WINMGMT.exe C:\WINDOWS\SYSTEM\SPOOL32.exe C:\WINDOWS\SYSTEM\LEXBCES.exe C:\WINDOWS\SYSTEM\RPCSS.exe C:\WINDOWS\SYSTEM\PSTORES.exe C:\MY DOCUMENTS\DOWNLOADS\UNZIPPED\MYIE32\MYIE.exe C:\MY DOCUMENTS\DOWNLOADS\UNZIPPED\HIJACKTHIS.exe C:\WINDOWS\NOTEPAD.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.exe O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.exe /LOADQUIET O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.exe O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.exe O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37993.8402083333 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/270db814013472c39a23/netzip/RdxIE601.cab O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab STARTUP LIST StartupList report, 2/24/2004, 9:05:08 AM StartupList version: 1.52 Started from : C:\MY DOCUMENTS\DOWNLOADS\UNZIPPED\HIJACKTHIS.exe Detected: Windows ME (Win9x 4.90.3000) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options ================================================== Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.exe C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MPREXE.exe C:\WINDOWS\SYSTEM\MSTASK.exe C:\WINDOWS\SYSTEM\STIMON.exe C:\WINDOWS\EXPLORER.exe C:\WINDOWS\TASKMON.exe C:\WINDOWS\SYSTEM\SYSTRAY.exe C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.exe C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.exe C:\WINDOWS\SYSTEM\WMIEXE.exe C:\WINDOWS\SYSTEM\SISTRAY.exe C:\WINDOWS\SYSTEM\DDHELP.exe C:\WINDOWS\STARTUPMONITOR.exe C:\WINDOWS\SYSTEM\WBEM\WINMGMT.exe C:\WINDOWS\SYSTEM\SPOOL32.exe C:\WINDOWS\SYSTEM\LEXBCES.exe C:\WINDOWS\SYSTEM\RPCSS.exe C:\WINDOWS\SYSTEM\PSTORES.exe C:\MY DOCUMENTS\DOWNLOADS\UNZIPPED\MYIE32\MYIE.exe C:\MY DOCUMENTS\DOWNLOADS\UNZIPPED\HIJACKTHIS.exe --------------------- Listing of startup folders: Shell folders Startup: [C:\WINDOWS\Start Menu\Programs\StartUp] Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe --------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ScanRegistry = C:\WINDOWS\scanregw.exe /autorun TaskMonitor = C:\WINDOWS\taskmon.exe PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s SystemTray = SysTray.exe LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme NAV DefAlert = C:\PROGRA~1\NORTON~1\DEFALERT.exe Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.exe /LOADQUIET Norton eMail Protect = C:\Program Files\Norton AntiVirus\POPROXY.exe SiS Tray = C:\WINDOWS\SYSTEM\SISTRAY.exe Run StartupMonitor = StartupMonitor.exe --------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme SchedulingAgent = mstask.exe *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.exe --------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=Explorer.exe SCRNSAVE.EXE= drivers=mmsystem.dll power.drv --------------------- C:\WINDOWS\WININIT.BAK listing: (Created 23/2/2004, 15:11:10) [Rename] NUL=C:\WINDOWS\TEMP\WZSE1.TMP\QREMOVE.COM NUL=C:\WINDOWS\TEMP\WZSE1.TMP\PVER32.DLL NUL=C:\WINDOWS\TEMP\WZSE1.TMP\PUTIL32.DLL NUL=C:\WINDOWS\TEMP\WZSE1.TMP\PPROCS32.DLL NUL=C:\WINDOWS\TEMP\WZSE1.TMP\PFILE32.DLL NUL=C:\WINDOWS\TEMP\WZSE0.TMP\PORT16.DLL NUL=C:\WINDOWS\TEMP\WZSE0.TMP\QREMOVE.COM NUL=C:\WINDOWS\TEMP\WZSE0.TMP\PVER32.DLL NUL=C:\WINDOWS\TEMP\WZSE0.TMP\PUTIL32.DLL NUL=C:\WINDOWS\TEMP\WZSE0.TMP\PPROCS32.DLL NUL=C:\WINDOWS\TEMP\WZSE0.TMP\PORT16.DLL NUL=C:\WINDOWS\TEMP\WZSE0.TMP\PFILE32.DLL --------------------- C:\AUTOEXEC.BAT listing: SET windir=C:\WINDOWS SET winbootdir=C:\WINDOWS SET COMSPEC=C:\WINDOWS\COMMAND.COM SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND SET PROMPT=$p$g SET TEMP=C:\WINDOWS\TEMP SET TMP=C:\WINDOWS\TEMP --------------------- C:\WINDOWS\WINSTART.BAT listing: C:\WINDOWS\tmpcpyis.bat --------------------- Enumerating Browser Helper Objects: (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} --------------------- Enumerating Task Scheduler jobs: Tune-up Application Start.job PCHealth Scheduler for Data Collection.job Symantec NetDetect.job --------------------- Enumerating Download Program Files: [Update Class] InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37993.8402083333 [GSDACtl Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GSDA.DLL CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab [RdxIE Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL CODEBASE = http://software-dl.real.com/270db814013472c39a23/netzip/RdxIE601.cab --------------------- Enumerating ShellServiceObjectDelayLoad items: WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL --------------------- End of report, 5,476 bytes Report generated in 0.153 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only

Here's one thing, but I'm not done looking yet. Chekc out the link for help: http://securityresponse.symantec.com/avcenter/venc/data/trojan.prova.html