virus in network profile

Microsoft Administering Windows XP Pro
August 1, 2009 at 11:52:18
Specs: Windows XP
I have a virus issue with one of our staff's network domain user profiles. Their computer had a virus. I reformatted the C: drive and reinstalled Windows XP Pro. When I log back on as their network domain profile I still have traces of the virus. If I log on to the same computer with another profile, no virus. If I log on to another computer using the profile with the virus issue, there is no trace of the virus. I have been looking for where XP would store network domain profile data so I could clean that out.




#1
August 1, 2009 at 12:55:39


#2
August 1, 2009 at 13:28:09
I cannot track down the name of the current virus. There seems to be a main virus that generates Generic PWS.y!fr.
When I click to connect to one specific network shared drive, the secondary virus infects four files (listed below). McAfee On-Access Scan detects and deletes these files. The specific network drive is odd because it shows up with a folder icon, not the standard network share icon.

Extract from the McAfee On-Access Scan log:
C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Desktop\Infected\814.exe Generic PWS.y!fr (Trojan)
7/29/2009 3:48:18 PM Deleted
ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\DESKTOP\INFECTED\1[1].EXE Generic PWS.y!fr (Trojan)
ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NvCplDaemon Generic PWS.y!fr (Trojan)
7/29/2009 3:53:07 PM Deleted
ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-6680188995-2999360159-801678895-8285\RUNDLL32.EXE Generic PWS.y!fr (Trojan)
7/29/2009 3:53:07 PM Deleted



#3
August 1, 2009 at 13:40:15
Can you post some logs from infected profile/PC?

If I'm helping you and I don't reply within 24 hours send me a PM.



#4
August 1, 2009 at 13:51:46
Here are the On-Access Scan log and the On-Demand Scan log.

7/28/2009 11:04:00 AM Engine version = 5100.0194
7/28/2009 11:04:00 AM AntiVirus DAT version = 4893.0000
7/28/2009 11:04:00 AM Number of detection signatures in EXTRA.DAT = None
7/28/2009 11:04:00 AM Names of detection signatures in EXTRA.DAT = None
7/28/2009 11:05:35 AM Engine version = 5301.4018
7/28/2009 11:05:35 AM AntiVirus DAT version = 5691.0000
7/28/2009 11:05:35 AM Number of detection signatures in EXTRA.DAT = None
7/28/2009 11:05:35 AM Names of detection signatures in EXTRA.DAT = None
7/28/2009 11:50:13 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\unpack200.exe C:\Program Files\Java\jre6\lib\rt.jar
7/28/2009 11:50:34 AM Not scanned (scan timed out) ROSSETTI-01\fmihelcic C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe C:\Program Files\Java\jre1.5.0_06\lib\rt.jar
7/28/2009 12:18:53 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\Driver Cache\i386\driver.cab
7/28/2009 4:11:44 PM Not scanned (scan timed out) ROSSETTI-01\fmihelcic C:\WINDOWS\system32\msiexec.exe C:\Program Files\Microsoft Office\OFFICE11\1033\HTMLREF.CHM
7/28/2009 4:29:37 PM Engine version = 5301.4018
7/28/2009 4:29:37 PM AntiVirus DAT version = 5691.0000
7/28/2009 4:29:37 PM Number of detection signatures in EXTRA.DAT = None
7/28/2009 4:29:37 PM Names of detection signatures in EXTRA.DAT = None
7/28/2009 4:30:13 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/28/2009 4:38:49 PM Not scanned (scan timed out) ROSSETTI-01\ddinsmore C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe C:\Program Files\Java\jre1.5.0_06\lib\rt.jar
7/28/2009 4:47:34 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NvCplDaemon Generic PWS.y!ft (Trojan)
7/28/2009 4:47:34 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-3500073804-1764260668-309305261-0690\RUNDLL32.EXE Generic PWS.y!ft (Trojan)
7/28/2009 4:47:34 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-3500073804-1764260668-309305261-0690\rundll32.exe Generic PWS.y!ft (Trojan)
7/28/2009 4:48:25 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\IJOLA5U7\1[1].EXE Generic PWS.y!fr (Trojan)
7/28/2009 4:48:25 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\1[1].exe Generic PWS.y!fr (Trojan)
7/28/2009 4:48:25 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMP\174.EXE Generic PWS.y!fr (Trojan)
7/28/2009 4:48:25 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temp\174.exe Generic PWS.y!fr (Trojan)
7/28/2009 4:57:02 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-8849575639-7679866370-610689226-6891\RUNDLL32.EXE Generic PWS.y!ft (Trojan)
7/28/2009 4:57:02 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-8849575639-7679866370-610689226-6891\rundll32.exe Generic PWS.y!ft (Trojan)
7/28/2009 4:57:49 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\IJOLA5U7\1[1].EXE Generic PWS.y!fr (Trojan)
7/28/2009 4:57:49 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\1[1].exe Generic PWS.y!fr (Trojan)
7/28/2009 4:57:49 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMP\571.EXE Generic PWS.y!fr (Trojan)
7/28/2009 4:57:49 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temp\571.exe Generic PWS.y!fr (Trojan)
7/28/2009 5:09:50 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\WINDOWS\SoftwareDistribution\Download\2d8407673ea9865ef7cd775540e3a36b\update\update.exe C:\windows\Driver Cache\i386\driver.cab
7/28/2009 5:40:44 PM Engine version = 5301.4018
7/28/2009 5:40:44 PM AntiVirus DAT version = 5691.0000
7/28/2009 5:40:44 PM Number of detection signatures in EXTRA.DAT = None
7/28/2009 5:40:44 PM Names of detection signatures in EXTRA.DAT = None
7/28/2009 5:41:23 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 8:15:15 AM Engine version = 5301.4018
7/29/2009 8:15:15 AM AntiVirus DAT version = 5691.0000
7/29/2009 8:15:15 AM Number of detection signatures in EXTRA.DAT = None
7/29/2009 8:15:15 AM Names of detection signatures in EXTRA.DAT = None
7/29/2009 8:15:37 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 8:17:16 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 8:33:31 AM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NvCplDaemon Generic PWS.y!ft (Trojan)
7/29/2009 8:33:31 AM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-0239027825-2803758073-962698912-4610\RUNDLL32.EXE Generic PWS.y!ft (Trojan)
7/29/2009 8:33:31 AM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-0239027825-2803758073-962698912-4610\rundll32.exe Generic PWS.y!ft (Trojan)
7/29/2009 8:34:24 AM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\IJOLA5U7\1[1].EXE Generic PWS.y!fr (Trojan)
7/29/2009 8:34:24 AM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\1[1].exe Generic PWS.y!fr (Trojan)
7/29/2009 8:34:24 AM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMP\223.EXE Generic PWS.y!fr (Trojan)
7/29/2009 8:34:24 AM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temp\223.exe Generic PWS.y!fr (Trojan)
7/29/2009 8:48:03 AM Not scanned (scan timed out) ROSSETTI-01\fmihelcic C:\WINDOWS\system32\msiexec.exe C:\Program Files\Microsoft Office\OFFICE11\1033\HTMLREF.CHM
7/29/2009 12:32:02 PM Engine version = 5301.4018
7/29/2009 12:32:02 PM AntiVirus DAT version = 5691.0000
7/29/2009 12:32:02 PM Number of detection signatures in EXTRA.DAT = None
7/29/2009 12:32:02 PM Names of detection signatures in EXTRA.DAT = None
7/29/2009 12:32:24 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 12:34:27 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 12:58:20 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NvCplDaemon Generic PWS.y!ft (Trojan)
7/29/2009 12:58:20 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-7324098343-6744410563-775054460-7439\RUNDLL32.EXE Generic PWS.y!ft (Trojan)
7/29/2009 12:58:20 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-7324098343-6744410563-775054460-7439\rundll32.exe Generic PWS.y!ft (Trojan)
7/29/2009 12:59:09 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ATUNA1IJ\1[1].EXE Generic PWS.y!fr (Trojan)
7/29/2009 12:59:09 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temporary Internet Files\Content.IE5\ATUNA1IJ\1[1].exe Generic PWS.y!fr (Trojan)
7/29/2009 12:59:09 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMP\631.EXE Generic PWS.y!fr (Trojan)
7/29/2009 12:59:09 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temp\631.exe Generic PWS.y!fr (Trojan)
7/29/2009 1:50:42 PM Engine version = 5301.4018
7/29/2009 1:50:42 PM AntiVirus DAT version = 5691.0000
7/29/2009 1:50:42 PM Number of detection signatures in EXTRA.DAT = None
7/29/2009 1:50:42 PM Names of detection signatures in EXTRA.DAT = None
7/29/2009 1:51:03 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 1:52:27 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 2:09:12 PM Engine version = 5301.4018
7/29/2009 2:09:12 PM AntiVirus DAT version = 5691.0000
7/29/2009 2:09:12 PM Number of detection signatures in EXTRA.DAT = None
7/29/2009 2:09:12 PM Names of detection signatures in EXTRA.DAT = None
7/29/2009 2:09:34 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 2:11:15 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 2:12:37 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NvCplDaemon Generic PWS.y!ft (Trojan)
7/29/2009 2:12:37 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-7990912747-9101392554-431893174-3976\RUNDLL32.EXE Generic PWS.y!ft (Trojan)
7/29/2009 2:12:37 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-7990912747-9101392554-431893174-3976\rundll32.exe Generic PWS.y!ft (Trojan)
7/29/2009 2:13:25 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\2XCDIHAD\1[1].EXE Generic PWS.y!fr (Trojan)
7/29/2009 2:13:25 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temporary Internet Files\Content.IE5\2XCDIHAD\1[1].exe Generic PWS.y!fr (Trojan)
7/29/2009 2:13:25 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMP\446.EXE Generic PWS.y!fr (Trojan)
7/29/2009 2:13:25 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temp\446.exe Generic PWS.y!fr (Trojan)
7/29/2009 2:15:47 PM Not scanned (scan timed out) ROSSETTI-01\ddinsmore C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe C:\Program Files\Java\jre1.5.0_06\lib\rt.jar
7/29/2009 2:39:39 PM Engine version = 5301.4018
7/29/2009 2:39:39 PM AntiVirus DAT version = 5691.0000
7/29/2009 2:39:39 PM Number of detection signatures in EXTRA.DAT = None
7/29/2009 2:39:39 PM Names of detection signatures in EXTRA.DAT = None
7/29/2009 2:40:00 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 2:41:00 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 2:44:50 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NvCplDaemon Generic PWS.y!ft (Trojan)
7/29/2009 2:44:50 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-4531727301-1499254283-287378996-6521\RUNDLL32.EXE Generic PWS.y!ft (Trojan)
7/29/2009 2:44:50 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-4531727301-1499254283-287378996-6521\rundll32.exe Generic PWS.y!ft (Trojan)
7/29/2009 2:45:38 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\IJOLA5U7\1[1].EXE Generic PWS.y!fr (Trojan)
7/29/2009 2:45:38 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\1[1].exe Generic PWS.y!fr (Trojan)
7/29/2009 2:45:38 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMP\406.EXE Generic PWS.y!fr (Trojan)
7/29/2009 2:45:38 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temp\406.exe Generic PWS.y!fr (Trojan)
7/29/2009 3:00:08 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 3:03:25 PM Engine version = 5301.4018
7/29/2009 3:03:25 PM AntiVirus DAT version = 5691.0000
7/29/2009 3:03:25 PM Number of detection signatures in EXTRA.DAT = None
7/29/2009 3:03:25 PM Names of detection signatures in EXTRA.DAT = None
7/29/2009 3:03:46 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 3:05:04 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 3:06:12 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NvCplDaemon Generic PWS.y!ft (Trojan)
7/29/2009 3:06:12 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-8957558898-1301713526-526809549-7566\RUNDLL32.EXE Generic PWS.y!ft (Trojan)
7/29/2009 3:06:12 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-8957558898-1301713526-526809549-7566\rundll32.exe Generic PWS.y!ft (Trojan)
7/29/2009 3:06:59 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ATUNA1IJ\1[1].EXE Generic PWS.y!fr (Trojan)
7/29/2009 3:06:59 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temporary Internet Files\Content.IE5\ATUNA1IJ\1[1].exe Generic PWS.y!fr (Trojan)
7/29/2009 3:07:00 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\LOCAL SETTINGS\TEMP\788.EXE Generic PWS.y!fr (Trojan)
7/29/2009 3:07:00 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Local Settings\Temp\788.exe Generic PWS.y!fr (Trojan)
7/29/2009 3:24:45 PM Engine version = 5301.4018
7/29/2009 3:24:45 PM AntiVirus DAT version = 5691.0000
7/29/2009 3:24:45 PM Number of detection signatures in EXTRA.DAT = None
7/29/2009 3:24:45 PM Names of detection signatures in EXTRA.DAT = None
7/29/2009 3:25:06 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 3:26:50 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 3:28:40 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 3:35:27 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 3:48:18 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\DESKTOP\INFECTED\814.EXE Generic PWS.y!fr (Trojan)
7/29/2009 3:48:18 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Desktop\Infected\814.exe Generic PWS.y!fr (Trojan)
7/29/2009 3:48:18 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\DOCUMENTS AND SETTINGS\DDINSMORE\DESKTOP\INFECTED\1[1].EXE Generic PWS.y!fr (Trojan)
7/29/2009 3:48:18 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\Documents and Settings\ddinsmore\Desktop\Infected\1[1].exe Generic PWS.y!fr (Trojan)
7/29/2009 3:53:03 PM Engine version = 5301.4018
7/29/2009 3:53:03 PM AntiVirus DAT version = 5691.0000
7/29/2009 3:53:03 PM Number of detection signatures in EXTRA.DAT = None
7/29/2009 3:53:03 PM Names of detection signatures in EXTRA.DAT = None
7/29/2009 3:53:07 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NvCplDaemon Generic PWS.y!fr (Trojan)
7/29/2009 3:53:07 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-6680188995-2999360159-801678895-8285\RUNDLL32.EXE Generic PWS.y!fr (Trojan)
7/29/2009 3:53:07 PM Deleted ROSSETTI-01\ddinsmore C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-6680188995-2999360159-801678895-8285\rundll32.exe Generic PWS.y!fr (Trojan)
7/29/2009 3:54:25 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 4:02:03 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar
7/29/2009 4:02:32 PM Engine version = 5301.4018
7/29/2009 4:02:32 PM AntiVirus DAT version = 5692.0000
7/29/2009 4:02:32 PM Number of detection signatures in EXTRA.DAT = None
7/29/2009 4:02:32 PM Names of detection signatures in EXTRA.DAT = None
7/29/2009 4:03:14 PM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\lib\rt.jar


On-Demand Scan log:
7/29/2009 11:59:23 AM Engine version =5301.4018
7/29/2009 11:59:23 AM AntiVirus DAT version =5691.0000
7/29/2009 11:59:23 AM Number of detection signatures in EXTRA.DAT =None
7/29/2009 11:59:23 AM Names of detection signatures in EXTRA.DAT =None
7/29/2009 11:59:14 AM Scan Started SYS-294\fmihelcic Full Scan
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Scan Summary
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Processes scanned : 47
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Processes detected : 0
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Processes cleaned : 0
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Boot sectors scanned : 1
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Boot sectors detected: 0
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Boot sectors cleaned : 0
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Files scanned : 65455
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Files with detections: 0
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic File detections : 0
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Files cleaned : 0
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Files deleted : 0
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Files not scanned : 29
7/29/2009 12:25:29 PM Scan Summary SYS-294\fmihelcic Run time : 0:26:15
7/29/2009 12:25:29 PM Scan Complete SYS-294\fmihelcic Full Scan

7/29/2009 12:59:12 PM Engine version =5301.4018
7/29/2009 12:59:12 PM AntiVirus DAT version =5691.0000
7/29/2009 12:59:12 PM Number of detection signatures in EXTRA.DAT =None
7/29/2009 12:59:12 PM Names of detection signatures in EXTRA.DAT =None
7/29/2009 12:59:04 PM Scan Started SYS-294\ddinsmore Full Scan
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Scan Summary
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Processes scanned : 47
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Processes detected : 0
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Processes cleaned : 0
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Boot sectors scanned : 1
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Boot sectors detected: 0
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Boot sectors cleaned : 0
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Files scanned : 65487
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Files with detections: 0
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore File detections : 0
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Files cleaned : 0
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Files deleted : 0
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Files not scanned : 28
7/29/2009 1:25:27 PM Scan Summary SYS-294\ddinsmore Run time : 0:26:23
7/29/2009 1:25:27 PM Scan Complete SYS-294\ddinsmore Full Scan

Side note: New to this site. I could not find an upload file GUI, so I had to cut and paste the file into the reply window.



#5
August 1, 2009 at 13:56:22
Note: I can help you remove malware manually. Please avoid installing, uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First, Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode and make sure you are connected to the internet. If avz.exe doesn't start, then try to rename the file avz.exe to game.pif and try to run it again. Pause/stop your antivirus and firewall software (if any), close games, text editors and all other programs; leave Internet Explorer/Firefox running before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility.

--> Please navigate to "File" => "Custom Scripts". Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdate;
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script.

--> Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box. Click on the "Execute selected scripts" button.
Automatic scanning, healing and system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip. Upload virusinfo_syscure.zip to rapidshare.com and paste the link here.
* It is necessary now to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewalls) during the system scan. All applications will work properly after the system restart.

Image Tutorial

2) Download and run DDS, which will create a pseudo-HJT report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs:

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste the download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

In your next reply, please include download links to the following:
- virusinfo_syscure.zip
- DDS logs

If I'm helping you and I don't reply within 24 hours send me a PM.



#6
August 1, 2009 at 14:05:41
Thank you for the information. I will not have access to that computer until I get to work on Monday. I would remote into it, but it is turned off.



#7
August 1, 2009 at 14:09:51
If I am guessing right, the virus is hidden in your recycle bin. For some reason it's not transferred, because the loaded network profile can't also see it to save it on log out. Therefore it only happens on that computer when that profile is loaded. Not sure if I made sense to you ;).

If I'm helping you and I don't reply within 24 hours send me a PM.
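As an added example that is not code from this thread or from McAfee, the following Python script parses on-access log lines in the format quoted in post #4 (the sample lines inside it are constructed, with made-up host, user, SID folders and file names) and labels the three patterns that recur there: a Run-key autostart value, an executable under C:\RECYCLER in a SID-named folder, and executables dropped under the user's Local Settings. It also checks whether the SID folder name is a well-formed Windows SID (32-bit sub-authorities, no leading zeros), records whether each item lives somewhere that travels with a roaming domain profile (C:\RECYCLER is per volume, HKLM is machine-wide, and Local Settings is excluded from roaming by default on XP), and counts how often the same item was deleted again. That last count is the point of interest for the question raised in #7: an autostart value and a RECYCLER executable that are deleted on every logon are being re-created by something the on-access scanner has not caught.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread), modelled on the McAfee
# on-access scan log format quoted above:
#   <date> <time> <action> <user> <process> <target> [<detection> (<type>)]
# Host name, user, SID folder names and file names are made up.
SAMPLE_LOG = r"""
7/29/2009 8:33:31 AM Deleted HOST-01\jdoe C:\WINDOWS\Explorer.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NvCplDaemon Generic PWS.y!ft (Trojan)
7/29/2009 8:33:31 AM Deleted HOST-01\jdoe C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-0239027825-2803758073-962698912-4610\rundll32.exe Generic PWS.y!ft (Trojan)
7/29/2009 8:34:24 AM Deleted HOST-01\jdoe C:\WINDOWS\Explorer.EXE C:\Documents and Settings\jdoe\Local Settings\Temp\223.exe Generic PWS.y!fr (Trojan)
7/29/2009 8:48:03 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\msiexec.exe C:\Program Files\Microsoft Office\OFFICE11\1033\HTMLREF.CHM
7/29/2009 12:58:20 PM Deleted HOST-01\jdoe C:\WINDOWS\Explorer.EXE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NvCplDaemon Generic PWS.y!ft (Trojan)
7/29/2009 12:58:20 PM Deleted HOST-01\jdoe C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-7324098343-6744410563-775054460-7439\rundll32.exe Generic PWS.y!ft (Trojan)
7/29/2009 12:59:09 PM Deleted HOST-01\jdoe C:\WINDOWS\Explorer.EXE C:\Documents and Settings\jdoe\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\1[1].exe Generic PWS.y!fr (Trojan)
7/29/2009 1:02:00 PM Deleted HOST-01\jdoe C:\WINDOWS\Explorer.EXE C:\RECYCLER\S-1-5-21-1234567890-123456789-1234567890-1001\rundll32.exe Generic PWS.y!fr (Trojan)
"""

# One log line; paths may contain spaces, so the process is anchored on ".exe"
# and the trailing "<name> <variant> (<type>)" detection is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Deleted|Cleaned|Quarantined|Not scanned \([^)]*\)) "
    r"(?P<user>(?:NT AUTHORITY|\S+)\\\S+) "
    r"(?P<process>[A-Za-z]:\\.*?\.exe) "
    r"(?P<target>(?:[A-Za-z]:\\|HK(?:LM|CU)\\).*?)"
    r"(?: (?P<detection>\S+ \S+) \((?P<kind>[^)]+)\))?$",
    re.IGNORECASE,
)
SID_RE = re.compile(r"S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)", re.IGNORECASE)
RECYCLER_RE = re.compile(r"^[A-Za-z]:\\RECYCLER\\(S-[\d-]+)\\(.+)$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"^HK(?:LM|CU)\\.*\\Run\|", re.IGNORECASE)
TEMP_EXE_RE = re.compile(
    r"\\Local Settings\\(?:Temp|Temporary Internet Files)\\.*\.exe$", re.IGNORECASE)


def sid_is_wellformed(sid):
    """Real domain SIDs carry 32-bit sub-authorities printed without leading
    zeros; folder names that break either rule were not created by Windows."""
    m = SID_RE.fullmatch(sid)
    if not m:
        return False
    for part in m.groups():
        if part != str(int(part)) or int(part) > 0xFFFFFFFF:
            return False
    return True


def scope_of(target):
    """Where the item lives relative to a roaming profile."""
    t = target.lower()
    if t.startswith("hklm\\") or "\\recycler\\" in t:
        return "machine-local"          # per-volume folder / machine hive
    if "\\local settings\\" in t:
        return "profile, non-roaming (Local Settings)"
    if "\\documents and settings\\" in t:
        return "profile, roaming"
    return "other"


def classify(target):
    """Label targets matching the patterns seen in the thread; None otherwise."""
    if RUN_KEY_RE.match(target):
        return "autostart: Run key value"
    m = RECYCLER_RE.match(target)
    if m:
        sid, name = m.groups()
        if name.lower().endswith((".exe", ".dll", ".scr")):
            if not sid_is_wellformed(sid):
                return "executable under RECYCLER in malformed SID folder"
            return "executable under RECYCLER"
    if TEMP_EXE_RE.search(target):
        return "executable dropped in user temp area"
    return None


def stable_name(target):
    """The part that stays the same across re-infections: the Run value name,
    or the file name without its (varying) directory."""
    if "|" in target:
        return target.rsplit("|", 1)[1]
    return target.rsplit("\\", 1)[-1]


def analyse(log_text):
    """Parse, label, and count repeated deletions of the same labelled item."""
    findings, deletions, unparsed = [], Counter(), 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        label = classify(rec["target"])
        if label is None:
            continue
        findings.append({"ts": rec["ts"], "action": rec["action"], "label": label,
                         "scope": scope_of(rec["target"]), "target": rec["target"],
                         "detection": rec["detection"]})
        if rec["action"].lower() == "deleted":
            deletions[(label, stable_name(rec["target"]))] += 1
    repeats = {k: n for k, n in deletions.items() if n > 1}
    return {"findings": findings, "repeats": repeats, "unparsed": unparsed}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['ts']:<22} {f['action']:<8} {f['scope']:<38} {f['label']}: {f['target']}")
    for (label, name), n in result["repeats"].items():
        print(f"deleted {n}x: {name} ({label})")
```

Run against the thread's own log, the same script would report every flagged item as either machine-local or under Local Settings, which is consistent with the profile being clean on another computer while the thing re-creating the Run value and the RECYCLER executable lives on this machine.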



#8
August 1, 2009 at 14:48:19
I will look there, but I reformatted the C: drive before reinstalling XP. How would the C: recycle bin get reinfected? Also, I turned off Restore before I logged in as the user that has the issue.


#9
August 1, 2009 at 15:50:48
Hmm, once you post the required logs I might be able to tell more about the situation.

If I'm helping you and I don't reply within 24 hours send me a PM.

