This morning I received an email from my company that had a text file attached. Unfortunately I did not look at it closely enough before opening it… the file had a “VBS” extension. When opened it quickly displayed a file folder opening and then the display went back to the email message. I think that I have contracted a virus, but have been unable to locate it through virus scans. I am afraid to reboot my computer, since that might activate it. I have searched the hard drive for files created today, but am unable to locate anything unusual. Does anyone have suggestions?
There’s really not enough info to help you much on this, but you might want to try Onlinescanners by Trend (see below) and www.ravantivirus.com
What Win & what email client do you use?
Do you have avast installed, or any other virus protection/resident running in the background?
Please post a HijackThis logfile for diagnosis: http://hjt.klaffke.de
Also work through “VirusRemoval” below
The system is running XP and the email is actually a dial-up connection on the internet. Our email server provides an online access for the company account. Avast is running, has the most recent update, and I’ve done a thorough system scan. So far nothing has been found. I am trying to run another scan from Trend Micro, but my system keeps locking up, or I lose my connection.
I’ll install HijackThis and will post the log…
here is the Hijack log:
Logfile of HijackThis v1.97.7
Scan saved at 5:54:55 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\EarthLink 5.0\updatemgr.exe
C:\WINDOWS\System32\Pelmiced.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Beth\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\Juno6\qsacc\X1IEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [VTPreset] VTPreset.exe
O4 - HKLM..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM..\Run: [ConMgr.exe] “C:\Program Files\EarthLink 5.0\ConMgr.exe”
O4 - HKLM..\Run: [UpdateMgr.exe] “C:\Program Files\EarthLink 5.0\updatemgr.exe” /NOCM
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1085510651250
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38128.6153935185
O17 - HKLM\System\CCS\Services\Tcpip..{3C7DADA3-A1F1-4113-8FF3-CA890D044522}: NameServer = 207.217.120.83 207.217.77.82
O17 - HKLM\System\CS1\Services\Tcpip..{3C7DADA3-A1F1-4113-8FF3-CA890D044522}: NameServer = 207.217.120.83 207.217.77.82
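A triage pass over the autorun (O4) section of a HijackThis log like the one posted above, as an added example that is not part of the original thread: it lists Run entries given as bare file names, pairs each with the running process image of the same name, and flags any Run entry that launches a script host or script file. The function names are illustrative, and the sample is an excerpt of the posted log.

```python
import re

# Added example (names are illustrative). Sample: excerpt of the log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\ICO.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [VTPreset] VTPreset.exe
O4 - HKLM..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] ICO.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")            # e.g. "O4 - ..."
RUN = re.compile(r"Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SCRIPT = re.compile(r"\b(wscript|cscript)(\.exe)?\b|\.(vbs|vbe|js|jse|wsf)\b", re.I)

def parse(log):
    """Split a log into running-process paths and entries keyed by section code."""
    procs, entries, in_procs = [], {}, False
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.setdefault(m.group(1), []).append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def triage_autoruns(log):
    """Return ({bare-name Run entry: running image path or None}, [script-launching Run entries])."""
    procs, entries = parse(log)
    running = {p.rsplit("\\", 1)[-1].lower(): p for p in procs}
    bare, scripted = {}, []
    for m in filter(None, (RUN.search(t) for t in entries.get("O4", []))):
        cmd = m.group("cmd").strip("“”\" ")
        if SCRIPT.search(cmd):
            scripted.append(m.group("name"))
        if "\\" not in cmd:                            # no directory: resolved via the search path
            exe = cmd.split()[0].lower()
            bare[m.group("name")] = running.get(exe)
    return bare, scripted
```

An empty second list only covers the Run keys the log records; it says nothing about other startup locations.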
Do you still have that email/attachment? If so, please send it to virus@asw.cz.
The email has been forwarded…
I was finally able to get Trend Micro to run and it found no viruses.