Infected Pst File

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rivered, Sep 28, 2005.

  1. rivered

    rivered Private E-2

    Wanted to start off by thanking the guys/gals at majorgeeks. I have been cleaning my personal computers and those at my office so successfully it's become almost a hobby to me. I use the "READ ME FIRST - Basic Spyware..." by Major Attitude and it has fixed every issue I've ever encountered up until now.

    I restarted the infected computer in safe mode and ran the Bitdefender and RavAntivirus scans (System Restore has been disabled - WinXP). Bitdefender didn't find anything, but RAVAntivirus found 212 infected files and 6 separate viruses. All infected files were in my c:\documents and settings\...\Microsoft\Outlook\outlook.pst, outlook2.pst, archive.pst, outlook4.pst files.

    RAV did NOT remove these viruses. This is not uncommon and on occasion I have had to manually remove the culprit files after an RAV scan. Since this is a .pst file which contains about a year and a half worth of emails (1.6 gigs) I didn't want to delete the file. I recall receiving these emails months ago (I believe there were about 20 of them over time). On each occasion they were deleted, but for some reason, on 2005-09-25 at 16:52:19 (info obtained from my T1 provider who is threatening to disconnect me if this is not resolved), they all became active.

    I have downloaded Avast! and that program finds 5 of the six viruses. It lists the information a little differently than RAV which enabled me to import the pst file into a new outlook profile in an attempt to find and permanently delete the infected email. I was able to find the email but not delete it. I have tried to remove the attachment without success and tried to delete the entire email without success as well. Each time I run Avast! I try to delete, delete at startup, move or repair and all operations fail either with "Error occurred during file deleting :Error 0x80040119" or "Error occurred during file deleting: The system can not find the file specified" or "Error occurred during moving to chest: There are no more files" or "Error occurred during repair: There are no more files".

    I do not have Norton's. I have been working on this for 2 days now and can not do anything else until this is resolved. Any help would be greatly appreciated.

    Below are the names of the viruses that were found.

    1. Iframe_Exploit* - This shouldn't be possible because I'm running Explorer 6.0.2900.2180.xpsp_sp2_gdr.050301-1519. I'm told this only affects 5.0 or earlier. This is the one that does not appear to be found by Avast!

    2. Win32/Bagle:AI

    3. JS/Dword.dr*

    4. Trojan Proxy: Win32/Mitglieder.CL

    5. Trojan Proxy: Win32\Mitglieder.CN - Why have one version when you can have two

    6. Netsky.k@mm

    Again, there does not appear to be any other infections on my computer outside the pst files. RAVAntivirus and Avast! are not able to clean them for some reason. Any help would be appreciated.
     
  2. rivered

    rivered Private E-2

    System Info is:

    Microsoft Windows XP Professional
    Service Pack 2
    IE 6.0.2900.2180
    Pentium 4A, 2666 MHz (5*533)
    381 MB DDR SDRAM
    82 GB IC35L090AVV207-0 hard drive
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. rivered

    rivered Private E-2

    Not sure if you wanted the HJT in safe mode so I'm including it attached. I don't know who the 178.48.108.148 is. My external IP starts with 67.

    The Avast! virus tool came back clean (No Viruses). Avast! home edition (trial) only found the viruses in the pst files when I checked "thorough scan". Let me know if you want me to post the results from the virus tool cleaner you told me to download.

    Thanks for helping with this
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HJT logs are almost always required from normal boot mode as indicated in the sticky threads.

    Do you know what the below is? Seems rather suspicious to me:
    C:\Program Files\PokerOffice\bin\POEngine.exe
     
  7. rivered

    rivered Private E-2

    Poker software. Not only kosher, but recommended

    ;)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not by me or anyone else fixing malware problems! In fact you will see in the fixes below that I'm suggesting you remove some of this stuff. The final decision on them is yours. I left out PokerOffice but still have Party and Empire poker in the list.

    Is there a reason that you still have

    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    running when you install Avast for an antivirus application? Did you uninstall Symantec and it left this behind?


    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O1 - Hosts: 172.48.108.148 lsgunnallen1
    O1 - Hosts: 172.48.108.149 lsgunnallen2
    O1 - Hosts: 172.48.108.141 ash.userconnect.com
    O1 - Hosts: 172.48.108.143 elm.userconnect.com
    O1 - Hosts: 172.48.108.145 oak.userconnect.com
    O1 - Hosts: 172.48.108.146 pine.userconnect.com
    O1 - Hosts: 172.48.108.141 arhmro1
    O1 - Hosts: 172.48.108.143 arhdal1
    O1 - Hosts: 172.48.108.145 arhmro2
    O1 - Hosts: 172.48.108.146 arhdal2
    O2 - BHO: (no name) - {20AEFB27-0CCA-4118-ABA0-54EABA36ED9E} - C:\WINDOWS\System32\nnkcl.dll (file missing)
    O4 - HKLM\..\Run: [POEngine] "C:\Program Files\PokerOffice\POEngine.exe" C:\Program Files\PokerOffice
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O20 - AppInit_DLLs: C:\WINDOWS\System32\hlpb.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\EmpirePoker <-- the whole folder
    C:\Program Files\PartyPoker <-- the whole folder
    C:\WINDOWS\System32\nnkcl.dll
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  9. rivered

    rivered Private E-2

    O23 - Service: SymWMI Service was either left behind by an uninstall of Norton's or may possibly be the Beagle worm "solution" that I ran that did nothing.

    Before answering everything, I installed AVG and if I import the infected pst files into a new outlook profile (I named one virus) it appears to clean the infected emails. This process will take forever so if you know a faster way, please let me know. I have about 4 different files each over 1.5 gigs to import and go through.

    After using HOSTER, I ran HJT and all O1 Hosts were gone so I couldn't delete them.

    When I checked everything off (even the poker stuff) and clicked FIX, I got an error message on O2 BHO ....c:\windows\system32\nnkcl.dll (file missing) - The error said:

    AN UNEXPECTED ERROR HAS OCCURRED AT PROCEDURE: MODBACKUP_MAKEBACKUP(SITEM=O20-APPINIT_DLLS.C:\WINDOWS\SYSTEM32\HLPB.DLL ERROR #5 - INVALID PROCEDURE CALL OR ARGUEMENT
    PLEASE EMAIL ME @MERIJN@SPYWAREINFO.COM REPORTING THE FOLLOWING
    *WHAT YOU WERE TRYING TO FIX WHEN THE ERROR OCCURRED IF APPLICABLE
    *HOW YOU CAN REPRODUCE THE ERROR
    *A COMPLETE HJT SCAN LOG

    I then restarted in safe mode as instructed and deleted Empire Poker and PartyPoker folders using Windows Explorer.

    I could not find C:\WINDOWS\System32\nnkcl.dll. I then searched the entire computer for this file and couldn't find it anywhere. After my first HJT log, I thought the c:\windows\system32\hlpb.dll file looked suspicious so I restarted in safe mode and in windows recovery console (used that with xfind to get rid of a real nasty a long time ago) and couldn't find that file either.

    Prefetch contents are deleted. Ran Ccleaner before and after this. Here's my log file. Do I get brownie points for homepage? I'd keep you as a home page if you let me respond to the nits that ask you for help before going through the READ ME FIRST BASIC SPYWARE REMOVAL thread - (can i get help from this forum???) and (nobody ever replies to my queries since the first time I posted there). But since I see your new policy is only Official Malware guys can respond and call someone a NIT!!!! then I'll have to change back to yahoo.com or my poker site after a few days. Considering you guys don't charge for this help, people should be a little more respectful. Just my opinion....

    As for how things are working... They've been fine. Except for that call from the T1 carrier telling me I'm sending everyone and their mother the Beagle worm and they're going to disconnect me. While I'm waiting for your reply I'll run another RAV scan. I'm pretty sure it's going to find the viruses in the email. I think we fixed the symptom (my computer being used as a host), but if it happened once, as long as those things are in my pst file, I'm sure they'll get out again. If you can think of any other way of cleaning the pst files other than importing them one by one I would appreciate it.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can set your home page to anything you like. It is just useful to us while fixing PCs to have it set to something we know we can trust. Also it shows us that the Reset of Web Settings worked (sometimes it does not).

    You may want to check over in the software forum to see if anyone knows an easier way to import each of the files. Maybe there is a way of scripting it.

    Why can't you just have AVG scan all those files in whatever folder they are in?

    Let's fix that Symantec service.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to SymWMI Service ( if that is not found, look for: SymWSC) then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    SymWMI Service

    If that does not work, use the short name: SymWSC

    Now exit HJT and reboot. After reboot check to see that the Symantec service is gone from your HJT log. Also delete the below folder:

    C:\Program Files\Common Files\Symantec Shared
     
  11. rivered

    rivered Private E-2

    I'm using the free AVG scan and it doesn't seem to recognize the viruses in the pst files in the default settings. Appears that they can only be changed with the full version. If this is inaccurate, please let me know. Only when I have outlook opened and the file imported does AVG appear to clean it.

    I scanned using RAV again only scanning the pst files I imported and cleaned with AVG and it still finds a virus in there. I'm attaching the RAV results. It only has one infected email (Don't know why AVG can't clean it, but I can't find the infected message itself in outlook)

    Deleted the SymWMI Service. I did have to use SymWSC to delete it.

    Deleted c:\program Files\Common Files\Symantec Shared

    I'm attaching my HJT log cause a few things looked suspicious to me, but I'm a novice.

    The following items jump out at me:
    O4 - the file hkcmd.exe
    O17 - don't know the address 205.171.3.65
    O20 - winlogon file igfxsrvc.dll.

    Thanks again for your help.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In your previous message you said:

    So I'm confused now that you are saying AVG does not clean it when the above statement said it did.

    Why did you switch from Avast to AVG?

    Does RAV give you the option to fix the file? Did you try it in safe mode?
    If it cannot fix it, then find the RAR attachment yourself manually and delete it.
     
    Last edited: Sep 29, 2005
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The O4 and 020 lines are valid normal items.

    The two IP addresses on the O17 lines are probably your ISP:
    Code:
    OrgName:    Colorado SuperNet Inc.
    OrgID:      CSN
    Address:    950 17th Street
    Address:    Suite 1900
    City:       Denver
    StateProv:  CO
    PostalCode: 80202
    Country:    US
     
    Which may be part of Qwest???
     
  14. rivered

    rivered Private E-2

    Right on with Qwest.

    As for the AVG, when I run the scan, it doesn't detect anything, but when I open Outlook and import the infected pst file I'm assuming AVG's email monitor then cleans the email files because the scan found no viruses yet inside outlook when I'm looking at the previously infected email it says AVG cleaned or deleted one of the viruses in the actual body of the email.

    RAV does NOT offer an option to delete. This was done both in normal and safe mode. When I tried to download the desktop version, the link said something about being acquired by Microsoft. I have searched for this email with the rar attachment, but can not find it. Would you know how to search outlook by message or attachment number? (RAV lists messages by number)

    I switched from Avast! to AVG only because Avast! was giving me all those error messages when I tried to clean the outlook pst file. Avast!, in my opinion was better at identifying the viruses because it found them without importing into an open outlook file. Just when I tried to delete, move or repair the viruses or emails or attachments, Avast! gave me an error (the exact error is in my first post). I think I'm going to request tech support from Avast! as well and see what they say.

    Thank you for your help cleaning my system. In your opinion, did it look like my system was being used as a host/relay station for distributing these viruses via email?
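    One way to do the attachment search asked about above, as an added example that is not part of the thread and not code from any of the tools named in it: a PowerShell script (assumes Outlook is installed; the PST paths and the extension list are placeholders to adjust) that mounts each PST through the Outlook object model, walks every folder, and lists messages carrying executable or archive attachments, with the EntryID so the message can be opened and removed in Outlook.

```powershell
# Added example, not from the thread. Assumes Outlook is installed and that
# the PST paths below are replaced with the real ones (placeholders here).
param(
    [string[]]$PstFiles = @("C:\PLACEHOLDER\outlook.pst", "C:\PLACEHOLDER\archive.pst"),
    # Assumed list of attachment types worth reviewing; extend as needed.
    [string[]]$RiskyExt = @(".exe", ".scr", ".pif", ".com", ".bat", ".rar", ".zip")
)

$outlook = New-Object -ComObject Outlook.Application
$ns = $outlook.GetNamespace("MAPI")

# Recursively walk a folder and emit one record per risky attachment.
function Get-RiskyMail {
    param($Folder, [string[]]$Ext)
    foreach ($item in @($Folder.Items)) {
        # Non-mail items (contacts, notes) have no Attachments collection.
        if ($item.Attachments -and $item.Attachments.Count -gt 0) {
            foreach ($att in @($item.Attachments)) {
                $e = [System.IO.Path]::GetExtension([string]$att.FileName).ToLower()
                if ($Ext -contains $e) {
                    [pscustomobject]@{
                        Folder     = $Folder.FolderPath
                        Received   = $item.ReceivedTime
                        Sender     = $item.SenderEmailAddress
                        Subject    = $item.Subject
                        Attachment = $att.FileName
                        Bytes      = $att.Size
                        EntryID    = $item.EntryID   # stable id for locating the message
                    }
                }
            }
        }
    }
    foreach ($sub in @($Folder.Folders)) { Get-RiskyMail -Folder $sub -Ext $Ext }
}

$results = foreach ($pst in $PstFiles) {
    # AddStore would silently create a new empty PST for a missing path.
    if (-not (Test-Path $pst)) { Write-Warning "Not found: $pst"; continue }
    $ns.AddStore($pst)
    # Locate the root folder of the store we just mounted by its file path.
    $root = @($ns.Folders) | Where-Object { $_.Store.FilePath -eq $pst } | Select-Object -First 1
    Get-RiskyMail -Folder $root -Ext $RiskyExt
    $ns.RemoveStore($root)   # unmount so the PST is not left in the profile
}

$results | Sort-Object Received | Format-Table -AutoSize
```

    Mounting a PST this way also triggers any resident mail scanner, which is consistent with the AVG behaviour described in this thread, so run it on a copy of the PST if the original must be preserved for evidence.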
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the Software Forum. Sounds like you only had one item found by RAV. You also said there were only 4 pst files. Why can't you just import them one at a time and let AVG fix them (if it can fix them)?

    Not enough info to know.
     
