Find your solution!

tvvandy · 08-Jun-2007, 07:49 PM #1

I think it all started when I watched a random video online and ever since then my usually well behaved system has been giving me pop ups left, right and center!! WinproVirus2007 started downloading on its own, although I immediately uninstalled it from my system, I think the damage was done. Even when I dont have the browser open, I have explorer opening with pop-ups and even my faithful firefox has succumbed. I run SpyBot and and Ad-aware about twice now, each time it cleans the system, but the problem remains.

Your help truly appreciated. Thanks so much.

Posting my Hijack This logfile here..

Logfile of HijackThis v1.99.1
Scan saved at 7:38:14 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\Vandu\LOCALS~1\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\veydovfl.dll",realset
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Program Files\Mozilla Firefox\plugins\GetFlash.exe -p
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Vandu\Local Settings\Temp\TICHD003.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.2) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

khazars · 08-Jun-2007, 08:22 PM #2

hi, welcome to TSG.

Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
· Double-click VundoFix.exe to run it.
· Click the Scan for Vundo button.
· Once it's done scanning, click the Remove Vundo button.
· You will receive a prompt asking if you want to remove the files, click YES
· Once you click yes, your desktop will go blank as it starts removing Vundo.
· When completed, it will prompt that it will shutdown your computer, click OK.
· Turn your computer back on.

Go here and downlaod the latest version of java, once
downloaded, go to add/remove and uninstall all previous versions of java
from add/remove and then instlall the latest version you just downloaded!

http://java.com/en/download/manual.jsp

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Download the pocket killbox

http://www.majorgeeks.com/Pocket_KillBox_d4709.html

Download AVG Anti-Spyware

http://www.ewido.net/en/

* Once you have downloaded AVG Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
* Once the setup is complete you will need run AVG and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"

Close AVG Anti-Spyware. Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.

* Click here to download ATF Cleaner by Atribune and save it to your desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

* Click here for info on how to boot to safe mode if you don't already know
how.

http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in
safe mode:

have hijack this fix these entries. close all browsers and programmes before
clicking FIX.

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [{ZN}] C:\DOCUME~1\Vandu\LOCALS~1\Temp\TICHD003.exe CHD003
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\veydovfl.dll",realset

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.

C:\DOCUME~1\Vandu\LOCALS~1\Temp\TICHD003.exe CHD003
C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\WINDOWS\system32\veydovfl.dll

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.

Run AVG Anti-Spyware!

# IMPORTANT: Do not open any other windows or programs while AVG is scanning as it may interfere with the scanning process:
# Launch AVG Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
# AVG will now begin the scanning process. Be patient this may take a little time.
Once the scan is complete do the following:
# If you have any infections you will prompted, then select "Apply all actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
# Close AVG and reboot your system back into Normal Mode.

Note: this is a stand alone, it doesn't install to start/programmes.

Download Mwav,

http://www.spywareinfo.dk/download/mwav.exe

double click on it and it will extract to C:\kaspersky. Click
on the kaspersky folder and click on Kavupd, a black dos window will open
and it will update the programme for you, be patient it will take 5-10
minutes to download the new definitions. Once it's updated, click on mwavscan
to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive , all drives and, click scan all files
and then click scan/clean. After it finishes scanning and cleaning post
the log here with a new hijack this log.

Note: this is a very thorough scanner, it might take anything up to an hour
or more, depending on how many drives you have and how badly infected your
pc is.

Highlight the portion of the scan that lists infected items and hold
CTRL + C to Copy then paste it here. The whole log with be extremely
big so there is no way to copy the whole thing. I just need the
infected items list.

Post a new hijack this, the vundo, smitraud, the Mwav scan log and the AVg antispware log!

tvvandy · 09-Jun-2007, 01:06 AM #3

Thanks! Started the Vundofix and its been going on the last four hours now! Not sure if that is normal.
But will follow all the steps and post the logs you stated.
Thanks so much again.

khazars · 09-Jun-2007, 06:56 AM #4

no it's not, stop it and start it again!

tvvandy · 09-Jun-2007, 06:19 PM #5

Thanks so much for your instructions. I really appreciate your help..I went through all the steps you sent me and have posted my logs below. However, when I ran the AVG AntiSpyware, for some reason - it would not show me a report, DESPITE having changed the settings to generate a report after every scan (as you had instructed). not sure what happened there. I have not had the pop-ups in the last few hours, but both my browsers are really slow still, and there is something else wierd going on. My homepage (Ny Times) is really funky on Firefox but fine on Explorer. Also I cannot go to gmail website on firefox, but is fine on explorer. Even more oddly, I could not access TSG forum on explorer (giving me a few moments of great panic), but am able to access it from firefox, thankfully....Anyway here are my logs. What do you think?

New Hijack This

Logfile of HijackThis v1.99.0
Scan saved at 2:58:18 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Vandu\Local Settings\Temp\TICHD003.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
****************** And my Smitfraud report**********
SmitFraudFix v2.193

Scan done at 2:38:24.12, Sat 06/09/2007
Run from C:\Documents and Settings\Vandu\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before
SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CBCE6236-8E2D-4F5D-9B93-0AA84F30C2E6}: DhcpNameServer=167.206.245.9167.206.245.73167.206.245.10HKLM\SYSTEM\CS2\Ser vices\Tcpip\..\{CBCE6236-8E2D-4F5D-9B93-
0AA84F30C2E6}: DhcpNameServer=167.206.245.9 167.206.245.73167.206.245.10
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.245.9 167.206.245.73 167.206.245.10HKLM\SYSTEM\CS2\Services\Tcpip\Parameters:

DhcpNameServer=167.206.245.9 167.206.245.73 167.206.245.10
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After
SmitFraudFix
!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End

Am posting the infections portion from my mwav scan in a separate reply (too long)

tvvandy · 09-Jun-2007, 06:20 PM #6

And lastly, the infections portion from my mwav scan..
Sat Jun 09 04:39:50 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\0126164D infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.
Sat Jun 09 04:39:50 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\0144102D
Sat Jun 09 04:39:50 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\0144102D infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:50 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\0154621B
Sat Jun 09 04:39:51 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\0154621B infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:51 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\015B3613
Sat Jun 09 04:39:51 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\015B3613 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:51 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\01782FF3
Sat Jun 09 04:39:51 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\01782FF3 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:51 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\08165176
Sat Jun 09 04:39:51 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\08165176 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:51 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\08407347
Sat Jun 09 04:39:51 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\08407347 infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:51 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\08E16FF4
Sat Jun 09 04:39:51 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\08E16FF4 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:51 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\0B010224
Sat Jun 09 04:39:51 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\0B010224 infected by "Email-Worm.Win32.NetSky.r" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:51 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\0C9746AA
Sat Jun 09 04:39:52 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\0C9746AA infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:52 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\0CAB4295
Sat Jun 09 04:39:52 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\0CAB4295 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:52 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\0F943273
Sat Jun 09 04:39:52 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\0F943273 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:52 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\0FD3290A
Sat Jun 09 04:39:52 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\0FD3290A infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:52 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\0FEA4EF0
Sat Jun 09 04:39:52 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\0FEA4EF0 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:52 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\0FFB20DE
Sat Jun 09 04:39:52 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\0FFB20DE infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:52 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\17584134
Sat Jun 09 04:39:52 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\17584134 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:52 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\19AB47C5
Sat Jun 09 04:39:52 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\19AB47C5 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:52 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\19DD49DC
Sat Jun 09 04:39:52 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\19DD49DC infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:52 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\19E31187
Sat Jun 09 04:39:53 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\19E31187 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:53 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\19F045C7
Sat Jun 09 04:39:53 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\19F045C7 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:53 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\1D7D13C7
Sat Jun 09 04:39:53 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\1D7D13C7 infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:53 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\1D8A3402
Sat Jun 09 04:39:53 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\1D8A3402 infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.

Sat Jun 09 04:39:53 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\1D975BF3
Sat Jun 09 04:39:53 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\1D975BF3 infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.

Sat Jun 09 04:39:53 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\1DCD64E7
Sat Jun 09 04:39:53 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\1DCD64E7 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:53 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\241327B9
Sat Jun 09 04:39:54 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\241327B9 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:54 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\284429EC
Sat Jun 09 04:39:54 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\284429EC infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.

Sat Jun 09 04:39:54 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\294D72C7
Sat Jun 09 04:39:54 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\294D72C7 infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:54 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\2A506B30
Sat Jun 09 04:39:54 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\2A506B30 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:54 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\2C9E7163
Sat Jun 09 04:39:54 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\2C9E7163 infected by "Email-Worm.Win32.Bagle.y" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:54 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\2CEF0B09
Sat Jun 09 04:39:55 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\2CEF0B09 infected by "Email-Worm.Win32.Bagle.y" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:55 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\2F2C4C1B
Sat Jun 09 04:39:55 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\2F2C4C1B infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:55 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\2F437202
Sat Jun 09 04:39:55 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\2F437202 infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:55 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\2F6A69D7
Sat Jun 09 04:39:55 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\2F6A69D7 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:55 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\2F7711C9
Sat Jun 09 04:39:55 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\2F7711C9 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:55 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\2FB53250
Sat Jun 09 04:39:55 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\2FB53250 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:55 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\2FD22C30
Sat Jun 09 04:39:55 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\2FD22C30 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:55 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\30040D9E
Sat Jun 09 04:39:55 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\30040D9E infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:55 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\320D7F28
Sat Jun 09 04:39:56 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\320D7F28 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:56 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\35C00F16
Sat Jun 09 04:39:56 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\35C00F16 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:56 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\370700ED
Sat Jun 09 04:39:56 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\370700ED infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:56 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\371D26D4
Sat Jun 09 04:39:56 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\371D26D4 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:56 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\392C27AB
Sat Jun 09 04:39:56 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\392C27AB infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:56 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\395A2420
Sat Jun 09 04:39:56 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\395A2420 infected by "Email-Worm.Win32.Bagle.y" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:56 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\3A480428
Sat Jun 09 04:39:56 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\3A480428 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:56 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\3A623C56
Sat Jun 09 04:39:57 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\3A623C56 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:57 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\3A6C3A4B
Sat Jun 09 04:39:57 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\3A6C3A4B infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:57 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\3A763841
Sat Jun 09 04:39:57 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\3A763841 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:57 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\3BDC6223
Sat Jun 09 04:39:57 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\3BDC6223 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:57 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\3C1C62BB
Sat Jun 09 04:39:57 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\3C1C62BB infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:57 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\3C4339BD
Sat Jun 09 04:39:57 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\3C4339BD infected by "Email-Worm.Win32.NetSky.j" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:57 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\3D410121
Sat Jun 09 04:39:57 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\3D410121 infected by "Email-Worm.Win32.NetSky.r" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:57 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\40D746EF
Sat Jun 09 04:39:58 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\40D746EF infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:58 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\40FE3EC4
Sat Jun 09 04:39:58 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\40FE3EC4 infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:58 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\428A0E1E
Sat Jun 09 04:39:58 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\428A0E1E infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:58 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\42B105F3
Sat Jun 09 04:39:58 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\42B105F3 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:58 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\42BB03E8
Sat Jun 09 04:39:58 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\42BB03E8 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:58 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\42C157E1
Sat Jun 09 04:39:58 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\42C157E1 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:58 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\42C82BDA
Sat Jun 09 04:39:59 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\42C82BDA infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:59 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\42E25D8A
Sat Jun 09 04:39:59 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\42E25D8A infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:39:59 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\464E08EA
Sat Jun 09 04:40:00 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\464E08EA infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:00 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\46652ED1
Sat Jun 09 04:40:00 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\46652ED1 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:00 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\466B02C9
Sat Jun 09 04:40:00 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\466B02C9 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:00 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\479D7DF8
Sat Jun 09 04:40:00 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\479D7DF8 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:00 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\47C81FC9
Sat Jun 09 04:40:00 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\47C81FC9 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:00 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4BEE21BB
Sat Jun 09 04:40:00 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\4BEE21BB infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:00 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\53B8240C
Sat Jun 09 04:40:00 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\53B8240C infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:00 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\53E56FDA
Sat Jun 09 04:40:01 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\53E56FDA infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:01 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\53E6463E
Sat Jun 09 04:40:01 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\53E6463E infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:01 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\55E8472E
Sat Jun 09 04:40:01 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\55E8472E infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:01 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\56021712
Sat Jun 09 04:40:01 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\56021712 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:01 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\56C23901
Sat Jun 09 04:40:01 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\56C23901 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:01 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\56F004CF
Sat Jun 09 04:40:01 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\56F004CF infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:01 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\596108C5
Sat Jun 09 04:40:01 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\596108C5 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:01 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\5D2B1289
Sat Jun 09 04:40:02 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\5D2B1289 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:02 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\5DF74295
Sat Jun 09 04:40:02 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\5DF74295 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:02 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\5E1A106E
Sat Jun 09 04:40:02 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\5E1A106E infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:02 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\5E2B625C
Sat Jun 09 04:40:02 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\5E2B625C infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:02 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\5E8C6849
Sat Jun 09 04:40:02 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\5E8C6849 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:02 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\60046CDE
Sat Jun 09 04:40:02 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\60046CDE infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:02 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\602510BB
Sat Jun 09 04:40:03 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\602510BB infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:03 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\63B728DD
Sat Jun 09 04:40:03 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\63B728DD infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:03 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\63D178C0
Sat Jun 09 04:40:03 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\63D178C0 infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:03 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\63DA76B6
Sat Jun 09 04:40:03 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\63DA76B6 infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:03 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\656A547A
Sat Jun 09 04:40:03 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\656A547A infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:03 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\6594764C
Sat Jun 09 04:40:03 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\6594764C infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:03 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\65A87236
Sat Jun 09 04:40:03 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\65A87236 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:03 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\65AE462F
Sat Jun 09 04:40:03 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\65AE462F infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:03 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\65B84424
Sat Jun 09 04:40:04 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\65B84424 infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:04 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\65C56C16
Sat Jun 09 04:40:04 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\65C56C16 infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:04 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\686F4EB9
Sat Jun 09 04:40:04 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\686F4EB9 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:04 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\69C06CE0
Sat Jun 09 04:40:04 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\69C06CE0 infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:04 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\6B0A0A18
Sat Jun 09 04:40:04 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\6B0A0A18 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:04 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\76D5030E
Sat Jun 09 04:40:04 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\76D5030E infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:04 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\76E654FC
Sat Jun 09 04:40:05 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\76E654FC infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:05 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\7B344870
Sat Jun 09 04:40:05 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\7B344870 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:05 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\7F4B0B12
Sat Jun 09 04:40:05 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\7F4B0B12 infected by "Email-Worm.Win32.NetSky.d" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:05 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\7F6804F1
Sat Jun 09 04:40:05 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\7F6804F1 infected by "Email-Worm.Win32.NetSky.b" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:05 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\7F752CE3
Sat Jun 09 04:40:05 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\7F752CE3 infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

Sat Jun 09 04:40:05 2007 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\7F7C00DC
Sat Jun 09 04:40:06 2007 => File C:\Program Files\Norton AntiVirus\Quarantine\7F7C00DC infected by "Email-Worm.Win32.Swen" Virus. Action Taken: File Deleted.

khazars · 09-Jun-2007, 07:57 PM #7

you don't appear to have a firewall, even if you have a router you still need
a software frewall, downlaod the one from the link below!

Comodo firewall. Sign up it's free!

http://www.personalfirewall.trustix.com/

Threads on comodo!

http://www.wilderssecurity.com/forumdisplay.php?f=31

Disable spybot's teatimer as it cnaainterfere with the fixes.

Go to add/remove and uninstall firefox and then reinstlal it!

have hijack this fix these entries. close all browsers and programmes before
clicking FIX.

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Vandu\Local Settings\Temp\TICHD003.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set adaware to do a full system scan and deselect, "search for neglible risk
entries". Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.

Download Superantispyware (SAS):

http://www.superantispyware.com/supe....html?rid=3132

Once downloaded and installed update the defintions
and then run a full system scan quarantine what it finds!

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

All tools can be downloaded at the link below and found on that page!

. SUPERAntiSpyware
. SpyBot search and destroy
. AdAware SE personal

http://www.majorgeeks.com/downloads31.html

Make sure your ActiveX controls are set as follows:

Go to Internet Options - Security - Internet, press 'default level', then OK.
Now press "Custom Level."

In the ActiveX section, set the first two options (Download signed and
unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX
controls not marked as safe" to 'disable'.

Active X settings

http://www.compu-docs.com/activex.htm

Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!

post another log, the super log, and the panda scan log

Tag Cloud
audio bios blue screen boot bsod computer connection crash dcom dell driver drivers email error excel firefox freeze google hard drive hardware hijackthis internet keyboard laptop logon logs off malware motherboard network networking problem ram recovery redirect router screen slow software sound trojan usb userinit.exe virus vista wifi windows windows 7 windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)