Old 12-04-2005, 09:26 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2005
Posts: 9
OS: XP


w32.conycspa.g@mm and Trojan.spamforo keep popping up

Whenever I open an Internet Explorer window for the first time, a Norton AntiVirus window pops up saying that it has detected and removed w32.conycspa.g@mm. When I say OK, it says it has detected and removed trojan.spamforo. If I click OK again, it just keeps cycling through, saying that it keeps detecting and deleting these. I updated and ran a system scan with Norton AntiVirus and it came up with nothing. I also ran an Ad-Aware scan, which detected CWS, and I deleted it. But the Norton things keep popping up. Here is an HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:04:57 AM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Norton AntiVirus\QConsole.exe
c:\windows\system32\rlvknlg.exe
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon0.dll",VerifyStatus
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.1.74.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Please help me
canadieneh02 is offline  

Old 12-04-2005, 12:08 PM   #2 (permalink)
Registered User
 
rikkker's Avatar
 
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Hi and Welcome to TSF

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst. I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.
rikkker is offline  
Old 12-04-2005, 07:02 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2005
Posts: 9
OS: XP


The trojan.spamforo I think was just deleted with the stop sign antivirus program but the other one keeps popping up. Just letting you know.
canadieneh02 is offline  
Old 12-05-2005, 05:32 PM   #4 (permalink)
Registered User
 
rikkker's Avatar
 
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Thanks for being so patient.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

==========================================================

*I noticed that you have two antivirus programs installed on your computer. It is important that you uninstall one of them as they may conflict with each other.

==========================================================

eAcceleration Stop-Sign
Quote:
- While testing indicates that the "threat scanner" is still slow and has occasional problems with false positives -- in large part because of the use of heuristics, which cannot be turned off by the user -- we can no longer classify this application as "rogue/suspect." Nonetheless, this anti-malware application -- at least in its current state -- cannot be recommended, given the many excellent competing anti-virus, anti-trojan, and anti-spyware applications that are available (some for free)
See Here for more information.


LimeWire - I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't good at all. They collect information about you and your usage. We recommend uninstalling it.

==========================================================

Download and install Ewido Security Suite

When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu

Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.


Download LSPFix.exe


Please download Cleanup! and install it. Do NOT run it yet.

==========================================================

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

==========================================================

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\LimeWire\LimeWire.exe
c:\windows\system32\rlvknlg.exe


==========================================================

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

Acceleration Software
wild tangent
LimeWire
AWS/Weatherbug


==========================================================

Instructions for using LSPFix
  1. Double click on LSPFix.exe to run it.
  2. Once running, you will be required to tick the disclaimer - "I know what I'm doing".
  3. You'll find a window with 2 panes. If there is anything in the Remove pane, please put it back into the Keep pane.
  4. Now highlight any instances of rlls.dll
  5. Then click on the arrow pointing to the right, >>.
  6. This will move the entry to the right pane labeled Remove
  7. Click the Finish button to complete the fix.


If you are unsure about removing certain files, please come back and post the filenames here and I will advise you how to proceed.


==========================================================

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [StopSignSsTsMon] Rundll32.exe "C:\Program Files\Acceleration Software\Anti-Virus\sstsmon0.dll",VerifyStatus
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


Please remember to close all other windows, including browsers, then click Fix checked. (Make sure you do not miss any.)

==========================================================

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Acceleration Software
C:\Program Files\Common Files\eAcceleration
C:\WINDOWS\wt
c:\windows\system32\rlvknlg.exe
C:\Program Files\AWS
c:\windows\system32\rlls.dll
PowerReg Scheduler V3.exe <<<-you will have to search for this one.
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

==========================================================

Run Cleanup! using the following configuration:
  1. Click Options...
  2. Set the slider to Standard CleanUp!
  3. Uncheck the following:
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will not create any backups!!

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

==========================================================

Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** This scan may take over an hour, after choosing the action for the first item you do not need to stay at the PC

==========================================================

Reboot your system in Normal Mode.

==========================================================

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Please post a fresh Hijack This log so that we can check if your system is clean.


In your next post I will need fresh logs from:

1) HijackThis
2) Ewido log
3) Panda ActiveScan log
rikkker is offline  
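
The fresh-log check requested at the end of post #4 can be done mechanically: compare the "Fix checked" list and the killed processes against the new HijackThis log. This is an added example, not part of the thread and not a HijackThis feature; `parse_hjt` and `verify_fix` are hypothetical helper names, `FIX_LIST`, `KILLED` and `FRESH_LOG` are excerpts from posts #4 and #5, and `PARTIAL_LOG` is constructed to show an incomplete cleanup.

```python
import re

# A HijackThis item line is "<section> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Return (running process paths, [(section, detail), ...]) from a log."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the item list follows the process list
            entries.append((m.group(1), m.group(2)))
        elif in_processes and line:
            processes.append(line)
    return processes, entries


def norm(s):
    """Compare case-insensitively (Windows paths) and ignore spacing differences."""
    return " ".join(s.lower().split())


def verify_fix(fix_list, killed, fresh_log, lsp_dll="rlls.dll"):
    """Report fixed entries, killed processes and the LSP DLL still in fresh_log."""
    procs, entries = parse_hjt(fresh_log)
    present = {(sec, norm(detail)) for sec, detail in entries}
    running = {norm(p) for p in procs}
    _, wanted = parse_hjt(fix_list)
    return {
        "entries": [f"{s} - {d}" for s, d in wanted if (s, norm(d)) in present],
        "processes": [p for p in killed if norm(p) in running],
        "lsp": [d for s, d in entries if s == "O10" and lsp_dll.lower() in d.lower()],
    }


# Excerpt of the "Fix checked" list from post #4.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - Startup: PowerReg Scheduler V3.exe
"""

# Processes post #4 asks to kill in the HijackThis process manager.
KILLED = [
    r"C:\Program Files\Common Files\eAcceleration\eanthology.exe",
    r"C:\WINDOWS\wt\updater\wcmdmgr.exe",
    r"C:\Program Files\LimeWire\LimeWire.exe",
    r"c:\windows\system32\rlvknlg.exe",
]

# Excerpt of the fresh log posted in post #5.
FRESH_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Constructed log (not from the thread): the LSP, one Run key and one process survived.
PARTIAL_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\RLVKNLG.EXE

O4 - HKLM\..\Run: [wcmdmgr]   C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
"""

if __name__ == "__main__":
    for name, log in (("post #5 log", FRESH_LOG), ("constructed log", PARTIAL_LOG)):
        print(name, verify_fix(FIX_LIST, KILLED, log))
```

An empty result only means the listed items are gone; it does not show the machine is clean, which is why the thread also asks for the Ewido and Panda reports.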
Old 12-06-2005, 04:22 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2005
Posts: 9
OS: XP


Sorry it took so long
here is the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 6:18:30 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.1.74.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Here is Ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:42:49 PM, 12/5/2005
+ Report-Checksum: 388973F0

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3DE88907-3E38-11D4-BEB2-CBE76C0598DD} -> Spyware.BandObjects : Cleaned with backup
HKLM\SOFTWARE\ISPInstaller\RegistryBackup\HKCR\CLSID\{3DE88907-3E38-11D4-BEB2-CBE76C0598DD} -> Spyware.BandObjects : Cleaned with backup
HKU\S-1-5-21-1030656839-1065937116-3454538618-500\Software\Microsoft\Internet Explorer\Keywords -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1030656839-1065937116-3454538618-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-1030656839-1065937116-3454538618-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\HJT\backups\backup-20050317-200652-914.dll -> Spyware.Ihbo : Cleaned with backup
C:\Downloads\DinerDashSetup-dm[1].exe -> Spyware.Trymedia : Cleaned with backup
C:\Program Files\Norton AntiVirus\Quarantine\Portal\41AB737B.exe -> Worm.Delf.i : Cleaned with backup
C:\Program Files\Norton AntiVirus\Quarantine\Portal\42060B17.exe -> Worm.Delf.i : Cleaned with backup
C:\Program Files\Norton AntiVirus\Quarantine\Portal\4F574C27.exe -> Logger.Agent.ig : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/WINDOWS/NDNuninstall6_38.exe -> Spyware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/WINDOWS/NDNuninstall6_90.exe -> Adware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/WINDOWS/NDNuninstall6_98.exe -> Adware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/Program Files/newdotnet/uninstall6_38.exe -> Spyware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/Program Files/newdotnet/newdotnet6_98.dll -> Spyware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/Program Files/newdotnet/uninstall6_98.exe -> Adware.NewDotNet : Error during cleaning
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip/Program Files/newdotnet/newdotnet6_98.to_be_deleted -> Spyware.NewDotNet : Error during cleaning
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\inet20002\3.00.11.dll -> Spyware.Ihbo : Cleaned with backup
C:\WINDOWS\inetdata\1.02.11.dll -> Spyware.Ihbo : Cleaned with backup


::Report End

Here is Panda

Incident Status Location

Adware:adware/cws.yexe Not disinfected C:\messanger.ini
Spyware:spyware/new.net Not disinfected Windows Registry
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Administrator\Desktop\HJT\backups\backup-20050317-200653-495.inf
Virus:Trj/Downloader.TC Not disinfected C:\Documents and Settings\Administrator\lc.html
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[NDNuninstall6_38.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[NDNuninstall6_90.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[NDNuninstall6_98.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[uninstall6_38.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[newdotnet6_98.dll]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[uninstall6_98.exe]
Spyware:Spyware/New.net Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip[newdotnet6_98.to_be_deleted]
Virus:Trj/Downloader.AOU Not disinfected C:\WINDOWS\inetdata\winlogon.exe
Virus:Trj/Downloader.TC Not disinfected C:\WINDOWS\system32\lc.html
canadieneh02 is offline  
Old 12-07-2005, 07:30 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2005
Posts: 9
OS: XP


Just bumping it up
canadieneh02 is offline  
Old 12-07-2005, 08:31 PM   #7 (permalink)
Registered User
 
rikkker's Avatar
 
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Hi canadieneh02


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.


=========================================================

You still have Norton and AVG installed on your computer. It is not a good idea to have two antivirus programs installed at the same time, as they will conflict with each other. Please uninstall one of them. The choice is up to you as to which one you keep.


==========================================================



Empty your Quarantine folder for Norton. You can do so by following the instructions Here

==========================================================


Download KillBox (it's important that you get version v2.0.0.175)

Launch KillBox.exe & select the following options:
Delete on Reboot
Select all the filenames listed below & then right-click & select Copy

C:\messanger.ini
C:\Documents and Settings\Administrator\lc.html
C:\Program Files\Yahoo!\YPSR\Quarantine\20051120105005.zip
C:\WINDOWS\inetdata\winlogon.exe
C:\WINDOWS\system32\lc.html


* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.


Quote:
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe Then try Killbox again.

==========================================================

Delete these folders

C:\WINDOWS\inet20002
C:\WINDOWS\inetdata

==========================================================

Please download CleanUp! and install it. <<<- If you still have CleanUp!, please skip this step.


Run Cleanup! using the following configuration:
  1. Click Options...
  2. Set the slider to Standard CleanUp!
  3. Uncheck the following:
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will not create any backups!!

==========================================================

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Standard
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

==========================================================

Please post a fresh Hijack This log so that we can check if your system is clean.

How is your system running now? Let me know if you are having any problems.

In your next post I will need fresh logs from:

1) HijackThis
2) Kaspersky scan
rikkker is offline  
Old 12-08-2005, 09:01 PM   #8 (permalink)
Registered User
 
Join Date: Dec 2005
Posts: 9
OS: XP


I finished what you said to do. I went in and deleted all of the quarantine before I did the Kaspersky scan, and more of those things showed up in the scan, so the thing must keep making copies of itself. As soon as the scan finished I went in and deleted all the quarantine again. I hope this can be fixed.

Here is HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:55:11 PM, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.1.74.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




Here is Kaspersky

KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 08, 2005 22:52:23
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 9/12/2005
Kaspersky Anti-Virus database records: 154113
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 108663
Number of viruses found: 4
Number of infected objects: 210
Number of suspicious objects: 0
Duration of the scan process: 7891 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\.pif Infected: Trojan-Downloader.BAT.Ftp.z
C:\WINDOWS\system32\systemwin32s.exe Infected: Backdoor.Win32.Wootbot.ae

Scan process completed.
canadieneh02 is offline  
Old 12-09-2005, 09:00 PM   #9 (permalink)
Registered User
 
rikkker's Avatar
 
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Hi canadian02

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

=========================================================

May I ask why you still have two antivirus programs installed? They can conflict with each other. You should uninstall one so the one that you have left can do its job properly.

Go Here to see what can happen to your system if you have too many antivirus programs installed.

==========================================================

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

==========================================================

Please navigate to this folder and delete all files that are found here. You should be left with an empty folder.

C:\Program Files\Norton AntiVirus\Quarantine\

==========================================================

Delete these files

C:\WINDOWS\system32\.pif
C:\WINDOWS\system32\systemwin32s.exe


==========================================================

Run Cleanup! using the following configuration:
  1. Click Options...
  2. Set the slider to Standard CleanUp!
  3. Uncheck the following:
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.

* CleanUp! will not create any backups!!

==========================================================

Reboot to normal mode.

==========================================================

Any problems now?

Please post a fresh Hijack This log so that we can check if your system is clean.

In your next post I will need a fresh log from

1) HijackThis
rikkker is offline  
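The cleanup steps in the post above treat the scan report as two groups: copies sitting in the Norton quarantine folder, and the two files still live in system32. As an added example (not part of the original post), this Python sketch makes that split automatically for a report in the same `path Infected: name` shape; the function names and the `QUARANTINE_DIRS` list are assumptions of the example.

```python
import ntpath
import re
from collections import Counter

# Lines copied from the scan report posted in the thread (a subset).
SAMPLE_REPORT = r"""
C:\Program Files\Norton AntiVirus\Quarantine\2B8F02AC.exe Infected: Email-Worm.Win32.Delf.i
C:\Program Files\Norton AntiVirus\Quarantine\2B957DCB.exe Infected: Trojan-Proxy.Win32.Delf.aa
C:\Program Files\Norton AntiVirus\Quarantine\2B960DC8.exe Infected: Email-Worm.Win32.Delf.i
C:\WINDOWS\system32\.pif Infected: Trojan-Downloader.BAT.Ftp.z
C:\WINDOWS\system32\systemwin32s.exe Infected: Backdoor.Win32.Wootbot.ae

Scan process completed.
"""

# Assumption: folders that hold another product's quarantined copies.
QUARANTINE_DIRS = (r"C:\Program Files\Norton AntiVirus\Quarantine",)

# One detection per line: a drive-letter path, then "Infected:", then the name.
HIT = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<name>\S+)\s*$")


def in_quarantine(path):
    """True when the file sits in (or below) a known quarantine folder."""
    folder = ntpath.normcase(ntpath.dirname(path))
    for q in QUARANTINE_DIRS:
        q = ntpath.normcase(q)
        if folder == q or folder.startswith(q + "\\"):
            return True
    return False


def triage(report):
    """Return (Counter of quarantined detections by name, list of live hits)."""
    quarantined = Counter()
    live = []
    for line in report.splitlines():
        m = HIT.match(line.strip())
        if not m:
            continue  # blank lines, headers, "Scan process completed."
        if in_quarantine(m["path"]):
            quarantined[m["name"]] += 1
        else:
            live.append((m["path"], m["name"]))
    return quarantined, live


if __name__ == "__main__":
    counts, live = triage(SAMPLE_REPORT)
    for name, n in counts.most_common():
        print(f"quarantined copies: {n:3d}  {name}")
    for path, name in live:
        print(f"LIVE FILE: {path}  ({name})")
```

The live list is the part that needs action first; the quarantined count only shows how often the resident scanner has already caught the same families.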
Old 12-09-2005, 09:49 PM   #10 (permalink)
Registered User
 
Join Date: Dec 2005
Posts: 9
OS: XP


I got rid of one of the antivirus programs and did everything else you said. I think it might be fixed now but not sure.
Here is the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:44:10 PM, on 12/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_2.1.1.74.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
canadieneh02 is offline  
Old 12-10-2005, 11:03 AM   #11 (permalink)
Registered User
 
rikkker's Avatar
 
Join Date: Jul 2005
Location: Canada
Posts: 213
OS: xp-pro


Well done. Your log is clean. Any more problems? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.


SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Select Custom Level.
    • Change 'Download signed ActiveX controls' to Prompt
    • Change 'Download unsigned ActiveX controls' to Disable
    • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    • Change 'Installation of desktop items' to Prompt
    • Change 'Launching programs and files in an IFRAME' to Prompt
    • Change 'Navigate sub-frames across different domains' to Prompt
    • When all these changes have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Select OK to exit the Internet Properties page.


Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Microsoft Windows Update
Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

Here are two very good free Antivirus products which are available:

Avast!

AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Make sure that you only install one antivirus program as they can conflict with each other.

FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

SpywareBlaster to help prevent spyware from installing in the first place.

SpywareGuard to catch and block spyware before it can execute.

SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here

AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here

MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
Please respond to this thread one more time so we can mark this thread as resolved.
rikkker is offline  
Old 12-10-2005, 02:07 PM   #12 (permalink)
Registered User
 
Join Date: Dec 2005
Posts: 9
OS: XP


Thanks for all your help. It seems to be running fine. If I have any other problems I'll come back to this site.
canadieneh02 is offline  
 






All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum