
Help with this log

1018 Views 5 Replies 2 Participants Last post by  sUBs
Hi!!

I am new at this and a friend told me that I should post my hijackthis log here because you can help me.

I have been having some problems with my computer, when I am using yahoo messenger, when I use any microsoft office software, or sometimes when I am just browsing the internet... suddenly programs stop responding and I have to close them and start them again.

I ran the hijackthis tool and this is the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:20:31 AM, on 8/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: CSBrBho Class - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bmed.mcgill.ca/CFIDE/classes/CFJava.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4F18FFF5-85B9-4378-A1B4-06743830EC70} (WAPUploaderAX Class) - http://www.web-a-photo.com/WebaphotoUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15e3323366603a86e521/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110493533375
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.63.236.109.79.downloads.es...0.64.237.52_3264&=&req=1070984935375OneCC.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Can you please tell me what I should do... which should I keep, which should I delete...

I would really appreciate if someone could help me on this.

Thanks,
Anel C. :sayyes:
Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please do not run HijackThis from its current location.
  • Create a permanent directory - C:\Program Files\HiJackThis\
  • Re-locate all files to the new directory

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp.exe - Install.

'UNPLUG' YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING

Please save the following instructions in Notepad. I have customised my instructions on the assumption that you have Notepad 'on'. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your question(s) before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • CometCursor
  • Wild Tangent

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: CSBrBho Class - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.63.236.109.79.downloads.es...935375OneCC.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

If you have not done so already, please enable the viewing of Hidden files:
  1. From Windows Explorer, go to Tools > Folder Options > View tab.
  2. Enable the option for Show hidden files and folders
  3. Disable the option for Hide file extensions for known types
  4. Disable the option for Hide protected operating system files
  5. Click Yes to confirm & then click OK
Locate and delete the following folder(s), if present:
  • C:\PROGRA~1\Comet\
  • C:\Program Files\WildTangent\

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Cleanup! using the following configuration:
  1. Click Options...
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files (Windows XP only)
    • [X] Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer at Kaspersky Web Scanner

Take note of the names and locations of any files it detects but fails to clean.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan


Please download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
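The "Fix checked" step above and the request for a fresh log afterwards amount to comparing HijackThis entries across two logs. As an added example that is not part of this thread or of the HijackThis tool, the Python below does that comparison: it parses the R*/O* lines of a v1.99 log, treats the forum's "..." URL truncation as a wildcard when matching a quoted fix list against the full log, reports which fixes did not take, lists which entries actually disappeared, and flags the two things the helper also reacted to (a registered component whose file is missing, and anything running or loading from a Temp directory). The sample logs are constructed from lines that appear in this thread; the function names are this example's own.

```python
"""Parse HijackThis v1.99 logs and check a helper's fix list against a
before/after pair of logs.  Added example; sample logs are constructed
from lines that appear in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One log entry: section tag (R0-R3, O1-O23) and everything after " - ".
HJT_LINE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.+)$")
# Paths under a Temp directory; the helper asked for HijackThis to be moved out of one.
TEMP_DIR = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class HjtEntry:
    section: str
    detail: str


def parse_hjt_log(text: str) -> list[HjtEntry]:
    """R*/O* entries in log order; the header and process list are skipped."""
    return [HjtEntry(m.group(1), m.group(2).strip())
            for m in (HJT_LINE.match(raw.strip()) for raw in text.splitlines()) if m]


def running_processes(text: str) -> list[str]:
    """Paths listed under 'Running processes:' up to the next blank line."""
    procs, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block:
            if not line:
                break
            procs.append(line)
    return procs


def _fix_pattern(detail: str) -> re.Pattern:
    # Forum software shortens long URLs to "head...tail" when a line is quoted
    # back, so "..." in a fix-list entry is treated as a wildcard.
    return re.compile("^" + ".*".join(re.escape(p) for p in detail.split("...")) + "$")


def entry_matches(fix: HjtEntry, entry: HjtEntry) -> bool:
    return fix.section == entry.section and _fix_pattern(fix.detail).match(entry.detail) is not None


def unresolved_fixes(fix_list: list[HjtEntry], log: list[HjtEntry]) -> list[HjtEntry]:
    """Fix-list entries still present in a log, i.e. fixes that did not take."""
    return [f for f in fix_list if any(entry_matches(f, e) for e in log)]


def removed_entries(before: list[HjtEntry], after: list[HjtEntry]) -> list[HjtEntry]:
    """Entries that disappeared between two logs (what the fix actually changed)."""
    return [e for e in before if e not in after]


def review_flags(text: str) -> list[tuple[str, str]]:
    """Triage cues a reviewer checks first: missing files and Temp-directory paths."""
    flags = [(p, "process running from a Temp directory")
             for p in running_processes(text) if TEMP_DIR.search(p)]
    for e in parse_hjt_log(text):
        if "(file missing)" in e.detail:
            flags.append((e.detail, "registered component whose file is missing"))
        if TEMP_DIR.search(e.detail):
            flags.append((e.detail, "component loaded from a Temp directory"))
    return flags


# Constructed samples, trimmed to a few lines from the thread's two logs and fix list.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: CSBrBho Class - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
"""
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
"""
FIX_LIST = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O2 - BHO: CSBrBho Class - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - C:\PROGRA~1\Comet\Install\Temp\brbho.dll (file missing)
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
"""

if __name__ == "__main__":
    before, after, fixes = parse_hjt_log(BEFORE_LOG), parse_hjt_log(AFTER_LOG), parse_hjt_log(FIX_LIST)
    print("fixes still present before:", len(unresolved_fixes(fixes, before)))
    print("fixes still present after: ", len(unresolved_fixes(fixes, after)))
    print("entries removed:", [e.section for e in removed_entries(before, after)])
    print("flags before:", review_flags(BEFORE_LOG))
```

Matching on the section tag plus a wildcard for the truncated URL is deliberate: a forum's shortened "cus...//www.yahoo.com" would never equal the full registry value, so an exact-string comparison would report every quoted R1 line as "not found" and hide whether the fix took. The flags are only triage cues, not verdicts; the thread shows both cues being judged in context (HijackThis itself was merely running from a Temp folder, while the Comet BHO was both missing and Temp-based).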
Results after scan

Hi,

Here are the logs that resulted after performing all the actions you told me to:

1. HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:56 PM, on 8/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [BlockTracker] c:\hp\bin\BlockTracker.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bmed.mcgill.ca/CFIDE/classes/CFJava.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4F18FFF5-85B9-4378-A1B4-06743830EC70} (WAPUploaderAX Class) - http://www.web-a-photo.com/WebaphotoUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15e3323366603a86e521/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110493533375
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


2. Online Scan (Kaspersky web scanner)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, August 26, 2005 16:47:48
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 26/08/2005
Kaspersky Anti-Virus database records: 137168
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 105734
Number of viruses found: 6
Number of infected objects: 51
Number of suspicious objects: 15
Duration of the scan process: 4994 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\12483BFE/Data.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Program Files\Norton AntiVirus\Quarantine\12483BFE Infected: Email-Worm.Win32.NetSky.aa
C:\Program Files\Norton AntiVirus\Quarantine\158B6E7C Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\15AF3C55/[From [email protected]][Date Mon, 24 Jan 2005 10:01:18 -0600]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\15AF3C55/[From [email protected]][Date Mon, 24 Jan 2005 10:01:18 -0600]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\15AF3C55 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\15BC6446/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\15BC6446 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\28E02FBB/[From [email protected]][Date Sat, 23 Oct 2004 12:30:00 -0600]/your_text.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\28E02FBB Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\28EA2DB1/[From [email protected]][Date Sun, 24 Oct 2004 11:34:01 -0600]/your_document.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\28EA2DB1 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\29047D94/[From [email protected]][Date Sun, 24 Oct 2004 15:51:49 -0600]/yours.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\29047D94 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\290E7B89/[From [email protected]][Date Sun, 24 Oct 2004 18:29:56 -0600]/your_picture.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\290E7B89 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\291B237B/[From [email protected]][Date Mon, 25 Oct 2004 08:10:07 -0600]/your_file.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\291B237B Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\29227774/[From [email protected]][Date Mon, 25 Oct 2004 20:33:11 -0600]/your_product.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\29227774 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\36A926CC/Data.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Program Files\Norton AntiVirus\Quarantine\36A926CC Infected: Email-Worm.Win32.NetSky.aa
C:\Program Files\Norton AntiVirus\Quarantine\36CA4AA8/Data.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Program Files\Norton AntiVirus\Quarantine\36CA4AA8 Infected: Email-Worm.Win32.NetSky.aa
C:\Program Files\Norton AntiVirus\Quarantine\36D3489D/Bill.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Program Files\Norton AntiVirus\Quarantine\36D3489D Infected: Email-Worm.Win32.NetSky.aa
C:\Program Files\Norton AntiVirus\Quarantine\3D37736B Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\3D6F3D2E Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\3D7F0F1C/[From [email protected]][Date Thu, 20 Jan 2005 11:26:38 -0600]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\3D7F0F1C/[From [email protected]][Date Thu, 20 Jan 2005 11:26:38 -0600]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\3D7F0F1C Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\3D8C370E Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\3D930B07/[From [email protected]][Date Thu, 20 Jan 2005 14:12:21 -0600]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\3D930B07/[From [email protected]][Date Thu, 20 Jan 2005 14:12:21 -0600]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\3D930B07 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\3D9D08FC/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\3D9D08FC Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\444061AC Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\4450339A/[From [email protected]][Date Fri, 21 Jan 2005 18:00:27 -0600]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\4450339A/[From [email protected]][Date Fri, 21 Jan 2005 18:00:27 -0600]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\4450339A Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\445A318F/details.txt .pif Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\445A318F Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\47CC5001 Infected: Trojan-Dropper.Win32.Keenval.a
C:\Program Files\Norton AntiVirus\Quarantine\704C13C6 Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\708E5B7E Infected: Email-Worm.Win32.NetSky.q
C:\Program Files\Norton AntiVirus\Quarantine\70985973/[From [email protected]][Date Fri, 21 Jan 2005 09:45:42 -0600]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\70985973/[From [email protected]][Date Fri, 21 Jan 2005 09:45:42 -0600]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\70985973 Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton AntiVirus\Quarantine\749F297C/Informations.txt .exe Infected: Email-Worm.Win32.NetSky.aa
C:\Program Files\Norton AntiVirus\Quarantine\749F297C Infected: Email-Worm.Win32.NetSky.aa
C:\Program Files\Norton AntiVirus\Quarantine\7D964B1F/[From [email protected]][Date Sat, 16 Oct 2004 21:55:17 -0600]/message_details.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7D964B1F Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7DEB0EC1/[From [email protected]][Date Mon, 18 Oct 2004 15:42:31 -0600]/your_bill.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7DEB0EC1 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7E055EA4/[From [email protected]][Date Tue, 19 Oct 2004 15:24:57 -0600]/my_details.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7E055EA4 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7E202E88/[From [email protected]][Date Tue, 19 Oct 2004 21:29:49 -0600]/your_product.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7E202E88 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7E4D7A55/[From [email protected]][Date Wed, 20 Oct 2004 12:29:58 -0600]/my_details.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7E4D7A55 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7E674A39/[From [email protected]][Date Fri, 22 Oct 2004 12:22:07 -0600]/your_document.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7E674A39 Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7E7E701F/[From [email protected]][Date Fri, 22 Oct 2004 15:41:58 -0600]/document.pif Infected: Email-Worm.Win32.NetSky.d
C:\Program Files\Norton AntiVirus\Quarantine\7E7E701F Infected: Email-Worm.Win32.NetSky.d
C:\WINDOWS\system32\SplWbr.dlltmp Infected: Trojan-Dropper.Win32.Small.sf

Scan process completed.


3. Antispyware.log

Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hotbara'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hotbarb'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hotbarc'
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PUK'
Found 'DisplayName' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PUK'
Found 'UninstallString' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PUK'
Found '{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}' in 'Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
Internet URL Shortcuts
Files and Directories
Found 'cool.gif' in 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons'
Found 'face.gif' in 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons'
Found 'iloveyou.gif' in 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons'
Found 'kiss.gif' in 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons'
Found 'no.gif' in 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons'
Found 'now.gif' in 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons'
Found 'payaso.gif' in 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons'
Found 'smile.gif' in 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons'
Found 'yes.gif' in 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons'
Found 'MyWayPluginProxy.class' in 'C:\Program Files\Netscape\Communicator\Program\Plugins'
Found 'ADVC5.bsx' in 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13A.tmp'
Found 'XTFL2.bsx' in 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13A.tmp'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\cool.gif' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\cool.gif' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\cool.gif'
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\face.gif' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\face.gif' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\face.gif'
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\iloveyou.gif' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\iloveyou.gif' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\iloveyou.gif'
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\kiss.gif' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\kiss.gif' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\kiss.gif'
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\no.gif' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\no.gif' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\no.gif'
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\now.gif' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\now.gif' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\now.gif'
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\payaso.gif' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\payaso.gif' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\payaso.gif'
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\smile.gif' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\smile.gif' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\smile.gif'
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\yes.gif' in shortcut areas.
Checking for 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\yes.gif' in startup areas.
Cleaning 'C:\Documents and Settings\Owner\My Documents\My Pictures\Emoticons\yes.gif'
Checking for 'C:\Program Files\Netscape\Communicator\Program\Plugins\MyWayPluginProxy.class' in shortcut areas.
Checking for 'C:\Program Files\Netscape\Communicator\Program\Plugins\MyWayPluginProxy.class' in startup areas.
Cleaning 'C:\Program Files\Netscape\Communicator\Program\Plugins\MyWayPluginProxy.class'
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13A.tmp\ADVC5.bsx' in shortcut areas.
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13A.tmp\ADVC5.bsx' in startup areas.
Cleaning 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13A.tmp\ADVC5.bsx'
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13A.tmp\XTFL2.bsx' in shortcut areas.
Checking for 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13A.tmp\XTFL2.bsx' in startup areas.
Cleaning 'C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13A.tmp\XTFL2.bsx'
Finished Cleaning

--------------------------------------------------------------------------

I would really appreciate it if you could tell me what I can do to clean my computer of the viruses and worms that were found on it.

I thank you in advance!!

Anel :smile:
Please empty Norton Antivirus' quarantine folder. You have a lot of worms in there.

Locate & delete this file:
  • C:\WINDOWS\system32\SplWbr.dlltmp
Let me know if you had any difficulties doing that.

How is your machine behaving now?
Thanks
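The triage behind that reply, as an added example that is not part of the thread: every hit whose path sits under the Norton quarantine folder is already contained and goes away when the quarantine is emptied, while the one hit on a live path (SplWbr.dlltmp) has to be removed by hand. The log lines are a constructed sample in the scanner's report format and the sender addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the layout of the online-scanner report posted above
# (a handful of lines, not the full log); sender addresses are placeholders.
SAMPLE_LOG = """\
C:\\Program Files\\Norton AntiVirus\\Quarantine\\28E02FBB Infected: Email-Worm.Win32.NetSky.d
C:\\Program Files\\Norton AntiVirus\\Quarantine\\28EA2DB1/[From sender@example.invalid][Date Sun, 24 Oct 2004 11:34:01 -0600]/your_document.pif Infected: Email-Worm.Win32.NetSky.d
C:\\Program Files\\Norton AntiVirus\\Quarantine\\28EA2DB1 Infected: Email-Worm.Win32.NetSky.d
C:\\Program Files\\Norton AntiVirus\\Quarantine\\3D7F0F1C/[From sender@example.invalid][Date Thu, 20 Jan 2005 11:26:38 -0600]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\\Program Files\\Norton AntiVirus\\Quarantine\\3D7F0F1C Suspicious: Exploit.HTML.Iframe.FileDownload
C:\\Program Files\\Norton AntiVirus\\Quarantine\\47CC5001 Infected: Trojan-Dropper.Win32.Keenval.a
C:\\WINDOWS\\system32\\SplWbr.dlltmp Infected: Trojan-Dropper.Win32.Small.sf

Scan process completed.
"""

# "<path> Infected: <name>" or "<path> Suspicious: <name>"; the path may contain
# spaces, so match it lazily and anchor on the verdict at the end of the line.
LINE_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")
QUARANTINE_DIR = "c:\\program files\\norton antivirus\\quarantine\\"


def parse_report(text):
    """Yield (container_path, verdict, name) for each detection line.
    A hit inside a mail or archive container is reported under the container
    file (the part before the first '/'), so each on-disk item appears once."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and "Scan process completed."
        yield m.group("path").split("/", 1)[0], m.group("verdict"), m.group("name")


def family(name):
    """Drop a trailing variant suffix: Email-Worm.Win32.NetSky.aa -> Email-Worm.Win32.NetSky."""
    head, _, tail = name.rpartition(".")
    return head if re.fullmatch(r"[a-z]+", tail) else name


def triage(text):
    """Split detections into items already held in the AV quarantine (cleared by
    emptying the quarantine) and files on live paths (must be located and
    removed by hand), and count how many distinct items each family accounts for."""
    contained, live, families, seen = [], [], Counter(), set()
    for container, _verdict, name in parse_report(text):
        if container in seen:
            continue
        seen.add(container)
        families[family(name)] += 1
        if container.lower().startswith(QUARANTINE_DIR):
            contained.append(container)
        else:
            live.append(container)
    return {"contained": contained, "live": live, "families": families}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['contained'])} item(s) already in quarantine")
    for path in result["live"]:
        print("live file needing removal:", path)
    for fam, n in result["families"].most_common():
        print(f"{n:3d}  {fam}")
```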

Hi,

I deleted the worms and the file you told me about, and it looks like everything is OK!

I ran the online scanner again and it didn't show any virus... yeih!!!

For now my computer seems to be working just fine, thanks for the help, I really appreciate it.

Thanks again!

Anel C :wink:
Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:


  1. CLEAR & RESET SYSTEM RESTORE'S CACHE
    Go to Start >> Run - type sysdm.cpl & press Enter
    • Select the System Restore Tab
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  6. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here.


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.


  11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.


Please respond to this thread one more time so we can mark this thread as resolved.
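A check of what a HOSTS-based blocklist such as the MVPS file should and should not contain, as an added example that is not part of the thread: blocklist entries map a name to 127.0.0.1 or 0.0.0.0 so the connection goes nowhere, whereas a line that sends windowsupdate.com (or another name the machine depends on) to some other address is a sign of tampering, the kind of entry HijackThis lists under O1. The file contents, domain names and the PROTECTED set are constructed placeholders.

```python
import ipaddress

# Constructed sample in the layout of an MVPS-style HOSTS file, with two
# entries added to show what tampering looks like; all domains are placeholders.
SAMPLE_HOSTS = """\
# Blocklist header comments are ignored by the parser
127.0.0.1  localhost
127.0.0.1  ads.example-adserver.invalid
127.0.0.1  tracker.example-counter.invalid   # trailing comment
0.0.0.0    banners.example-adserver.invalid
192.0.2.10 windowsupdate.com
10.0.0.5   search.example-portal.invalid
"""

# A blocklist entry points the name at the local machine, so the connection
# goes nowhere; anything else is a redirect, not a block.
BLACKHOLE = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}

# Names the machine relies on for updates. A HOSTS line for any of these,
# whatever the address, means the file has been tampered with. windowsupdate.com
# is the site named in the thread; extending the set (e.g. with the AV vendor's
# update host) is an assumption left to the reader.
PROTECTED = {"windowsupdate.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, skipping comments, blank and
    malformed lines. One address line may carry several hostnames."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        for host in fields[1:]:
            yield ip, host.lower()


def audit_hosts(text, protected=PROTECTED):
    """Classify every entry: 'blocked' names are blackholed as a blocklist
    intends; 'suspicious' entries override a protected name or redirect a name
    to a real address, the pattern HijackThis reports as an O1 hosts hijack."""
    blocked, suspicious = [], []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the one mapping every HOSTS file must keep
        if host in protected:
            suspicious.append((host, str(ip), "protected name overridden"))
        elif ip in BLACKHOLE:
            blocked.append(host)
        else:
            suspicious.append((host, str(ip), "redirected to a non-loopback address"))
    return {"blocked": blocked, "suspicious": suspicious}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['blocked'])} name(s) blackholed by the blocklist")
    for host, ip, why in report["suspicious"]:
        print(f"CHECK  {host:40s} -> {ip:15s} ({why})")
```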