Worm.SomeFool.P

Got an e-mail from an unknown adressee advising my e-mail had been stopped as it contained the virus Worm.SomeFool.P. I'm also getting heaps of e-mails from unknown people, all with attachmnts.

Q1 Is there such a virus?
Q2 How to verify if I have it in my PC?
Q3 How to remove?

Pls help

 

Hello Hans01 and welcome to the forum!

alias Netsky.P, i-worm.Netsky.Q (Kaspersky)
Some description among others here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.P

Scanning? plus online scan once you're there looking at trend micro get to their free online scan http://housecall.trendmicro.com
Depends on online scan finds if there is anything to be removed.

Also depending on the finds (or just to be really sure) posting your HijackThis log in the HJT forum here is not a bad idea either.
See here for instructions in step 2 and where to get the software.

BTW if you can please register as a member to the forum so we can find you back in case of next happenings and you can send private messages to other forum members and moderators, but keep your email hidden please.

We all get lots of infected emails, a good email scanner/stopper is not a bad idea either.

Please post back how it goes!

 

Trendmicro's online scan didn't work. I couldn't start it as some settings or other in my PC were wrong. Setting fault not described.
I then tried download of sysclean.com etc as shown. Downloaded OK but wouldn't run as some file or other was missing.
IE, back to square one.

 

Which AV/AT are you using normally installed on your system?
We all get bounced infections we never sent ourselves, is part of the netsky pattern: spoofing addresses etc.
But that you can't even run the sysclean.com thing is not nice, did it indicate which file is missing so you can look for that?
There are more online scanners like www.pandasoftware.com, www.ravantivirus.com, and several more.

 

I'm strictly basic level for computers. What's an "AV/AT" ?
Sure it told me which file was missing. Problem = I'm not an IT bloke so the info was of little use

 

AV/AT = anti-virus/anti-trojan scanner
If you tell which file is missing we can maybe help you to locate it if necessary.
Did you type the name in your windows search to see if it is really not there?
(could be in another location)
Did you after downloading that sysclean.com thing also grab the last daily update? It does not work without that.
The sysclean file you unzip in a folder on your system, the daily update you grab from the trendmicro site too and put that in the same folder.
Now i don't 100% remember if you have to unzip that update file or that starting the sysclean thing does that for you; that part you'll have to try.
I set that thing on not autocleaning, i first want to see it's finds and study the log and being able to submit possible alarms to the lab for further research if necessary.
After that one can decide to delete or not.
Hope this helps!

 

Don't worry

I'm using a Linux System and it's nearly impossible that I have been infect by something. I have receive the same E-Mail. I have search the web for Worm.SomeFool.P and that virus to not seem to exist.

It's just another %?$& spammer

Bbp

 

An unspecified ".dll" file was missing and the activation "buttons" didn't display, ie couldn't start the Trendmicro online cleanup.
Downloaded the sysclean AND the daily update file. That didn't work either, another file was supposedly missing.
I expect I have some sort of virus, as my internet explorer has slowed down something awful. Might know more tomorrow (IT-pal coming to check).

 

Oh please do look in the HijackThis forum here and post your Hijackthis log as soon as you can in that place where the experts will help you look into that!
If there is anything they will help you finding it in the best ways!


BbP: Please take the trouble to look in the links i posted in the first reply:
it is another name for Netsky.p among others. And that exists very loud and clear as we can see all over internet.
It's rather unfortunate some companies keep using an initial alias when some nasty got an international known name.

 

Problem solved. Turned out my Anti-Virus seetings were wrong (my own fault). Once corrected, 1 file was quarantined (FVProtect.exe) which contains the Netsky virus. How do I find the "Hijackthis log".

 

OK, I will try your instructions in the link. Big thanks for your assist.

 

Sounds good!
You might like to zip the file and send it to submit@diamondcs.com.au to be sure.
Step 2 in this thread https://www.wilderssecurity.com/showthread.php?t=15913 will bring you to the hijackthis file to create and post your hjt log for an expert view.

 

Hey guys.

My name is Diego, this is the second time I get this Worm.SomeFool.P
But I think it is somethign else.

The first time I got the letter, it wuz from a company in italy, that said I sent and infected email. I looked for information and I didn't found info about the virus, not in Panda, Symantec or McAfee websites. So i answered the email asking which antivirus were they using.

I got an answer, in english. It said something about the person to whom I sent the email. The funny thing is that the address from which I got the email wuzn't the same anymore, it wuz some: XXXEmpresaSPAM@terra.com.pe

As u can see, it wuz an email from Peru (pe, where I live) from a free webclient, and it said clearly SPAM. I asked around and some ppl told me that's a new way of spam. I keep gettin those, sometimes I don't get em' in months, sometimes i get em 2ice a day. My antivirus (norton) won't detect it, so I think I am pretty sure of wut I am sayin'.

Also, this is acopy of the last email I received:

****************************************************
Nuestro detector de virus ha sido activado por un mensaje enviado por Usted:
A: info@vochomania.com.mx
Asunto: read it immediately
Fecha: Thu Apr 29 09:45:46 2004
Las partes del mensaje que estaban infectadas no han sido enviadas.

Este mensaje es slo para avisarle de que su sistema puede tener un virus
y debera verificarlo.

El detector de virus dijo lo siguiente acerca del mensaje:
Informe: document_all.zip contains Worm.SomeFool.P


--
MailScanner
Proteccin contra Virus de E-mail
www.mailscanner.info
******************************************************

I know it is in spanish but:

1st: A decent antivirus company doesn't have writing mistakes, and this emails has some.
2nd: Check the website... not a decent website for an antivirus company, just 1 plain html page, that's all the site.

well I hope this proves my point, or at least makes u think about it.

Pleez, if I am wrong write me, cuz I don't wanna have a virus in my PC. lol...

Take care

Diego Ferreyra
diegoferreyra@speedy.com.pe

 

www.google.com > paste in the name Worm.SomeFool.P and see over 800 hits.
I told you in my first message it is an alias (other name) for netsky.q
Now with the over 800 hits you see the name is used more frequently thanks to the spam messages.
Really, google is your friend here is you refuse to believe my answers.
Two more things: please if you get such an infection forward it to submit@diamond.com.au where the lab will tell you exactly what to do and what it is.
Next go to www.kaspersky.com/remoteviruschk.html , scroll to where you can online submit the email complete wiht code and in a few seconds you have the reply on your screen.
There might be a new variant so it is always interesting to know your expert replies from those two addresses i just gave you.
Thanks in advance.


Here's some siteowners blocklist for several days
http://hosting.boys-brigade.org.uk/mrtg/
and the name reverence - clamav names it this name others not.
http://www.nfllab.com/projects/cvnr/

 

Here's what I managed, hope it's the right thing.
/ H

Logfile of HijackThis v1.97.7
Scan saved at 10:04:51 PM, on 5/3/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\AOTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINWAN\WINWAN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
O2 - BHO: (no name) - {E3FE3EEE-D170-BD2B-DD71-A2E317CC48D0} - C:\windows\system\ozxwrnvx.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINDOWS\SYSTEM\FWNTOOLBAR.DLL
O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AOTray] AOTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System\
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [winwan ml075e] "c:\program files\winwan\winwan.exe"
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System\<HEAD>
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System\</HTML>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System\<BODY>
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System\</BODY>
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [<H] c:\WINDOWS\System\<HEAD>
O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System\ <TITLE>Error</TITLE>
O4 - HKCU\..\Run: [</H] c:\WINDOWS\System\</HTML>
O4 - HKCU\..\Run: [<B] c:\WINDOWS\System\<BODY>
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [] c:\WINDOWS\System\
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
O4 - HKCU\..\Run: [</B] c:\WINDOWS\System\</BODY>
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab

 

Hi Hans 01,

First, download and run RapidBlaster killer from: http://www.wilderssecurity.net/specialinfo/rapidblaster.html

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
O2 - BHO: (no name) - {E3FE3EEE-D170-BD2B-DD71-A2E317CC48D0} - C:\windows\system\ozxwrnvx.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

O4 - HKLM\..\Run: [] c:\WINDOWS\System\

O4 - HKLM\..\Run: [winwan ml075e] "c:\program files\winwan\winwan.exe"
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System\<HEAD>
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System\</HTML>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System\<BODY>
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System\</BODY>
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

O4 - HKCU\..\Run: [<H] c:\WINDOWS\System\<HEAD>
O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System\ <TITLE>Error</TITLE>
O4 - HKCU\..\Run: [</H] c:\WINDOWS\System\</HTML>
O4 - HKCU\..\Run: [<B] c:\WINDOWS\System\<BODY>
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [] c:\WINDOWS\System\
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
O4 - HKCU\..\Run: [</B] c:\WINDOWS\System\</BODY>

Then reboot and delete:
C:\WINDOWS\BXXS5.DLL

This one is unknown to me:
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINDOWS\SYSTEM\FWNTOOLBAR.DLL
If FWN stands for Find Whatever Now then add it to the list above.

Could you post a new log when you are done, in case we missed something.

Regards,

Pieter

 

Hi, followed your instructions to the letter, but could not find any file C:\WINDOWS\BXXS5.DLL (nor could "Start\Find\C-drive). There's still something amiss -
1) Something tries to connect to internet when I'm working off-line. The connection window pops up but stays away when I close it. It's different from the normal connection window in that the button labelled "Work Off-Line" is called "Cancel". It's a minor nuisance only.
2) Frequently (nearly 100%) I get a "faulty" internet connection when going on-line. Faulty, in the sense that many illustrations are replaced by white boxes with a red crosses inside. Right-click and "Show Picture" doesn't work.
This is often a problem, ie executable buttons are not shown, so either I have to guess / remember or forget about it.

I don't know what the FWNTOOLBAR is either. Under "Properties\Version" it says Copyright : Microsoft. I left it in as I haven't got a clue what it is, does or stands for.

The new log - (ie after actioning your instructions)

Logfile of HijackThis v1.97.7
Scan saved at 11:17:30 PM, on 5/5/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\AOTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\RAPIDBLASTER\RB32.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINDOWS\SYSTEM\FWNTOOLBAR.DLL
O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AOTray] AOTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [rb32 ml075e] "c:\program files\RapidBlaster\rb32.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab

Regards,
/ H

 

A good start now would be to get all the Windows and IE updates.

If you can send me this file by mail:
C:\WINDOWS\SYSTEM\FWNTOOLBAR.DLL
I'll gladly have a look to see whether it's bad news or not. I think so since I can't imagine it is really by MicroSoft.

I will PM you my address.

Regards,

Pieter

 

Oh my god - ok the first piece of advice would have been to say the email from the person in the first post was most likely spoofed, if virus definitions are up to date and you have run a full system scan, you email address was probably spoofed, and you don't have a virus!

I can't see why IT people so enjoy to torment people with techno babble and force them to do needless tasks.

My advice is if you are concerned about internet security buy internet scanner and virus scanner software from symantec (norton). Keep that up to date, ignore suspicious emails, don't visit dodgey websites, and maybe install a piece of firewall software.

geez, all that screen-dumping and telling people to delete system files, you could end up doing more damage to a system which may not even have a virus!!!

 

Dear Some Randum Guy,
to avoid damages to other people's valuable systems you see we help them step by step through processes and not any unnecessary file is ever deleted, trying to save systems from reformatting and data loss.
In the case above you see a file is submitted to an expert for deeper study before the user is adviced to delete it.
Further you see what looks like a html page which added itself to the registry in the O4 lines is fixed, and an infection.
The people here are experienced in what they do and do respect user's systems.
About your advice re norton, that's a personal opinion. Just look through the forums, people with norton properly installed and fully updated and look in the hijackthis logs postings and other threads. You won't get disappointed.
See it as an extra option on a system but not as only option.
I'm for layered protection and second opinions etc. as you can see visiting the DiamondCS forums for instance.
And we all learn from what's happening here.

 

Well Folks,
Thanks to the help I received I now have regained my previous PC speed and my e-mail is not crammed full of weird e-mails (all with attachment) from unknown senders.
I can only conclude that the Wilder advise was good and did the trick.
As for Norton, I bought another Anti-Virus which scored "best buy" in a magazine comparison article. How else can a novice decide what to buy?
Thanks again, Wilders,
/ H

 

My System:
Windows XP (Still Service Pack 1 for the moment) Pro
(Hardware not really important)

That stupid FWN crap....yea....think I might finally be rid of it. There is also a WFWNNET.DRV file in /%SystemDir%/System that I think is responsible for some headaches. I could be wrong on this, but that's just about the only thing i was able to scrounge up. I've been at this for about 8 hours now. I've just about run out of tricks. Think I might be rid of it though as I can still browse. Darn thing was shooting me to an MSN default "Sorry we can't find blahblahblah, are you sure you typed it correctly?" Anyway, hope this helps someone. the last 3 letters of that file (prior to extension) may be different, your mileage may vary, some settling of product likely to occur during shipping. Void Where Prohibited.

 

Almost forgot. That FWN stuff is from findwhatevernow.com EVIL EVIL corporation that just serves to spy and spam people. Watch out for it being buried in with stupid little applications and programs (kinda like all that GAIN advertising junk, but MUCH more annoying). If you have that goofy toolbar...well, sorry, but it's a pain to remove. Start in control panel, delete the directory it has, that stupid dll file, and that .drv file and it should be gone.