Worm.SomeFool.P

Discussion in 'malware problems & news' started by hans01, Apr 12, 2004.

Thread Status:
Not open for further replies.
  1. hans01

    hans01 Guest

    Got an e-mail from an unknown addressee advising my e-mail had been stopped as it contained the virus Worm.SomeFool.P. I'm also getting heaps of e-mails from unknown people, all with attachments.

    Q1 Is there such a virus?
    Q2 How to verify if I have it in my PC?
    Q3 How to remove?

    Pls help
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Hans01 and welcome to the forum!

    alias Netsky.P, i-worm.Netsky.Q (Kaspersky)
    Some description among others here:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.P

    Scanning? While you're there looking at Trend Micro, go to their free online scan: http://housecall.trendmicro.com
    Whether there is anything to be removed depends on what the online scan finds.

    Also depending on the finds (or just to be really sure) posting your HijackThis log in the HJT forum here is not a bad idea either.
    See here for instructions in step 2 and where to get the software.

    BTW, if you can, please register as a member of the forum so we can find you again in case of further happenings and you can send private messages to other forum members and moderators, but keep your email hidden please.

    We all get lots of infected emails, a good email scanner/stopper is not a bad idea either.

    Please post back how it goes!
     
    Last edited: Apr 12, 2004
  3. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Trend Micro's online scan didn't work. I couldn't start it as some settings or other in my PC were wrong. The settings fault was not described.
    I then tried downloading sysclean.com etc. as shown. It downloaded OK but wouldn't run as some file or other was missing.
    I.e., back to square one.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Which AV/AT are you using normally installed on your system?
    We all get bounced infections we never sent ourselves; it is part of the Netsky pattern: spoofing addresses etc.
    But that you can't even run the sysclean.com thing is not nice; did it indicate which file is missing, so you can look for that?
    There are more online scanners like www.pandasoftware.com, www.ravantivirus.com, and several more.
     
  5. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    I'm strictly basic level for computers. What's an "AV/AT" ?
    Sure it told me which file was missing. Problem = I'm not an IT bloke, so the info was of little use.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    AV/AT = anti-virus/anti-trojan scanner
    If you tell us which file is missing we can maybe help you locate it, if necessary.
    Did you type the name in your Windows search to see if it is really not there?
    (It could be in another location.)
    Did you, after downloading that sysclean.com thing, also grab the last daily update? It does not work without that.
    You unzip the sysclean file in a folder on your system; the daily update you grab from the Trend Micro site too and put it in the same folder.
    Now I don't 100% remember if you have to unzip that update file or if starting the sysclean thing does that for you; that part you'll have to try.
    I set that thing to not autoclean; I first want to see its finds and study the log, and be able to submit possible alarms to the lab for further research if necessary.
    After that one can decide whether to delete or not.
    Hope this helps!
     
  7. Bbp

    Bbp Guest

    Don't worry

    I'm using a Linux system and it's nearly impossible that I have been infected by something. I have received the same e-mail. I have searched the web for Worm.SomeFool.P and that virus does not seem to exist.

    It's just another %?$& spammer

    Bbp
     
  8. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    An unspecified ".dll" file was missing and the activation "buttons" didn't display, i.e. I couldn't start the Trend Micro online cleanup.
    Downloaded the sysclean AND the daily update file. That didn't work either; another file was supposedly missing.
    I expect I have some sort of virus, as my Internet Explorer has slowed down something awful. Might know more tomorrow (IT pal coming to check).
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Oh please do look in the HijackThis forum here and post your HijackThis log as soon as you can in that place, where the experts will help you look into that!
    If there is anything, they will help you find it in the best ways!


    BbP: Please take the trouble to look in the links I posted in the first reply:
    it is another name for Netsky.P among others. And that exists very loud and clear, as we can see all over the internet.
    It's rather unfortunate some companies keep using an initial alias when some nasty has got an internationally known name.
     
  10. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Problem solved. Turned out my anti-virus settings were wrong (my own fault). Once corrected, 1 file was quarantined (FVProtect.exe) which contains the Netsky virus. How do I find the "HijackThis log"?
     
  11. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    OK, I will try your instructions in the link. Big thanks for your assist.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  13. Diego Ferreyra

    Diego Ferreyra Registered Member

    Joined:
    Apr 29, 2004
    Posts:
    1
    Hey guys.

    My name is Diego, this is the second time I get this Worm.SomeFool.P
    But I think it is something else.

    The first time I got the letter, it wuz from a company in Italy that said I sent an infected email. I looked for information and I didn't find info about the virus, not in Panda, Symantec or McAfee websites. So I answered the email asking which antivirus they were using.

    I got an answer, in English. It said something about the person to whom I sent the email. The funny thing is that the address from which I got the email wuzn't the same anymore, it wuz some: XXXEmpresaSPAM@terra.com.pe

    As u can see, it wuz an email from Peru (pe, where I live) from a free webclient, and it said clearly SPAM. I asked around and some ppl told me that's a new way of spam. I keep gettin' those; sometimes I don't get 'em in months, sometimes I get 'em 2ice a day. My antivirus (Norton) won't detect it, so I think I am pretty sure of wut I am sayin'.

    Also, this is a copy of the last email I received:

    ****************************************************
    Nuestro detector de virus ha sido activado por un mensaje enviado por Usted:
    A: info@vochomania.com.mx
    Asunto: read it immediately
    Fecha: Thu Apr 29 09:45:46 2004
    Las partes del mensaje que estaban infectadas no han sido enviadas.

    Este mensaje es sólo para avisarle de que su sistema puede tener un virus
    y debería verificarlo.

    El detector de virus dijo lo siguiente acerca del mensaje:
    Informe: document_all.zip contains Worm.SomeFool.P


    --
    MailScanner
    Protección contra Virus de E-mail
    www.mailscanner.info
    ******************************************************

    I know it is in Spanish but:

    1st: A decent antivirus company doesn't have writing mistakes, and this email has some.
    2nd: Check the website... not a decent website for an antivirus company, just 1 plain HTML page, that's all the site.

    Well, I hope this proves my point, or at least makes u think about it.

    Pleez, if I am wrong write me, cuz I don't wanna have a virus in my PC. lol...

    Take care

    Diego Ferreyra
    diegoferreyra@speedy.com.pe
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    www.google.com > paste in the name Worm.SomeFool.P and see over 800 hits.
    I told you in my first message it is an alias (other name) for Netsky.Q.
    Now with the over 800 hits you see the name is used more frequently thanks to the spam messages.
    Really, Google is your friend here if you refuse to believe my answers.
    Two more things: please, if you get such an infection, forward it to submit@diamond.com.au where the lab will tell you exactly what to do and what it is.
    Next go to www.kaspersky.com/remoteviruschk.html , scroll to where you can online submit the email complete with code, and in a few seconds you have the reply on your screen.
    There might be a new variant, so it is always interesting to know the expert replies from those two addresses I just gave you.
    Thanks in advance.


    Here's some site owner's blocklist for several days:
    http://hosting.boys-brigade.org.uk/mrtg/
    and the name reference - ClamAV names it this name, others not.
    http://www.nfllab.com/projects/cvnr/
     
    Last edited: Apr 29, 2004
  15. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Here's what I managed, hope it's the right thing.
    / H

    Logfile of HijackThis v1.97.7
    Scan saved at 10:04:51 PM, on 5/3/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\AOTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\WINWAN\WINWAN.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
    O2 - BHO: (no name) - {E3FE3EEE-D170-BD2B-DD71-A2E317CC48D0} - C:\windows\system\ozxwrnvx.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINDOWS\SYSTEM\FWNTOOLBAR.DLL
    O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AOTray] AOTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [] c:\WINDOWS\System\
    O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [winwan ml075e] "c:\program files\winwan\winwan.exe"
    O4 - HKLM\..\Run: [<H] c:\WINDOWS\System\<HEAD>
    O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System\ <TITLE>Error</TITLE>
    O4 - HKLM\..\Run: [</H] c:\WINDOWS\System\</HTML>
    O4 - HKLM\..\Run: [<B] c:\WINDOWS\System\<BODY>
    O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System\The site you have requested doesn't exist.
    O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System\The associated domain name has probably been reserved by a client from
    O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
    O4 - HKLM\..\Run: [</B] c:\WINDOWS\System\</BODY>
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [<H] c:\WINDOWS\System\<HEAD>
    O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System\ <TITLE>Error</TITLE>
    O4 - HKCU\..\Run: [</H] c:\WINDOWS\System\</HTML>
    O4 - HKCU\..\Run: [<B] c:\WINDOWS\System\<BODY>
    O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System\The site you have requested doesn't exist.
    O4 - HKCU\..\Run: [] c:\WINDOWS\System\
    O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System\The associated domain name has probably been reserved by a client from
    O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
    O4 - HKCU\..\Run: [</B] c:\WINDOWS\System\</BODY>
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://chat.msn.com
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Hans 01,

    First, download and run RapidBlaster killer from: http://www.wilderssecurity.net/specialinfo/rapidblaster.html

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

    O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\HH.DLL
    O2 - BHO: (no name) - {E3FE3EEE-D170-BD2B-DD71-A2E317CC48D0} - C:\windows\system\ozxwrnvx.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
    O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

    O4 - HKLM\..\Run: [] c:\WINDOWS\System\

    O4 - HKLM\..\Run: [winwan ml075e] "c:\program files\winwan\winwan.exe"
    O4 - HKLM\..\Run: [<H] c:\WINDOWS\System\<HEAD>
    O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System\ <TITLE>Error</TITLE>
    O4 - HKLM\..\Run: [</H] c:\WINDOWS\System\</HTML>
    O4 - HKLM\..\Run: [<B] c:\WINDOWS\System\<BODY>
    O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System\The site you have requested doesn't exist.
    O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System\The associated domain name has probably been reserved by a client from
    O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
    O4 - HKLM\..\Run: [</B] c:\WINDOWS\System\</BODY>
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

    O4 - HKCU\..\Run: [<H] c:\WINDOWS\System\<HEAD>
    O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System\ <TITLE>Error</TITLE>
    O4 - HKCU\..\Run: [</H] c:\WINDOWS\System\</HTML>
    O4 - HKCU\..\Run: [<B] c:\WINDOWS\System\<BODY>
    O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System\The site you have requested doesn't exist.
    O4 - HKCU\..\Run: [] c:\WINDOWS\System\
    O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System\The associated domain name has probably been reserved by a client from
    O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
    O4 - HKCU\..\Run: [</B] c:\WINDOWS\System\</BODY>

    Then reboot and delete:
    C:\WINDOWS\BXXS5.DLL

    This one is unknown to me:
    O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINDOWS\SYSTEM\FWNTOOLBAR.DLL
    If FWN stands for Find Whatever Now then add it to the list above.

    Could you post a new log when you are done, in case we missed something.

    Regards,

    Pieter
     
  17. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Hi, followed your instructions to the letter, but could not find any file C:\WINDOWS\BXXS5.DLL (nor could "Start\Find\C-drive"). There's still something amiss -
    1) Something tries to connect to the internet when I'm working off-line. The connection window pops up but stays away when I close it. It's different from the normal connection window in that the button labelled "Work Off-Line" is called "Cancel". It's a minor nuisance only.
    2) Frequently (nearly 100%) I get a "faulty" internet connection when going on-line. Faulty, in the sense that many illustrations are replaced by white boxes with a red cross inside. Right-click and "Show Picture" doesn't work.
    This is often a problem, i.e. executable buttons are not shown, so either I have to guess / remember or forget about it.

    I don't know what the FWNTOOLBAR is either. Under "Properties\Version" it says Copyright : Microsoft. I left it in as I haven't got a clue what it is, does or stands for.

    The new log - (ie after actioning your instructions)

    Logfile of HijackThis v1.97.7
    Scan saved at 11:17:30 PM, on 5/5/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\AOTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
    C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\RAPIDBLASTER\RB32.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINDOWS\SYSTEM\FWNTOOLBAR.DLL
    O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AOTray] AOTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [rb32 ml075e] "c:\program files\RapidBlaster\rb32.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://chat.msn.com
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab

    Regards,
    / H
     
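As an added aside to the two logs above (example code written for this page, not a tool posted in the thread and not part of HijackThis), the Python below reads excerpts copied from Hans's before and after logs, flags the O4 Run entries whose value data cannot be a program launch (an empty value name, HTML markup, or a sentence of English in place of a command: the parked-domain error page visible in the first log), and diffs the two logs so removed and newly appeared items stand out. The heuristics are the example's own; they catch only entries that cannot be programs, so an ordinary-looking executable such as the winwan entry Pieter listed still needs a human and a reference list.

```python
"""Triage the HijackThis logs quoted in this thread: flag O4 Run values that
cannot launch a program, and diff the before/after logs.
Added example, not a tool posted in the thread and not part of HijackThis. The
log excerpts are copied from Hans's posts; the heuristics are the example's own."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Registry autorun entry as HijackThis prints it:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ITEM_RE = re.compile(r"^(R\d|O\d+) - ")  # any HijackThis item line, not header/process list
EXECUTABLE_RE = re.compile(r"\.(exe|com|bat|dll)\b", re.I)

# Excerpt of the first log (before Pieter's fix list), copied from the thread.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINDOWS\SYSTEM\FWNTOOLBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [] c:\WINDOWS\System\
O4 - HKLM\..\Run: [winwan ml075e] "c:\program files\winwan\winwan.exe"
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System\<HEAD>
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# Excerpt of the second log (after the fix), copied from the thread.
AFTER_LOG = r"""
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINDOWS\SYSTEM\FWNTOOLBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [rb32 ml075e] "c:\program files\RapidBlaster\rb32.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

@dataclass(frozen=True)
class RunEntry:
    hive: str  # HKLM or HKCU
    key: str   # Run or RunServices
    name: str  # value name shown in [brackets]
    cmd: str   # value data: what Windows executes at logon

def parse_run_entries(log: str) -> list[RunEntry]:
    """Extract the O4 registry Run/RunServices entries from a HijackThis log."""
    return [RunEntry(**m.groupdict())
            for m in (O4_RE.match(l.strip()) for l in log.splitlines()) if m]

def why_suspicious(e: RunEntry) -> Optional[str]:
    """Reason the value data cannot be a program launch, or None if it looks like one.
    Hans's log carries lines of a parked-domain HTML error page as Run values."""
    cmd = e.cmd.strip()
    if not e.name.strip():
        return "empty value name"
    if "<" in cmd or ">" in cmd:
        return "HTML markup in command"
    if cmd.endswith("\\"):
        return "bare directory, launches nothing"
    last = cmd.split("\\")[-1]  # final path component: exe name, or prose if bogus
    if not EXECUTABLE_RE.search(last) and len(last.split()) >= 3:
        return "command text is prose, not an executable"
    return None

def triage(log: str) -> list[tuple[str, str]]:
    """(value name, reason) for every Run entry the heuristics reject, in log order."""
    return [(e.name, r) for e in parse_run_entries(log) if (r := why_suspicious(e))]

def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Item lines removed by the fix, and item lines that newly appeared."""
    def items(log: str) -> set[str]:
        return {l.strip() for l in log.splitlines() if ITEM_RE.match(l.strip())}
    b, a = items(before), items(after)
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    for name, reason in triage(BEFORE_LOG):
        print(f"suspicious Run value [{name}]: {reason}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} item(s) gone after the fix, {len(added)} new:")
    for line in added:
        print("  + " + line)
```

On these excerpts it flags five Run values and reports eight items gone and one new after the fix. The regular expression covers only the registry O4 lines (HKLM/HKCU Run and RunServices); Startup-folder O4 lines and the other item types are not parsed into entries but still take part in the diff.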
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    A good start now would be to get all the Windows and IE updates.

    If you can send me this file by mail:
    C:\WINDOWS\SYSTEM\FWNTOOLBAR.DLL
    I'll gladly have a look to see whether it's bad news or not. I think so, since I can't imagine it is really by Microsoft.

    I will PM you my address.

    Regards,

    Pieter
     
  19. Oh my god - ok, the first piece of advice would have been to say the email from the person in the first post was most likely spoofed. If virus definitions are up to date and you have run a full system scan, your email address was probably spoofed, and you don't have a virus!

    I can't see why IT people so enjoy tormenting people with techno babble and forcing them to do needless tasks.

    My advice is, if you are concerned about internet security, buy internet scanner and virus scanner software from Symantec (Norton). Keep that up to date, ignore suspicious emails, don't visit dodgy websites, and maybe install a piece of firewall software.

    Geez, all that screen-dumping and telling people to delete system files, you could end up doing more damage to a system which may not even have a virus!!!
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Dear Some Randum Guy,
    To avoid damage to other people's valuable systems, you see we help them step by step through processes and no unnecessary file is ever deleted, trying to save systems from reformatting and data loss.
    In the case above you see a file is submitted to an expert for deeper study before the user is advised to delete it.
    Further you see what looks like an HTML page which added itself to the registry in the O4 lines is fixed, and an infection.
    The people here are experienced in what they do and respect users' systems.
    About your advice re Norton, that's a personal opinion. Just look through the forums at people with Norton properly installed and fully updated, and look in the HijackThis log postings and other threads. You won't get disappointed.
    See it as an extra option on a system but not as the only option.
    I'm for layered protection and second opinions etc., as you can see visiting the DiamondCS forums for instance.
    And we all learn from what's happening here.
     
  21. Hans 01

    Hans 01 Registered Member

    Joined:
    Oct 16, 2003
    Posts:
    49
    Well Folks,
    Thanks to the help I received I now have regained my previous PC speed and my e-mail is not crammed full of weird e-mails (all with attachments) from unknown senders.
    I can only conclude that the Wilders advice was good and did the trick.
    As for Norton, I bought another anti-virus which scored "best buy" in a magazine comparison article. How else can a novice decide what to buy?
    Thanks again, Wilders,
    / H
     
  22. miniSage

    miniSage Guest

    My System:
    Windows XP (Still Service Pack 1 for the moment) Pro
    (Hardware not really important)

    That stupid FWN crap....yea....think I might finally be rid of it. There is also a WFWNNET.DRV file in /%SystemDir%/System that I think is responsible for some headaches. I could be wrong on this, but that's just about the only thing I was able to scrounge up. I've been at this for about 8 hours now. I've just about run out of tricks. Think I might be rid of it though, as I can still browse. Darn thing was shooting me to an MSN default "Sorry we can't find blahblahblah, are you sure you typed it correctly?" Anyway, hope this helps someone. The last 3 letters of that file (prior to extension) may be different, your mileage may vary, some settling of product likely to occur during shipping. Void Where Prohibited.
     
  23. miniSage

    miniSage Guest

    Almost forgot. That FWN stuff is from findwhatevernow.com EVIL EVIL corporation that just serves to spy and spam people. Watch out for it being buried in with stupid little applications and programs (kinda like all that GAIN advertising junk, but MUCH more annoying). If you have that goofy toolbar...well, sorry, but it's a pain to remove. Start in control panel, delete the directory it has, that stupid dll file, and that .drv file and it should be gone.
     