Computer Virus


Name: Les
Date: December 11, 2003 at 04:00:53 Pacific
OS: XP Home
CPU/Ram: 512
Comment:

I suspect that I have some type of virus. Each time I log onto the internet I receive several error messages that state “this email could not be delivered,” when in fact I have not sent any emails to anyone. Also, I receive approximately 8-10 undelivered e-mail notifications. Also, I receive an email from Mircosoft.com with an attachment stating that I need to install the critical update that is attached. I uninstalled and re-installed my ISP and my web browser. I updated my antivirus software and scanned my system. I ran Ad-aware and Spybot, and visited several web sites and scanned my system online, and each time I am told that there was no virus found on my system.

Can someone help me identify the virus and give help in deleting it??? Thanks




Response Number 1
Name: murve
Date: December 11, 2003 at 06:38:18 Pacific
Reply:

hi les,
hope you did not open up the email with the Microsoft patch. It's a virus: the W32.Swen.A@mm or W32.Gibe.B@mm (Swen/Gibe) virus.
If you opened the attachment and are virused, you can get the fix on the Symantec website.
Microsoft never sends anyone (individually) a personalized message (they would have to send billions). If you didn't open it, good.
Scan your machine with HijackThis and send it over; someone will help you with the analysis.
hope this helps, all the best,
murve



Response Number 2
Name: edsod
Date: December 11, 2003 at 06:43:10 Pacific
Reply:

If you checked DIFFERENT sites that scan for viruses online and all found you clean, you're clean!

A very good one is

http://housecall.antivirus.com/housecall/start_corp.asp

and for trojans

http://www.trojanscan.com/

You can also download the free trial of
another av program like NOD32 or VirusChaser
that are very good

http://www.viruschaser.com/Eng/index.jsp

and try...



Response Number 3
Name: blender
Date: December 11, 2003 at 08:54:00 Pacific
Reply:

A side note to add to advice murve gave.
As well as Microsoft never sending patches through email... neither do antivirus companies. There are some worms running around out there that supposedly come from several antivirus companies with an update or patch... MS or AV companies do not send attachments.

As far as it looking like you sent the email...most likely someone that has your email addy in their address book is infected. Several email worms will spoof the from field of the email making it look like it came from you. If those bounce back messages have attachments....delete them too!
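
The spoofed-sender situation described in this reply can be checked from the bounce itself. The following is an added example, not part of the original posts: it reads the copy of the returned message inside a bounce and compares the IP that handed it to the rejecting server with the networks your own mail leaves from. The bounce text, host names, addresses and the `my_nets` parameter are constructed assumptions.

```python
import email, ipaddress, re
from email.utils import parseaddr

# Constructed bounce for illustration; names and IPs are documentation values.
BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: les@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This email could not be delivered.
--b1
Content-Type: message/rfc822

Received: from pc (unknown [203.0.113.45])
 by mx.example.net; Thu, 11 Dec 2003 03:09:58 -0800
From: Les <les@example.org>
To: nobody@example.net
Subject: critical update

--b1--
"""

def returned_origin(bounce_text):
    """Return (From address, connecting IP) of the message quoted in a bounce."""
    for part in email.message_from_string(bounce_text).walk():
        if part.get_content_type() in ("message/rfc822", "text/rfc822-headers"):
            # Full copy is a nested message; headers-only copy is plain text.
            inner = (part.get_payload(0) if part.is_multipart()
                     else email.message_from_string(part.get_payload()))
            hops = inner.get_all("Received", [])
            # Hops are prepended, so the first header is the one written by
            # the server that rejected the mail (the only hop worth trusting).
            m = re.search(r"\[([0-9A-Fa-f.:]+)\]", hops[0]) if hops else None
            return parseaddr(inner["From"] or "")[1].lower(), m and m.group(1)
    return None, None

def is_backscatter(bounce_text, my_addr, my_nets):
    """True: mail claimed my address but was handed over from a foreign IP."""
    sender, ip = returned_origin(bounce_text)
    if not sender or not ip:
        return None  # bounce carries too little to decide
    mine = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in my_nets)
    return sender == my_addr.lower() and not mine
```

`my_nets` should list every address your legitimate mail leaves from, including your provider's outbound servers if you relay through them.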



Response Number 4
Name: Les
Date: December 11, 2003 at 13:05:09 Pacific
Reply:

Murve,
Following are the results of scanning my system.
Logfile of HijackThis v1.97.7
Scan saved at 3:47:13 PM, on 12/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Speaking Clock\SpClock.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\HistoryKill\histkill.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\Documents and Settings\user\My Documents\My Download Files\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.juno.com/s/sp/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.exe /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.exe
O4 - HKLM\..\Run: [TweakDUN] C:\Program Files\TweakDUN\tweakdun.exe splash
O4 - HKLM\..\Run: [NAV Agent] C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVAPW32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.exe
O4 - HKCU\..\Run: [Speaking Clock Lite] C:\Program Files\Speaking Clock\SpClock.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d2c89f68a1bb5a/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37964.7347800926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



Response Number 5
Name: murve
Date: December 11, 2003 at 14:33:44 Pacific
Reply:

hi les,
your scan results seem to be ok. maybe someone out there can add to the analysis.
although i would do a check on the Watch.exe file.
in some instances that file is known as a crack tool trojan.
if you find it in your processes and your windows directory then you should google it and note the info.
you will have to delete the file from your processes and from the windows directory.
hope this helps,
murve
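
The check suggested in this reply (an autostart entry whose file is both in the running processes and under the Windows directory) can be run over a HijackThis log mechanically. The following is an added example, not part of the original posts and not HijackThis code: it parses an excerpt of the log posted above and lists the O4 entries that meet both conditions. The function names and the `C:\WINDOWS\` prefix test are assumptions of this sketch, and the result is a list of files to look up, not a verdict.

```python
import re
from ntpath import basename

# Excerpt of the HijackThis log posted in this thread (not the full log).
LOG = r"""Running processes:
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program Files\Speaking Clock\SpClock.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [TweakDUN] C:\Program Files\TweakDUN\tweakdun.exe splash
O4 - HKCU\..\Run: [Speaking Clock Lite] C:\Program Files\Speaking Clock\SpClock.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 detail is either "HKxx\..\Run: [name] command" or "Startup: x.lnk = target".
O4 = re.compile(r"^(?P<src>[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>.+?) = )(?P<cmd>.+)$")
EXE = re.compile(r'"?(?P<path>.*?\.exe)', re.I)

def parse(log):
    """Split a log into running-process paths and (code, detail) entries."""
    procs, entries, in_procs = [], [], False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append(m.groups())
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
    return procs, entries

def triage(log):
    """Autostart (O4) entries whose binary is running from the Windows directory."""
    procs, entries = parse(log)
    running = {basename(p).lower(): p for p in procs}
    hits = []
    for code, detail in entries:
        m = O4.match(detail) if code == "O4" else None
        exe = EXE.match(m["cmd"]) if m else None
        live = running.get(basename(exe["path"]).lower()) if exe else None
        if live and live.lower().startswith("c:\\windows\\"):
            hits.append((m["src"], m["name"] or m["lnk"], live))
    return hits
```

On this excerpt the list contains both the AtiPTA entry and Watch.lnk, which shows why each hit still has to be looked up individually.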