
w32.welchia.worm : Argh!


Original Message
Name: Chris Barraclough
Date: November 23, 2003 at 06:49:51 Pacific
Subject: w32.welchia.worm : Argh!
OS: Windows XP
CPU/Ram: 1.6 Ghz, 256 MB
Comment:

Norton antivirus detected some files infected with the w32.welchia.worm virus. I tried to scan my PC with Norton antivirus but it wouldn't load. I tried searching for the files (TFTP1756, TFTP2404 and TFTP4044) but I couldn't find them in the specified directory (C:/windows/system32) and the Search For Files option doesn't work either. I downloaded the removal tool recommended in a previous thread, but it claimed that the virus is not on my PC. Little things don't work anymore like MSN and copying and pasting from web pages, documents, etc. Also, I occasionally get the message that my computer will restart in 60 secs, just like the MSBlast virus (which I also had), which I stop using 'shutdown -a'. Tried looking in task manager, can't see MSBlast.exe. What's going on?? Feel like I'm going insane! Please help!




Response Number 1
Name: tamtam
Date: November 23, 2003 at 06:57:23 Pacific
Reply:

Go to the Symantec website and download this removal tool http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
Scan your PC again with free online scans from PC Flank, Housecall or RAV.



Response Number 2
Name: Chris Barraclough
Date: November 23, 2003 at 07:04:41 Pacific
Reply:

Tried it, it said I don't have the virus! Forgot to mention something very important: before all this happened I launched the Windows XP update, but the update I downloaded made my PC really slow so I did a system restore to just before I upgraded. Could this have caused it somehow??



Response Number 3
Name: wawadave
Date: November 23, 2003 at 08:25:02 Pacific
Reply:

Hello,
There have been several Windows updates that have caused serious problems on people's computers.



Response Number 4
Name: tamtam
Date: November 23, 2003 at 08:47:14 Pacific
Reply:

Read the following threads; perhaps you were infected while updating.
http://www.computing.net/windowsxp/wwwboard/forum/76538.html
Removal tips and turning off system restore: http://www.computing.net/windowsxp/wwwboard/forum/76538.html
If those things don't help, download, update and run Spybot S&D. Also download HijackThis, perform a scan and post the log on this site.



Response Number 5
Name: Chris Barraclough
Date: November 23, 2003 at 11:15:39 Pacific
Reply:

Hi, thanks so much for your help. I ran HijackThis, any ideas if there's any problems in this log?

Logfile of HijackThis v1.97.7
Scan saved at 19:10:33, on 23/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\khooker.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\WINDOWS\System32\kernel32.exe
C:\Program Files\Altnet\Points Manager\Points Manager.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\MMTrayLSI.exe
C:\WINDOWS\System32\MMTray2k.exe
C:\WINDOWS\System32\rundll32.exe
C:\Chris\QuickTime\qttask.exe
C:\Chris\AIM\aim.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Chris\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowenhancer.com/searchbar/iev1.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.windowenhancer.com/nph-WESearch.cgi?partner=wesearch&kw=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nimrodonline.dhs.org
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.windowenhancer.com/nph-WESearch.cgi?partner=wesearch&kw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.windowenhancer.com/searchbar/iev1.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.windowenhancer.com/nph-WESearch.cgi?partner=wesearch&kw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.packardbell.co.uk/center
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.windowenhancer.com/nph-WESearch.cgi?partner=wesearch&kw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.windowenhancer.com/nph-WESearch.cgi?partner=wesearch&kw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.windowenhancer.com/nph-WESearch.cgi?partner=wesearch&kw=
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\winex\v2\winex.DLL
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.yahoo.co.uk"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\cjz4nxt6.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Chris\Application Data\Mozilla\Profiles\default\cjz4nxt6.slt\prefs.js)
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\winex\v2\winex.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp4,0,2,10.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [KERNEL32] kernel32.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTrayLSI] MMTrayLSI.exe
O4 - HKLM\..\Run: [MMTray2K] MMTray2k.exe
O4 - HKLM\..\Run: [WindowEnhancer] "C:\Program Files\winex\v2\winex.EXE" /U
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Chris\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [KERNEL32] kernel32.exe
O4 - HKCU\..\Run: [AIM] C:\Chris\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DailyFHMCluster] Uninstaller will remove
O4 - HKCU\..\Run: [FHMCluster] C:\Program Files\Daily FHM\skinkers.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Packard Bell (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.3723148148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4_0_2_10.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2EEADAF8-4B13-4DC7-8A03-F7DD36DED5FF}: NameServer = 194.74.65.69 194.72.9.38
O17 - HKLM\System\CS1\Services\Tcpip\..\{2EEADAF8-4B13-4DC7-8A03-F7DD36DED5FF}: NameServer = 194.74.65.69 194.72.9.38





Response Number 6
Name: tamtam
Date: November 23, 2003 at 11:52:59 Pacific
Reply:

Hi Chris,
I'm not ready yet to take all the bad lines out of your log, just starting to learn it.
I do see some but will certainly miss others, but I'm afraid to let you erase things that should be left in place. Normally one of the really good guys like Tom41 will help you now. There is also another possibility and that is to find those lines by the HijackThis tutorial at http://www.spywareinfo.com/~merijn/htlogtutorial.html
Success


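A way to pre-screen a HijackThis log for the kinds of entries tamtam is talking about, as an added Python example that is not part of this thread or of HijackThis itself: it flags O10 Winsock hijacks, unnamed BHOs, autoruns with no path or named after a system DLL, and start/search pages outside an allowlist. The sample lines are copied from the log posted above; TRUSTED_HOSTS and the heuristics themselves are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of hosts you expect as start/search pages; tailor it to your own setup.
TRUSTED_HOSTS = {"www.google.com", "www.msn.com", "www.yahoo.co.uk"}
# Real Windows system DLL names; an autorun .exe carrying one of these is not a Microsoft file.
SYSTEM_DLL_NAMES = {"kernel32", "user32", "ntdll", "advapi32", "gdi32"}

O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[013] - .*= (?P<value>\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")

# Sample input: a handful of lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nimrodonline.dhs.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.windowenhancer.com/nph-WESearch.cgi?partner=wesearch&kw=
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [KERNEL32] kernel32.exe
O4 - HKLM\..\RunServices: [KERNEL32] kernel32.exe
O10 - Hijacked Internet access by New.Net
"""


def check_line(line):
    """Return a reason if the HijackThis line deserves a closer look, else None."""
    if line.startswith("O10 - "):
        return "Winsock LSP hijack (O10): a third-party DLL sits in the TCP/IP stack"
    if m := O4_RE.match(line):
        cmd = m.group("cmd").strip()
        # Quoted commands may contain spaces; unquoted ones end at the first space.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
        stem = re.sub(r"\.exe$", "", exe.rsplit("\\", 1)[-1].lower())
        if stem in SYSTEM_DLL_NAMES:
            return f"autorun named after a system DLL ({exe}): not a Microsoft binary"
        if "\\" not in exe:
            return f"autorun with no path ({exe}): found via the search path, verify on disk"
    elif m := R_RE.match(line):
        host = urlparse(m.group("value")).hostname or m.group("value")
        if host not in TRUSTED_HOSTS:
            return f"browser start/search page points at untrusted host {host}"
    elif (m := O2_RE.match(line)) and m.group("name") == "(no name)":
        return f"unnamed BHO loaded from {m.group('path')}"
    return None


def triage(log_text):
    """Run check_line over every line; return [(line, reason), ...] for flagged entries."""
    pairs = [(ln.strip(), check_line(ln.strip())) for ln in log_text.splitlines()]
    return [(ln, reason) for ln, reason in pairs if reason]
```

A hit means "look at this entry", not "delete it"; confirm what the file on disk actually is before fixing anything with HijackThis.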

Response Number 7
Name: LiQuiD7
Date: November 23, 2003 at 20:09:07 Pacific
Reply:

1 - I would advise you to first go here:
http://cwashington.netreach.net/depo/default.asp?topic=results
There is a removal tool that will remove it!!!
2 - Go here, read this carefully: http://grc.com/dcom/
3 - Download that tool, disconnect from the net and
check if your DCOM service is open and port 135.
4 - Close port 4444 (Welchia/Blaster), 135 and all ports you don't
need to be opened!
Go to: Administrative Tools - Services
Stop all services you don't need or that make you vulnerable like:
telnet, print spooler, RCP CALL, messenger, workstation, IMAPI CD burning COM
and all services you don't need.
5 - Reboot
6 - Update your AV & FW
7 - Be aware, 2004 will be a boom viral year!!!

(Yes, I got Ad-Aware, and I got a lot of spyware on this box, don't know how to remove it though.)







