Computing.Net > Forums > Security and Virus > XXXtoolbar & other aggressive popup


XXXtoolbar & other aggressive popup


Name: Ronensis
Date: December 10, 2003 at 03:46:37 Pacific
OS: win 2000
CPU/Ram: PIII 1.2GHz
Comment:

I am attacked by aggressive popups including "XXXtoolbar" and "caitlee.com" when I start up and on every IE operation, and popups all the time.
Tried "Spybot" and "Adaware" but they didn't clean them.

The log I get from HijackThis is:


Logfile of HijackThis v1.97.2
Scan saved at 10:02:03 AM, on 10-Dec-03
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\syscoig32.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\Altnet\Points Manager\Points Manager.exe
C:\WINNT\Commond.com
C:\aim.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINNT\System32\internat.exe
D:\Program Files\Babylon\Babylon.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Palm\HOTSYNC.exe
C:\Program Files\Avant Browser\abrowser.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
D:\Program Files\7-ZIP\7zFMn.exe
C:\DOCUME~1\ronen\LOCALS~1\Temp\7zO40FF.tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.msn.co.il/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.start.co.il/
R3 - URLSearchHook: PerfectNavBHO Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IMAQBoot] D:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msngerr] syscoig32.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [runla234] C:\WINNT\SYSTEM32\drivers\cache\files\cmdow.exe /run /hid C:\WINNT\SYSTEM32\drivers\cache\files\secure.bat
O4 - HKLM\..\Run: [rundl25] C:\WINNT\SYSTEM32\Microsoft\Crypto\jbs\files\cmdow.exe /run /hid C:\WINNT\SYSTEM32\Microsoft\Crypto\jbs\files\svshost.exe
O4 - HKLM\..\Run: [rundl732] C:\WINNT\SYSTEM32\Microsoft\Crypto\jbs\files\cmdow.exe /run /hid C:\WINNT\SYSTEM32\Microsoft\Crypto\jbs\files\secure.bat
O4 - HKLM\..\Run: [DOS Environment] C:\WINNT\Commond.com
O4 - HKLM\..\Run: [Services] C:\aim.exe
O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kasaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [Windows Shell] C:\WINNT\System32\Exploror.exe
O4 - HKLM\..\Run: [Windows Spool Services] spoolsvc32.exe
O4 - HKLM\..\RunServices: [msngerr] syscoig32.exe
O4 - HKLM\..\RunServices: [Windows Spool Services] spoolsvc32.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Babylon Translator] D:\Program Files\Babylon\Babylon.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msngerr] syscoig32.exe
O4 - HKLM\..\RunOnce: [msngerr] syscoig32.exe
O4 - Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: SurfSaver &QuickSave - D:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - D:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - D:\Program Files\askSam\SurfSaver\Search.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Broadbase E-Service LiveA - http://199.203.28.85/EU_yashir/eu1.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/277c97680953c1525505/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37704.2292361111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = optunoffice.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = optunoffice.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = optunoffice.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = optunoffice.com

What can I do to be able to work on my computer?

Please help!




Response Number 1
Name: Tom41
Date: December 10, 2003 at 05:34:13 Pacific
Reply:

Hi Ronensis,
You have quite a few viruses: Backdoor.Sumtax, Backdoor.Sdbot and a few unknowns.
Before we start the removal, go here and run an online virus scan to identify the unknowns. Copy the report and paste it in a reply.

Rav Online Scan




Response Number 2
Name: Ronensis
Date: December 11, 2003 at 00:01:29 Pacific
Reply:

That's the report I got from running Rav Online Scan (BTW: wasn't my Norton antivirus supposed to detect these viruses?):

Scan started at 10-Dec-03 6:18:09 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\cache.exe->(UPXW)->(RARSfx)->cache\files\remote.ini - IRC/Generic* -> Suspicious
C:\cache.exe->(UPXW)->(RARSfx)->cache\files\script.ini - IRC/Generic* -> Suspicious
C:\cache.exe->(UPXW)->(RARSfx)->cache\files\script1.ini - IRC/Generic* -> Suspicious
C:\cache.exe->(UPXW)->(RARSfx)->cache\files\script2.ini - IRC/Generic* -> Suspicious
C:\cache.exe->(UPXW)->(RARSfx)->cache\files\script3.ini - IRC/Generic* -> Suspicious
C:\cache.exe->(UPXW)->(RARSfx)->cache\files\script4.ini - IRC/Generic* -> Suspicious
C:\cache.exe->(RARSfx)->cache\files\remote.ini - IRC/Generic* -> Suspicious
C:\cache.exe->(RARSfx)->cache\files\script.ini - IRC/Generic* -> Suspicious
C:\cache.exe->(RARSfx)->cache\files\script1.ini - IRC/Generic* -> Suspicious
C:\cache.exe->(RARSfx)->cache\files\script2.ini - IRC/Generic* -> Suspicious
C:\cache.exe->(RARSfx)->cache\files\script3.ini - IRC/Generic* -> Suspicious
C:\cache.exe->(RARSfx)->cache\files\script4.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(UPXW)->(RARSfx)->JBS\files\remote.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(UPXW)->(RARSfx)->JBS\files\script.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(UPXW)->(RARSfx)->JBS\files\script1.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(UPXW)->(RARSfx)->JBS\files\script2.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(UPXW)->(RARSfx)->JBS\files\script3.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(UPXW)->(RARSfx)->JBS\files\script4.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(RARSfx)->JBS\files\remote.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(RARSfx)->JBS\files\script.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(RARSfx)->JBS\files\script1.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(RARSfx)->JBS\files\script2.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(RARSfx)->JBS\files\script3.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(RARSfx)->JBS\files\script4.ini - IRC/Generic* -> Suspicious
C:\msn9.exe - Backdoor:IRC/SdBot.gen! -> Infected
C:\os2.exe->(UPXW)->(RARSfx)->os2\msnq32.exe - Tool:HideWindows -> Infected
C:\os2.exe->(UPXW)->(RARSfx)->os2\swtm32.bat - Trojan:BAT/Noshare.F* -> Infected
C:\os2.exe->(UPXW)->(RARSfx)->os2\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
C:\test.exe->(UPXW)->(RARSfx)->tk32\msnq32.exe - Tool:HideWindows -> Infected
C:\test.exe->(UPXW)->(RARSfx)->tk32\swtm32.bat - Trojan:BAT/Noshare.F* -> Infected
C:\test.exe->(UPXW)->(RARSfx)->tk32\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
C:\tester.exe->(UPXW)->(RARSfx)->tk32\msnq32.exe - Tool:HideWindows -> Infected
C:\tester.exe->(UPXW)->(RARSfx)->tk32\swtm32.bat - Trojan:BAT/Noshare.F* -> Infected
C:\tester.exe->(UPXW)->(RARSfx)->tk32\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
C:\time.exe->(UPXW)->(RARSfx)->time\msnq32.exe - Tool:HideWindows -> Infected
C:\time.exe->(UPXW)->(RARSfx)->time\swtm32.bat - Trojan:BAT/Noshare.F* -> Infected
C:\time.exe->(UPXW)->(RARSfx)->time\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
C:\Documents and Settings\ronen\Local Settings\Temporary Internet Files\Content.IE5\YDSFU92T\webcam[1].exe - Tool:PornDialer.BP -> Infected
C:\Documents and Settings\ronen.LABTOP2\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1MLE5UP\pup[1].htm->(SCRIPT0000) - JS/Noclose* -> Infected
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20030924.008\0000NAV~.TMP - Backdoor:IRC/SdBot -> Infected
C:\WINNT\system32\msnv32.exe - Backdoor:IRC/SdBot -> Infected
C:\WINNT\system32\spoolsvc32.exe - Backdoor:IRC/SdBot.gen! -> Infected
C:\WINNT\system32\spread.exe - Backdoor:IRC/SdBot -> Infected
C:\WINNT\system32\drivers\cache\files\euh.exe - Backdoor:IRC/SdBot.gen! -> Infected
C:\WINNT\system32\drivers\cache\files\remote.ini - IRC/Generic* -> Suspicious
C:\WINNT\system32\drivers\cache\files\script.ini - IRC/Generic* -> Suspicious
C:\WINNT\system32\drivers\cache\files\script1.ini - IRC/Generic* -> Suspicious
C:\WINNT\system32\drivers\cache\files\script2.ini - IRC/Generic* -> Suspicious
C:\WINNT\system32\drivers\cache\files\script3.ini - IRC/Generic* -> Suspicious
C:\WINNT\system32\drivers\cache\files\script4.ini - IRC/Generic* -> Suspicious
C:\WINNT\system32\Microsoft\Crypto\JBS\files\remote.ini - IRC/Generic* -> Suspicious
C:\WINNT\system32\os2\msnq32.exe - Tool:HideWindows -> Infected
C:\WINNT\system32\os2\os2.exe->(UPXW)->(RARSfx)->os2\msnq32.exe - Tool:HideWindows -> Infected
C:\WINNT\system32\os2\os2.exe->(UPXW)->(RARSfx)->os2\swtm32.bat - Trojan:BAT/Noshare.F* -> Infected
C:\WINNT\system32\os2\os2.exe->(UPXW)->(RARSfx)->os2\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
C:\WINNT\system32\os2\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
C:\WINNT\system32\time\msnq32.exe - Tool:HideWindows -> Infected
C:\WINNT\system32\tk32\msnq32.exe - Tool:HideWindows -> Infected
C:\WINNT\system32\tk32\test.exe->(UPXW)->(RARSfx)->tk32\msnq32.exe - Tool:HideWindows -> Infected
C:\WINNT\system32\tk32\test.exe->(UPXW)->(RARSfx)->tk32\swtm32.bat - Trojan:BAT/Noshare.F* -> Infected
C:\WINNT\system32\tk32\test.exe->(UPXW)->(RARSfx)->tk32\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
C:\WINNT\system32\tk32\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
D:\Copy of ronen\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1MLE5UP\pup[1].htm->(SCRIPT0000) - JS/Noclose* -> Infected
D:\Data\Outlook\archive.pst->Attachment.8111: "gone.scr" - Win32/Goner.A@mm -> Infected
D:\Data\Outlook\archive.pst->Attachment.9046: "BMLFGFBM.EXE" - Win32/Hybris.C@mm -> Infected
D:\Data\Outlook\Copy of outlook.pst->Attachment.6291: "gone.scr" - Win32/Goner.A@mm -> Infected
D:\Data\Outlook\Copy of outlook.pst->Attachment.8608: "BMLFGFBM.EXE" - Win32/Hybris.C@mm -> Infected
D:\Data\Outlook\outlook.bak->Attachment.6291: "gone.scr" - Win32/Goner.A@mm -> Infected
D:\Data\Outlook\outlook.bak->Attachment.8608: "BMLFGFBM.EXE" - Win32/Hybris.C@mm -> Infected

Scanned
============================
Objects: 215096
Directories: 9446
Archives: 10234
Size(Kb): 540934
Infected files: 38

Found
============================
Viruses found: 10
Suspicious files: 31
Disinfected files: 0
Mail files: 4127



Response Number 3
Name: Tom41
Date: December 11, 2003 at 01:41:19 Pacific
Reply:

1. Open the task manager and end process on the following:
C:\WINNT\System32\syscoig32.exe
C:\WINNT\Commond.com
C:\aim.exe

2. Run HijackThis again and place a check in the box next to the following items. Double-check so as to be sure not to miss one.
Next, close all browser windows, and have HT 'fix checked'.

You must restart your computer in safe mode when you're done.

O4 - HKLM\..\Run: [msngerr] syscoig32.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [runla234] C:\WINNT\SYSTEM32\drivers\cache\files\cmdow.exe /run /hid C:\WINNT\SYSTEM32\drivers\cache\files\secure.bat
O4 - HKLM\..\Run: [rundl25] C:\WINNT\SYSTEM32\Microsoft\Crypto\jbs\files\cmdow.exe /run /hid C:\WINNT\SYSTEM32\Microsoft\Crypto\jbs\files\svshost.exe
O4 - HKLM\..\Run: [rundl732] C:\WINNT\SYSTEM32\Microsoft\Crypto\jbs\files\cmdow.exe /run /hid C:\WINNT\SYSTEM32\Microsoft\Crypto\jbs\files\secure.bat
O4 - HKLM\..\Run: [DOS Environment] C:\WINNT\Commond.com
O4 - HKLM\..\Run: [Services] C:\aim.exe
O4 - HKLM\..\Run: [Windows Shell] C:\WINNT\System32\Exploror.exe
O4 - HKLM\..\Run: [Windows Spool Services] spoolsvc32.exe
O4 - HKLM\..\RunServices: [msngerr] syscoig32.exe
O4 - HKLM\..\RunServices: [Windows Spool Services] spoolsvc32.exe
O4 - HKCU\..\Run: [msngerr] syscoig32.exe
O4 - HKLM\..\RunOnce: [msngerr] syscoig32.exe

Once in safe mode, delete the following:

Files:
C:\WINNT\System32\syscoig32.exe
C:\WINNT\Commond.com
C:\aim.exe
C:\WINNT\System32\Exploror.exe
C:\WINNT\system32\spoolsvc32.exe
C:\WINNT\system32\msnv32.exe
C:\WINNT\system32\spread.exe
C:\WINNT\system32\os2\wsmd32.dll
C:\WINNT\system32\os2\os2.exe

Folders:
C:\WINNT\SYSTEM32\Microsoft\Crypto\jbs
C:\WINNT\SYSTEM32\drivers\cache\files
C:\Program Files\Common files\updater
C:\WINNT\system32\time
C:\WINNT\system32\tk32

Empty the C:\Documents and Settings\ronen\Local Settings\Temporary Internet Files folder.
Delete the infected Outlook email messages.

Reboot to Windows and run another Rav scan and post the report.
Run Hijack again and post a new log.



Response Number 4
Name: Ronensis
Date: December 11, 2003 at 13:50:35 Pacific
Reply:

Thanks Tom41 for your help.

I tried doing all you advised but had some problems:

1. In Safe Mode I could not erase 15 of the \Temporary Internet Files, some of which are the popups I have like "caitlee.com".
2. I couldn't find any folder named "\jbs" in "C:\WINNT\SYSTEM32\Microsoft\Crypto".
3. Same with the file "C:\WINNT\system32\msnv32.exe".
4. How do I find the infected emails? (I ran a search on the attachment file name, but found nothing.)

Here is the report I got for the second run of Rav:

Scan started at 11-Dec-03 4:23:44 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\cache.exe->(UPXW)->(RARSfx)->cache\files\euh.exe - Backdoor:IRC/SdBot.gen! -> Infected
C:\JBS.exe->(UPXW)->(RARSfx)->JBS\files\remote.ini - IRC/Generic* -> Suspicious
C:\JBS.exe->(RARSfx)->JBS\files\remote.ini - IRC/Generic* -> Suspicious
C:\msn9.exe - Backdoor:IRC/SdBot.gen! -> Infected
C:\os2.exe->(UPXW)->(RARSfx)->os2\msnq32.exe - Tool:HideWindows -> Infected
C:\os2.exe->(UPXW)->(RARSfx)->os2\swtm32.bat - Trojan:BAT/Noshare.F* -> Infected
C:\os2.exe->(UPXW)->(RARSfx)->os2\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
C:\test.exe->(UPXW)->(RARSfx)->tk32\msnq32.exe - Tool:HideWindows -> Infected
C:\test.exe->(UPXW)->(RARSfx)->tk32\swtm32.bat - Trojan:BAT/Noshare.F* -> Infected
C:\test.exe->(UPXW)->(RARSfx)->tk32\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
C:\tester.exe->(UPXW)->(RARSfx)->tk32\msnq32.exe - Tool:HideWindows -> Infected
C:\tester.exe->(UPXW)->(RARSfx)->tk32\swtm32.bat - Trojan:BAT/Noshare.F* -> Infected
C:\tester.exe->(UPXW)->(RARSfx)->tk32\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
C:\time.exe->(UPXW)->(RARSfx)->time\msnq32.exe - Tool:HideWindows -> Infected
C:\time.exe->(UPXW)->(RARSfx)->time\swtm32.bat - Trojan:BAT/Noshare.F* -> Infected
C:\time.exe->(UPXW)->(RARSfx)->time\wsmd32.dll - Worm:IRC/Randon.Q* -> Infected
C:\Documents and Settings\ronen\Local Settings\Temporary Internet Files\Content.IE5\YDSFU92T\webcam[1].exe - Tool:PornDialer.BP -> Infected
C:\Documents and Settings\ronen.LABTOP2\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1MLE5UP\pup[1].htm->(SCRIPT0000) - JS/Noclose* -> Infected
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20030924.008\0000NAV~.TMP - Backdoor:IRC/SdBot -> Infected
C:\WINNT\system32\msnv32.exe - Backdoor:IRC/SdBot -> Infected
C:\WINNT\system32\Microsoft\Crypto\JBS\files\remote.ini - IRC/Generic* -> Suspicious
C:\WINNT\system32\os2\msnq32.exe - Tool:HideWindows -> Infected
D:\Copy of ronen\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1MLE5UP\pup[1].htm->(SCRIPT0000) - JS/Noclose* -> Infected
D:\Data\Outlook\archive.pst->Attachment.8111: "gone.scr" - Win32/Goner.A@mm -> Infected
D:\Data\Outlook\archive.pst->Attachment.9046: "BMLFGFBM.EXE" - Win32/Hybris.C@mm -> Infected
D:\Data\Outlook\Copy of outlook.pst->Attachment.6291: "gone.scr" - Win32/Goner.A@mm -> Infected
D:\Data\Outlook\Copy of outlook.pst->Attachment.8608: "BMLFGFBM.EXE" - Win32/Hybris.C@mm -> Infected
D:\Data\Outlook\outlook.bak->Attachment.6291: "gone.scr" - Win32/Goner.A@mm -> Infected
D:\Data\Outlook\outlook.bak->Attachment.8608: "BMLFGFBM.EXE" - Win32/Hybris.C@mm -> Infected

Scanned
============================
Objects: 210900
Directories: 9429
Archives: 10217
Size(Kb): 433892
Infected files: 26

Found
============================
Viruses found: 10
Suspicious files: 3
Disinfected files: 0
Mail files: 4124

Here is the Hijack log:

Logfile of HijackThis v1.97.2
Scan saved at 11:44:08 PM, on 11-Dec-03
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\svchost.exe
C:\WINNT\System32\internat.exe
D:\Program Files\Babylon\Babylon.exe
D:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Avant Browser\abrowser.exe
D:\Palm\HOTSYNC.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.exe
D:\Program Files\7-ZIP\7zFMn.exe
C:\DOCUME~1\ronen\LOCALS~1\Temp\7zO957.tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.msn.co.il/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.start.co.il/
R3 - URLSearchHook: PerfectNavBHO Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IMAQBoot] D:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kasaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [SVCHOST] C:\WINNT\svchost.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Babylon Translator] D:\Program Files\Babylon\Babylon.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: SurfSaver &QuickSave - D:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - D:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - D:\Program Files\askSam\SurfSaver\Search.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Broadbase E-Service LiveA - http://199.203.28.85/EU_yashir/eu1.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/277c97680953c1525505/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37704.2292361111
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = optunoffice.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7995F4D-733C-478C-A16E-7488D3C03445}: NameServer = 192.115.106.31 192.115.106.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = optunoffice.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = optunoffice.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = optunoffice.com

What should I do now?




Response Number 5
Name: Tom41
Date: December 11, 2003 at 23:24:13 Pacific
Reply:

Make sure you are able to view hidden files and folders when searching for those files.
Open any folder and click Tools > Folder Options > View tab. Select 'show hidden files and folders'.

You can also try running an online virus scan at any of these and choose 'Auto clean'.

http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/activescan/com/
http://housecall.antivirus.com/


Run HijackThis again and place a check in the box next to the following items. Next, close all browser windows, and have HT 'fix checked'.

You must restart your computer when you're done.

R3 - URLSearchHook: PerfectNavBHO Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [SVCHOST] C:\WINNT\svchost.exe

After restarting delete C:\WINNT\svchost.exe.



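Added example, not code from this thread, from HijackThis or from any scanner named here: a small Python triage pass over O4 autostart lines that encodes the patterns Tom41 used to single out the bad Run entries in Responses 3 and 5, namely misspelled imitations of Windows binaries (Commond.com, Exploror.exe, spoolsvc32.exe, svshost.exe), a genuine system name started from the wrong directory (C:\WINNT\svchost.exe), executables sitting in the drive root (C:\aim.exe), and loaders started hidden through cmdow.exe /hid. The sample lines are copied from the logs above; the expected directories assume Windows 2000 installed in C:\WINNT, and entries with unfamiliar bare names such as syscoig32.exe are deliberately left unflagged, because that call needs a reference list these heuristics do not carry.

```python
import re

# One O4 line as HijackThis 1.97 prints it: "O4 - HKLM\..\Run: [entry name] command line".
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# The program at the front of the command line, quoted or not (paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|scr))"?(?:\s|$)', re.IGNORECASE)
# Every file name mentioned anywhere in the command line (cmdow.exe starts a second file).
NAME_RE = re.compile(r'([^\\/:\s"]+\.(?:exe|com|bat|scr))', re.IGNORECASE)

# Windows binaries the malware in this thread imitated, with the directory each normally
# lives in. Assumption: Windows 2000 installed in C:\WINNT, as in the logs above.
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\winnt\system32",
    "spoolsv.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
    "command.com": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
}

# Constructed sample: O4 lines copied from the logs in this thread, benign and malicious mixed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [msngerr] syscoig32.exe
O4 - HKLM\..\Run: [runla234] C:\WINNT\SYSTEM32\drivers\cache\files\cmdow.exe /run /hid C:\WINNT\SYSTEM32\drivers\cache\files\secure.bat
O4 - HKLM\..\Run: [rundl25] C:\WINNT\SYSTEM32\Microsoft\Crypto\jbs\files\cmdow.exe /run /hid C:\WINNT\SYSTEM32\Microsoft\Crypto\jbs\files\svshost.exe
O4 - HKLM\..\Run: [DOS Environment] C:\WINNT\Commond.com
O4 - HKLM\..\Run: [Services] C:\aim.exe
O4 - HKLM\..\Run: [Windows Shell] C:\WINNT\System32\Exploror.exe
O4 - HKLM\..\RunServices: [Windows Spool Services] spoolsvc32.exe
O4 - HKLM\..\Run: [SVCHOST] C:\WINNT\svchost.exe
O4 - Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.exe
"""


def edit_distance(a, b):
    # Levenshtein distance: catches one- or two-letter misspellings of a real binary name.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    # Digits are stripped first so spoolsvc32.exe is compared as spoolsvc.exe.
    stripped = re.sub(r"\d", "", filename.lower())
    for real in SYSTEM_BINARIES:
        if 0 < edit_distance(stripped, real) <= 2:
            return real
    return None


def parse_o4(line):
    # Fields of one O4 Run/RunServices/RunOnce line; None for Startup-folder and other lines.
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_entry(entry):
    # Every reason this autostart entry looks suspicious (empty list means nothing tripped).
    reasons = []
    cmd = entry["cmd"]
    exe = EXE_RE.match(cmd)
    path = exe.group("path") if exe else cmd
    dirname, _, base = path.rpartition("\\")
    base_l = base.lower()
    for name in NAME_RE.findall(cmd):
        real = lookalike_of(name)
        if real:
            reasons.append(f"{name} imitates {real}")
    if dirname:  # absolute path given, so location checks apply
        if base_l in SYSTEM_BINARIES and dirname.lower() != SYSTEM_BINARIES[base_l]:
            reasons.append(f"{base} started from {dirname}, not {SYSTEM_BINARIES[base_l]}")
        if re.fullmatch(r"[A-Za-z]:", dirname):
            reasons.append(f"executable in drive root: {path}")
    if base_l == "cmdow.exe" and "/hid" in cmd.lower():
        reasons.append("hidden launch via cmdow.exe /hid")
    return reasons


def triage_log(log):
    # Map entry name -> reasons, for every O4 entry that tripped at least one heuristic.
    flagged = {}
    for line in log.splitlines():
        entry = parse_o4(line)
        reasons = triage_entry(entry) if entry else []
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"[{name}]: " + "; ".join(reasons))
```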


Response Number 6
Name: Ronensis
Date: December 14, 2003 at 23:38:28 Pacific
Reply:

After a long run of http://www.pandasoftware.com/activescan/com/
that's the report I got (they say they can't disinfect these):


Incident Status Location

Bck/Sdbot.S No disinfected C:\euh.exe
Bck/IRC.Mirc.Based No disinfected C:\os2.exe[msmngr32.exe]
Bck/IRC.Mirc.Based No disinfected C:\os2.exe[os2.exe][msmngr32.exe]
Bck/IRC.Mirc.Based No disinfected C:\os2.exe[os2.exe][os2.exe][msmngr32.exe]
Trojan Horse No disinfected C:\os2.exe[os2.exe][os2.exe][swtm32.bat]
W32/Tzet.B.worm No disinfected C:\os2.exe[os2.exe][os2.exe][vlot.dll]
Trojan Horse No disinfected C:\os2.exe[os2.exe][swtm32.bat]
W32/Tzet.B.worm No disinfected C:\os2.exe[os2.exe][vlot.dll]
Trojan Horse No disinfected C:\os2.exe[swtm32.bat]
W32/Tzet.B.worm No disinfected C:\os2.exe[vlot.dll]
W32/Randex.T.worm No disinfected C:\Program Files\Common Files\Symantec Shared\VirusDefs\20030924.008\0000NAV~.TMP
Bck/IRC.Mirc.Based No disinfected C:\test.exe[msmngr32.exe]
Trojan Horse No disinfected C:\test.exe[swtm32.bat]
Bck/IRC.Mirc.Based No disinfected C:\test.exe[test.exe][msmngr32.exe]
Trojan Horse No disinfected C:\test.exe[test.exe][swtm32.bat]
Bck/IRC.Mirc.Based No disinfected C:\test.exe[test.exe][test.exe][msmngr32.exe]
Trojan Horse No disinfected C:\test.exe[test.exe][test.exe][swtm32.bat]
W32/Tzet.B.worm No disinfected C:\test.exe[test.exe][test.exe][vlot.dll]
W32/Tzet.B.worm No disinfected C:\test.exe[test.exe][vlot.dll]
W32/Tzet.B.worm No disinfected C:\test.exe[vlot.dll]
Bck/IRC.Mirc.Based No disinfected C:\tester.exe[msmngr32.exe]
Trojan Horse No disinfected C:\tester.exe[swtm32.bat]
Bck/IRC.Mirc.Based No disinfected C:\tester.exe[test.exe][msmngr32.exe]
Trojan Horse No disinfected C:\tester.exe[test.exe][swtm32.bat]
Bck/IRC.Mirc.Based No disinfected C:\tester.exe[test.exe][test.exe][msmngr32.exe]
Trojan Horse No disinfected C:\tester.exe[test.exe][test.exe][swtm32.bat]
W32/Tzet.B.worm No disinfected C:\tester.exe[test.exe][test.exe][vlot.dll]
W32/Tzet.B.worm No disinfected C:\tester.exe[test.exe][vlot.dll]
W32/Tzet.B.worm No disinfected C:\tester.exe[vlot.dll]
Bck/IRC.Mirc.Based No disinfected C:\time.exe[msmngr32.exe]
Trojan Horse No disinfected C:\time.exe[swtm32.bat]
W32/Tzet.B.worm No disinfected C:\time.exe[vlot.dll]
W32/Randex.T.worm No disinfected C:\WINNT\system32\metalrock-is-gay.exe
W32/Randex.P.worm No disinfected C:\WINNT\system32\msnv32.exe
W32/Randex.T.worm No disinfected C:\WINNT\system32\musirc4.71.exe
W32/Tzet.B.worm No disinfected C:\WINNT\system32\os2\vlot.dll
W32/Randex.T.worm No disinfected C:\WINNT\system32\SPREAD.ME

And that's the Hijack log I get now:

Logfile of HijackThis v1.97.2
Scan saved at 9:26:28 AM, on 15-Dec-03
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
D:\Program Files\Microsoft Office\Office\OUTLOOK.exe
C:\Program Files\Avant Browser\abrowser.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.exe
D:\Program Files\7-ZIP\7zFMn.exe
C:\DOCUME~1\ronen\LOCALS~1\Temp\7zO56E9.tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.msn.co.il/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.start.co.il/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IMAQBoot] D:\Program Files\National Instruments\NI-IMAQ\bin\ImaqBoot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KAZAA] D:\Program Files\Kasaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Babylon Translator] D:\Program Files\Babylon\Babylon.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O4 - Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: SurfSaver &QuickSave - D:\Program Files\askSam\SurfSaver\QuickSave.htm
O8 - Extra context menu item: SurfSaver Sav&e... - D:\Program Files\askSam\SurfSaver\Add.htm
O8 - Extra context menu item: SurfSaver Searc&h... - D:\Program Files\askSam\SurfSaver\Search.htm
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: Broadbase E-Service LiveA - http://199.203.28.85/EU_yashir/eu1.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/277c97680953c1525505/netzip/RdxIE601.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37704.2292361111
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = optunoffice.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F7995F4D-733C-478C-A16E-7488D3C03445}: NameServer = 192.115.106.31 192.115.106.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = optunoffice.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = optunoffice.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = optunoffice.com

What should I do now?


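As an added example (not from the poster, and not part of HijackThis itself), a small Python triage script that parses entries in the log format shown above and flags the items a forum helper usually checks first: O6 Internet Explorer policy restrictions, O16 ActiveX downloads served from a bare IP address, and O17 DNS server overrides. The sample log lines are constructed for this example using RFC 5737 documentation addresses, modelled on the post's format.

```python
import re
from ipaddress import ip_address

# Constructed sample in HijackThis v1.97 format (hypothetical values,
# not taken from the poster's machine).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://start.example/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O16 - DPF: Broadbase E-Service LiveA - http://192.0.2.10/EU_yashir/eu1.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{F7995F4D-733C-478C-A16E-7488D3C03445}: NameServer = 192.0.2.53 192.0.2.54
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O16 ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def parse_entries(text):
    """Return (section, body) tuples for each entry line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def host_is_bare_ip(url):
    """True when the URL's host is a literal IP address rather than a hostname."""
    m = re.match(r"https?://([^/:]+)", url)
    if not m:
        return False
    try:
        ip_address(m.group(1))
        return True
    except ValueError:
        return False


def triage(text):
    """Flag entries worth a second look; returns (section, reason, body) tuples."""
    findings = []
    for section, body in parse_entries(text):
        if section == "O6" and body.endswith("present"):
            findings.append((section, "IE policy restriction set; legitimate mainly on managed PCs", body))
        elif section == "O16" and host_is_bare_ip(body.rsplit(" - ", 1)[-1]):
            findings.append((section, "ActiveX control downloaded from a bare IP address", body))
        elif section == "O17" and "NameServer" in body:
            findings.append((section, "DNS servers set explicitly; confirm they belong to your ISP or domain", body))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the three flagged entries; the O2, O3 and O4 lines still need to be compared against known-good program paths by hand.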