I also had uninstalled Norton yesterday and installed Avast. When I ran it, it said it found some trojan stuff and one adware thing, and some of the files looked like the ones from that W32.Mytob.ED@mm worm that I thought we got rid of weeks ago - perhaps they were just remnants, though, and not active.
Here's the info from that - I deleted everything it said was infected.
7/16/2005 10:09:32 PM default 3164 Sign of "Win32:Trojano-1714 [Trj]" has been found in "C:\WINDOWS\dnnljdh.exe" file.
7/16/2005 10:21:53 PM default 3164 Sign of "Win32:Adan-104 [Adw]" has been found in "C:\WINDOWS\tlsxigjdv.exe" file.
7/16/2005 10:45:26 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS.eml#2803712\important-details.zip#619352719\important-details.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:30 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\You have successfully updated your password.eml#2720288\new-password.zip#110514495\new-password.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:30 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\Important Notification.eml#2636864\account-details.zip#4015516192\account-details.doc .exe\[Yoda]\[UPX]" file.
7/16/2005 10:47:30 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\Security measures.eml#2552912\account-info.zip#889252256\account-info.txt .exe\[Yoda]\[UPX]" file.
7/16/2005 10:47:30 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\Your password has been successfully updated.eml#2468960\email-password.zip#2104105021\email-password.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:30 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\WARNING MESSAGE- YOUR SERVICES NEAR TO BE CLOSED..eml#2385536\account-report.zip#3843741432\account-report.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:31 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\Your password has been updated.eml#3643760\updated-password.zip#1794715719\updated-password.doc .scr\[Yoda]\[UPX]" file.
7/16/2005 10:47:31 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Deleted Items.dbx\Rwjv.eml#3560336\account-report.zip#71893056\account-report.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:42 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Inbox.dbx\-DETECTED- Online User Violation.eml#21117392\account-report.zip#409807067\account-report.htm .scr\[Yoda]\[UPX]" file.
7/16/2005 10:47:48 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Sent Items.dbx\Security measures.eml#13269200\account-info.zip#889252256\account-info.txt .exe\[Yoda]\[UPX]" file.
7/16/2005 10:47:48 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Sent Items.dbx\Important Notification.eml#13354208\account-details.zip#4015516192\account-details.doc .exe\[Yoda]\[UPX]" file.
7/16/2005 10:47:48 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Sent Items.dbx\You have successfully updated your password.eml#13440272\new-password.zip#110514495\new-password.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:48 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Sent Items.dbx\YOUR ACCOUNT IS SUSPENDED FOR SECURITY REASONS.eml#13525280\important-details.zip#619352719\important-details.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:47:49 PM default 3164 Sign of "Win32:SdBot-1274 [Trj]" has been found in "C:\Documents and Settings\default\Application Data\Identities\{CE142344-9F3A-4AB2-9A1D-7198FC4CED8D}\Microsoft\Outlook Express\Sent Items.dbx\Rwjv.eml#13613984\account-report.zip#71893056\account-report.htm .pif\[Yoda]\[UPX]" file.
7/16/2005 10:51:46 PM default 3164 Sign of "Win32:Adan-104 [Adw]" has been found in "C:\System Volume Information\_restore{F4325899-9BC5-48C7-8A3D-919913C62682}\RP453\A0031705.exe" file.
7/16/2005 10:54:52 PM default 3164 Sign of "Win32:Trojano-1714 [Trj]" has been found in "C:\System Volume Information\_restore{F4325899-9BC5-48C7-8A3D-919913C62682}\RP460\A0038149.exe" file.
7/16/2005 10:54:59 PM default 3164 Sign of "Win32:Adan-104 [Adw]" has been found in "C:\System Volume Information\_restore{F4325899-9BC5-48C7-8A3D-919913C62682}\RP460\A0038150.exe" file.
And just in case, a new HijackThis log from after the Avast fixes
Logfile of HijackThis v1.99.1
Scan saved at 6:58:47 AM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: AMERICA ONLINE TRAY ICON.LNK = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {93B32602-A185-498B-9EA2-0518EBE72DE3} - http://fdl.msn.com/p...13/invinstl.exe
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\CSFBdirect\FlowHook.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
So all is well now?
You guys rock!