Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - cosmicbliss85

Pages: [1]

Tech Clinic / Virus/Spyware keeps trying to email

« on: December 20, 2005, 01:15:41 PM »

Hey Did...

I've partially sorted my problem. If you still have that blue screen its because theres a registry entry causing windows to display an html file in the background. I cant remember what entry I deleted now...but it referred to 'desktop.html' which was in the windows system folder. See if you have that file, I opened it, and yep, it was the blue screen with Spyware infection...displayed in Internet Explorer.

So check if you have that file. It might also be called wallpaper.html I think. Then maybe search for that in the registry.

SO...now I have my wallpaper back and can change wallpapers...but now all the desktop icons have background on their texts...like in Windows 98 before icons become transparant. Anyone know how to get rid of this?

Tech Clinic / Virus/Spyware keeps trying to email

« on: December 11, 2005, 05:52:44 PM »

I've updated HJT.

Logfile of HijackThis v1.99.1
Scan saved at 22:49:23, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Evidence Eliminator\Ee.exe
E:\Program Files\Microsoft Office\Office\WINWORD.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Evidence Eliminator] E:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Product Registration Reminder] E:\WINDOWS\Temp\RegModule.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

As well as the blue screen and not being able to get rid of it on desktop, my MSN crashes once I hit enter to send my login details...but I've probably messed something up. I've repaired MSN, but that didnt fix it.

Tech Clinic / Virus/Spyware keeps trying to email

« on: December 11, 2005, 05:30:16 PM »

Thanks for the reply Quest

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />. I've already been touching stuff trying to get rid of it, because it came back again. Anyway, for now, it seems to have gone. Although the desktop wallpaper is still that blue screen saying Spyware infection. The log you requested is here:

Logfile of HijackThis v1.98.2
Scan saved at 22:20:34, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Evidence Eliminator\Ee.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Evidence Eliminator] E:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Product Registration Reminder] E:\WINDOWS\Temp\RegModule.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' /> Here is what my start up list looks like now.

StartupList report, 11/12/2005, 22:23:54
StartupList version: 1.52.2
Started from : E:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Evidence Eliminator\Ee.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\HJT\HijackThis.exe
E:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[E:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter = RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
BJCFD = E:\Program Files\BroadJump\Client Foundation\CFD.exe
NeroFilterCheck = E:\WINDOWS\system32\NeroCheck.exe
RemoteControl = "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
Evidence Eliminator = E:\Program Files\Evidence Eliminator\ee.exe /m
NAV Agent = E:\PROGRA~1\NORTON~1\navapw32.exe
Symantec NetDriver Monitor = E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
EPSON Stylus Photo R200 Series = E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
EPSON Product Registration Reminder = E:\WINDOWS\Temp\RegModule.exe
Share-to-Web Namespace Daemon = E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
iTunesHelper = "E:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "E:\Program Files\QuickTime\qttask.exe" -atboottime
SsAAD.exe = E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = E:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
MSMSGS = "E:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=E:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

NAV Helper - E:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[MessengerStatsClient Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = E:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[MessengerStatsClient Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/msnmesse...pdownloader.cab

[ZoneIntro Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\Zintro.ocx
CODEBASE = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

[Shockwave Flash Object]
InProcServer32 = E:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
CDBurn: E:\WINDOWS\system32\SHELL32.dll
WebCheck: E:\WINDOWS\system32\webcheck.dll
SysTray: E:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,289 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Hows everything look? Does anything suggest my computer wont start up if I was to restart? I'll probably do some major backing up to dvd anyway just to be on the safe side

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Thanks for all your help.

Ive just tried changing wallpapers in Display Properties to get rid of the blue wallaper with the warning message, but it wont let me select a wallpaper.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' /> Is this the virus/spyware or is it windows? If its windows, how do you tell it that your systems now clean? (if it is clean!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' /> )

Thank you

Tech Clinic / Virus/Spyware keeps trying to email

« on: December 11, 2005, 04:36:54 PM »

Hey

I think my computer has been infected with a virus or some spyware. My XP desktop has gone blue and says 'SPYWARE INFECTION' in big red letters. I think this is just windows warning me, I dont know. Anyway, it keeps trying to send out emails to what appear to be random emails like sunni43Email Removed etc. And for the life of me I cant get it to stop. Keeps popping up. For now, ive stopped it from doing it after about 20 minutes, by closing random processes.

Ive scanned with hijack this, some odd things in there. I've tried removing some, one was secure32 things, that wasnt there before. I'm gonna post my generated list. One thing I notice is the shell= line...as if its been changed to something other than explorer.exe. Anyway, I'm scared to switch off my pc now incase it wont start up again. Whats going on!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' /> Thanks for the help.

StartupList report, 11/12/2005, 21:23:42
StartupList version: 1.52.2
Started from : E:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\HJT\HijackThis.exe
E:\WINDOWS\system32\taskmgr.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[E:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter = RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
BJCFD = E:\Program Files\BroadJump\Client Foundation\CFD.exe
NeroFilterCheck = E:\WINDOWS\system32\NeroCheck.exe
RemoteControl = "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
Evidence Eliminator = E:\Program Files\Evidence Eliminator\ee.exe /m
NAV Agent = E:\PROGRA~1\NORTON~1\navapw32.exe
Symantec NetDriver Monitor = E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
EPSON Stylus Photo R200 Series = E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
EPSON Product Registration Reminder = E:\WINDOWS\Temp\RegModule.exe
Share-to-Web Namespace Daemon = E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
iTunesHelper = "E:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "E:\Program Files\QuickTime\qttask.exe" -atboottime
SsAAD.exe = E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
PayTime = E:\WINDOWS\system32\paytime.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = E:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
MSMSGS = "E:\Program Files\Messenger\msmsgs.exe" /background
Shell = "E:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
Windows installer = C:\winstall.exe
aupd = E:\WINDOWS\system32\sywsvcs.exe

--------------------------------------------------

Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe "E:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
SCRNSAVE.EXE=E:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

NAV Helper - E:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[MessengerStatsClient Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = E:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[MessengerStatsClient Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/msnmesse...pdownloader.cab

[ZoneIntro Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\Zintro.ocx
CODEBASE = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

[Shockwave Flash Object]
InProcServer32 = E:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
CDBurn: E:\WINDOWS\system32\SHELL32.dll
WebCheck: E:\WINDOWS\system32\webcheck.dll
SysTray: E:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,620 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Pages: [1]

TheTechGuide Forum

News:

Show Posts

Messages - cosmicbliss85

Tech Clinic / Virus/Spyware keeps trying to email

Tech Clinic / Virus/Spyware keeps trying to email

Tech Clinic / Virus/Spyware keeps trying to email

Tech Clinic / Virus/Spyware keeps trying to email