« previous next »
Pages: [1]

Author Topic: Virus/Spyware keeps trying to email  (Read 1484 times)

Offline cosmicbliss85

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Virus/Spyware keeps trying to email
« on: December 11, 2005, 04:36:54 PM »
Hey

I think my computer has been infected with a virus or some spyware.  My XP desktop has gone blue and says 'SPYWARE INFECTION' in big red letters. I think this is just windows warning me, I dont know. Anyway, it keeps trying to send out emails to what appear to be random emails like sunni43Email Removed etc.  And for the life of me I cant get it to stop. Keeps popping up. For now, ive stopped it from doing it after about 20 minutes, by closing random processes.

Ive scanned with hijack this, some odd things in there. I've tried removing some, one was secure32 things, that wasnt there before. I'm gonna post my generated list.  One thing I notice is the shell= line...as if its been changed to something other than explorer.exe. Anyway, I'm scared to switch off my pc now incase it wont start up again.  Whats going on! http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> Thanks for the help.

StartupList report, 11/12/2005, 21:23:42
StartupList version: 1.52.2
Started from : E:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\HJT\HijackThis.exe
E:\WINDOWS\system32\taskmgr.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[E:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter = RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
BJCFD = E:\Program Files\BroadJump\Client Foundation\CFD.exe
NeroFilterCheck = E:\WINDOWS\system32\NeroCheck.exe
RemoteControl = "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
Evidence Eliminator = E:\Program Files\Evidence Eliminator\ee.exe /m
NAV Agent = E:\PROGRA~1\NORTON~1\navapw32.exe
Symantec NetDriver Monitor = E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
EPSON Stylus Photo R200 Series = E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
EPSON Product Registration Reminder = E:\WINDOWS\Temp\RegModule.exe
Share-to-Web Namespace Daemon = E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
iTunesHelper = "E:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "E:\Program Files\QuickTime\qttask.exe" -atboottime
SsAAD.exe = E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
PayTime = E:\WINDOWS\system32\paytime.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = E:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
MSMSGS = "E:\Program Files\Messenger\msmsgs.exe" /background
Shell = "E:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
Windows installer = C:\winstall.exe
aupd = E:\WINDOWS\system32\sywsvcs.exe

--------------------------------------------------

Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe                                                                                                    "E:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
SCRNSAVE.EXE=E:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

NAV Helper - E:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[MessengerStatsClient Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = E:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[MessengerStatsClient Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/msnmesse...pdownloader.cab

[ZoneIntro Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\Zintro.ocx
CODEBASE = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

[Shockwave Flash Object]
InProcServer32 = E:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
CDBurn: E:\WINDOWS\system32\SHELL32.dll
WebCheck: E:\WINDOWS\system32\webcheck.dll
SysTray: E:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,620 bytes
Report generated in 0.047 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
Logged

Offline i like cheese

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Virus/Spyware keeps trying to email
« Reply #1 on: December 11, 2005, 04:43:26 PM »
REMOVED
« Last Edit: December 11, 2005, 05:23:48 PM by guestolo »
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Virus/Spyware keeps trying to email
« Reply #2 on: December 11, 2005, 05:08:07 PM »
i Like Cheese, I have no idea what your doing but please stop!!

cosmicbliss85, you posted a startup list from Hijackthis
We should have no problems getting you clean, but can you do the following please

Open Hijackthis.exe
Do a "SCAN and Save a Log file"
A text file should open
Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cosmicbliss85

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Virus/Spyware keeps trying to email
« Reply #3 on: December 11, 2005, 05:30:16 PM »
Thanks for the reply Quest http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />.  I've already been touching stuff trying to get rid of it, because it came back again.  Anyway, for now, it seems to have gone. Although the desktop wallpaper is still that blue screen saying Spyware infection.  The log you requested is here:

Logfile of HijackThis v1.98.2
Scan saved at 22:20:34, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Evidence Eliminator\Ee.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Evidence Eliminator] E:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Product Registration Reminder] E:\WINDOWS\Temp\RegModule.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab






 http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' />  Here is what my start up list looks like now.  

StartupList report, 11/12/2005, 22:23:54
StartupList version: 1.52.2
Started from : E:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Evidence Eliminator\Ee.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\HJT\HijackThis.exe
E:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[E:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter = RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
BJCFD = E:\Program Files\BroadJump\Client Foundation\CFD.exe
NeroFilterCheck = E:\WINDOWS\system32\NeroCheck.exe
RemoteControl = "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
Evidence Eliminator = E:\Program Files\Evidence Eliminator\ee.exe /m
NAV Agent = E:\PROGRA~1\NORTON~1\navapw32.exe
Symantec NetDriver Monitor = E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
EPSON Stylus Photo R200 Series = E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
EPSON Product Registration Reminder = E:\WINDOWS\Temp\RegModule.exe
Share-to-Web Namespace Daemon = E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
iTunesHelper = "E:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "E:\Program Files\QuickTime\qttask.exe" -atboottime
SsAAD.exe = E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = E:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
MSMSGS = "E:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=E:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

NAV Helper - E:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[MessengerStatsClient Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = E:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[MessengerStatsClient Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/msnmesse...pdownloader.cab

[ZoneIntro Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\Zintro.ocx
CODEBASE = http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

[Shockwave Flash Object]
InProcServer32 = E:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
CDBurn: E:\WINDOWS\system32\SHELL32.dll
WebCheck: E:\WINDOWS\system32\webcheck.dll
SysTray: E:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,289 bytes
Report generated in 0.031 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only


Hows everything look?  Does anything suggest my computer wont start up if I was to restart?  I'll probably do some major backing up to dvd anyway just to be on the safe side http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

Thanks for all your help.


Ive just tried changing wallpapers in Display Properties to get rid of the blue wallaper with the warning message, but it wont let me select a wallpaper. http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\':(\' /> Is this the virus/spyware or is it windows? If its windows, how do you tell it that your systems now clean? (if it is clean! http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> )

Thank you
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Virus/Spyware keeps trying to email
« Reply #4 on: December 11, 2005, 05:30:26 PM »
Can I have you do the following please

Your running an old version of Hijackthis
From my signature below
Download and save Hijackthis 1.99.1 to
E:\HJT\ <-this folder

Allow to overwrite the old version if prompted

Run this version of Hijackthis and post a fresh hijackthis log
I don't need to see a Startuplist unless asked, thanks

Are you controlling anything from starting on startup with msconfig or a startup manager??
« Last Edit: December 11, 2005, 05:31:26 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cosmicbliss85

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Virus/Spyware keeps trying to email
« Reply #5 on: December 11, 2005, 05:52:44 PM »
I've updated HJT.

Logfile of HijackThis v1.99.1
Scan saved at 22:49:23, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\NORTON~1\navapw32.exe
E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Evidence Eliminator\Ee.exe
E:\Program Files\Microsoft Office\Office\WINWORD.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Evidence Eliminator] E:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EPSON Product Registration Reminder] E:\WINDOWS\Temp\RegModule.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


As well as the blue screen and not being able to get rid of it on desktop, my MSN crashes once I hit enter to send my login details...but I've probably messed something up. I've repaired MSN, but that didnt fix it.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Virus/Spyware keeps trying to email
« Reply #6 on: December 11, 2005, 05:59:41 PM »
Let's try some more cleanup on this machine

Since you have done fixes yourself, I'll just look at your last log and we'll see how everything runs afterwards

If you have this tool, delete yours and download this version
Download SmitRem.exe by Noahdfear and save the file to your desktop.
DON'T run it yet
But make sure you download this version

Additionally,
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Don't run it yet

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

If you don't have Ad-Aware SE personal 1.06
Download and Install the free version of Ad-Aware SE Personal 1.06
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Don't run a scan yet

Instead
Please  save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Double click on SmitRem.exe to extract it to it's own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: Well Ewido is running, don't open any other windows, let it do it's job

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Reboot back to Normal mode

Back in Windows, I need to see a few logs please
1. Scan and save logfile with Hijackthis again,  post a fresh log
2. Post the Whole contents of Ewido's report
3. Post the log made from SmitRem located here C:\Smitfiles.txt
« Last Edit: December 11, 2005, 06:00:00 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline V DidDy 210

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Virus/Spyware keeps trying to email
« Reply #7 on: December 19, 2005, 08:18:51 PM »
Hey
HELP!
i have this same problem,
i did an ad-aware and spy bot search,
nothing came up on either, but my EZ Anti Virus showed a few things which it deleted,
so now i'm at the boiling point, the blue screen with the words SPYWARE INFECTION just won't go away!
i did a hijackthis! scan, didn't change anything and i'm gonna post it so that we can get right down to the problem.

LOG REMOVED>>I seen you post your log in your own topic
We'll work with you in the other thread
~guestolo~
« Last Edit: December 20, 2005, 07:19:17 PM by guestolo »
Logged

Offline cosmicbliss85

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Virus/Spyware keeps trying to email
« Reply #8 on: December 20, 2005, 01:15:41 PM »
Hey Did...

I've partially sorted my problem. If you still have that blue screen its because theres a registry entry causing windows to display an html file in the background.  I cant remember what entry I deleted now...but it referred to 'desktop.html' which was in the windows system folder.  See if you have that file, I opened it, and yep, it was the blue screen with Spyware infection...displayed in Internet Explorer.

So check if you have that file. It might also be called wallpaper.html I think. Then maybe search for that in the registry.

SO...now I have my wallpaper back and can change wallpapers...but now all the desktop icons have background on their texts...like in Windows 98 before icons become transparant. Anyone know how to get rid of this?
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Virus/Spyware keeps trying to email
« Reply #9 on: December 20, 2005, 07:18:25 PM »
cosmicbliss85, should I lock this topic as you haven't done nothing I said?
Just let me know and I'll lock it up
No need for me to go further with this if your not willing to try what I posted above

It's too bad as all your problems may have been resolved
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »