
Possible email spamming going on from my PC
Started by memrich, Mar 10 2006 09:20 AM
#1
Posted 10 March 2006 - 09:20 AM

#2
Posted 10 March 2006 - 09:27 AM

I looked at someone else's similar post in which they were instructed to install and run HijackThis. I just did the same thing because it seemed logical, though I have no idea what I am looking for here.
Logfile of HijackThis v1.99.1
Scan saved at 10:25:41 AM, on 3/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Netopia\C3kWepN.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {05842B0C-271B-412F-958F-D1A8F6CAD937} (ClickLoan Control) - https://www.clickloa...enClickLoan.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - https://www.resmae.com/ScriptX.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {56BCB794-783A-48F1-A4C2-110F32371830} (ContClickLoan Control) - https://www.clickloa...ntClickLoan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {960B6AEC-118A-4745-A070-819025E17534} (HostWin Class) - http://backup.capsur...restore/wbr.cab
O16 - DPF: {96D338F5-8757-4A1C-AFEA-770A4036752F} - https://setup.bellso...wActiveXCab.CAB
O16 - DPF: {A0C321EA-07EE-4DA3-96CB-6F6516FB4A43} (EnClickLoan Control) - https://www.clickloa...EnClickLoan.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.38/ttinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - https://www.clickloa...PtClickLoan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://novastarsupp...ort/ieatgpc.cab
O16 - DPF: {FD5A684E-B2FE-4039-9068-48CF8B740E14} (LOSInterface.LOSIface) - http://www.novastari...OSInterface.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
#3
Posted 10 March 2006 - 10:38 AM

Please download Rootkit Revealer (link is at the very bottom of the page)
- Unzip it to your desktop.
- Open the rootkitrevealer folder and double-click rootkitrevealer.exe
- Click the Scan button (bottom right)
- It may take a while to scan (don't do anything while it's running)
- When it's done, go up to File > Save. Choose to save it to your desktop.
- Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
#4
Posted 10 March 2006 - 01:51 PM

HKLM\.DEFAULT\RemoteAccess\InternetProfile 7/6/2005 4:46 AM 23 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1438460913-299318171-3561001427-1003\Software\Microsoft\At Work Fax\Transport Service Provider\Cover Page Editor 1/27/2004 6:03 PM 43 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-18\RemoteAccess\InternetProfile 7/6/2005 4:46 AM 23 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040D31900063D11C8EF00054038389C\Usage\OUTLOOKNonBootFiles 3/10/2006 1:50 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Support.com\Setup\ProviderList\BellSouth\monitoring\profiles\LastUpdated 3/10/2006 1:51 PM 50 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\All Users\Application Data\Support.com\Profiles\Owner\{BellSouth}\upload.que 3/10/2006 2:41 PM 12.14 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for RootkitRevealer.zip 3/10/2006 1:58 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for RootkitRevealer.zip\RootkitRevealer.chm 12/7/2005 2:19 PM 99.77 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF34E6.tmp 3/10/2006 2:29 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8AD0.tmp 3/10/2006 1:27 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8ADB.tmp 3/10/2006 1:27 PM 512 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA56.tmp 3/10/2006 2:28 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temp\~DFA67.tmp 3/10/2006 2:28 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temp\~DFB04B.tmp 3/10/2006 1:28 PM 512 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DP420V5B\CAQ3W12R.gif 3/10/2006 2:03 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DP420V5B\frusty[1].gif 3/10/2006 2:02 PM 3.42 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DP420V5B\headscratch[1].gif 3/10/2006 2:02 PM 418 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DP420V5B\heart[1].gif 3/10/2006 2:02 PM 1.04 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DP420V5B\index[1].gif 3/10/2006 2:04 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DP420V5B\index[5].htm 3/10/2006 1:45 PM 72.25 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DP420V5B\index[6].htm 3/10/2006 2:03 PM 64.49 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DP420V5B\ranting[1].gif 3/10/2006 2:02 PM 17.94 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DP420V5B\rolleyes1[1].gif 3/10/2006 2:02 PM 1.32 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DP420V5B\yahoo[1].htm 3/10/2006 1:44 PM 42.71 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GNS56LYN\CANEETZB.gif 3/10/2006 2:04 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GNS56LYN\index[2].gif 3/10/2006 1:46 PM 43 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GNS56LYN\index[4].htm 3/10/2006 2:04 PM 73.65 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GNS56LYN\lightbulb[1].gif 3/10/2006 2:02 PM 8.97 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GNS56LYN\nycsmall[1].jpg 3/10/2006 2:03 PM 2.37 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GNS56LYN\smashcomp[1].gif 3/10/2006 2:02 PM 1.93 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GNS56LYN\taz[1].gif 3/10/2006 2:02 PM 1.42 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PANPLUKU\beer[1].gif 3/10/2006 2:02 PM 17.84 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PANPLUKU\CAB28NN5.gif 3/10/2006 2:03 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PANPLUKU\CAO567GL.HTM 3/10/2006 1:59 PM 1.15 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PANPLUKU\CAX3J1WC.gif 3/10/2006 2:04 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PANPLUKU\cheers[1].gif 3/10/2006 2:02 PM 4.87 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PANPLUKU\index[3].htm 3/10/2006 2:04 PM 72.75 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PANPLUKU\index[4].htm 3/10/2006 1:44 PM 19.34 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PANPLUKU\no[1].gif 3/10/2006 2:02 PM 974 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PANPLUKU\yahoo[1].htm 3/10/2006 2:03 PM 42.71 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q2Z9DF5J\dry[1].gif 3/10/2006 2:02 PM 696 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q2Z9DF5J\index[3].htm 3/10/2006 1:45 PM 72.83 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q2Z9DF5J\laugh[1].gif 3/10/2006 2:02 PM 690 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q2Z9DF5J\roflmao[1].gif 3/10/2006 2:02 PM 14.33 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q2Z9DF5J\shutup[1].gif 3/10/2006 2:02 PM 19.46 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q2Z9DF5J\spam[1].gif 3/10/2006 2:02 PM 1.94 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q2Z9DF5J\wavey[1].gif 3/10/2006 2:02 PM 3.17 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q2Z9DF5J\yeah[1].gif 3/10/2006 2:02 PM 5.92 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U7CLKFEN\CAPLVJJV.gif 3/10/2006 2:04 PM 35 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U7CLKFEN\index[5].htm 3/10/2006 2:03 PM 19.34 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U7CLKFEN\index[6].htm 3/10/2006 2:04 PM 64.74 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U7CLKFEN\notworthy[1].gif 3/10/2006 2:02 PM 2.90 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U7CLKFEN\rockon[1].gif 3/10/2006 2:02 PM 1.63 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U7CLKFEN\spoton[1].gif 3/10/2006 2:02 PM 2.14 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WDMR4H6J\alarm[1].gif 3/10/2006 2:02 PM 508 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WDMR4H6J\CAM3WHEL.htm 3/10/2006 2:03 PM 8.58 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WDMR4H6J\index[3].htm 3/10/2006 1:45 PM 65.19 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WDMR4H6J\index[6].htm 3/10/2006 2:03 PM 2.02 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WDMR4H6J\killcomp[1].gif 3/10/2006 2:02 PM 8.88 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WDMR4H6J\mellow[1].gif 3/10/2006 2:02 PM 698 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WDMR4H6J\yes[1].gif 3/10/2006 2:02 PM 687 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y163I7IX\CA2NG7XA.htm 3/10/2006 2:04 PM 7.64 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y163I7IX\CAJMOR7X.htm 3/10/2006 2:04 PM 8.17 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y163I7IX\head_hurts_kr[1].gif 3/10/2006 2:02 PM 3.55 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y163I7IX\hug[1].gif 3/10/2006 2:02 PM 2.13 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y163I7IX\index[6].htm 3/10/2006 1:45 PM 64.74 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y163I7IX\oops[1].gif 3/10/2006 2:02 PM 1.64 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y163I7IX\prop[1].gif 3/10/2006 2:02 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YPC7OZQL\49_49[1].gif 3/10/2006 2:02 PM 1.14 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YPC7OZQL\CA071ZM6.htm 3/10/2006 2:04 PM 8.50 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YPC7OZQL\index[1].gif 3/10/2006 2:03 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YPC7OZQL\index[4].htm 3/10/2006 2:02 PM 20.89 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YPC7OZQL\w00t[1].gif 3/10/2006 2:02 PM 5.27 KB Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\YPC7OZQL\winkiss[1].gif 3/10/2006 2:02 PM 1.94 KB Hidden from Windows API.
C:\WINDOWS\system32\spool\PRINTERS\FP00011.SHD 3/10/2006 2:38 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\spool\PRINTERS\FP00011.SPL 3/10/2006 2:38 PM 0 bytes Hidden from Windows API.
D: 0 bytes Error mounting volume
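The RootkitRevealer log above is a cross-view diff: every line is a place where the Windows API disagrees with the raw NTFS structures or the raw hive files. On a live XP desktop most of those lines are Internet Explorer cache files, Temp files and spooler files that were written or deleted while the scan walked the disk, which the tool's own documentation describes as expected noise. What a responder actually wants is the short list of hidden files outside those churn directories. The script below is an added example, not code from this thread or from Sysinternals; it parses the one-line-per-finding format shown in the post and sorts findings into buckets. The VOLATILE_MARKERS list is my assumption about which directories churn during a scan, and the sample log is constructed from lines like the posted ones plus one invented `example_hidden_driver.sys` line so the suspicious bucket is exercised; that file is not something the thread found.

```python
"""Sort RootkitRevealer discrepancies into buckets worth a human's time.

Added example, not from the thread or from Sysinternals. The parser handles
the one-line-per-finding format shown in the post (path, timestamp, size,
description). VOLATILE_MARKERS is an assumption about which directories are
rewritten while a scan runs on a typical XP desktop.
"""
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<path>.+?)"
    r"(?: (?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M))?"
    r" (?P<size>[\d.]+ (?:bytes|KB|MB|GB))"
    r" (?P<desc>.+)$"
)

# Directories a browser, the print spooler or an unzip rewrite while the scan
# is walking the disk (assumption; compared case-insensitively).
VOLATILE_MARKERS = (
    "\\local settings\\temporary internet files\\",
    "\\local settings\\temp\\",
    "\\system32\\spool\\printers\\",
)


@dataclass
class Finding:
    path: str
    stamp: Optional[str]   # None for lines without a timestamp (volume errors)
    size: str
    desc: str

    @property
    def kind(self) -> str:
        if self.path.upper().startswith("HK"):
            return "registry"
        if re.fullmatch(r"[A-Za-z]:", self.path):
            return "volume"
        return "file"


def parse_log(text: str) -> list:
    """Parse RootkitRevealer text output into Finding objects."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised RootkitRevealer line: {line!r}")
        findings.append(Finding(m["path"], m["stamp"], m["size"], m["desc"]))
    return findings


def classify(f: Finding) -> str:
    if f.kind == "volume":
        return "info"            # e.g. an empty removable drive
    if f.kind == "registry":
        return "review"          # raw-hive mismatches need a manual look
    if any(marker in f.path.lower() for marker in VOLATILE_MARKERS):
        return "likely_benign"   # created or deleted while the scan ran
    return "suspicious"          # hidden file outside any churn directory


def triage(text: str) -> dict:
    buckets = {k: [] for k in ("suspicious", "review", "likely_benign", "info")}
    for f in parse_log(text):
        buckets[classify(f)].append(f)
    return buckets


def report(text: str) -> str:
    buckets = triage(text)
    out = []
    for name in ("suspicious", "review", "likely_benign", "info"):
        out.append(f"{name} ({len(buckets[name])})")
        out.extend(f"  {f.path}  [{f.desc}]" for f in buckets[name])
    return "\n".join(out)


# Constructed sample modelled on the thread's log. The .sys line is invented
# to exercise the "suspicious" branch; it is not something the thread found.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Support.com\Setup\ProviderList\BellSouth\monitoring\profiles\LastUpdated 3/10/2006 1:51 PM 50 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF34E6.tmp 3/10/2006 2:29 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q2Z9DF5J\spam[1].gif 3/10/2006 2:02 PM 1.94 KB Hidden from Windows API.
C:\WINDOWS\system32\spool\PRINTERS\FP00011.SHD 3/10/2006 2:38 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\example_hidden_driver.sys 3/10/2006 2:10 PM 21.50 KB Hidden from Windows API.
D: 0 bytes Error mounting volume
"""

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A "suspicious" hit is a lead, not a verdict: confirm it with an offline view (boot from clean media or mount the disk on another machine) before calling it a rootkit. For registry "Data mismatch" entries, compare the key's last-write time with the scan window; a key that was simply updated while RootkitRevealer was reading the raw hive produces the same line as a hidden one.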
#5
Posted 10 March 2006 - 01:52 PM

By the way Metallica,
Thanks so much for your help here.
Marc
#6
Posted 10 March 2006 - 02:28 PM

No problem Marc,
I despise spammers, especially if they use other people's computers.
But I can't find the guilty one in your logs (yet).
Please download and unzip StartupList
Run the program by double-clicking Startuplist.exe and wait a few minutes for the scan to finish. Go to File>>Copy to Clipboard and copy the content into a notepad file.
Save that file as Startuplist.txt and attach it to your next post.
(It will be too big to paste into one Reply)
Regards,
#7
Posted 10 March 2006 - 02:37 PM

Here is the startup attachment
Attached Files
#8
Posted 10 March 2006 - 03:22 PM

Can you look if you can find a file called:
autoex9x.bat
If you find it, can you right-click it, choose Open With .... Notepad
Copy & paste the content please.
Also, if you get a chance, make a HijackThis log when the activity you noticed is busy.
Regards,
#9
Posted 10 March 2006 - 05:19 PM

I don't believe such a file exists on my computer
#10
Posted 11 March 2006 - 04:29 AM

Copy the part in bold below into notepad and save it as Runserv.reg
Set Filetype to "all files"
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"AutoEx9x"=-
Double-click that file and confirm you want to merge it with the registry.
I'll wait for a log made during activity.
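The Runserv.reg script in post #10 uses the REGEDIT4 dialect: a header line, a blank line, a [key] section, and a "Name"=- line, which deletes the value AutoEx9x rather than setting it. Regedit's "error accessing the registry" message does not say why a merge failed; checking the file's syntax first rules out one class of cause before looking at permissions. The parser below is an added example, not from the thread or from Microsoft; it reads the subset of .reg syntax used here, lists the operations a merge would perform, and flags two defects that creep in when a script is copied out of a forum post: whitespace next to a backslash in the key path and a missing blank line after the header. MALFORMED_SCRIPT is constructed to show those defects and is not a statement about what anyone in the thread actually merged.

```python
"""Parse and sanity-check a REGEDIT4-style .reg script before merging it.

Added example, not from the thread or from Microsoft. Handles the subset of
the .reg format used in the post: a header, [key] / [-key] sections,
"Name"="string", "Name"=dword:hex and "Name"=- (delete value). It never
touches the registry, so it runs on any platform.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<rhs>.*)$')


@dataclass
class Op:
    key: str
    name: Optional[str]      # None for whole-key operations, "" for (Default)
    action: str              # delete_key | delete_value | set_string | set_dword
    data: object = None


@dataclass
class RegScript:
    header: str = ""
    ops: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def check_key_path(path: str, lineno: int, problems: list) -> None:
    root = path.split("\\", 1)[0]
    if root not in ROOTS:
        problems.append(f"line {lineno}: unknown root key {root!r}")
    # Key names may legitimately contain spaces ("At Work Fax"), so only a
    # space touching a backslash is flagged: that is what forum software
    # produces when it breaks a long path, and it names a different key.
    if re.search(r"\\ | \\", path):
        problems.append(f"line {lineno}: whitespace next to a backslash in {path!r}")


def parse_reg(text: str) -> RegScript:
    script = RegScript()
    lines = text.splitlines()
    start = 0
    if lines and lines[0].strip() in HEADERS:
        script.header = lines[0].strip()
        start = 1
        if len(lines) < 2 or lines[1].strip():
            script.problems.append("line 2: the format requires a blank line after the header")
    else:
        script.problems.append("line 1: missing header (REGEDIT4 or "
                               "'Windows Registry Editor Version 5.00')")
    current = None
    for lineno, raw in enumerate(lines[start:], start=start + 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):                 # [-HKEY...] deletes the key
                check_key_path(path[1:], lineno, script.problems)
                script.ops.append(Op(path[1:], None, "delete_key"))
                current = None
            else:
                check_key_path(path, lineno, script.problems)
                current = path
            continue
        m = VALUE_RE.match(line)
        if not m:
            script.problems.append(f"line {lineno}: unrecognised line {line!r}")
            continue
        if current is None:
            script.problems.append(f"line {lineno}: value line outside a [key] section")
            continue
        name = "" if m["default"] else m["name"]
        rhs = m["rhs"].strip()
        if rhs == "-":
            script.ops.append(Op(current, name, "delete_value"))
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            text_value = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            script.ops.append(Op(current, name, "set_string", text_value))
        elif rhs.lower().startswith("dword:"):
            script.ops.append(Op(current, name, "set_dword", int(rhs[6:], 16)))
        else:
            script.problems.append(f"line {lineno}: unsupported value syntax {rhs!r}")
    return script


def describe(script: RegScript) -> str:
    lines = [f"header: {script.header or '(none)'}"]
    for op in script.ops:
        target = op.key if op.name is None else f"{op.key} -> {op.name or '(Default)'}"
        suffix = f" = {op.data!r}" if op.data is not None else ""
        lines.append(f"{op.action}: {target}{suffix}")
    lines.extend(f"PROBLEM {p}" for p in script.problems)
    return "\n".join(lines)


# Constructed samples. MALFORMED_SCRIPT shows the two copy-paste defects the
# checker is for; it is not a statement about the file anyone in the thread used.
MALFORMED_SCRIPT = (
    "REGEDIT4\n"
    "[HKEY_LOCAL_MACHINE\\ Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]\n"
    '"AutoEx9x"=-\n'
)
CLEAN_SCRIPT = (
    "REGEDIT4\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]\n"
    '"AutoEx9x"=-\n'
)

if __name__ == "__main__":
    for label, src in (("malformed", MALFORMED_SCRIPT), ("clean", CLEAN_SCRIPT)):
        print(f"--- {label}\n{describe(parse_reg(src))}")
```

RunServices is an autostart key that Windows 95/98/Me process; the NT line, including XP, does not run entries from it, so a value there is not what is launching anything at logon on this machine, though removing it is still reasonable. The checker only reads the file; applying it remains regedit's job (or reg.exe), from an administrator account.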
#11
Posted 11 March 2006 - 08:39 AM

I did all that and the computer then asked if I was sure that I wanted to add runserv.reg to the registry. When I answered yes, it then said there was an error accessing the registry.
#12
Posted 11 March 2006 - 09:03 AM

Your user account does have Administrator rights on the computer, right?
Regards,
#13
Posted 11 March 2006 - 09:19 AM

yes
#14
Posted 11 March 2006 - 09:26 AM

OK. In that case I'll really have to wait for the log that is made with the malware busy.
Regards,
#15
Posted 11 March 2006 - 09:35 AM

ok ty