Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

RE: Missing mails [RESOLVED]


  • This topic is locked This topic is locked

#1
dhnish

dhnish

    Member

  • Member
  • PipPip
  • 30 posts
Hi

Kindly hve a look at this log, is there anything wrong? Whenever i download mails
via OE, the next time i open it its all gone?
Pls advice
Thank you and have a nice day

Yours in service


Logfile of HijackThis v1.98.2
Scan saved at 10:58:01 AM, on 1/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rfthmj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Utilities\HijackThis tool\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\_h.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: - {c2d43d86-d08b-4b6c-b5fa-729710ca9370} - C:\WINDOWS\System32\nrtluwk.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [kkgofay] C:\WINDOWS\System32\rfthmj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095321347495
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95C2E78C-7421-48DA-B149-540C327A68B2}: NameServer = 202.188.1.5,202.188.0.133
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Before we fix anything could you mail me zipped copies of:
C:\WINDOWS\_h.html
C:\WINDOWS\_s.html
C:\WINDOWS\System32\nrtluwk.dll
C:\WINDOWS\System32\rfthmj.exe
Use this address: pieterATwilderssecurity.org (replace AT with @)

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\_h.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll

O2 - BHO: - {c2d43d86-d08b-4b6c-b5fa-729710ca9370} - C:\WINDOWS\System32\nrtluwk.dll

O4 - HKLM\..\Run: [kkgofay] C:\WINDOWS\System32\rfthmj.exe

O15 - Trusted Zone: *.xxxtoolbar.com

Download and run CWShredder from:
http://www.intermute...r_download.html
Use the Fix button.

Reboot and post back with a new HijackThis log.

Regards,

Pieter
  • 0

#3
dhnish

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi

Have done as per requested.Here is the new log.What do i do next?
Thank you and have a nice day

Yours in service
dhnish

Logfile of HijackThis v1.98.2
Scan saved at 3:20:56 PM, on 1/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Utilities\HijackThis tool\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095321347495
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95C2E78C-7421-48DA-B149-540C327A68B2}: NameServer = 202.188.1.5,202.188.0.133
  • 0

#4
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts

C:\WINDOWS\System32\r_server.exe

Did you install this?:
http://www.famatech.com/
  • 0

#5
dhnish

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi

If u are refering to remote admin tool, yes i did install it. I'am remotely accessing the troubled laptop
Hope its okay.
Thank you and have a nice day

Yours in service
dhnish
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)

O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)

Then reboot and remove:
C:\WINDOWS\ex.htm

Regards,

Pieter
  • 0

#7
dhnish

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
:tazz: Hi
Have done as per requested, here is the new log.
Is there anything else I need to do?
Pls advice
Thank you and have a nice day

Yours in service
dhnish

Logfile of HijackThis v1.98.2
Scan saved at 5:33:48 PM, on 1/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\r_server.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\tp4serv.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Utilities\HijackThis tool\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095321347495
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95C2E78C-7421-48DA-B149-540C327A68B2}: NameServer = 202.188.1.5,202.188.0.133
  • 0

#8
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Not where the spyware is concerned.

Did this also solve your OE problem?

Regards,

Pieter
  • 0

#9
dhnish

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
:tazz: Hi
Yes,indeed it did.
Thanks a lot for the assistance .
Well appreciated
Thank you and have a nice day

Yours in service
dhnish
  • 0

#10
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Glad we could help. :tazz:

Safe Surfing,

Pieter
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP