Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

RE: Missing mails [RESOLVED]

Started by dhnish , Jan 05 2005 09:14 PM

  • This topic is locked This topic is locked

#1
dhnish
Posted 05 January 2005 - 09:14 PM

dhnish

    Member

  • Member
  • PipPip
  • 30 posts
Hi

Kindly hve a look at this log, is there anything wrong? Whenever i download mails
via OE, the next time i open it its all gone?
Pls advice
Thank you and have a nice day

Yours in service


Logfile of HijackThis v1.98.2
Scan saved at 10:58:01 AM, on 1/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\System32\rfthmj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Utilities\HijackThis tool\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\_h.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: - {c2d43d86-d08b-4b6c-b5fa-729710ca9370} - C:\WINDOWS\System32\nrtluwk.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [kkgofay] C:\WINDOWS\System32\rfthmj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095321347495
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95C2E78C-7421-48DA-B149-540C327A68B2}: NameServer = 202.188.1.5,202.188.0.133
  • 0

Advertisements

#2
Metallica
Posted 06 January 2005 - 06:42 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Before we fix anything could you mail me zipped copies of:
C:\WINDOWS\_h.html
C:\WINDOWS\_s.html
C:\WINDOWS\System32\nrtluwk.dll
C:\WINDOWS\System32\rfthmj.exe
Use this address: pieterATwilderssecurity.org (replace AT with @)

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\_s.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\_h.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\_h.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-v.net/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ls0.net/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll

O2 - BHO: - {c2d43d86-d08b-4b6c-b5fa-729710ca9370} - C:\WINDOWS\System32\nrtluwk.dll

O4 - HKLM\..\Run: [kkgofay] C:\WINDOWS\System32\rfthmj.exe

O15 - Trusted Zone: *.xxxtoolbar.com

Download and run CWShredder from:
http://www.intermute...r_download.html
Use the Fix button.

Reboot and post back with a new HijackThis log.

Regards,

Pieter
  • 0

#3
dhnish
Posted 07 January 2005 - 01:55 AM

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi

Have done as per requested.Here is the new log.What do i do next?
Thank you and have a nice day

Yours in service
dhnish

Logfile of HijackThis v1.98.2
Scan saved at 3:20:56 PM, on 1/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Utilities\HijackThis tool\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095321347495
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95C2E78C-7421-48DA-B149-540C327A68B2}: NameServer = 202.188.1.5,202.188.0.133
  • 0

#4
admin
Posted 07 January 2005 - 12:26 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts

C:\WINDOWS\System32\r_server.exe

Did you install this?:
http://www.famatech.com/
  • 0

#5
dhnish
Posted 09 January 2005 - 06:49 PM

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi

If u are refering to remote admin tool, yes i did install it. I'am remotely accessing the troubled laptop
Hope its okay.
Thank you and have a nice day

Yours in service
dhnish
  • 0

#6
Metallica
Posted 10 January 2005 - 06:51 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file)

O9 - Extra button: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {9EDB3430-7B52-459D-9700-D4315BD99185} - (no file) (HKCU)

Then reboot and remove:
C:\WINDOWS\ex.htm

Regards,

Pieter
  • 0

#7
dhnish
Posted 12 January 2005 - 07:43 PM

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
:tazz: Hi
Have done as per requested, here is the new log.
Is there anything else I need to do?
Pls advice
Thank you and have a nice day

Yours in service
dhnish

Logfile of HijackThis v1.98.2
Scan saved at 5:33:48 PM, on 1/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\r_server.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\tp4serv.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Utilities\HijackThis tool\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [QCTRAY] C:\PROGRA~1\ThinkPad\CONNEC~1\Qctray.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095321347495
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95C2E78C-7421-48DA-B149-540C327A68B2}: NameServer = 202.188.1.5,202.188.0.133
  • 0

#8
Metallica
Posted 13 January 2005 - 06:05 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Not where the spyware is concerned.

Did this also solve your OE problem?

Regards,

Pieter
  • 0

#9
dhnish
Posted 13 January 2005 - 10:22 PM

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
:tazz: Hi
Yes,indeed it did.
Thanks a lot for the assistance .
Well appreciated
Thank you and have a nice day

Yours in service
dhnish
  • 0

#10
Metallica
Posted 14 January 2005 - 04:18 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Glad we could help. :tazz:

Safe Surfing,

Pieter
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP