PDA

View Full Version : My PC i sending out mails on my behalf ???!! HELP!!



GabrielOakUK
2006-04-16, 12:04
Hi, I have a couple of problems which I wondered if any of you guys coud help me with.

1. each and every day, starting from about a week ago, I receive between 5 and 20 mails a day into my outlook exporess box, which are returns from addresses I do not know and have never sent mail to, telling me that "my" mail could not go through for whatever reason. It appears to me that mails are being sent out from my PC to random E mail addresses. Could this be happening, and if so how on earth can I stop it or detect and delete whatever bug is causing this?

2. This might or might not be related to the above. When I run Ad-Aware SE it comes up with a number of "tracking cookies", the names being:

Trak_SE.781
Trak_SE.10340
Trak_SE.10419

and sometimes some others.

If I delete these by using Ad-Aware they have returned by the time I restart my computer.

I alos use Norton anti virus but again, this does not seem to do the trick. I went on line and did a Trend Micro |House call, which found the viruses , deleteed them and then once I turned the PC back on again trhey were back.

If anyone could give me some help with the one or both of the above I would be really grateful. I'd be happy to ppost or paste any further information needed.

Yoyurs, from North devon in the UK, Gabriel :confused:

tashi
2006-04-19, 21:17
Hello.
Apart from the business of this forum, one reason for delayed assistance is not having followed the procedure here:
BEFORE you post a log, and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288) ;)

GabrielOakUK
2006-04-20, 17:01
Norton, Ad aware and trend micro all tell me that |i have no virus on my PC (so I have no log to post).

However each and every day my pc is sending out mails from "me" from outlook express without my approval (I know this as i get out of office replies from sytrangers in response to my mails). How do i stop this, how can i find out more information??

I'd be grateful for any help even if it is to redirect me to another forum!!

Cheers,

Gabriel:scratch:

tashi
2006-04-20, 18:44
Hello. :)

If you do not follow the instructions to post a HJT log I don't see how we can help. :scratch:

illukka
2006-04-20, 22:42
hi

* Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply. Use The Post Reply -button!
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

GabrielOakUK
2006-04-21, 19:29
Hi I am getting these mails every day, telling me that "my" mail could not be sent for whatever reason.

The other problem I have is that if I search on ad-aware I find tracking cookies, about 15 of them. I delete them but when I turn the PC on again they are back.

Any help for either or both problems would be very much appreciated!

Cheers,
Gabrieloak.:scratch:





Logfile of HijackThis v1.99.1
Scan saved at 17:24:00, on 21/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\eTCrtMng.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [eTCertManger] C:\WINDOWS\system32\eTCrtMng.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/132p/html/gtdownlr.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145084537359
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Knowledge Systems, Ltd. - C:\WINDOWS\system32\eTSrv.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

GabrielOakUK
2006-04-21, 19:32
Illuka,

sorry i forgot to thank your for your help! I Am so counfounded and troubled by this thing and so out of my depth my manners were lost.. Thanks I do apprciate your help.

Gabriel

illukka
2006-04-21, 19:56
hi

i see nothing in the log that could be a spambot

lets dig deeper:

Download and Save Blacklight (http://www.f-secure.com/blacklight/try.shtml) to your desktop:

Double-click blbeta.exe then accept the agreement, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"


edit:

i see you have two antiviruses installed, and that they both are running real time.
this is not recommended, as the scanners will be competing to scan a file on access, causing an excessive system lag.
also 2 different antiviruses can lead to conflicts and system instabilities

please either uninstall the other, or completely disable it's components and keep only one antivirus running real time

GabrielOakUK
2006-04-22, 15:43
:scratch: :) Hi,thanks (as ever) for the advice, much appreciated. I ran backlight and the log is pasted below.

In terms of anti vusus programmes I have on here Norton anti virus, Ad-aware and AVG. I pay for Norton but the others are free. I guess I should get rid oif AVG then? Can I still run adawre if I keep only Norton?


04/22/06 13:37:08 [Info]: BlackLight Engine 1.0.35 initialized
04/22/06 13:37:08 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/22/06 13:37:08 [Note]: 7019 4
04/22/06 13:37:08 [Note]: 7005 0
04/22/06 13:37:11 [Note]: 7006 0
04/22/06 13:37:11 [Note]: 7011 3700
04/22/06 13:37:12 [Note]: 7026 0
04/22/06 13:37:12 [Note]: 7026 0
04/22/06 13:37:12 [Note]: FSRAW library version 1.7.1015

Is the reappearing tracking cookies related to the mails being sent out: are they entirely separate things?

Cheers, Gabriel.

illukka
2006-04-22, 15:59
hi

anti spyware applications are different that anti viruses, no conflicts
AV's have file system drivers, they hook the sysytem in a more global way. thats why the conflicts if several av's are running

you dont necessarily have to uninstall avg, just completely disable its processes and services

there was nothing in the blacklight log

lets try one more scan:



Make a new folder in the c:\drive called silentrunners

Download 'silent runners" from here: (direct download)

http://www.silentrunners.org/Silent%20Runners.vbs

Save it to your silentrunners folder.

Click start> run> type cmd and hit enter

Type the following exactly and hit enter after each line.

cd c:\silentrunners and hit enter
"silent runners.vbs" -all and hit enter

wait until it pops up saying its completed, then post the resulting logfile here
it will be very large
you may need several posts to include everything

GabrielOakUK
2006-04-22, 17:01
Hi, am appreciating your help. Just a quick query. I doiwnloaded the silent runners file, saved it to a silent runners fole on my c drive as detected. However my Norton AV ja scome up with a noteice saying "Malicious script detected, High risk etc it recommedns i stop the script, what shall I do???

I assume I shoud carry on regardless but just wanted to be sure!!

Thanks ...:scratch:

illukka
2006-04-22, 19:31
Hi, am appreciating your help. Just a quick query. I doiwnloaded the silent runners file, saved it to a silent runners fole on my c drive as detected. However my Norton AV ja scome up with a noteice saying "Malicious script detected, High risk etc it recommedns i stop the script, what shall I do???

I assume I shoud carry on regardless but just wanted to be sure!!

Thanks ...:scratch:

hi
my bad, i should've warned you about it in advance

yes, allow the script to run, it is definitely not malicious :)

GabrielOakUK
2006-04-23, 10:23
Illuka,

here is the first bit...

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ibmmessages" = "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" ["IBM"]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"TPKMAPHELPER" = "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper" ["IBM Corp."]
"TpShocks" = "TpShocks.exe" ["IBM Corp."]
"TPHOTKEY" = "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [null data]
"TP4EX" = "tp4ex.exe" ["IBM Corporation"]
"EZEJMNAP" = "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" ["IBM Corp."]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray" ["Analog Devices, Inc."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"(Default)" = (empty string)
"ibmmessages" = "C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" ["IBM"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"IBMPRC" = "C:\IBMTOOLS\UTILS\ibmprc.exe" ["IBM Corp."]
"QCTRAY" = "C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" ["IBM Corp."]
"QCWLICON" = "C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" ["IBM Corp."]
"PWRMGRTR" = "rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor" [MS]
"BLOG" = "rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog" [MS]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"eTCertManger" = "C:\WINDOWS\system32\eTCrtMng.exe" ["Aladdin Knowledge Systems, Ltd."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation"]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "C:\Program Files\IBM RecordNow!\shlext.dll" [null data]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client 2.0\smarthook.dll" ["SmartFTP"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

GabrielOakUK
2006-04-23, 10:25
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! QConGina\DLLName = "QConGina.dll" ["IBM Corp."]
INFECTION WARNING! tphotkey\DLLName = "tphklock.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Charles Read\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\PLANET~1.SCR" (Planet Earth.scr) ["ScreenTime Media"]


Startup items in "Charles Read" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"BTTray" -> shortcut to: "C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe" ["Broadcom Corporation"]
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Charles Read" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.EXE /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{D1A4DEBD-C2EE-449F-B9FB-E8409F9A0BC5}\
"ButtonText" = "Software Installer"
"Exec" = "C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe" ["Lenovo Group Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

GabrielOakUK
2006-04-23, 10:29
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
Bluetooth Service, btwdins, "C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation"]
eToken Notification Service, ETOKSRV, "C:\WINDOWS\system32\eTSrv.exe" ["Aladdin Knowledge Systems, Ltd."]
EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
IBM HDD APS Logging Service, TPHDEXLGSVC, "System32\TPHDEXLG.EXE" ["IBM Corporation"]
IBM KCU Service, TpKmpSVC, "C:\WINDOWS\system32\TpKmpSVC.exe" [null data]
IBM PM Service, IBMPMSVC, "C:\WINDOWS\system32\ibmpmsvc.exe" [null data]
IBM Rapid Restore Ultra Service, IBM Rapid Restore Ultra Service, ""C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe"" [empty string]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, ""C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe"" ["Symantec Corporation"]
QCONSVC, QCONSVC, "System32\QCONSVC.EXE" ["IBM Corp."]
RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
STI Simulator, STI Simulator, "C:\WINDOWS\System32\PAStiSvc.exe" [null data]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "TPInput" ["IBM Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation"]
Canon BJ Language Monitor PIXMA iP1500\Driver = "CNMLM5y.DLL" ["CANON INC."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 61 seconds, including 18 seconds for message boxes)



Illukka,

Hope I've done the above correctly, i think I have. As ever this is really kind and I am so glad there are people out there like you.

I am still getting the mails plus i am still finding tracking cookies on my PC. I remove them with ad aware , then once the PC is on again they seem to be back.

However the main problem is still the mails being sent out! I am getting 2 or 3 returnes a day: Lord knows how many "I" am actually sending out that reach their intended destination!

Anyway, have a great day and thanks again. PS shall I now delete the silent runners folder?? :)

illukka
2006-04-23, 22:36
hi

as far as i know there is no signs of any malware.

one more scan to do:

Download unzip then scan RootkitRevealer.exe
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
when its done go file > save
attach the log back here in your next reply
Not to worry, normal there are alot of items.
Its an intensive scan, I suggest you disconnect from the internet and leave the PC alone until its finished.

Because the log can be very large please edit out items in C:\RECYCLER\NPROTECT if there.
And C:\System Volume Information, before posting

next:

Scan for Hidden Data Streams

Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Click on "Open ADS Spy.."
Click on "Scan"
Click on "Save Log..."
Copy and past the List from the notepad into your next post


you can now delete the silent runners folder
it is a possibilty that those mails are fake.
email viruses fake the senders, it inst necessarily you( or your comp ) that is sending the mails ;)

or if it is malware its extremely well hidden and possibly previously unknown

GabrielOakUK
2006-04-24, 11:48
Hi Illukka,

Will do that tonight once I am home from work and send you the log as per your mail.

Out of interest, in the log I posted from silent runners (the second instalment) there were the entries:

"INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! QConGina\DLLName = "QConGina.dll" ["IBM Corp."]
INFECTION WARNING! tphotkey\DLLName = "tphklock.dll" [null data]"

I assumed these were the issue and hoped we had found the problem ! I looked up "Tphklock.dll" on the net and found an entry that said it was "highly dangerous and should be removed immediately etc"I will carry on as per your mail but in the meantime shoud I ignore the tphklock.diil file?

Hope you have a great day and thanks as ever! :)

illukka
2006-04-24, 19:29
hi

the
INFECTION WARNING! tphotkey\DLLName = "tphklock.dll" [null data]"

that file is part of IBM think pad system tools

infection warning is listed on any non_microsoft file

GabrielOakUK
2006-04-29, 10:50
Illukka ,

Hi, hope you are well. Sorry for not getting back sooner but I had to go away for a few days.

Last night I ran Rootkitrevealer.exe and have posted the log below. It did not turn out to be too long, I am pretty sure I did everything properly but perhaps not. Anyway the log is:

C:\RRUbackups\Documents and Settings 02/12/2005 13:49 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator 02/12/2005 13:49 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data 02/12/2005 13:49 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft 02/12/2005 13:49 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 27/10/2005 02:14 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 28/04/2006 20:26 24 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-4090738588-6493292-3205962274-500 27/10/2005 02:14 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-4090738588-6493292-3205962274-500\37d0ce41-489a-4999-ad38-da8e83caa8ab 28/04/2006 20:26 388 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-4090738588-6493292-3205962274-500\Preferred 28/04/2006 20:26 24 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User 02/12/2005 13:51 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data 02/12/2005 13:51 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft 02/12/2005 13:51 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 02/12/2005 13:51 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 28/04/2006 20:26 24 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-4090738588-6493292-3205962274-500 02/12/2005 13:51 0 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-4090738588-6493292-3205962274-500\37d0ce41-489a-4999-ad38-da8e83caa8ab 28/04/2006 20:26 388 bytes Hidden from Windows API.
C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-4090738588-6493292-3205962274-500\Preferred 28/04/2006 20:26 24 bytes Hidden from Windows API.
C:\RRUbackups\hints.dat 02/12/2005 13:51 8.00 KB Hidden from Windows API.
C:\RRUbackups\pu.dat 02/12/2005 13:51 224 bytes Hidden from Windows API.
C:\RRUbackups\SAM 02/12/2005 13:51 256.00 KB Hidden from Windows API.
C:\RRUbackups\system 02/12/2005 13:51 4.75 MB Hidden from Windows API.
C:\RRUbackups\system.dat 02/12/2005 13:51 12.00 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\REALONEMESSAGECENTER.EXE-0F115151.pf 28/04/2006 23:14 11.96 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\Prefetch\REALPLAY.EXE-1BF219BD.pf 28/04/2006 23:14 49.51 KB Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 28/04/2006 23:13 64.00 KB Visible in directory index, but not Windows API or MFT.

I then ran Hijack This as per your instructions but after I scanned with ADS spy the scan came back complete but with no entries (so there is no log to post!).

As to the problem with mails, I am stil receiving them, each day at least ten. They are returns from people's mail boxs saying either they are out or it is the wrong address etc but in all cases saying "my" mail would not go through for whatever reason. I don't know if this is detrimental to my computer but it is certainly annoying. I know you thought that t is not neccessarily my laptop sending these and that they might even be simply using my address and nothing more.

The other issue I have (which may or may not be related) is that again every day I run Ad-Aware and each time I detect about 12 to 20 Tracking cookies or data miners. I remove them and then within a day I have them back.

Is there some system or programme which will stop these cookies being reactivated or reinserted onto my system?

Anyway, as ever, many many thanks for your help, it is really appreciated. All this stuff seems so incredibly complicated so I am glad of your help. Your name sounds Scandanavian although your location (pits of Hell) implies that you could be from Oldham in Lancashire like me.!

I'm not sure (as this post is now quite a way down the list if you will actually see this so I willtake the liberty if I have not heard from you a 4 or 5 days of droping you a direct note. Hope this isn't too intrusive or presumptious!

Thanks and have great day.:)

illukka
2006-05-01, 22:53
i really think the mails are fake, as all scans turn up negative

check your PM's by the way

as for the cookies, spyware blaster will prevent them:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)

GabrielOakUK
2006-05-01, 23:31
Illukka,

Thanks for getting back to me and helping me through the various processes.

Glad to hear the E mail thing isn't a problem; I guess they will just stop after a while..

I'll download spyware blaster to get rid of the cookies.

Cheers!:bigthumb:

illukka
2006-05-02, 22:00
ok

thanks for the sample mails, they got through just fine

i think they are fake, bounces of mails sent by viruses yes, but the main thing is that viruses fake the senders, so those are not really sent from your computer

the scenario would be like this:
someone who you know is infected with an email virus. to spread viruses send emails containing the the virus as attachment, taking the sender names it uses from the addres book of the infected computer. often viruses even make up new sender addresses by mixing parts of the existing addies in the infected computers outlook express contacts.. for example if there are 2 addies in the addres book, lets say jon.doe@email.com and joanna.moe@email.com the virus would make addies joanna.doe@, jon.moe@, doe.moe@ and moe.doe@...


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore (http://www.bleepingcomputer.com/forums/tutorial63.html)

or

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above


Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)


Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers (http://www.bleepingcomputer.com/forums/tutorial43.html)


Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/tutorial48.html)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad (https://netfiles.uiuc.edu/ehowes/www/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

also remember to keep your java updated, see this topic for instructions
http://forums.spybot.info/showthread.php?t=2559

GabrielOakUK
2006-05-03, 12:02
Illukka,

Many thanks for this, I have saved a copy of your advice and will implement it later today.

I think (I'll check ) I already have a firewall, Norton anti virus has one and I'm pretty sure and my wirless netgear router has one too.

All the other stuff is great am sorting it today.

Interesting about the email virus, today I got over 30 returns. I am actually looking to chnage my ISP soon anyway so that will stop it!

Not sure if you,ll see this so I'll mail you direct too.

Mate I have really appreciated you help, you've been just great. Nice to know that whilst there ar load of half wits out there creating viruses etc there are good people happy to help, so many, many thanks.

Have a great day.:bigthumb:

illukka
2006-05-07, 00:48
hi

as the problem here is resolved this topic will now be archived

contact the forum staff to get it reopened
this applies to the original poster only, everyone else with similar problems start a new topic

glad we could help :)