My computer is sending hundreds of spam emails when online



shtirlic
2006-12-27, 22:08
I keep getting loads and loads of pop-up messages from Symantec while connected to the internet:

"Your email message was unable to be sent because your mail server rejected the message".

My computer seems to be sending many e-mails with spam. I got so many popups it was impossible to use the computer while online. I've stopped the "out-going message scan" on my antivirus to prevent the little popup messages, but my computer will still be sending the spam. So far I have run many different antivirus programs, 2 free online checks and 2 different adware/spyware removers, but this little guy seems to be avoiding EVERYTHING.

I've searched the net for an answer to no avail. I also checked the archives here, but couldn't find a solution that would work in my case.
My problem is very similar to http://forums.spybot.info/showthread.php?t=6059
Any help at all would be appreciated. My HijackThis log is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 8:54:31 PM, on 12/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\AT-AR215\AT-AR215 USB ADSL WAN Adapter\dslmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\eMule\emule.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\sasha\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163026742312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163029156561
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://amdocs.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks in advance

pskelley
2006-12-28, 15:57
Welcome to the forum. Unfortunately, the symptoms that showed in the HJT log you pointed to do not appear in your HJT log. It may be that the hackers have hidden their dirty work. First I need to point you to this information:
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288
You must have missed it, since I see no log from the required online anti-virus scan. Please follow the directions in this link and post the scan log along with a new HJT log.

I need to know about this item:
O17 - HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142
Do you know what this is? A check of that number comes back with this information:
http://whois.domaintools.com/217.237.148.70
and shows a Blacklist Status: Currently Listed on that address?

Does Symantec/Norton supply a firewall and have you looked to see what is being sent from your computer?

Review the instructions in the "BEFORE you POST" and follow them all, post the scan report and a new HJT log and the information I requested. Include any other information you think will help.

Thanks

shtirlic
2006-12-30, 12:55
Hi,
thanks for the help. Here is a result of scan by Panda Online Scan:

Incident Status Location

Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\sasha\Cookies\sasha@fe.lea.lycos[2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\sasha\Cookies\sasha@toplist[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\sasha\Cookies\sasha@tucows[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\sasha\Cookies\sasha@yadro[2].txt

As I understand it, there is not much.

I also ran Spybot in safe mode: there were 5 items found and I removed them.

Here is hijackthis.log:

Logfile of HijackThis v1.99.1
Scan saved at 11:47:57 AM, on 12/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\AT-AR215\AT-AR215 USB ADSL WAN Adapter\dslmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\sasha\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163026742312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163029156561
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://amdocs.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

About HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142 - I don't know what that is; it appears immediately after I connect to the Internet.

Thanks for your help again,
Alex

shtirlic
2006-12-30, 12:57
Norton reports sending spam to different e-mail addresses, mainly in the Russian language.

pskelley
2006-12-30, 13:54
Hello Alex, and thanks for returning the information I requested and your feedback. Is it possible the language we are dealing with is German? That is what this is pointing to:
217.237.148.70 217.237.149.142; see this information in case you have not already.
remarks: ******************************************************************
remarks: * Abuse Contact: http://www.t-com.de/ip-abuse in case of Spam, *
remarks: * Hack Attacks, Illegal Activity, Violation, Scans, Probes, etc. *
remarks: **********************************************************

It does not look like anyone you would want to have access to your computer, but if you have any doubt, check with your ISP; we will remove it.

I don't see a lot more in your log besides that so I would like to look for a rootkit infection by running Blacklight. We will do this at the end of the instructions.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

2) We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

3) Ad-Aware: Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both of those boxes.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

6) Restart the computer and then follow these instructions:
Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml
Save it to its own folder in the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created
The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).
Please provide the log created by BlackLight in your next reply.

Post that results of the Blacklight scan and a new HJT log. Please let me know how the computer is running now.

Thanks

You should not have a problem, but if you have any connections issues, use these instructions:
If You have connection problems or that 017 item returns:
Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.

You have an out of date Java program, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Download the newest version and uninstall all old versions in Add/Remove Programs. You can update via the Java console in the Control Panel, but if you need a manual link:
http://www.java.com/en/download/manual.jsp

shtirlic
2007-01-01, 18:29
Hi,
Actually, during the last two days after I ran Spybot I don't have the problem anymore :).
I will monitor it for a couple of days; if the problem appears, I will follow the steps you described. Anyway, thanks a lot for your help!
Alex.

pskelley
2007-01-01, 18:36
Sounds good Alex, I want you to have this additional information:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

I will give it a few days before I close the topic.

Thanks...Phil
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

shtirlic
2007-01-03, 00:41
Hi,
it came again :(

I ran all the programs as you said:
Blacklight found nothing.
Once I removed this registry entry with HijackThis, I was not able to access anything on the net while posting in the web browser, and only after reconnecting was it fine again. I think this registry entry is related to my provider.

After some time Norton is simply failing with a message "out of memory" - I believe it's related to the number of the scanned messages.

Here is hijackthis.log:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:37 PM, on 1/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\AT-AR215\AT-AR215 USB ADSL WAN Adapter\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Babylon\Babylon.exe
C:\Documents and Settings\sasha\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163026742312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163029156561
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://amdocs.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

My impression is that this process is hidden as one of the svchost.exe processes.

Any other proposals?
Thanks again,
Alex

pskelley
2007-01-03, 01:13
You can see the item is back in the HJT log; did you follow these instructions:
If you have connection problems or that O17 item returns:
Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.

Sometimes this has to be done several times, use HJT to kill the line and follow those directions:
O17 - HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142

Then visit: http://whois.domaintools.com/217.237.148.70 <<< those folks with your shotgun. Actually, ask your ISP how to add to the "Blacklist" they already have going. Let me know how it goes.


My impression is that this process is hidden as one of the svchost.exe processes.
Look in your TaskManager to see if you can spot anything that should not be there.

Post an uninstall list so we can make sure there is nothing in there you don't know about:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Thanks
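
Two questions in this thread lend themselves to a script: pskelley asks whether the O17 NameServer IPs are the ISP's resolvers or a DNS hijack, and whether Alex has looked at what his computer is sending; Alex suspects the sender hides as one of the svchost.exe processes. The Python below is an added example, not code from HijackThis, Norton or the forum; the 217.237.148.0/22 allowlist prefix and the netstat/tasklist samples are constructed assumptions.

```python
"""Triage helpers for the two questions raised in this thread: which DNS
servers the O17 entry points at, and which process holds the SMTP sessions.
Added example; not HijackThis, Norton or forum code."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# O17 line exactly as HijackThis 1.99.1 prints it (format copied from the log above).
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9. ]+)$")

# Resolvers the ISP is expected to hand out. The thread concludes these two
# belong to the provider (abuse contact t-com.de); the /22 prefix is an
# ASSUMPTION for illustration, not a published range.
ISP_RESOLVER_PREFIXES = ("217.237.148.0/22",)

def parse_o17_nameservers(log_text):
    """Return every NameServer IP listed on O17 lines, in log order."""
    servers = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers.extend(ip_address(s) for s in m.group("servers").split())
    return servers

def unexpected_resolvers(log_text, allowed=ISP_RESOLVER_PREFIXES):
    """IPs from O17 that fall outside the allowlist: DNS-hijack candidates.
    An empty result means 'Fix checked' in HJT would only break name lookup,
    which is what Alex observed."""
    nets = [ip_network(p) for p in allowed]
    return [str(ip) for ip in parse_o17_nameservers(log_text)
            if not any(ip in net for net in nets)]

# 'netstat -ano' row layout on Windows XP: Proto Local Foreign State PID.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")

def smtp_connections_by_pid(netstat_text, port=25):
    """Count live outbound TCP sessions to <port> per PID. With the mail
    client closed a home PC should have none; a spam bot shows dozens."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _, _, remote_port = m.group("remote").rpartition(":")
        if remote_port == str(port) and m.group("state") in ("ESTABLISHED", "SYN_SENT"):
            counts[int(m.group("pid"))] += 1
    return counts

def spamming_pids(netstat_text, tasklist, threshold=5):
    """Map PIDs holding >= threshold SMTP sessions to their image names
    (tasklist is a {pid: name} dict built from 'tasklist /svc'). Several
    svchost.exe instances are normal; one of them sending mail is not."""
    return {pid: tasklist.get(pid, "?")
            for pid, n in smtp_connections_by_pid(netstat_text).items()
            if n >= threshold}

# Constructed samples: the O17 line from the thread, and an invented netstat
# snapshot in which PID 1044 (an svchost.exe) holds six SMTP sessions.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address        Foreign Address      State        PID
  TCP    192.168.2.10:1052    64.233.167.99:80     ESTABLISHED  1780
  TCP    192.168.2.10:1101    198.51.100.7:25      ESTABLISHED  1044
  TCP    192.168.2.10:1102    198.51.100.8:25      SYN_SENT     1044
  TCP    192.168.2.10:1103    203.0.113.21:25      ESTABLISHED  1044
  TCP    192.168.2.10:1104    203.0.113.22:25      ESTABLISHED  1044
  TCP    192.168.2.10:1105    203.0.113.23:25      TIME_WAIT    1044
  TCP    192.168.2.10:1106    203.0.113.24:25      ESTABLISHED  1044
  TCP    192.168.2.10:1107    203.0.113.25:25      ESTABLISHED  1044
  TCP    192.168.2.10:1200    198.51.100.9:25      ESTABLISHED  2340
  UDP    192.168.2.10:1025    *:*                               1044
"""
SAMPLE_TASKLIST = {1044: "svchost.exe", 1780: "firefox.exe", 2340: "outlook.exe"}

if __name__ == "__main__":
    print("O17 resolvers:", [str(ip) for ip in parse_o17_nameservers(SAMPLE_HJT)])
    print("outside ISP allowlist:", unexpected_resolvers(SAMPLE_HJT))
    print("SMTP sessions per PID:", dict(smtp_connections_by_pid(SAMPLE_NETSTAT)))
    print("likely spam sender:", spamming_pids(SAMPLE_NETSTAT, SAMPLE_TASKLIST))
```

On the real machine, feed it the saved HJT log and the output of `netstat -ano` and `tasklist /svc`; a single svchost.exe PID with many port-25 sessions is the process to look at in Task Manager.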

shtirlic
2007-01-03, 10:02
Hi,
The settings of the connection are exactly as described (automatic).
Anyway, once I remove it from the registry a new browser window is not connected to the Internet, but the old one is still OK.

The uninstall list is:

Ad-Aware SE Professional
Adobe Acrobat 4.0
Adobe MPEG Encoder
Adobe Photoshop 5.5
Adobe Premiere 6.5
Adobe Shockwave Player
Advanced RealMedia Export Plug-in for Premiere 6.0
ArcSoft ShowBiz DVD 2
AT-AR215 USB ADSL WAN Adapter
Babylon
BSPlayer
Call of Duty
CC_ccProxyExt
ccCommon
ccPxyCore
Citrix Program Neighborhood
Creative WebCam Pro eX Driver (1.00.09.0821)
DivX Player
DivX Pro Codec
DivX User Guide
Dr.DivX
eMule
HijackThis 1.99.1
Hotfix for Windows XP (KB926239)
HP DVD Movie Writer
HP DVD Movie Writer Capture Device
HP Software Update
J2SE Development Kit 5.0 Update 8
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_12
Java 2 SDK, SE v1.4.2_12
Kesha - Taiti
K-Lite Codec Pack 2.69 Full
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Lizardtech DjVu Control
Macromedia Flash Player 8
Magic ISO Maker v4.9 (build 0144)
MailDownloader_v3.14
MailDownloader_v3.15
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Media Video 9 VCM
Mozilla Firefox (2.0.0.1)
MSRedist
muvee autoProducer 3.0 - HPC
Nero 6 Ultra Edition
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2005
Norton CleanSweep
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Norton WMI Update
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
Pando
PowerDVD
QuickTime
RealPlayer
RecordNow!
Scholastic's I SPY Treasure Hunt
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Skype 2.0
SolSuite
Sonic Simple Backup
Sonic Update Manager
SPBBC
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Stronghold Crusader
SubRip 1.17.1 (remove only)
Subtitle Workshop 2.50
Symantec Script Blocking Installer
SymNet
System Alert Popup
TC Native Essentials 2.02
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
WebEx
WebSite-Watcher 4.10 Beta-10
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
XoftSpy
Zuma Deluxe RA

Is it possible somehow to just block all outgoing e-mails?

I didn't understand your post related to the IP. What can I do about this blacklist?

Thanks,
Alex

pskelley
2007-01-03, 16:42
Hi Alex, I am not sure from your comments at the beginning of this post whether you were successful in removing that item.

Uninstall list, I will post what I suggest. You might want to take a good look at the list, it's a good time to clean out stuff you no longer use. Here is what I see:

eMule <<< file sharing is a quick way to get infected, also illegal at times:
http://pcpitstop.com/spycheck/p2p.asp

J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_12
Java 2 SDK, SE v1.4.2_12

I posted this for you before???
You have an out of date Java program, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

I see you are downloading codecs; you may want to read this information:
http://forums.spybot.info/showthread.php?t=7344

MailDownloader_v3.14
MailDownloader_v3.15
What are those? This is what I get when I google MailDownloader_v3.14
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=MailDownloader%5fv3%2e14
If you did not put that there, I would uninstall it.

Quite a few programs I do not recognize, look that list over good.

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=how+to+block+outgoing+email

I encourage you to involve your ISP in this, they may be able to advise you. Ask them what to do about the blacklist, I believe what they are doing is illegal.

Something here might help you:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=how+to+add+to+domain+blacklist

Take a look at these tools: http://www.domaintools.com/ especially this free one:
http://www.domaintools.com/monitor/

Let me know how you are doing; has the junk stayed out of the HJT log this time?

Thanks

shtirlic
2007-01-05, 01:42
Hi,
I found an interesting thing.
I've installed the EmailSupervisor program and I block all outgoing e-mails.
It was reporting that all e-mails were sent by explorer.exe! So I created a rule to block all e-mails sent by explorer, and the full info looks like:

Windows Explorer, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
C:\WINDOWS\explorer.exe

I checked this program and I don't see that it was changed in the last half year (at least the create and edit dates are old).
Any idea what it could be? How do I track what is going on?

Thanks, Alex
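
The attribution EmailSupervisor is doing (which process owns the socket that talks to the mail server) can be cross-checked with the tools already on Windows XP: `netstat -ano` lists every connection with its owning PID (`netstat -b` adds the image name), `tasklist` maps PIDs to image names, and `tasklist /m` lists the DLLs loaded in a process. The script below is an added example, not code from this thread or from EmailSupervisor; it parses constructed sample output of those two commands (the column layout is the XP SP2 one) and lists every process with a TCP connection to a mail port. Run it in a loop while the Symantec pop-ups are appearing, because a spam bot only has sockets open while it is sending.

```python
"""Attribute outbound mail connections to processes from `netstat -ano` and `tasklist` output.

Added example with constructed sample output; nothing here comes from the thread's logs.
"""

SMTP_PORTS = {25, 465, 587}   # SMTP, SMTPS and message submission

# Constructed sample of `netstat -ano` on Windows XP SP2 (PIDs and addresses are made up).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1044       64.12.138.161:25       SYN_SENT        1412
  TCP    192.168.1.5:1045       209.85.135.27:25       ESTABLISHED     1412
  TCP    192.168.1.5:1051       66.249.91.99:80        ESTABLISHED     2208
  TCP    192.168.1.5:1060       192.168.1.1:53         TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output for the same (made-up) PIDs.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
explorer.exe                1412 Console                 0     23,456 K
firefox.exe                 2208 Console                 0     61,212 K
"""


def parse_netstat(text):
    """Return one dict per connection line; UDP lines have no State column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ('TCP', 'UDP'):
            continue
        if fields[0] == 'TCP' and len(fields) == 5:
            proto, local, remote, state, pid = fields
        elif fields[0] == 'UDP' and len(fields) == 4:
            proto, local, remote, pid = fields
            state = ''
        else:
            continue
        host, _, port = remote.rpartition(':')   # '*:*' for unconnected UDP sockets
        rows.append({'proto': proto, 'local': local, 'remote_host': host,
                     'remote_port': int(port) if port.isdigit() else None,
                     'state': state, 'pid': int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name. Image names may contain spaces, so split from the right."""
    pids = {}
    for line in text.splitlines():
        parts = line.rsplit(None, 5)             # name, PID, session, session#, mem, 'K'
        if len(parts) != 6 or not parts[1].isdigit():
            continue
        pids[int(parts[1])] = parts[0].strip()
    return pids


def mail_connections(netstat_text, tasklist_text):
    """Return sorted (image, pid, remote, state) tuples for TCP connections to a mail port."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        if row['proto'] == 'TCP' and row['remote_port'] in SMTP_PORTS:
            hits.append((names.get(row['pid'], '<unknown pid %d>' % row['pid']),
                         row['pid'],
                         '%s:%d' % (row['remote_host'], row['remote_port']),
                         row['state']))
    return sorted(hits)


def senders_by_image(netstat_text, tasklist_text):
    """Count mail connections per process image; a shell or browser with many is the suspect."""
    counts = {}
    for image, _pid, _remote, _state in mail_connections(netstat_text, tasklist_text):
        counts[image] = counts.get(image, 0) + 1
    return counts


if __name__ == '__main__':
    # On a live XP box replace the samples with the real output, e.g. from
    # `netstat -ano > n.txt` and `tasklist > t.txt`, and read the two files.
    for image, pid, remote, state in mail_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print('%-20s pid %-5d -> %-22s %s' % (image, pid, remote, state))
```

One caveat a practitioner would add: the socket owner being explorer.exe does not mean the explorer.exe file on disk was altered. Code injected into the Explorer process (a DLL or a remote thread) shows up under the same PID, which is consistent with the unchanged file dates reported above, so the next step is `tasklist /m /fi "pid eq <pid>"` to list the modules loaded in that process and to look for any that do not live under system32 or Program Files, rather than swapping the executable.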

pskelley
2007-01-05, 02:27
Maybe something here will help:
http://experts.about.com/q/Microsoft-Internet-Explorer-1054/IE-6-0-2900-1.htm

Have you considered downloading Internet Explorer 7?
http://www.microsoft.com/windows/ie/default.mspx?mg_id=10017
http://www.microsoft.com/windows/ie/downloads/default.mspx

Thanks

shtirlic
2007-01-05, 23:12
Hi,
I'm a bit confused: you're talking about Windows Internet Explorer?
The problem, as I understand it, is in Windows Explorer. I don't think there's a problem in the browser. Currently I'm using the new Mozilla.
Thanks, Alex

pskelley
2007-01-06, 00:27
OK, let's have a new look at this. Keep in mind you are working with one computer and I am working with around twenty or so right now.

The first thing I want to know is what are these programs you have installed on your computer? This is the google:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=MailDownloader%5fv3%2e14
MailDownloader_v3.14
MailDownloader_v3.15

Please follow the directions in the link:
http://forums.security-central.us/showthread.php?t=3165

Follow these directions:
Thanks to sUBs and anyone who helped with this fix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

If the log is large you might need to post half in one reply and half in another.
Post the AVG Anti-Spyware scan results, the ComboFix log, a new HJT log and information about the two programs I asked about.

Thanks

shtirlic
2007-01-06, 23:01
Hi,
I've removed those programs.
The result of AVG:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 01:20 07-01-06
+ Scan result:

HKLM\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\5&2f85662e&0\Control\\ActiveService -> Adware.GoodByeSpyware : No action taken.
:mozilla.157:C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.67:C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.161:C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.162:C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.150:C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.177:C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.54:C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.192:C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.193:C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.158:C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt -> TrackingCookie.Ivwbox : No action taken.
:mozilla.66:C:\Documents and Settings\sasha\Application Data\Mozilla\Firefox\Profiles\ew9na0n6.default\cookies.txt -> TrackingCookie.Spylog : No action taken.

::Report end

Result of the ComboFix:

sasha - 07-01-06 1:21:37.00 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\sasha\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-06 to 2007-01-06 ))))))))))))))))))))))))))))))))))


2007-01-06 00:27 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-06 00:27 <DIR> d-------- C:\Program Files\Grisoft
2007-01-04 21:55 46,880 --a------ C:\WINDOWS\system32\unmail.exe
2007-01-04 21:55 <DIR> d-------- C:\Program Files\EmailSupervisor
2006-12-28 23:36 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-28 23:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-28 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-27 08:56 <DIR> d-------- C:\Program Files\Scooby-Doo. Showdown In Ghost Town
2006-12-26 12:04 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2006-12-26 12:00 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-12-26 12:00 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2006-12-25 22:32 <DIR> d-------- C:\Documents and Settings\sasha\Application Data\Mozilla
2006-12-25 22:31 <DIR> d-------- C:\Program Files\Mozilla Firefox
2006-12-25 17:14 <DIR> d-------- C:\Program Files\SymNetDrv
2006-12-25 16:39 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-12-25 16:39 <DIR> d-------- C:\Program Files\Norton Internet Security
2006-12-25 16:37 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-12-25 16:37 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-12-25 16:37 <DIR> d-------- C:\Program Files\Symantec
2006-12-25 16:37 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-25 15:59 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-12-25 00:22 <DIR> d-------- C:\Program Files\SpywareBlaster
2006-12-24 20:26 314,368 --a------ C:\WINDOWS\IsUninstR.Exe
2006-12-24 18:48 <DIR> d-------- C:\Program Files\a-squared Free
2006-12-24 18:42 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2006-12-09 12:35 <DIR> d-------- C:\cygwin

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-01-06 01:18 -------- d-------- C:\Program Files\eMule
2007-01-04 23:54 -------- d-------- C:\Program Files\Common Files
2007-01-04 21:54 -------- d-------- C:\Program Files\MailUtilities
2007-01-04 21:50 -------- d-------- C:\Program Files\Java
2007-01-02 23:32 -------- d-------- C:\Program Files\Babylon
2006-12-29 00:36 -------- d-------- C:\Program Files\WinRAR
2006-12-29 00:36 -------- d-------- C:\Program Files\Windows Defender
2006-12-29 00:26 -------- d-------- C:\Program Files\Internet Explorer
2006-12-27 08:56 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-26 13:23 -------- d-------- C:\Program Files\Windows Media Player
2006-12-23 00:23 -------- d-------- C:\Program Files\FlashGet
2006-12-23 00:15 -------- d-------- C:\Program Files\XoftSpy
2006-12-14 01:00 -------- d-------- C:\Program Files\Outlook Express
2006-12-14 01:00 -------- d-------- C:\Program Files\Common Files\System
2006-12-04 22:53 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-24 23:48 -------- d-------- C:\Program Files\URUSoft
2006-11-24 23:46 -------- d-------- C:\Program Files\SubRip
2006-11-19 20:57 12208 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-11-17 20:19 -------- d-------- C:\Documents and Settings\sasha\Application Data\Canon
2006-11-17 19:58 -------- d-------- C:\Program Files\MacroVirus
2006-11-14 16:33 -------- d-------- C:\Program Files\Math
2006-11-10 03:14 -------- d-------- C:\Program Files\Messenger
2006-11-09 01:56 96256 --a------ C:\WINDOWS\system32\drivers\sptd3757.sys
2006-11-09 01:33 -------- d-------- C:\Program Files\Movie Maker
2006-11-09 01:27 -------- d-------- C:\Program Files\Windows NT
2006-11-09 01:27 -------- d-------- C:\Program Files\NetMeeting
2006-11-08 06:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-10-19 14:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-10-18 21:47 991744 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 21:47 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-10-18 21:47 767488 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-10-18 21:47 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-10-18 21:47 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
2006-10-18 21:47 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 21:47 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 21:47 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-10-18 21:47 542720 --a------ C:\WINDOWS\system32\blackbox.dll
2006-10-18 21:47 535040 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 429056 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 21:47 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-10-18 21:47 4096 --------- C:\WINDOWS\system32\MP4SDMOD.dll
2006-10-18 21:47 4096 --------- C:\WINDOWS\system32\MP43DMOD.dll
2006-10-18 21:47 38400 --------- C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-10-18 21:47 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-10-18 21:47 356352 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-10-18 21:47 348672 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 21:47 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 21:47 321536 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-10-18 21:47 317440 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-10-18 21:47 284160 --------- C:\WINDOWS\system32\PortableDeviceApi.dll
2006-10-18 21:47 276992 --a------ C:\WINDOWS\system32\audiodev.dll
2006-10-18 21:47 27136 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 21:47 2603008 --------- C:\WINDOWS\system32\WpdShext.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-10-18 21:47 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-10-18 21:47 229376 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-10-18 21:47 222208 --a------ C:\WINDOWS\system32\WMASF.dll
2006-10-18 21:47 212992 --------- C:\WINDOWS\system32\MFPLAT.dll
2006-10-18 21:47 211456 --a------ C:\WINDOWS\system32\qasf.dll
2006-10-18 21:47 199168 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-10-18 21:47 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-10-18 21:47 175616 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-10-18 21:47 166912 --------- C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-10-18 21:47 1574912 --------- C:\WINDOWS\system32\WMVENCOD.dll
2006-10-18 21:47 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-10-18 21:47 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 21:47 1543680 --------- C:\WINDOWS\system32\WMVDECOD.dll
2006-10-18 21:47 1382912 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-10-18 21:47 133632 --------- C:\WINDOWS\system32\WPDShServiceObj.dll
2006-10-18 21:47 1329152 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-10-18 21:47 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-10-18 21:47 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-10-18 21:47 1117696 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-10-18 21:47 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-10-18 20:03 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-10-18 20:00 249856 --------- C:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-13 13:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 13:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 13:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"2kadiras"="2kadiras.exe"
@=""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"EmailSupervisor"="rundll32 EmailSupervisor.dll, DoAutoRun"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}"="Network Neighborhood"
"{3c767c6b-602d-4b9b-829d-a3dc5b2d89dd}"="haematobia"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - sasha.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 07-01-06 1:24:41.00
C:\ComboFix.txt ... 07-01-06 01:24

shtirlic
2007-01-06, 23:02
Logfile of HijackThis v1.99.1
Scan saved at 8:41:49 AM, on 1/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\AT-AR215\AT-AR215 USB ADSL WAN Adapter\dslmon.exe
C:\Program Files\Babylon\Babylon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\sasha\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [2kadiras] 2kadiras.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163026742312
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163029156561
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://amdocs.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

It's strange: for the last two days (since I've installed the e-mail blocker) it seems again that no e-mails are sent.
Is it possible to replace my explorer.exe with a surely good one?

Thanks for your help.

pskelley
2007-01-07, 00:01
OK, let's look at what you have to say:

It's strange: for the last two days (since I've installed the e-mail blocker) it seems again that no e-mails are sent.
I would say to continue to monitor until you are sure this has stopped.


Is it possible to replace my explorer.exe with a surely good one?
Could you say that again, I am not sure I understand your question.

This item is back in the log. Please look at the information I provided in the link; if you do not know why it is in the log, ask your Internet Service Provider if they do. If they do not, and you do not know why it is there, then use HJT to remove the line.
http://whois.domaintools.com/217.237.148.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142
Then see this information:
http://www.updatexp.com/dns-windows-xp.html
More information:
http://www.tech-faq.com/flush-dns.shtml

Your Java program needs to be updated:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_09\ <<< out of date

For some reason you chose "No action taken"; please scan again and delete, or at least quarantine, what you find. Most are cookies, but the first item looks suspicious.

C:\WINDOWS\system32\unmail.exe <<< scan this item to make sure it is safe
http://virusscan.jotti.org/

C:\Program Files\EmailSupervisor <<<< is this the program you installed to monitor? What kind of results are you getting from the monitoring?

If you would like to try another rootkit scan in case Blacklight missed something, you can try this one.

* Click here to download AVG Anti Rootkit and save it to your desktop.
http://beta.grisoft.cz/beta/betarep.files/antirootkit/AVG_AntiRootkit_1.0.0.13.exe
Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
Click "I Agree" to agree to the EULA.
By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
Click "Next" to begin the installation then click "Install".
It will then ask you to reboot now to finish the installation.
Click "Finish" and your computer will reboot.
After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
Click on the "Perform in-depth search" button to begin the scan.
The scan will take a while so be patient and let it complete.
When the scan is finished, click the "Save result to file" button.
Save the scan results to your desktop then come back here to copy and paste the results in your next reply to this thread.

Thanks

shtirlic
2007-01-09, 23:01
Hi,
the problem comes back every 2-3 days, then disappears.

1. O17 - HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142 -
I'm not able to remove it, after removal and reconnection it's coming back.

2. I've updated Java.

3. unmail.exe - I scanned it, it's fine. I think it's related to the EmailSupervisor program. This program, as I mentioned before, is blocking all outgoing e-mails from my PC. It's reporting that the spam e-mails are sent by explorer.exe. What I meant by my question: is it safe to replace my current explorer.exe with a proven good executable? Because I suspect it was hacked.

4. I've also scanned with AVG_AntiRootkit - no results :(

Thanks again,
Alex

pskelley
2007-01-09, 23:14
Have you asked your Internet Service Provider for help removing that as I suggested?

If they don't know how, all I can think of is to edit the registry. I will supply a free tool and instructions. You must execute the instructions carefully. You must also back up your registry before doing this. If you have any doubts about your ability to do this, then ask someone with more computer experience to assist.

Here are the instructions for backing up your registry:
Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL
________________________________________

Here is the link to the tool, this tool is probably going to find other junk, follow the directions and remove the junk it suggests. This is the item you are after:
HKLM\System\CCS\Services\Tcpip\..\{686D2A3C-008D-40E4-8F9F-0017BCA60D5A}: NameServer = 217.237.148.70 217.237.149.142 - Try deleting just the stuff in red to see what happens.

_______________________________________

Here is the link to the tool and the instructions:
http://www.hoverdesk.net/freeware.htm

I recommend you download RegSeeker. Extract it to its own folder, open it and double click RegSeeker.exe to start the program. Maximize the window and click clean registry. Check all sections and click OK. When the scan is complete, verify the backup box in the lower left corner is checked and click the select all button, then select all again. Then right click within the search results and select delete. Run it again and again, deleting everything it finds until it finds nothing. Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc. (basically just do a quick check of everything). In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back. A reboot may be required for the effects to be seen. Reboot when done.

Let me know how things turn out, you still may need to clean the item from the HJT log using HJT?

Thanks
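
An added example, not part of this thread or of any tool mentioned in it: a PowerShell script that does the two things the posts above describe by hand. It exports the Tcpip\Parameters key as a backup (the scripted form of the regedit File > Export step) and then walks every interface GUID under that key, which is where the "O17 ... NameServer" line HijackThis reports comes from, flagging any hard-coded NameServer that is not on a list of resolvers you expect. Clearing a flagged value and flushing the resolver cache is opt-in via -Fix. The $ExpectedResolvers default is a constructed placeholder; put the addresses your ISP or router actually hands out there (take them from a known-clean machine or ask the ISP). Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example (not from the thread): audit the per-interface DNS settings
  that HijackThis reports as "O17" lines, back up the registry key first, and
  only with -Fix clear a static NameServer and flush the resolver cache.
  $ExpectedResolvers is a constructed placeholder; replace it with the
  resolvers your ISP or router really assigns.
#>
param(
    [string[]]$ExpectedResolvers = @('192.168.1.1'),   # placeholder, replace
    [switch]$Fix
)

$IfKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$RegKey = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. Back up the key before any change, limited to the key that holds the O17 data.
$Backup = Join-Path ([Environment]::GetFolderPath('Desktop')) `
          ("Tcpip-Parameters-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
reg.exe export $RegKey $Backup /y | Out-Null
if (-not (Test-Path $Backup)) { throw "Registry backup failed; not continuing." }
Write-Host "Backup written to $Backup"

# 2. Walk every interface GUID. NameServer is a hard-coded resolver list that
#    overrides DhcpNameServer (what the DHCP server handed out). A static
#    NameServer not on the expected list is what an O17 hijack looks like.
$Suspicious = @()
foreach ($iface in Get-ChildItem $IfKey) {
    $p      = Get-ItemProperty -Path $iface.PSPath
    $guid   = $iface.PSChildName
    $static = [string]$p.NameServer
    $dhcp   = [string]$p.DhcpNameServer

    if ($dhcp) { Write-Host ("{0}: DHCP NameServer   = {1}" -f $guid, $dhcp) }
    if (-not $static) { continue }

    $bad = @($static -split '[ ,]+' | Where-Object { $_ -and ($ExpectedResolvers -notcontains $_) })
    if ($bad.Count -gt 0) {
        Write-Warning ("{0}: static NameServer = {1}  <-- not in expected list" -f $guid, $static)
        $Suspicious += $iface
    } else {
        Write-Host ("{0}: static NameServer = {1}" -f $guid, $static)
    }
}

# 3. Remediation is opt-in. An empty NameServer makes the interface fall back
#    to DHCP; flushing the cache drops answers the rogue resolver already gave.
if ($Fix -and $Suspicious.Count -gt 0) {
    foreach ($iface in $Suspicious) {
        Set-ItemProperty -Path $iface.PSPath -Name NameServer -Value ''
        Write-Host ("Cleared static NameServer on {0}" -f $iface.PSChildName)
    }
    ipconfig.exe /flushdns | Out-Null
    Write-Host "Resolver cache flushed. Re-run this script after the next reconnect."
} elseif ($Suspicious.Count -gt 0) {
    Write-Host "Suspicious entries found; re-run with -Fix to clear them (backup at $Backup)."
} else {
    Write-Host "No unexpected static resolvers found."
}
```

Two points worth keeping in mind when reading its output. A static NameServer that matches the ISP's own resolvers is not a finding, which is why the post above says to ask the ISP first. And an entry that reappears after every reconnect, as in this thread, means something that runs at connect time is rewriting the value; running the script before and after a reconnect shows whether the change is tied to that event, and the .reg backup lets you put the original value back if clearing it breaks name resolution.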

shtirlic
2007-01-15, 22:03
Hi,
I ran this program - about 1000 items were cleaned.
There are still 350 which are not removed even after a number of runs.
The server entry is still there - it appears again and again after the internet connection.
I will monitor whether e-mails are sent over the next few days.
Thanks for your help anyway.

shtirlic
2007-01-15, 22:18
Hi,
just after my previous post it appeared again :( - it's reporting that explorer.exe is sending spam e-mails.
What do you think about replacing this exe with a new one?
Thanks, Alex

pskelley
2007-01-15, 23:37
Alex, I am just not sure how to fix this one. Have you considered a reformat? Please go back over the instructions from the beginning to make sure you have followed all directions. Then post a new HJT log giving me as much information as possible and I will look at it again.

Thanks

pskelley
2007-01-16, 00:03
Once you have looked to make sure you did not miss any of the earlier instructions, please follow these:

Download MWAV from here: http://www.mwti.net/products/mwav/mwav.asp

Select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.
During this period the tool will scan and clean what it finds. See if you can save the results in the lower pane to post for me so I can see what it located and removed if possible.

Thanks

tashi
2007-01-24, 21:05
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.