
Help... Symantec keeps sending email

Hi, Symantec keeps sending dozens of mails to unknown email addresses once I connect to the internet. I have scanned lots of times with different antivirus software and a few anti-spyware programs; nothing was found. Please help.

This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:21:28 PM, on 5/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Elantech\ktp.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Julyn\LOCALS~1\Temp\Rar$EX00.078\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [KTPWare] C:\Program Files\Elantech\ktp.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVD43] C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132502234640
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4759/mcfscan.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

julyn13
Newbie Poster
3 posts since May 2006
Reputation Points: 10
Solved Threads: 0
 

I don't see any signs of infections in your log. What exactly do you mean when you say: "symantec keeping dozen of mail"? Please post any and all details possible.

DMR
Wombat At Large
Team Colleague
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
 
I don't see any signs of infections in your log. What exactly do you mean when you say: "symantec keeping dozen of mail"? Please post any and all details possible.

Every time I connect to the internet, my Outlook Express starts to send emails out, in dozens. I have my antivirus scan the outgoing mail, therefore all the scanning boxes pop up. A few minutes later, Symantec gives me error messages saying the server was unable to connect.

Each time the email addresses stated are unknown, and the mails are definitely not sent by me. It continues for around 30 minutes, then stops. But if I restart my computer, it comes again. I also had my computer scanned thousands of times by different antivirus programs, but they don't seem to find anything.

There must be something, because when I sent a file to my friend, he got the same problem as me.

julyn13
Newbie Poster
3 posts since May 2006
Reputation Points: 10
Solved Threads: 0
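The outgoing mail the post above describes (dozens of messages to addresses the user never typed, every time the machine goes online) is best attributed to a process before trusting any on-demand scanner, since Symantec's outgoing-mail scan reacts to SMTP traffic rather than to Outlook Express specifically. On Windows XP SP2, `netstat -ano` lists every TCP connection together with its owning PID. The script below is an added example written for this page, not code from anyone in the thread: it parses that output and counts, per PID, the distinct remote hosts contacted on an SMTP port. The netstat lines embedded in it are constructed, and the PIDs and addresses are hypothetical.

```python
"""Attribute outbound SMTP connections to the process that owns them.

Added example for this thread, not code posted by anyone in it. It parses
the output of `netstat -ano` (Windows XP SP2 and later) and counts, per PID,
how many distinct remote hosts are being contacted on an SMTP port. A mass
mailer with its own SMTP engine shows up as one PID fanning out to many
remote mail servers; a mail client sending a few real messages talks to a
single configured relay.
"""
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}

# Constructed sample of `netstat -ano` output. The PIDs and addresses are
# hypothetical and chosen for illustration only.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      192.168.1.1:25         ESTABLISHED     1832
  TCP    192.168.1.10:1052      64.12.138.162:25       SYN_SENT        3468
  TCP    192.168.1.10:1053      65.54.245.8:25         SYN_SENT        3468
  TCP    192.168.1.10:1054      209.85.135.27:25       ESTABLISHED     3468
  TCP    192.168.1.10:1055      216.239.59.27:25       SYN_SENT        3468
  TCP    192.168.1.10:1056      66.94.237.64:25        SYN_SENT        3468
  TCP    192.168.1.10:1060      203.0.113.50:80        ESTABLISHED     2204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  UDP    0.0.0.0:445            *:*                                    4
"""

# One TCP row: local endpoint, remote endpoint, state, owning PID.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); also handles the '[::1]:25' IPv6 form."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def smtp_peers_by_pid(netstat_text):
    """Return {pid: set of remote hosts} for TCP connections to an SMTP port."""
    peers = defaultdict(set)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") == "LISTENING":
            continue
        host, port = split_endpoint(m.group("remote"))
        if port in SMTP_PORTS:
            peers[int(m.group("pid"))].add(host)
    return dict(peers)


def suspected_mailers(netstat_text, threshold=3):
    """(pid, peer count) for PIDs talking to at least `threshold` distinct SMTP hosts, busiest first."""
    peers = smtp_peers_by_pid(netstat_text)
    hits = [(pid, len(hosts)) for pid, hosts in peers.items() if len(hosts) >= threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for pid, count in suspected_mailers(SAMPLE_NETSTAT):
        print(f'PID {pid}: {count} distinct SMTP peers; identify it with tasklist /fi "PID eq {pid}"')
```

Run `netstat -ano > net.txt` while the storm is in progress and feed the file to `suspected_mailers`, then map the PID to an image name with `tasklist /fi "PID eq N"` (XP Professional) before killing anything. A known mail client talking to its one configured relay is normal; any other PID fanning out to many mail servers is what to look for, and its image path is what to hand to the scanners.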
 

Let's look a little deeper:

* Download RootkitRevealer into a new folder of its own and unzip the contents of the downloaded file into that folder.
* Open the RootkitRevealer.exe program and click on the "Scan" button in the lower right-hand corner of the main window. When the scan completes, the findings (if any) will be displayed.
* If the program does find malicious items, click on the "File" menu option at the top left of the program window and choose the "Save..." option. Save the scan report file in the RootkitRevealer folder you created; the file will be named RootkitRevealer.txt.
* Double-click on the txt file to open it in Notepad and then Cut-N-Paste the contents of the file into your next post here.

* Download SilentRunners.vbs, save it into its own folder, and then double-click on it to run it. If you get a warning prompt about running script files, choose to allow the script to run. It will save a log file into the Silent Runners folder; post that log along with the RootkitRevealer report.

DMR
Wombat At Large
Team Colleague
7,229 posts since Dec 2003
Reputation Points: 221
Solved Threads: 370
 

Silent Runners:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Skype" = ""D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LaunchApp" = "Alaunch" ["Acer Inc."]
"KTPWare" = "C:\Program Files\Elantech\ktp.exe" ["ELANTECH Devices Corp."]
"PCMService" = ""C:\Program Files\Arcade\PCMService.exe"" ["CyberLink Corp."]
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]
"LManager" = "C:\PROGRA~1\LAUNCH~1\LManager.exe" ["Dritek System Inc."]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"eRecoveryService" = "C:\Acer\Empowering Technology\eRecovery\Monitor.exe" ["acer Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"FinePrint Dispatcher v4" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe" ["FinePrint Software, LLC"]
"IMEKRMIG6.1" = "C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"DVD43" = "C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe /hidden" ["Fengtao Software Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{93994DE8-8239-4655-B1D1-5F4E91300429}" = (no title provided)
-> {HKLM...CLSID} = "DVDIdleShell Class"
\InProcServer32\(Default) = "C:\PROGRA~1\DVDREG~1\DVDShell.dll" ["Fengtao Software Inc."]
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {HKLM...CLSID} = "SpywareGuard.Handler"
\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "c:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktop"=dword:00000001
[disables Active Desktop; removes Web tab from Display Properties|
Desktop (tab)|Customize Desktop... (button)|Desktop Items (window)]
{User Configuration|Administrative Templates|Desktop|Active Desktop|
Disable Active Desktop}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop disabled via Group Policy.
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Julyn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Startup items in "Julyn" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\Julyn\Start Menu\Programs\Startup
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"ATI CATALYST System Tray" -> shortcut to: "C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]
"Bluetooth" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Event Planner Reminders Tray Icon" -> shortcut to: "C:\Program Files\Sierra\Planner\Plnrnote.exe" ["Creative Home"]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
Dormant Explorer Bars in "View, Explorer Bar" menu
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Service, btwdins, "c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Notebook Manager Service, anbmService, "C:\Acer\eManager\anbmServ.exe" ["OSA Technologies Inc."]
OFPZ, OFPZ, "C:\DOCUME~1\Julyn\LOCALS~1\Temp\OFPZ.exe" ["Sysinternals - www.sysinternals.com "]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation."]
Canon BJ Language Monitor i550\Driver = "CNMLM49.DLL" ["CANON INC."]
FPR4:\Driver = "fpmon4.dll" ["FinePrint Software, LLC"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
PRTmate\Driver = "PRTmate.dll" [null data]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 97 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 141 seconds)


RootkitRevealer:

HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Status 5/17/2006 2:26 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 5/17/2006 2:24 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sysbus32 5/17/2006 2:25 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sysbus32 5/17/2006 2:25 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS 11/21/2005 9:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#ivillage.com 1/5/2006 3:29 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#ivillage.com\SETTINGS.SOL 1/5/2006 3:29 PM 82 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#LOCAL 2/10/2006 10:49 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#LOCAL\SETTINGS.SOL 2/10/2006 10:49 PM 75 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#LOREAL.COM 3/13/2006 10:12 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#loreal.com.sg 12/8/2005 11:00 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#loreal.com.sg\SETTINGS.SOL 12/8/2005 11:00 PM 83 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#LOREAL.COM\SETTINGS.SOL 3/13/2006 10:12 PM 80 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#mediaonenetwork.net 12/22/2005 7:21 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#mediaonenetwork.net\SETTINGS.SOL 12/22/2005 7:21 PM 89 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#NOKIA.COM 2/28/2006 10:19 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\#NOKIA.COM\SETTINGS.SOL 2/28/2006 10:19 PM 79 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\# www.emocorp.com 2/4/2006 3:48 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\# www.emocorp.com\SETTINGS.SOL 2/4/2006 3:48 PM 85 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\# www.magicmushroomfarm.com 12/30/2005 3:18 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\# www.magicmushroomfarm.com\SETTINGS.SOL 12/30/2005 3:18 PM 95 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\# www.youtube.com 4/29/2006 9:23 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\# www.youtube.com\SETTINGS.SOL 4/29/2006 9:23 PM 85 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\SETTINGS.SOL 2/19/2006 8:32 PM 492 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf 5/17/2006 2:36 PM 16.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\AUTORUN\Drivers\Audio\Sys 9/16/2005 11:33 AM 0 bytes Hidden from Windows API.
C:\WINDOWS\SYSTEM32\AUTORUN\Drivers\Audio\Sys\CleanUp.exe 4/17/2002 2:05 PM 44.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\AUTORUN\Drivers\Audio\Sys\DSndUp.exe 12/8/2004 4:16 PM 48.00 KB Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\CRT\SRC\SYS 2/16/2006 12:31 AM 0 bytes Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\CRT\SRC\SYS\LOCKING.H 3/19/2003 9:49 AM 1.33 KB Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\CRT\SRC\SYS\STAT.H 3/19/2003 9:49 AM 5.40 KB Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\CRT\SRC\SYS\TIMEB.H 3/19/2003 9:49 AM 2.96 KB Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\CRT\SRC\SYS\TYPES.H 3/19/2003 9:49 AM 2.02 KB Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\CRT\SRC\SYS\UTIME.H 3/19/2003 9:49 AM 3.61 KB Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\INCLUDE\SYS 2/16/2006 12:33 AM 0 bytes Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\INCLUDE\SYS\LOCKING.H 5/31/2002 2:28 PM 997 bytes Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\INCLUDE\SYS\STAT.H 5/31/2002 2:28 PM 4.58 KB Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\INCLUDE\SYS\TIMEB.H 5/31/2002 2:28 PM 2.18 KB Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\INCLUDE\SYS\TYPES.H 5/31/2002 2:28 PM 1.50 KB Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\INCLUDE\SYS\UTIME.H 5/31/2002 2:28 PM 2.80 KB Hidden from Windows API.

julyn13
Newbie Poster
3 posts since May 2006
Reputation Points: 10
Solved Threads: 0
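The instructions earlier in the thread ask for a RootkitRevealer report, and the one posted above mixes a genuinely alarming finding with the usual noise. The script below is an added example written for this page, not code from anyone in the thread: it parses RootkitRevealer's one-discrepancy-per-line output and assigns each entry a verdict with its reason. A whole service key that exists in the raw hive but is hidden from the registry API (here `sysbus32`, present in both control sets) is the classic kernel-mode rootkit signature and is marked critical. Treating the other entries as noise is an assumption, stated in each rule's reason string so it can be checked by hand rather than trusted; the identification of `d347prt` as a virtual-drive driver is likewise an assumption. The sample lines are copied from the posted report.

```python
"""Triage a RootkitRevealer report: hidden service keys versus noise.

Added example for this thread, not code posted by anyone in it.
RootkitRevealer prints one discrepancy per line: path, timestamp, size and
description. A whole service key that exists in the raw hive but is hidden
from the registry API is the classic kernel-mode rootkit signature. Most
other discrepancies are timing artifacts or known noise that still deserve
a manual look, so every verdict carries its reason.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample lines copied from the report posted in this thread.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Status 5/17/2006 2:26 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 5/17/2006 2:24 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sysbus32 5/17/2006 2:25 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sysbus32 5/17/2006 2:25 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Julyn\Application Data\Macromedia\Flash Player\macromedia.com\SUPPORT\flashplayer\SYS\# www.youtube.com\SETTINGS.SOL 4/29/2006 9:23 PM 85 bytes Hidden from Windows API.
C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf 5/17/2006 2:36 PM 16.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\AUTORUN\Drivers\Audio\Sys\CleanUp.exe 4/17/2002 2:05 PM 44.00 KB Hidden from Windows API.
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\INCLUDE\SYS\STAT.H 5/31/2002 2:28 PM 4.58 KB Hidden from Windows API.
"""

# path, then "M/D/YYYY H:MM AM|PM", then a size, then the description.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+)$"
)

# A service key with no subkey path below it: the service itself is hidden.
HIDDEN_SERVICE_RE = re.compile(r"^HKLM\\SYSTEM\\ControlSet\d{3}\\Services\\[^\\]+$", re.I)

# (pattern, reason). Treating these as noise is an assumption about what is
# commonly seen on clean XP machines; confirm each by hand before dismissing.
NOISE_PATTERNS = [
    (re.compile(r"\\prefetch\\[^\\]+\.pf$", re.I),
     "prefetch file written while the scan ran; timing artifact"),
    (re.compile(r"\\macromedia\\flash player\\", re.I),
     "Flash shared-object folder; routinely reported on clean XP systems"),
    (re.compile(r"\\sys(\\|$)", re.I),
     "directory named SYS; routinely reported on clean XP systems"),
    (re.compile(r"\\services\\d347prt\\", re.I),
     "config subkey of a virtual-drive driver that hides it on purpose "
     "(assumed to be the DAEMON Tools d347prt driver; confirm it is installed)"),
]


@dataclass
class Entry:
    path: str
    when: str
    size: str
    description: str
    verdict: str
    reason: str


def classify(path, description):
    """Return (verdict, reason) for one discrepancy line."""
    if description.startswith("Data mismatch"):
        return "recheck", "value changed between API and raw read; rescan and see if it persists"
    if HIDDEN_SERVICE_RE.match(path):
        return "critical", "whole service key hidden from the registry API: rootkit signature"
    for pattern, reason in NOISE_PATTERNS:
        if pattern.search(path):
            return "noise", reason
    return "review", "hidden object with no known benign explanation"


def parse_report(text):
    """Parse RootkitRevealer output (or a forum paste of it) into classified entries."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate non-report lines in a paste
        verdict, reason = classify(m["path"], m["desc"])
        entries.append(Entry(m["path"], m["when"], m["size"], m["desc"], verdict, reason))
    return entries


def triage(text):
    """Group entry paths by verdict: critical, review, recheck, noise."""
    groups = defaultdict(list)
    for entry in parse_report(text):
        groups[entry.verdict].append(entry.path)
    return dict(groups)


def hidden_services(text):
    """Names of service keys hidden from the API, de-duplicated across control sets."""
    return {e.path.rsplit("\\", 1)[1] for e in parse_report(text) if e.verdict == "critical"}


if __name__ == "__main__":
    for entry in parse_report(SAMPLE_REPORT):
        print(f"[{entry.verdict:8}] {entry.path}\n           {entry.reason}")
    print("hidden services:", sorted(hidden_services(SAMPLE_REPORT)))
```

A service hidden from the registry API cannot be examined from the running system, so the follow-up for a critical hit is offline: boot from other media or the Recovery Console, look for the driver file the hidden service would load, and export the raw SYSTEM hive for comparison. The `OFPZ` service in the Silent Runners list above, running from the user's Temp folder and signed by Sysinternals, is consistent with RootkitRevealer's documented habit of running its scan under a random service name, and is not a second finding.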
 

Hi,

Someone has tampered with my email address and keeps receiving and replying to my mails. Tell me what I have got to do. It's more than I can bear, as I have lost a lot of money because of that.

marpet
Newbie Poster
1 post since Jun 2010
Reputation Points: 10
Solved Threads: 0
 

For one, look at the date of the first post.
For two, why can't you just change your password!! :-/

nbaztec
Posting Pro in Training
475 posts since May 2010
Reputation Points: 57
Solved Threads: 60
 

This article has been dead for over three months
