
OE-6 virus

Discussion in 'Virus & Other Malware Removal' started by skyman, Apr 6, 2004.

  1. skyman

    skyman Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    1,234
    I am running IE 6, Win 98, Outlook Express 6, Sygate firewall and NAV, with all the definitions updated.

    I am getting messages in my email saying I have sent emails with viruses
    to other people. I have not sent any email to the people they reference.

    I ran my NAV scan and it showed no virus. I ran Housecall and it showed no virus. I ran RAV and it showed 3 infected files and 2 viruses in email and cleaned them.

    Today I got the same type message in my email that I had sent email with viruses to people I had never sent email to. I ran RAV again and they gave me the same 3 infected files and 2 viruses in email but would not clean.
    NAV still does not detect anything.

    I tried running Panda but it would not load the definitions.

    I must have a worm or a trojan, but NAV is my antivirus and is not detecting it.

    I need help on getting rid of this and advice on what to use to keep from getting it again.

    Many thanks...
     
  2. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Hey there ;)

    How about a HijackThis log.

    I get a rash of those emails too, sometimes they aren't for real.......
     
  3. skyman

    skyman Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    1,234
    Thanks Candy, here it is:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:03:01 PM, on 4/6/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
    C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\AUTOSIZER\AUTOSIZER.EXE
    C:\PROGRAM FILES\VENTURI2\CONFIGURATOR\VENTCFG.EXE
    C:\PROGRAM FILES\VENTURI2\CLIENT\VENTC.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [TelePath] C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
    O4 - HKCU\..\Run: [AutoSizer] "C:\PROGRAM FILES\AUTOSIZER\AUTOSIZER.EXE" /h
    O4 - Startup: Venturi 2.lnk = C:\Program Files\Venturi2\Configurator\ventcfg.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37873.7984953704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  4. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Sounds suspiciously like someone who has you in their address book has the Netsky virus, but it isn't you :D

    Your HijackThis log looks clean apart from one aspect, and that is that your Winsock is damaged.

    Go to this page, download and run LSPFix

    Click the box that says I know what I am doing and then click B

    Restart your computer and post a fresh HijackThis log when done.
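As an added example (not part of this thread, and not code from HijackThis or LSPFix), here is a small Python triage script of the kind a log reviewer might run over a pasted HijackThis log. The sample lines are a constructed subset of the log posted above; the entry formats it parses (O2, O4, O10, O16) are the ones visible in that log, and anything else is collected unchanged.

```python
"""Triage helper for HijackThis log text.
Added example, not part of the thread or of HijackThis itself; the sample lines are a
constructed subset of the log posted above. It pulls out the entries a log reviewer
looks at first: O4 autoruns, O2 browser helper objects, O16 downloaded ActiveX
controls, and any O10 Winsock LSP damage."""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [TelePath] C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
O4 - HKCU\..\Run: [AutoSizer] "C:\PROGRAM FILES\AUTOSIZER\AUTOSIZER.EXE" /h
O4 - Startup: Venturi 2.lnk = C:\Program Files\Venturi2\Configurator\ventcfg.exe
O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

# One regex per entry type; HijackThis prints "<code> - <body>" for every finding.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
O4_REG_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O10_RE = re.compile(r"^Broken Internet access because of LSP provider '(?P<dll>[^']+)' missing")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")


def triage(log_text: str) -> dict:
    """Group the log's findings by type; header and process-list lines are skipped."""
    report = {"autoruns": [], "bhos": [], "activex": [], "lsp_damage": [], "other": []}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code == "O4":
            reg = O4_REG_RE.match(body)
            if reg:
                report["autoruns"].append({"hive": reg["hive"], "key": reg["key"],
                                           "name": reg["name"], "cmd": reg["cmd"]})
            else:
                su = O4_STARTUP_RE.match(body)
                report["autoruns"].append({"hive": None, "key": "Startup",
                                           "name": su["name"] if su else body,
                                           "cmd": su["cmd"] if su else body})
        elif code == "O2":
            bho = O2_RE.match(body)
            if bho:
                report["bhos"].append({"clsid": bho["clsid"], "path": bho["path"],
                                       "unnamed": bho["name"] == "(no name)"})
        elif code == "O10":
            lsp = O10_RE.match(body)
            report["lsp_damage"].append(lsp["dll"] if lsp else body)
        elif code == "O16":
            dpf = O16_RE.match(body)
            if dpf:
                report["activex"].append({"name": dpf["name"],
                                          "host": urlparse(dpf["url"]).hostname})
        else:
            report["other"].append(code + " - " + body)
    return report


def summarize(report: dict) -> list:
    """Human-readable findings, Winsock damage first because it breaks connectivity."""
    lines = []
    for dll in report["lsp_damage"]:
        lines.append(f"O10: Winsock LSP chain references missing '{dll}'; repair the LSP chain first")
    for e in report["autoruns"]:
        where = f"{e['hive']}\\{e['key']}" if e["hive"] else e["key"]
        lines.append(f"O4 autorun ({where}): {e['name']} -> {e['cmd']}")
    for b in report["bhos"]:
        tag = "unnamed " if b["unnamed"] else ""
        lines.append(f"O2 {tag}BHO {b['clsid']}: {b['path']}")
    for x in report["activex"]:
        lines.append(f"O16 ActiveX '{x['name']}' downloaded from {x['host']}")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

Unnamed BHOs are listed rather than judged: the two in the sample resolve to Adobe Reader and Spybot files, which is why the reviewer above called the log clean apart from the O10 line.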
     
  5. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Thanks PAS, you are in good hands skyman......

    Not a log guru......had to beckon help :)
     
  6. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Nor am I, still loads to learn, .....but I'm getting there :D
     
  7. skyman

    skyman Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    1,234
    The message I got in my email was:

    Symantec mail security detected that you sent a message with an unscannable attachment or body.

    Subject: Re: Details
    Recipient: Paul Barnside

    This message came from:

    [email protected]


    Here is my new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:34:05 PM, on 4/6/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
    C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\AUTOSIZER\AUTOSIZER.EXE
    C:\PROGRAM FILES\VENTURI2\CONFIGURATOR\VENTCFG.EXE
    C:\PROGRAM FILES\VENTURI2\CLIENT\VENTC.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [TelePath] C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
    O4 - HKCU\..\Run: [AutoSizer] "C:\PROGRAM FILES\AUTOSIZER\AUTOSIZER.EXE" /h
    O4 - Startup: Venturi 2.lnk = C:\Program Files\Venturi2\Configurator\ventcfg.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37873.7984953704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  8. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    That looks clean. :D It isn't you that has the virus, though remember not to open any of those that you receive.
     
  9. skyman

    skyman Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    1,234
    Scanned
    ============================
    Objects: 11874
    Directories: 766
    Archives: 367
    Size(Kb): -2046758
    Infected files: 3

    Found
    ============================
    Viruses found: 2
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 254


    Scanned
    ============================
    Objects: 143
    Directories: 766
    Archives: 34
    Size(Kb): 8615
    Infected files: 3

    Found
    ============================
    Viruses found: 2
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 203



    This is what the RAV antivirus program showed on its scan of my files and email.

    What does this mean...
     
  10. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Are your email messages from RAV antivirus as well? Because I had about 30 when I returned from being away for 12 days.
     
  11. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    -----------------------
    This e-mail is generated by the delta.acabtu.com.mx mail server to warn you that the e-mail
    having the subject: <Re: Your document> is infected.
    The infected mail was sent by [email protected] to [email protected], .

    Info for the sender:
    -------------------
    The scanned e-mail has your address in the From: header field. Either your
    computer is infected or someone's computer having has your e-mail address
    in the address book has been infected.

    (Please note that some viruses are sending e-mails directly from your computer.
    Our advise is to check your computer using an up-to-date antivirus product).

    Info for the receiver:
    ---------------------
    Please contact the sender: very probably he doesn't know he has a computer virus.

    Actions taken for the infected files:
    -------------------------------------


    The file (part0002:your_document.pif) attached to mail (with subject:Re: Your document) sent by [email protected] to [email protected],
    is infected with virus: Win32/[email protected]
    Cannot clean this file.
    The mail was not delivered because it contained dangerous code.

    ------------------------
    this is a copy of the e-mail header:



    Copyright (c) since 1995 GeCAD The Software Company. All rights reserved.
    Registered version for 14 domain(s).
    Running on host: delta.acabtu.com.mx

    Scan engine 8.11 for i386.
    Last update: Mon, 22 Mar 2004 13:35:10 -06
    Scanning for 92816 malwares (viruses, trojans and worms).

    You can download a free 30-days evaluation version of RAV AntiVirus v8
    (yet fully functional) from:

    http://www.ravantivirus.com



    Kind of like that ;)
     
  12. skyman

    skyman Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    1,234
    No, they are not...

    "Dumbfounded"...
     
  13. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    As I said you haven't got the virus

    The virus works something like this:

    You = A

    Friend = B

    Friend of a friend = C

    Both A & C are in B's address book
    B contracts Netsky virus

    Netsky searches B's Address book and finds A & C's address

    Netsky sends virus from B to C using A's address in the senders field

    C's mail server's antivirus picks up the virus and bounces the email back to A, as IT thinks that A is the one who sent the email.

    A gets confused as you don't know C

    B does know C, but does not know that he/she has Netsky.
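The A/B/C flow above as an in-memory Python model (an added example, not part of this thread; hosts, addresses and the gateway's reject rule are constructed, and no mail is sent). The point it adds is the defender's check at the end: a bounce only implicates your own machine if your own outbound record contains the message the bounce complains about, which is the test skyman's clean logs effectively passed.

```python
"""Toy model of the A/B/C mail flow described in the post above.
Added example, not from the thread; hosts, addresses and the gateway rule are constructed.
No real mail is sent; everything happens in memory."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Message:
    sender: str                      # the From: address the receiver sees; a worm can forge it
    recipient: str
    subject: str
    attachment: Optional[str] = None


@dataclass
class Host:
    address: str
    address_book: list
    inbox: list = field(default_factory=list)
    sent_log: list = field(default_factory=list)   # what this machine's own mail client sent


def gateway_scan(msg: Message) -> Optional[Message]:
    """Model of C's mail-server antivirus: it blocks a .pif attachment and generates a
    bounce addressed to the From: header, because that header is all it has to go on."""
    if msg.attachment and msg.attachment.lower().endswith(".pif"):
        return Message(sender="antivirus@" + msg.recipient.split("@")[1],
                       recipient=msg.sender,
                       subject=f"Your message <{msg.subject}> is infected")
    return None


def deliver(network: dict, msg: Message) -> None:
    """Deliver one message; a rejected message becomes a bounce to whoever the From: names."""
    bounce = gateway_scan(msg)
    if bounce is None:
        network[msg.recipient].inbox.append(msg)
    else:
        network[bounce.recipient].inbox.append(bounce)


def infected_host_sends(infected: Host, network: dict) -> Message:
    """The worm on B takes two entries from B's address book: one to forge as the sender
    (A), one as the target (C). B's mail client is not used, so B's sent_log stays empty."""
    forged_sender, target = infected.address_book[0], infected.address_book[1]
    msg = Message(forged_sender, target, "Your document", "your_document.pif")
    deliver(network, msg)
    return msg


def genuine_send(host: Host, network: dict, msg: Message) -> None:
    """A message the host's own mail client sends is recorded in its sent_log."""
    host.sent_log.append(msg)
    deliver(network, msg)


def bounce_is_evidence_of_local_infection(host: Host, bounce: Message) -> bool:
    """Defender's check: the bounce only implicates this machine if its own outbound
    record shows a message with that subject to the complaining domain."""
    bounced_subject = bounce.subject.split("<", 1)[1].rsplit(">", 1)[0]
    complaining_domain = bounce.sender.split("@", 1)[1]
    return any(m.subject == bounced_subject and m.recipient.endswith("@" + complaining_domain)
               for m in host.sent_log)


def simulate_backscatter():
    """Run the flow from the post: A and C are in B's address book, B is infected."""
    a = Host("a@example.net", address_book=[])
    b = Host("b@example.org", address_book=["a@example.net", "c@example.com"])
    c = Host("c@example.com", address_book=[])
    network = {h.address: h for h in (a, b, c)}
    infected_host_sends(b, network)
    bounces = [m for m in a.inbox if m.sender.startswith("antivirus@")]
    return a, b, c, bounces


def simulate_real_infection():
    """Control case: A's own client sends the infected attachment, so the bounce is real evidence."""
    a = Host("a@example.net", address_book=[])
    c = Host("c@example.com", address_book=[])
    network = {h.address: h for h in (a, c)}
    genuine_send(a, network, Message("a@example.net", "c@example.com", "Details", "details.pif"))
    return a, a.inbox


if __name__ == "__main__":
    a, b, c, bounces = simulate_backscatter()
    print("A received %d bounce(s); A sent %d; B sent %d; C's inbox holds %d"
          % (len(bounces), len(a.sent_log), len(b.sent_log), len(c.inbox)))
    print("bounce implicates A:", bounce_is_evidence_of_local_infection(a, bounces[0]))
```

In the backscatter case the bounce lands in A's inbox while A's and B's sent logs are both empty and C never sees the message; the control case shows the same check returning True when the sending machine really was A.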
     
  14. skyman

    skyman Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    1,234
    Thanks for all your help. Your explanation explained this perfectly. I understand that this is about the 10th variant in this worm.

    I sent the information to everyone who I receive regular email from, and so far 3 of them have found that they have the virus and have gotten rid of it.

    Again, thanks...
     
  15. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    You're welcome! I just wish people would use the AVs they install on their systems.
     
Short URL to this thread: https://techguy.org/217750
