[email protected] Have I got it?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
While waiting for guidance from the forum on a frozen IE page I have, I began to read the article on [email protected] and decided to search my registry, and the words [email protected] turned up in the search. I have got it, haven't I?
Perhaps this could go a long way to explaining my stolen home pages, foul abusive e-mails and frozen IE pages etc. What do I do please? Please can you advise.
Turner
PS: tried to follow repair kit instructions but found it beyond me at present. My OS is Windows 98.
Many thanks.
PPS: I have been using active scanning from Panda as recommended but it didn't detect it.
 

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
I have run the removal tool and it says [email protected] is not there, but I know when I do a search in the registry it says it is present. Would you recommend removing those items from the registry?
Or does this mean that it is not active and should be left alone?
 
Joined
Feb 23, 2003
Messages
16,274
Are you sure that it is a virus and not temp files? In any event, download HijackThis, unzip it, do a scan and save the log. Then copy and paste that log here.
 

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
I have cleared all my temp files and ran a search again. The [email protected] and words [email protected] appeared on two lines in HKEY_CURRENT_USER\software\microsoft\current version\explorer\docfindspecmru
and here is the HJT log:
Logfile of HijackThis v1.97.2
Scan saved at 23:25:33, on 06/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Disconnect Telebizz Connection (HKLM)
O9 - Extra 'Tools' menuitem: Disconnect Telebizz Connection (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37854.4969212963
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
many thanks
turner
 
Joined
Feb 23, 2003
Messages
16,274
Only thing I would remove would be the following:


O14 - IERESET.INF: START_PAGE_URL=
 

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
Please excuse my ignorance, how do I remove it? Do I use HJT and just check it?
 

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
To motherboard,
I have tried twice to remove O14 - IERESET.INF: START_PAGE_URL= and it won't let me do it. I remember that I was advised to remove it before and couldn't do it then either. According to the info HJT gives on it, it is a command to reset and re-infect my home page; searchalot uses this hijack, so I still have a problem. Any advice welcome. Thank you.
 

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
I tried to remove the O14 - IERESET.INF: START_PAGE_URL= in safe mode and no luck. Any further suggestions? (Polite ones, please!)
many thanks
turner
 
Joined
Feb 23, 2003
Messages
16,274
It's not a threat at the moment as it doesn't have an address assigned to it. Most aren't harmful as they either have the PC supplier like Dell or your ISP like Comcast. I wouldn't worry too much over it at the moment.
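
The reasoning in the reply above (an O14 entry with no address assigned is inert, and one pointing at a PC supplier or ISP page is usually benign) can be written as a small triage over a saved HijackThis log. This is an added example, not part of the original thread; the function names, the `expected_hosts` allow-list and the sample lines using `.example` hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# HijackThis result lines start with a section code such as "R1", "O4" or "O14".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O14 lines report values read from IERESET.INF, e.g. "START_PAGE_URL=<value>".
O14_RE = re.compile(r"^IERESET\.INF:\s*([A-Z_]+)=(.*)$", re.IGNORECASE)

# Constructed sample: the first O14 line is the one from the thread,
# the two lines with ".example" hosts are made up for illustration.
SAMPLE_LOG = "\n".join([
    "Logfile of HijackThis v1.97.2",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    "O14 - IERESET.INF: START_PAGE_URL=",
    "O14 - IERESET.INF: START_PAGE_URL=http://www.isp.example/start",
    "O14 - IERESET.INF: START_PAGE_URL=http://search.unknown.example/",
])

def parse_entries(log_text):
    """Return (code, body) for every result line; header lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage_o14(log_text, expected_hosts=()):
    """Classify O14 entries: 'empty' (no address assigned), 'expected'
    (host is in the caller's allow-list, e.g. PC supplier or ISP),
    or 'review' (an address nobody has vouched for)."""
    results = []
    for code, body in parse_entries(log_text):
        m = O14_RE.match(body) if code == "O14" else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if not value:
            verdict = "empty"
        else:
            url = value if "://" in value else "//" + value
            host = (urlsplit(url).hostname or "").lower()
            known = any(host == h or host.endswith("." + h) for h in expected_hosts)
            verdict = "expected" if known else "review"
        results.append((key, value, verdict))
    return results

if __name__ == "__main__":
    for key, value, verdict in triage_o14(SAMPLE_LOG, expected_hosts=("isp.example",)):
        print(f"{verdict:8} {key}={value}")
```
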
 

turner

Thread Starter
Joined
Sep 9, 2003
Messages
158
To motherboard
Thank you so much for your help. As it has been said many times before, this is a great site and those who offer help are greatly appreciated by those of us who need it.
Cheers, Turner
 