
[email protected] Have I got it?

Discussion in 'Virus & Other Malware Removal' started by turner, Oct 6, 2003.

  1. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    While waiting for guidance from the forum on a frozen IE page I have, I began to read the article on [email protected] and decided to search my registry and the words [email protected] turned up in the search. I have got it, haven't I?
    Perhaps this could go a long way to explaining my stolen home pages, foul abusive e-mails and frozen IE pages etc. What do I do, please? Please can you advise.
    Turner
    PS: tried to follow repair kit instructions but found it beyond me at present. My OS is Windows 98.
    many thanks.
    PPS: I have been using active scanning from Panda as recommended but it didn't detect it.
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
  3. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    I have run the removal tool and it says [email protected] is not there but I know when I do a search in the registry it says it is present. Would you recommend removing those items from the registry?
    Or does this mean that it is not active and should be left alone?
     
  4. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Are you sure that it is a virus and not temp files? In any event, download HijackThis, unzip it, do a scan as well as save the log. Then copy and paste that log here.
     
  5. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    I have cleared all my temp files and ran a search again. The [email protected] and words [email protected] appeared on two lines in HKEY_CURRENT_USER\software\microsoft\current version\explorer\docfindspecmru
    and here is the HJT log
    Logfile of HijackThis v1.97.2
    Scan saved at 23:25:33, on 06/10/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
    C:\PROGRAM FILES\ERASER\ERASER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
    C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
    O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Disconnect Telebizz Connection (HKLM)
    O9 - Extra 'Tools' menuitem: Disconnect Telebizz Connection (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37854.4969212963
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    many thanks
    turner
     
  6. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Only thing I would remove would be the following:


    O14 - IERESET.INF: START_PAGE_URL=
     
  7. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    Please excuse my ignorance, how do I remove it? Do I use HJT and just check it?
     
  8. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Yes, rescan with HijackThis and check it, then click fix.
     
  9. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    To motherboard,
    I have tried twice to remove O14 - IERESET.INF: START_PAGE_URL= and it won't let me do it. I remember that I was advised to remove it before and couldn't do it then either. According to the info HJT gives on it, it is a command to reset and reinfect my home page, Searchalot uses this hijack, so I still have a problem. Any advice welcome. Thank you.
     
  10. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Do the removal from safe mode.
     
  11. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    I tried to remove the O14 - IERESET.INF: START_PAGE_URL= in safe mode and no luck. Any further suggestions? (Polite ones please!)
    many thanks
    turner
     
  12. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    It's not a threat at the moment as it doesn't have an address assigned to it. Most aren't harmful as they either have the PC supplier like Dell or your ISP like Comcast. I wouldn't worry too much over it at the moment.
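
The check described in the reply above (does the O14 entry have an address assigned?) can be scripted against a saved log. This is an added example, not part of the thread or of HijackThis itself; the function names and the `example.invalid` URL are constructed for illustration, and the other sample lines are copied from the log posted earlier in this thread.

```python
import re
from collections import defaultdict

# Lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.2
Running processes:
C:\WINDOWS\EXPLORER.EXE

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O14 - IERESET.INF: START_PAGE_URL=
"""
# Constructed line (not from the thread): an O14 entry with an address assigned.
CONSTRUCTED_LOG = "O14 - IERESET.INF: START_PAGE_URL=http://portal.example.invalid/"

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
O14 = re.compile(r"^IERESET\.INF: (\w+)=(.*)$")
O4_REGISTRY = re.compile(r"^(HK[A-Z]+\\\.\.\\\w+): \[([^\]]+)\] (.+)$")
O4_STARTUP = re.compile(r"^((?:Global )?Startup): (.+?) = (.+)$")

def parse_entries(log_text):
    """Group 'CODE - detail' lines by section code; header and process lines are skipped."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return dict(entries)

def reset_targets(entries):
    """Map each IERESET.INF key in the O14 section to its URL ('' when none is assigned)."""
    found = {}
    for detail in entries.get("O14", []):
        m = O14.match(detail)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def autoruns(entries):
    """Return (location, name, command) for each O4 registry or Startup-folder entry."""
    rows = []
    for detail in entries.get("O4", []):
        m = O4_REGISTRY.match(detail) or O4_STARTUP.match(detail)
        if m:
            rows.append(m.groups())
    return rows
```
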
     
  13. turner

    turner Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    158
    To motherboard
    Thank you so much for your help. As it has been said many times before, this is a great site and those who offer help are greatly appreciated by those of us who need it.
    Cheers, Turner
     
  14. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274