
Windows XP home sp2-82 year old man needs help-virus-e-mail 98 at a time

Discussion in 'Virus & Other Malware Removal' started by xfile47, Oct 23, 2004.

Thread Status:
Not open for further replies.
  1. xfile47

    xfile47 Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    2,142
    Windows XP Home SP2
    I am trying to help an 82-year-old guy fix his computer; he uses it to talk with his daughter in China, e-mail her, etc.
    When he tries to send pics or anything in an e-mail, it sends like 97 or 98 copies. Only one person he has sent to says that it had said not to open anything because there was a virus; he does not know what it was. He showed me 3 pages of 28 he printed out, and it is 3 pages of rrooefnqohfanfajl;335i43kl;nakfjafafmn, stuff like that. He has Norton AntiVirus and it is up to date. He said he ran it and it showed nothing. I told him to run it again right before I came home to do this; he lives 20 miles from me. He did not know he had SP2, but he was on auto for Windows updates so it downloaded it for him. He had Norton firewall running and of course Windows Firewall was running by default, so I turned the Windows one off.

    I ran Ad-Aware SE Personal 1.05 and caught 40 files, mostly tracking cookies; ran spyware and caught 5 DSO Exploit, 3 Wild Tangents, 1 Hotbar, 1 WebTrends Live; ran spyblaster and got him covered there; ran cwshredder and caught nothing; checked defrag and he didn't need it; deleted all temp files, cookies, and history; saw Backweb 137903 in his program files, if that means anything.

    Here is his HJT Log

    Logfile of HijackThis v1.98.2
    Scan saved at 5:50:48 PM, on 10/23/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netins.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lifeclips.com/hp
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0F87022F-30DE-447C-A31F-0F9CCC202CB4}: NameServer = 167.142.225.3 167.142.225.5

    I don't know what else to do, but one e-mail said something about a virus, and all the e-mails that get sent, he said it sends 98, give or take, of each e-mail, and then it's all gobbledygook, so please help me so I can get him going again. Thanks, I appreciate it very much.
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    The 5 DSO Exploits coming from Spybot is just a bug.

    Nothing jumps out in the log. Perhaps try another e-mail account/provider.
     
  3. xfile47

    I was wondering, I have two questions. I was going to take out of the HJT log the two O4s about WildTangent, the two O4s (one for ShadowBar and one for the BackWeb 137903), and then the two O9s about the MarketBrowser; would it be OK to take those out? My last question is this: the guy is 82 and in good health but doesn't understand everything. Anyway, I want to know if my thinking here might be right. It sounds to me like he took a couple of pictures, scanned them, and then printed them on his printer; then he said he tried to print to e-mail or send them from the printer to e-mail. I was wondering, if he is trying to send a scanned pic from a printer in e-mail, would he then get all that gobbledygook stuff, like it is trying to send the pixels or something on that order? Or am I on the wrong track altogether? I mean, shouldn't he just scan to e-mail, not scan to printer and then print to e-mail? This is what I thought he said he was doing over the phone. Anyway, would that then send a bunch of pages of gobbledygook stuff to the person being e-mailed?
     
  4. cybertech

    You can remove those items you suggested but first he needs to move HJT to a permanent folder.

    Looks like he has a digital camera, why not just upload the picture(s) and send them zipped as an attachment to the e-mail?
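
An added illustration, not part of the original thread: a small Python parser for the HijackThis log posted above. It shows HijackThis.exe running from a Temp directory (the point behind the "permanent folder" advice) and lists the O4/O9 entries the thread starter asked about. The function names and the keyword list are assumptions made for this example, and the sample lines are copied from the first post.

```python
import re

# Constructed sample: lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netins.net/
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

# Names the thread starter asked about removing (from the post, not a verdict).
ASKED_ABOUT = ("WildTangent", "ShadowBar", "BackWeb", "MarketBrowser")

def parse_hjt(text):
    """Split a HijackThis log into running processes and entries by section code."""
    processes, entries, in_procs = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY.match(line)
        if match:
            in_procs = False
            entries.setdefault(match.group(1), []).append(match.group(2))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def running_from_temp(processes):
    """Processes started from a Temp directory, such as a tool run inside a zip."""
    return [p for p in processes if TEMP_DIR.search(p)]

def entries_naming(entries, names=ASKED_ABOUT):
    """Map section code -> entries that mention any of the given names."""
    def named(d):
        return any(n.lower() in d.lower() for n in names)
    return {c: [d for d in ds if named(d)] for c, ds in entries.items() if any(map(named, ds))}

if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print(running_from_temp(procs), entries_naming(ents))
```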
     
  5. xfile47

    Yeah, but he is 82 and it's hard to get him to change or understand. Two more questions if you have time. First, I feel dumb asking this, but I keep trying to get HJT into a permanent folder and it keeps coming up temp. I go to My Computer, double-click on the C drive and it brings up all the folders in C, then I right-click on a plain area and make a new folder called HJT and then download HJT into that folder. Must be wrong; what am I doing wrong? Second, what would he be doing wrong to have the people he e-mails say they get anywhere from 28 to 98 pages of nothing but that gobbledygook stuff? What could he be doing to make that happen, or does that mean there is a virus somewhere? He said only one person ever said anything about getting a message about not opening because of a virus; no one else did, but all get those pages of stuff. Could you give me any ideas what to look for? And yes, my wife has the same camera he has and is going to show him how to send them and download them, or he could scan to e-mail or scan to a folder and then attach. But what is happening with the gobbledygook stuff, page after page? I WOULD REALLY appreciate any guidance you could give me on what to look for.
     
  6. cybertech

    Your explanation of placing HJT sounds correct; however, when you download, make sure you "Save" it to that folder you have created.

    I have saved it to My Documents and have a shortcut on the desktop. Here's what mine says, from the HJT log when I scan and save the log.
    C:\Documents and Settings\cybertech\My Documents\a TSG\HijackThis.exe

    So as you can see it runs from My Documents and saves the backups in a folder inside My Documents called backups.

    I think he's creating a file that contains information about the creation of the picture instead of the picture. He needs to be sending a jpg, bmp, gif or some type of picture. Ask him to open a picture and give you the file name; if it's correct, instruct him to send you the picture and see if you can open it.
     
  7. xfile47

    OK, I will do that, and it sounds like he might be doing just that. When you save to my documents and settings, do you make a new folder in documents and settings for the HJT or just save it there?
     
  8. cybertech

    I used to make a new folder but the current version of HJT creates a backups folder so putting it in my documents is fine.
     
  9. xfile47

    I tried to send a picture in an e-mail attachment from his e-mail to mine, and the e-mail got there fine, but when you open it, it just shows all letters and symbols, pages of the stuff. The picture says it is jpg. Can anyone help? He has Outlook Express; already ran adware, spybot, spyblaster, cwshredder, HJT, Norton virus scan, there is nothing. Need help really bad.
    Thanks
     
  10. cybertech

    Have him zip it first.
     
  11. xfile47

    But it's only one pic. I have sent them before and he has too; this just started 3 weeks ago. If it was a bunch of pics then yes, but he wouldn't need to zip one, would he?
     
  12. cybertech

    I'm PMing someone who may be able to offer a suggestion....
     
  13. xfile47

    Great, hope so
     
  14. hewee

    hewee

    Joined:
    Oct 26, 2001
    Messages:
    57,791
  15. xfile47

    I will try this tomorrow when I go there and let you know how it came out. I thank you very much for the time and help. Thanks.
     
Short URL to this thread: https://techguy.org/288032