34 replies to this topic

[nadog]

I received a very suspicious email on my outlook from a ghost address and I am worried that something was dropped into my computer. When I replied to the email a box popped up asking me if I wanted to save the changes. I selected no. Here is my HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 1:49:38 PM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\lotus\wordpro\ltsstart.exe
C:\lotus\register\remind32.exe
C:\lotus\smartctr\suitest.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: Lotus SuiteStart 97.lnk = C:\lotus\smartctr\suitest.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

[Piatan]

Thanks for sending your information. We are sorry for the delay in responding. The volunteers here are swamped and unfortunately not all logs get answered as quickly as we'd like.

If you still need help with your problem, please run Hijack This again. Scan and copy the log, then post it here, in this topic . We do need to see a current logfile.

To post, please use the Post Reply feature, so I will be notified.

Please provide a description of the problem.

Please do not edit your Hijack This log. We need to see the entire logfile, with no revisions.

[nadog]

Hey;

Thanks for the help. Here is a new HijackThis scan.

Logfile of HijackThis v1.99.1
Scan saved at 8:46:31 AM, on 1/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\lotus\wordpro\ltsstart.exe
C:\lotus\register\remind32.exe
C:\lotus\smartctr\suitest.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: Lotus SuiteStart 97.lnk = C:\lotus\smartctr\suitest.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

[nadog]

Hey Piatan; Sorry, I neglected to answer one of your questions in the previos post. The person who sent me the email in question has a history of installing keystroke spyware on other people's computers. He has also manipulated Outlook on other people's computers so that every email sent out would be cc'd back to him. I checked my outlook settings and nothing seems out of the ordinary but my geek skill is very low so I'm not sure. I just want to make sure he isn't monitoring me. Thanks, nadog

[Piatan]

Hi nadog;

Behavior such as that you say the individual is responsible for is not acceptable anywhere and he should be banned. Any site that would put up with this is not a site I would frequent. The Internet is too big, with enough sites that would not put up with him. No site I frequent would allow him to remain a member.
If the site will not cooperate and ban him, you can block all messages from him and from anyone that communicates with him. That should protect you. However, a better choice would be not to frequent that site.
I would certainly block him from my email. However, he could trick or coerce someone else to send you an infected email, so be sure your Anti-Virus is scanning your emails. Never open an attachment from anyone, unless you know and trust them. Even then, scan it to be sure no virus is present.

I do not find a keylogger, or any signs of Malware in your HJT logfile.


Close all Windows and browsers, leaving only HijackThis running.

Place a check against each of the following.:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
Click on Fix Checked when finished.

If you have no unresolved problems, I would recommend the following.


One of the best features of Windows XP is the System Restore option, however if Malware infects a computer with this operating system the Malware can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  
  Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywar...showtopic=11150
  -reboot after using Ad-Aware SE. Also while there get the VX2 plugin and follow the instructions to run it also.
  
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
http://castlecops.co...tlite7736-.html
So how did I get infected in the first place?

Safe surfing.

[nadog]

Hi Piatan;

I followed your recommendations and they all went smoothly until I got to the one replacing the "hosts" file. I downloaded the file and followed the "read me" directions. After start/run services.msc, scrolling down to DNS Client, selecting properties and changing the startup type to manual, I rebooted and now my computer if frozen. It will boot up normally to the point where I log on as administrator but after loading my personal settings I get a "Dr. Watson" message saying there was an error and asking me to report it to Microsoft. Whether I select yes or no, the computer freezes after that. I cannot open Explorer or Outlook or anything on the desktop including the function of the start button. If I use cntrl/alt/delete I get the end task box which allows me back into the "services.msc" and I went in and changed the DNS client back to Automatic but there is still nothing. I don't know how to reverse the function which caused the problem. My machine is essentially non functional. Can you help me get it back? I can access my email from a remote location.

Thanks,
nadog

Hi nadog;

Behavior such as that you say the individual is responsible for is not acceptable anywhere and he should be banned. Any site that would put up with this is not a site I would frequent. The Internet is too big, with enough sites that would not put up with him. No site I frequent would allow him to remain a member.
If the site will not cooperate and ban him, you can block all messages from him and from anyone that communicates with him. That should protect you. However, a better choice would be not to frequent that site.
I would certainly block him from my email. However, he could trick or coerce someone else to send you an infected email, so be sure your Anti-Virus is scanning your emails. Never open an attachment from anyone, unless you know and trust them. Even then, scan it to be sure no virus is present.

I do not find a keylogger, or any signs of Malware in your HJT logfile.


Close all Windows and browsers, leaving only HijackThis running.

Place a check against each of the following.:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
Click on Fix Checked when finished.

If you have no unresolved problems, I would recommend the following.


One of the best features of Windows XP is the System Restore option, however if Malware infects a computer with this operating system the Malware can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  
  Download the new Ad-Aware SE version, and follow the instructions on how to do a full scan: http://forums.spywar...showtopic=11150
  -reboot after using Ad-Aware SE. Also while there get the VX2 plugin and follow the instructions to run it also.
  
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

And also see TonyKlein's good advice
http://castlecops.co...tlite7736-.html
So how did I get infected in the first place?

Safe surfing.

[Piatan]

Hi nadog; Sorry for your difficulties. I do not believe the problem is due to the Hosts file, since it is downloaded and used be untold numbers of individuals every day. It is commonly recommended by most security professionals. That does not lessen the problem you are having, so lets see what can be done about it. Are you able to sign in under any other Administrator, or any other user ? If so, do that and see if the same problem arises. Failing that, try to boot up in SAFE MODE and see if the problem exists. To restart in Safe Mode: Restart your computer. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter. If you are able, please post the error message.

Edited by Piatan, 04 February 2006 - 03:16 PM.

[nadog]

Hi Piatan;

I was unable to boot up in safe mode, no matter when I keyed F8. I was, however, able to log in under my guest profile including accessing Internet Explorer (which makes it easier to communicate with you rather than driving across town to another computer).

I went back to the administrator and tried unsuccessfully to get the thing to function. Same issues. The mouse arrow will not do anything and it just shows me the hourglass when I try to click on anything including the start button.

The error message was as follows. I couldn't copy and paste it because nothing was working.

DrWatson Postmortem Debugger has encountered a problem and needs to close, etc.
Error Signature Event type: BEX P1:drwtsn32.exe P2: 5.1.2600.0 P3: 3b7d84a2 P4: dbghelp.dll
P5: 5.1.2600.2180 P6: 4110969a P7: 0001295d P8: c0000409 P9: 00000000
Techincal info: The following files will be included in Error Report
C:\DOCUMEN~1\MDGUSE~1\LOCALS~1\TEMP\WER19cc.dir00\DRWTSN32.exe.mdmp
" " " " " " " " dir00\appcompat.txt

Thanks for your attention and help. People like yourself who volunteer their time to help others display an amazing level of integrity.

nadog

Hi nadog;
Sorry for your difficulties. I do not believe the problem is due to the Hosts file, since it is downloaded and used be untold numbers of individuals every day. It is commonly recommended by most security professionals.
That does not lessen the problem you are having, so lets see what can be done about it.

Are you able to sign in under any other Administrator, or any other user ? If so, do that and see if the same problem arises.

Failing that, try to boot up in SAFE MODE and see if the problem exists.
To restart in Safe Mode:
Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

If you are able, please post the error message.

[Piatan]

Hi nadog; As one Expert said, one must be a computer engineer with 25 years at Microsoft, to understand Dr. Watson post mortem messages. In order to have any success with this, being logged on as an Administrator may be necessary. Is there another Administrator account in which you can log on ? If so, please do that. Let me know if you are able to do so.

[nadog]

Hi Piatan; I only have the one Administrator account. Is there any other way in there? Nadog

[Piatan]

In your Administrator account, use ctl/alt/delete to get into Task Manager. If that does not work, try RIGHT CLICKING in a blank space on your Taskbar and clicking on "TASK MANAGER'. If you are successful, then look for Dr. Watson in Task Manager, hilight it and then click on "END PROCESS". If that works, is your Administrator account now functional ? From any account that is funcitonal, Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab. Clear "Hide file extensions for known file types." Under the "Hidden files" folder, select "Show hidden files and folders." Clear "Hide protected operating system files." Click Apply, and then click OK. When finished, remember to return and place a check on "Hide protected operating system files" Click Apply and then OK. Be sure to do the following for every user/Administrator. Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. Next navigate to the C:\Documents and Settings\(EVERY Listed USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK. Reboot and let me know if this helped.

[nadog]

Piatan; Selecting "end process" on Dr. Watson32.exe in the task manager allowed my admin account to become functional. It gave me access to the internet via Explorer but when I tried to open my Outlook Dr. Watson kicked in again and locked things up. I followed your instructions down to the point where I re-applied the "hide protected operating system files" and then I tried a reboot so I could get into safe mode. The F8 didn't work. Maybe I'm keying it at the wrong time? I'm not sure if completing the recommendations without being in safe mode is safe to do. I went back into my "guest " account to send this and it is working the same as it was. nadog

[Piatan]

You may need to be in your Administrator account to do some things. If so use the method that worked for you previously to do so. Avoid doing anything that experience tells you causes Dr. Watson to kick back in.
Since we know the problem is effecting only your present Administrators account, you may want to create another Administrator account. You'll need to get your old Administrator account to working, at least long enough to do that.

About the difficulty getting into safe mode.

The following link will provide you with an optional method for booting into Safe Mode.
Please use the method described for your particular Operating System.

http://service1.syma...src=sec_doc_nam

Problems doing anything after getting into SAFE MODE ?

After booting in "safe mode", push these three keys at the same time:

<Ctrl><Alt><Del>

The task manager appears on the screen.

Click on the Applications tab, then click New task.

Then click on Browse. You can then go to the Program needed.

Hope this helps.

[nadog]

Hi Piatan; Okay, I've gone through the entire process that you outlined. I managed to get safe mode running and made all the changes you recommended. When I restarted the Dr. Watson thing came up again in my main admin account. But it didn't in the secondary admin account or guest account. This time, I shut down completely for a few hours and booted up again and I have gained access to my main admin account with no sign of Dr. Watson. However, it looks like a couple of things off my bottom task bar have disappeared, such as the MSN Messenger icon. I rarely use that anyway and I don't remember what else was down there Remaining outstanding is the fact that the other day I downloaded the new host file program and it is somewhere in my computer (I don't know where). I had followed the install instructions to the point when it asked me to change the services.msc/DNS Client/Properties to manual. I did this and then when I re-booted my computer froze. So I haven't actually done the manual install and after it was frozen I changed the setting back to automatic. During the early part of the process I had selected "run" once when prompted. Later in the instructions it says that the MVPS HOSTS file can be removed by doing a couple of "simple" things which don't look too simple to me. I don't know where to find the file, I don't know if it's half installed, I don't know if it should be removed or the installation should be finished. I don't surf into dangerous sites. I generally just stick to professional sites like airlines, etc. No porn or risky places. What do you recommend I do? Thanks, nadog

[Piatan]

Hi nadog;

That is good news indeed. I'd be very interested to know exactally what caused this difficulty, but that will probably never be known.
Whether or not you choose to continue with the MVPS HOSTS installation, do an all files search for it. Be sure to include "hidden files" and you will likely find what you require.
If you choose to remove it, I would recommend following those removal instructions you mentioned, just to be sure all traces are gone.
I agree, those things are hardly ever as simple as some claim. Personally, I would remove it, since you can't be sure how much of the installation actually finished and I'm sure you feel reluctant to continue with the installation, under the circumstances.

If you do remove it, I would suggest using the following, to replace your original hosts files.
Download the Hoster program and run it.
http://members.aol.c...dbee/hoster.zip
When it opens, click on the Restore Original Hosts button and then exit Hoster.

I'm sure you can download MSN Messenger whenever you need, if it is indeed missing. It is probably still on your PC and only the Icon is missing and can be replaced.

Good luck and please let me know how it goes.