
Status
Not open for further replies.
1 - 13 of 13 Posts

Registered · 3 Posts · Discussion Starter #1
Hi,

This is my first post, I'm very new. So thanks for reading!

Right into it then.

I'm quietly browsing when suddenly I get bombarded with dozens and dozens of very confusing popup window messages from my (non web-based) email account, telling me that my attempts to send dozens of emails to people I'd never heard of before had failed.

All of the popup window messages helpfully contained the subject line, and all the subjects were very broad, which leads me to think that I have somehow unwittingly become a spam host, or something equally noxious.

Please bestow upon me your wisdom!

Thanks in advance,

Alabaster
 

Premium Member · 1,611 Posts
Alabaster, welcome to the forums !!!
Do the popups say why your messages didn't make it to their recipients? It might be that your email was a part of the recent virus hoopla... Can you post more info about what the popups said? What were some of the subject lines?

:D
 

Registered · 45 Posts
I had the same problem once. A bunch of mail was getting 'returned' to me because 'a virus was detected on them'. I then ran a virus scan and found that my whole computer was infected. Cleaned it out and then the returned emails stopped. I'm not sure how my account got affected by a virus on my system though, because it was Hotmail. I don't use any email programs. I suggest you scan for viruses.
 

Registered · 18 Posts
Sounds like you have been a victim of the Sobig virus. Your system does not necessarily have the virus, but you (along with millions of others!!) have been victimized by someone who does have it on their machine.

For more info, see this link ==> http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

On the above referenced webpage, there is also a link to a removal tool if you want to run it (just for kicks!!).

Also, if you don't have an up-to-date virus scanning software program on your system, I suggest that you get one pronto!!

Good Luck!! :sleep:
 

Registered · 3 Posts · Discussion Starter #5
Hello!

Thanks to all of you for your prompt replies! :D

I downloaded and ran the sobig remover tool, but the messages are still coming!

I've run ad-aware several times, but there isn't anything unusual (just tracking cookies).

The subject lines are all the same at the moment -

"<insertemailaddresshere>, sure your wife or husbane hasn't a lover?"

aargh!!! I'm a spam lord!!

I've run hijackthis - would it help out if I posted the results?

Thanks again!

Alabaster
 

Registered · 5,955 Posts
alabaster said:
Hello!

Thanks to all of you for your prompt replies! :D

I downloaded and ran the sobig remover tool, but the messages are still coming!

I've run ad-aware several times, but there isn't anything unusual (just tracking cookies).

The subject lines are all the same at the moment -

"<insertemailaddresshere>, sure your wife or husbane hasn't a lover?"

aargh!!! I'm a spam lord!!

I've run hijackthis - would it help out if I posted the results?

I think that is a good option, now.

Thanks again!

Alabaster
I think posting the log would be a good idea at this point.
 


Registered · 3 Posts · Discussion Starter #8
My Hijackthis log

Logfile of HijackThis v1.97.2
Scan saved at 10:50:56 AM, on 19/09/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Inoculator\inoc.exe
C:\WINDOWS\winww\sn00.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Big Pond Advance\BIGPOND.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://out.true-counter.com/c/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?840828 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?840828 (obfuscated)
O1 - Hosts: 645238813 auto.search.msn.com
O1 - Hosts: server-au.imrworldwide.com localhost
O1 - Hosts: server-uk.imrworldwide.com localhost
O1 - Hosts: server-dk.imrworldwide.com localhost
O1 - Hosts: server-fi.imrworldwide.com localhost
O1 - Hosts: server-us.imrworldwide.com localhost
O1 - Hosts: server-nz.imrworldwide.com localhost
O1 - Hosts: server-sg.imrworldwide.com localhost
O1 - Hosts: server-se.imrworldwide.com localhost
O1 - Hosts: server-no.imrworldwide.com localhost
O1 - Hosts: server-pl.imrworldwide.com localhost
O1 - Hosts: server-de.imrworldwide.com localhost
O1 - Hosts: server-by.imrworldwide.com localhost
O1 - Hosts: server-ee.imrworldwide.com localhost
O1 - Hosts: server-lv.imrworldwide.com localhost
O1 - Hosts: server-lt.imrworldwide.com localhost
O1 - Hosts: server-ru.imrworldwide.com localhost
O1 - Hosts: server-ua.imrworldwide.com localhost
O1 - Hosts: server-jp.imrworldwide.com localhost
O1 - Hosts: server-it.imrworldwide.com localhost
O1 - Hosts: server-br.imrworldwide.com localhost
O1 - Hosts: telstra.imrworldwide.com localhost
O1 - Hosts: ninemsn.imrworldwide.com localhost
O1 - Hosts: secure-au.imrworldwide.com localhost
O1 - Hosts: secure-us.imrworldwide.com localhost
O1 - Hosts: secure-uk.imrworldwide.com localhost
O1 - Hosts: secure-jp.imrworldwide.com localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [Inoculator] C:\Program Files\Inoculator\inoc.exe
O4 - HKLM\..\Run: [yfoqvp] rundll32 C:\WINDOWS\System32:yfoqvp.dll,Init 1
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CreateCD] C:\WINDOWS\winww\sn00.exe -r
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [*yfoqvp] rundll32 C:\WINDOWS\System32:yfoqvp.dll,Init 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://about.chatspace.com/Java/cs4fs084.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs8.chat.sc5.yahoo.com/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/SonyPicturesGameDownloader.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
 

Citizen of the world · 51,041 Posts
Well, these lines jump out at me, since I've heard of this one before. As I recall, this comes from X-rated sites, and is somewhat difficult to get rid of.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://out.true-counter.com/c/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?840828 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?840828 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?840828 (obfuscated)
Here's another spyware entry, though Gator is usually easier to get rid of.

O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download...ptdmgainads.cab
 

Registered · 5,955 Posts
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [yfoqvp] rundll32 C:\WINDOWS\System32:yfoqvp.dll,Init 1 ????
O4 - HKLM\..\RunOnce: [*yfoqvp] rundll32 C:\WINDOWS\System32:yfoqvp.dll,Init 1

O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download...ptdmgainads.cab

JW got the biggest part of them. One of the big problems is, if you continue to use Gator, your machine will be cruddy again in no time. When this is over, go to the other software forum and ask us for alternatives to Gator.

Entry O2 can be deleted.

I am really concerned about the two O4 entries (yfoqvp) because I can't find anything out about them with any of my resources. That's kinda spooky. I can't tell you to get rid of them, because I don't know what they do, but I would dump them in a hot second and take the consequences if this were my logfile.

Start HJT, check the appropriate entries, and tell HJT to fix them.

Let us know how everything is afterwards.

JG
 

Registered · 12 Posts
All the O1 host files can go too

O1 - Hosts: 645238813 auto.search.msn.com
O1 - Hosts: server-au.imrworldwide.com localhost
O1 - Hosts: server-uk.imrworldwide.com localhost
O1 - Hosts: server-dk.imrworldwide.com localhost
O1 - Hosts: server-fi.imrworldwide.com localhost
O1 - Hosts: server-us.imrworldwide.com localhost
O1 - Hosts: server-nz.imrworldwide.com localhost
O1 - Hosts: server-sg.imrworldwide.com localhost
O1 - Hosts: server-se.imrworldwide.com localhost
O1 - Hosts: server-no.imrworldwide.com localhost
O1 - Hosts: server-pl.imrworldwide.com localhost
O1 - Hosts: server-de.imrworldwide.com localhost
O1 - Hosts: server-by.imrworldwide.com localhost
O1 - Hosts: server-ee.imrworldwide.com localhost
O1 - Hosts: server-lv.imrworldwide.com localhost
O1 - Hosts: server-lt.imrworldwide.com localhost
O1 - Hosts: server-ru.imrworldwide.com localhost
O1 - Hosts: server-ua.imrworldwide.com localhost
O1 - Hosts: server-jp.imrworldwide.com localhost
O1 - Hosts: server-it.imrworldwide.com localhost
O1 - Hosts: server-br.imrworldwide.com localhost
O1 - Hosts: telstra.imrworldwide.com localhost
O1 - Hosts: ninemsn.imrworldwide.com localhost
O1 - Hosts: secure-au.imrworldwide.com localhost
O1 - Hosts: secure-us.imrworldwide.com localhost
O1 - Hosts: secure-uk.imrworldwide.com localhost
O1 - Hosts: secure-jp.imrworldwide.com localhost

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) is a mico$oft money BHO, entirely up to you on that one

Certainly uninstall Gator

I also suggest that you download and run CoolWebShredder from here (47kb freeware)
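The triage that JW, JG and putasolutions do by hand on the log above, written as a small Python script (an added example, not code from this thread or from HijackThis): it walks HijackThis-style lines and flags the entry types discussed here, namely R0/R1 start and search pages pointing outside an assumed allowlist, O1 hosts redirects (decoding the dotless decimal address on the auto.search.msn.com line), an O2 BHO with no file behind it, O4 autoruns loaded from an NTFS alternate data stream (the System32:yfoqvp.dll colon syntax) and O16 ActiveX downloads from untrusted hosts. The sample log is a constructed excerpt of the posted log and the trusted-host list is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: one line of each kind discussed in the thread, copied from the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?840828 (obfuscated)
O1 - Hosts: 645238813 auto.search.msn.com
O1 - Hosts: server-au.imrworldwide.com localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [yfoqvp] rundll32 C:\WINDOWS\System32:yfoqvp.dll,Init 1
O4 - HKLM\..\RunOnce: [*yfoqvp] rundll32 C:\WINDOWS\System32:yfoqvp.dll,Init 1
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ADS_RE = re.compile(r'[A-Za-z]:\\[^:\s"]+:[^\s",]+')  # second colon in a drive path = NTFS alternate data stream
URL_RE = re.compile(r'https?://\S+')
# Assumed allowlist of hosts a stock IE start page or ActiveX download may legitimately point at.
TRUSTED_SUFFIXES = ("microsoft.com", "msn.com", "macromedia.com", "apple.com", "yahoo.com")

def decode_dword_ip(value):
    """Expand a 'dotless' decimal address (645238813) to dotted-quad form."""
    n = int(value)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def triage(log_text):
    """Return (finding, detail, line) tuples for the suspicious entry types the replies call out."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1", "O16"):  # start/search page URL, or ActiveX download source
            m = URL_RE.search(line)
            host = urlparse(m.group(0)).hostname if m else None
            if host and not trusted(host):
                label = "ActiveX download from untrusted host" if kind == "O16" else "hijacked start/search page"
                findings.append((label, host, line))
        elif kind == "O1":  # hosts file line: <address> <name>; a decimal address is a common obfuscation
            addr, _, name = line.split(": ", 1)[1].partition(" ")
            if addr.isdigit():
                findings.append(("hosts redirect (decimal IP)", f"{name} -> {decode_dword_ip(addr)}", line))
            elif re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', addr):
                findings.append(("hosts redirect", f"{name} -> {addr}", line))
            else:
                findings.append(("hosts entry with no address field (malformed)", addr, line))
        elif kind == "O2" and line.endswith("(no file)"):
            findings.append(("orphaned BHO, safe to remove", "", line))
        elif kind == "O4":
            m = ADS_RE.search(line)
            if m:
                findings.append(("autorun loaded from NTFS alternate data stream", m.group(0), line))
            if "RunOnce: [*" in line:  # a '*' prefix makes a RunOnce entry execute even in Safe Mode
                findings.append(("RunOnce entry forced to run in Safe Mode", "", line))
    return findings
```

Running `triage(SAMPLE_LOG)` yields eight findings, and every benign line in the sample (Norton, ccApp, Macromedia) passes through silently.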
 

Registered · 1 Post
sn00.exe

Hey Alabaster, this is my first time on here too, and I got on here just so I could possibly figure out your sn00.exe problem. I read all the replies and your comments also. Everyone has their suggestions and ideas; I'm sure they were all meaning well and trying to help you. But one thing I did not see in the replies is someone else that had that file on their computer also. Well, don't worry, because it's not a worm, virus, porn thing or anything bad like that. I looked through your directory listings that you posted and I noticed this
C:\WINDOWS\winww\sn00.exe
was in there. Well, good news, you're not the only one with that file; I have the exact same one on mine, in the exact same place. Let me ask you this: does the icon next to the sn00.exe file have a big green X in a square? I bet it does. Now, right click on the sn00.exe file and click on properties, then when that window comes up click on the version tab, then read what's all in there. Down in the "Item name" box on the left you can also click on those individual things and in the other box marked "Value" it will tell you what it is.

I'll make another bet that you have Microsoft Excel on your computer.

That's what I did, then I just double clicked on the sn00.exe file and it opened up Excel for me.

Well, I hope I was at least some help to you.

Oh yeah, by the way, if you're still having a lot of problems with your computer and can't seem to do anything to fix the problems, sometimes it's best to just reformat your hard drive and start fresh. If you don't know how to do that yourself, then don't try to do it yourself the first time. When you reformat a hard drive you wipe everything out and reinstall Windows and whatever else you may need to reinstall. You will lose your personal stuff doing this, so you want to make sure certain things are saved and backed up on a second hard drive or removable media.

Well, good luck with whatever you end up doing!!!

Have a good day!!
 

Registered · 113 Posts
alabaster

You have been hijacked by Coolweb

Download "CoolWebShredder" from the link supplied by putasolutions

Run it and then post a new log so that we can see what is left

steam
 