FRIHOST FORUMS SEARCH FAQ TOS BLOGS COMPETITIONS
You are invited to Log in or Register a free Frihost Account!


Is it a Virus?!?!





Xavier
hey

pls help me out sum weird stuff is happenin on my pc since morning....dese mails r getting sent n blocked by symantec...and i dont use ne mail client

its not evn sending to mails on my conctac or nething, ive not hrd of these email addresses

and the subjects r weird things like 'revoke' or 'prefer'

this only happens wen im connected, btw...if im just using the pc then it dont happen

i connect using a wireless lan so i dont kno if it only works wen the net is on or even if jus a network is enabled..

ive attached a screenshot and a hijack this log...




hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:02 PM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
d:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apoint.exe
D:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
D:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Wisdom-soft ScreenHunter Free\ScreenHunter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\User\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&continue=http%3A%2F%2Fgmail.google.com%2Fgmail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://vaio-online.sony.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&continue=http%3A%2F%2Fgmail.google.com%2Fgmail
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vaio-online.sony.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "D:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B51FA93-B7C4-47D2-9413-1FAFA91C7DBF}: NameServer = 172.16.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WBSrv - D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - d:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)



Can anyone help me figuring this out?! Question
johanfh
Looked through it and it didn't seem very strange to me. But maybe I overlooked something. What kind of mails are sent out? Can you tell us something more about what is actually happening?

Thanks!
JohanFH
Clash
I'm not going to list your entire hijack this log, but there is an awful lot going on in your machine. Never mind the running processes for the moment. Go through all the items in the Hijack this Scan, and satisfy yourself that you know what each one of them is doing. If the reference is to a file on your hard disk, go to that file and view the properties for it. The first thing to look at is the version tab. Does it have the manufacturers copyright on it?, does the description match your idea of what it's doing?.

Go through them all carefully. Be especially anal about items that refer to a cab file at a web address. Check out t hat web address and see is it genuine and is it for something you actually want. There are a few items in there that would arouse my suspicion especially the winsock entry.

Good luck
TheGeek
I to looked it over and from what i can see i didnt notice anything out of the ordinary, however, without knowing exactly what you have on your computer i cant tell you if any of that i truely legit, though i checked all the companies that were listed as well as all links and they all seem legit so unless there is something from a company on that list that you dont have anything installed from then nothing is out of the ordinary.

Try running AVG and their email client, it tells you what emails are being sent out and they include a little blurb about where its coming from and where its going to.
tufansaba
i think install kaspersky on your computer Wink
AftershockVibe
The windows kernel has SMTP rountines built into it so you more than likely won't be able to catch it directly if it is latched into another program - most likely Internet Explorer.

I'd suggest downloading AVG and some form of antispyware - try AdAware or Microsoft's Antispyware.
Clash
Well obviously something is sending email, that's a given. The addresses could be taken from anything, even a text file. So whether there your contacts or not is irrelevant.

Lot's of viruses have their own built-in SMTP mail client, so they don't need yours. Also they could be running as a hidden service, or as a tack on to an existing service, so it won't show up on your hijack this log. Something like Process Explorer would tell you what exactly is running.

The first thing is to get a proper A/V. I know you've Norton, but (a) it's crap and (b) if you have an older version (say 2004/05) It won't be as good at catching new variants as the latest version even if your defs are up to date. So download AVG free and install that. You'll have to remove Norton first.

The last thing to check are ADS's. Hijack this has a built in ADS scanner, so use that initially in it's default setting to scan your Windows folder, but also scan the entire disk(s).

That should get you some way to solving the problem.
prettygood
may be it is a keylogger or an adware you should scan ur computer with adaware or spybot search and destroy spysweeper ...

this may solve ur problem...

of course last chance is formatting the pc Very Happy (but we dont want it do we??)
Xeniczone
with windows it is a sure beat it is a virus Laughing

Try going to mcafee I think they offer free scans from there site.
bladesage
Xeniczone wrote:
with windows it is a sure beat it is a virus Laughing

Try going to mcafee I think they offer free scans from there site.


DO NOT USE MACAFEE UNLESS YOU ARE A PAYING CUSTOMER! They do offer free scans, but they don't remove anything they find unless you purchase their software. If you want a quick fix, try Etrust. Get their entire security suite, at least the trial if nothing else. They will scan, and remove/quarantine anything they find. What's more, they will provide a real-time scanner. This miracle scanner will automatically find, destroy, and PREVENT malware of any kind.

If you need to find them, try using download.com.

They are absolutely amazing Cool. That sums it right up.
yjwong
Alternatively, you can go to http://hijackthis.de.

Paste your log file there. Your log will be anaylsed and they will show you the results, about what program is safe or is suspected to be a virus or spyware.
futurcat
yjwong wrote:
Alternatively, you can go to http://hijackthis.de.

Paste your log file there. Your log will be anaylsed and they will show you the results, about what program is safe or is suspected to be a virus or spyware.


That portal was purchased by a bigger company, but still offers that same service, which I consider very useful for a first assessment.

Later on you can google for you concrete problem, because hijackthis.de would typically not fix this.
Related topics
Reply to topic    Frihost Forum Index -> Computers -> Computer Problems and Support

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2011 Frihost, forums powered by phpBB.