My Hotmail is sending a virus or spam email to everyone on my messenger list. It has done so twice. I need to stop this; any help would be great. Here is the message it is mailing:
Date: Wed, 17 May 2006 11:37:29 -0300
Hi! How are you? You know I've created my own website! Can you check how it works? It's http://www.kisenfad.com/test Can you see video? Bye!
Hi tdurham. You probably have malware on your computer that is sending those messages. Please post a HijackThis log here and we'll get you cleaned. Instructions for posting -> http://forums.afterdawn.com/thread_view.cfm/263784 (steps 3-5)
Thanks for the help, my email list will appreciate it. Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 6:02:21 PM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\etlisrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Oracle\Ora817\BIN\TNSLSNR.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Timbuktu Pro\Tb2Logon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\Novadigm\radtray.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Connected\CBSysTray.exe
C:\WINDOWS\system32\etlitr50.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
c:\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hub.slb.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Sun ONE Synchronization - iPlanet] C:\Program Files\Common Files\XCPCSync\Translators\iPlanet\iPlanetTray.exe
O4 - HKLM\..\Run: [Password Reminder] remind.vbs
O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [GetInfo] C:\Program Files\Network Associates\Common Framework\GetInfo.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Entrust.lnk = C:\WINDOWS\system32\etlitr50.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136561317500
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nam.slb.com
O17 - HKLM\Software\..\Telephony: DomainName = nam.slb.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nam.slb.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)
O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Entrust Login Interface (ELIService) - Entrust(R) - C:\WINDOWS\etlisrv.exe
O23 - Service: Entrust/TrueDelete(TM) (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: OracleOraHome817Agent - Oracle Corporation - C:\Oracle\Ora817\bin\dbsnmp.exe
O23 - Service: OracleOraHome817ClientCache - Unknown owner - C:\Oracle\Ora817\BIN\ONRSD.EXE
O23 - Service: OracleOraHome817DataGatherer - Oracle Corporation - C:\Oracle\Ora817\bin\vppdc.exe
O23 - Service: OracleOraHome817HTTPServer - Unknown owner - C:\Oracle\Ora817\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome817PagingServer - Unknown owner - C:\Oracle\Ora817/bin/pagntsrv.exe
O23 - Service: OracleOraHome817TNSListener - Unknown owner - C:\Oracle\Ora817\BIN\TNSLSNR.exe
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Hi again. You don't have a firewall on your computer. Download and install one firewall. These are good (free) firewalls:
ZoneAlarm -> http://www.zonelabs.com
Kerio -> http://www.sunbelt-software.com/Kerio.cfm
Outpost -> http://www.agnitum.com
Do you know anything about this entry?
O4 - HKLM\..\Run: [Password Reminder] remind.vbs
Then you could run the following virus scan:
Download eScan to your desktop -> http://www.spywareinfo.dk/download/mwav.exe
Run the file mwav.exe and unzip it to its default location, C:\Kaspersky
1. Updating the scanner (close the eScan window if open)
-> Go to My Computer -> C:\ -> Kaspersky
-> Run the file kavupd.exe, it starts downloading updates
-> When downloading is finished, go to C:\Downloads
-> Copy all the files in the Downloads folder by pressing CTRL+A and then CTRL+C
-> Then go back to the C:\Kaspersky folder and paste the files by pressing CTRL+V
-> Answer Yes to all when it asks about replacing files
-> Now the scanner has been updated
2. Scanner settings
-> Go to folder C:\Kaspersky and run the file mwavscan.com (or mwavscan.exe)
-> The scanner window opens
-> Select the same settings as in this picture -> http://koti.mbnet.fi/pattaya1/eScan6.jpg
-> When ready, press the Scan Clean button
-> Scanning for infections begins
3. Posting the results
-> When the scan has finished (the scan may take quite a long time), you'll need to post the findings
-> Copy all the text in this field -> http://koti.mbnet.fi/pattaya1/eScan10.jpg
-> Click the field, press CTRL+A, CTRL+C
-> Then open Notepad and paste the findings into a new document by pressing CTRL+V
-> Save the document to your desktop
-> Post the contents of that text file here
I don't know anything about that particular entry? I went through all the directions you posted (thanks again) and yet there was nothing in the field you specified. This is a brand new computer; the problem began on an old computer that is not connected. Hotmail has sent one mass email since through my account though. Am I stuck having to delete the account I've had for almost 10 years now? This would be a real pain....
Ok, it is possible that your email address has been added to some spamming list...
Cleaning instructions:
Move HijackThis into its own folder C:\HJT
Download and install Ewido anti-malware -> http://www.ewido.net/en/download
Update it, but do NOT run a scan yet. We'll use it later.
Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked:
O4 - HKLM\..\Run: [Password Reminder] remind.vbs
O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)
Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml
Use the Windows "search" function -> Start -> Search -> All files and folders -> More advanced options
Checkmark these options:
- "Search system folders"
- "Search hidden files and folders"
- "Search subfolders"
-> Search for this and delete if found: remind.vbs
Scan and clean your computer with Ewido and save the report.
Clean the Recycle Bin and make your hidden files visible again.
Restart your computer normally.
Post the following logs here:
-> a fresh HijackThis log
-> Ewido's log
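The log triage done by eye in this thread can be scripted. This is an added example, not part of the original posts and not HijackThis code: it flags O4 Run entries whose command has no absolute path or names a script file, plus any entry the log marks "(file missing)". The sample lines are copied from the log posted above; the function and pattern names are made up for the example.

```python
import re

# Sample input: a few entries copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Password Reminder] remind.vbs
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)
"""

# Hypothetical helper patterns for this example.
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
ABSOLUTE = re.compile(r'^"?(?:[A-Za-z]:\\|%)')   # drive path or %variable%
SCRIPT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|bat|cmd)\b", re.IGNORECASE)


def triage(log_text):
    """Return {entry line: [reasons]} for entries that deserve a manual look."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY.match(line)
        if not entry:
            continue  # header, process list or blank line
        reasons = []
        body = entry.group("body")
        if body.endswith("(file missing)"):
            reasons.append("target file missing")
        run = RUN.match(body) if entry.group("code") == "O4" else None
        if run:
            cmd = run.group("cmd")
            if not ABSOLUTE.match(cmd):
                reasons.append("no absolute path")
            if SCRIPT.search(cmd):
                reasons.append("script file")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry_line, why in triage(SAMPLE_LOG).items():
        print(", ".join(why), "->", entry_line)
```

A flagged entry is a prompt to look at the file, not a verdict: a Run value without a full path is resolved through the Windows search path, so the log alone does not show which file will run.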