Full Version: Emails are suddenly lost and cannot connect
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
dstme
Hi,

I'm sure I'm infected with some kind of bug.
Some of my emails (many emails) are suddenly lost. They are not in the trash or anywhere; I just cannot find them. Also, emails suddenly cannot be sent out. Are there people who hijack emails? Or it may be a spam attack. I did receive this notice from AVG:

"This is the AVG E-mail Scanner program.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

-------------------------------------------------------------------
roystan@tamura-k.com.sg: Message rejected because ([210.24.200.237]) [210.24.200.237] is blacklisted
at dnsbl.njabl.org see open proxy -- 1100484005
-------------------------------------------------------------------

Your e-mail message is being returned to you in the next part of this
message. Try to send the message again.

Should you need assistance, please contact your administrator or your
internet service provider. "



Anyway, below is my HijackThis log. Kindly check it for me soonest, urgently. Thanks, thanks! Thanks!!!

Logfile of HijackThis v1.99.0
Scan saved at 1:18:35 AM, on 1/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Documents and Settings\Roystan\My Documents\BACKUP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dsthosting.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Roystan\Application Data\Mozilla\Profiles\default\7pe16aes.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Roystan\Application Data\Mozilla\Profiles\default\7pe16aes.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo Scheduler server.lnk = C:\Program Files\InterVideo\WinDVD4PR\SchSvr.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{558BBA43-B6F0-4C28-847D-BDEEC6461324}: NameServer = 192.169.34.181 203.120.90.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB052CDC-F213-4F1C-B17B-30CF67F0DFE5}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{558BBA43-B6F0-4C28-847D-BDEEC6461324}: NameServer = 192.169.34.181 203.120.90.40
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Intel(R) Active Monitor - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: InCD File System Service - Unknown - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
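The AVG notice in the post above is a bounce: the receiving server refused the message because the sender's public address, 210.24.200.237, was listed at dnsbl.njabl.org as an open proxy. That is a verdict on the IP address, not on the message, so changing the mail's content cannot fix it; the address has to be cleaned (the host behind it stopped relaying) and then delisted. The check below is an added example, not code from the thread or from NJABL: it builds the reversed-octet query name a mail server uses, interprets the answer, and runs the RFC 5782 sanity test (127.0.0.2 listed, 127.0.0.1 not) that tells a dead or hijacked list apart from a live one. The NJABL reply-code table is recalled from the list's documentation of the time and is an assumption (NJABL shut down in 2013); the resolver answers are constructed so the example runs offline.

```python
import ipaddress
import socket

# Reply-code meanings differ per list. These are NJABL's as recalled from its
# documentation at the time of the thread; treat them as an assumption (NJABL
# shut down in 2013, so the real zone no longer answers like this).
NJABL_CODES = {
    "127.0.0.2": "open relay",
    "127.0.0.3": "dial-up / dynamic address space",
    "127.0.0.4": "spam source",
    "127.0.0.5": "multi-stage open relay",
    "127.0.0.9": "open proxy",
}

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip, zone):
    """Build the query name: the IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)            # rejects anything that is not a v4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def _resolve(name):
    """Live lookup: the A record as a dotted string, or None when not listed (NXDOMAIN)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip, zone, codes, resolve=_resolve):
    """Return (listed, reason).

    Answers outside 127.0.0.0/8 are ignored: a lapsed DNSBL domain that gets
    re-registered with a wildcard A record would otherwise 'list' the whole Internet.
    """
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return False, None
    if ipaddress.IPv4Address(answer) not in LOOPBACK:
        return False, "ignored: non-loopback answer %s, list looks broken" % answer
    return True, codes.get(answer, "listed, unknown code %s" % answer)


def dnsbl_sane(zone, resolve=_resolve):
    """RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return (resolve(dnsbl_name("127.0.0.2", zone)) is not None
            and resolve(dnsbl_name("127.0.0.1", zone)) is None)


# Constructed answers standing in for DNS so the example runs offline. They mirror
# the bounce in the thread: the sender's address listed with the open-proxy code.
CONSTRUCTED_ANSWERS = {
    "237.200.24.210.dnsbl.njabl.org": "127.0.0.9",
    "2.0.0.127.dnsbl.njabl.org": "127.0.0.2",
}


def fake_resolve(name):
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    zone = "dnsbl.njabl.org"
    print("list passes sanity test:", dnsbl_sane(zone, fake_resolve))
    print(check_dnsbl("210.24.200.237", zone, NJABL_CODES, fake_resolve))
```

Drop the `resolve=fake_resolve` argument to query a real list. Run `dnsbl_sane` first; a list that fails it should not be consulted at all, and a bounce quoting such a list is the receiving server's problem rather than the sender's.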
CalamityJane
Hi dstme,

I cannot find any problems in your HijackThis log; however, that only looks in certain areas of your PC where spyware is known to hide.

I think you should try an online AV scan (full system) at any of the following. Let us know how that comes out.

Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx

Perhaps this is also just a problem with AVG.
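A HijackThis log is read by hand, which is why the reply above can only say that nothing stands out. The script below is an added example, not part of the thread and not HijackThis code: it parses the O4, O17 and O23 line formats seen in the log and flags the three things a reviewer would want confirmed by hand rather than eyeballed: O4 entries that name a bare executable (Windows resolves those through the PATH, so the file that actually runs should be confirmed), O17 nameservers outside private address space (confirm they are the ISP's), and O23 services whose publisher is "Unknown". None of these is a malware finding; the SAMPLE_LOG lines are copied from the log posted above and the rest of the log is omitted.

```python
import ipaddress
import re

# Lines copied from the HijackThis log posted above (a subset, for the example).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{558BBA43-B6F0-4C28-847D-BDEEC6461324}: NameServer = 192.169.34.181 203.120.90.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB052CDC-F213-4F1C-B17B-30CF67F0DFE5}: NameServer = 192.168.0.1
O23 - Service: InCD File System Service - Unknown - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

O4_RUN = re.compile(r"^O4 - .*?: \[[^\]]*\] (?P<cmd>.*)$")          # [name] command
O4_LNK = re.compile(r"^O4 - .*?: .*?\.lnk = (?P<cmd>.*)$")           # shortcut = target
O17_NS = re.compile(r"^O17 - .*NameServer = (?P<servers>.*)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<path>.*)$")


def executable_of(cmd):
    """First token of an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]


def is_bare_filename(exe):
    """True when the entry gives no directory at all, so Windows searches the PATH."""
    return "\\" not in exe and ":" not in exe


def triage(log_text):
    """Return a list of (kind, detail) items that need a manual check."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = O4_RUN.match(line) or O4_LNK.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if is_bare_filename(exe):
                findings.append(("O4-bare-filename", exe))
            continue
        m = O17_NS.match(line)
        if m:
            for ns in m.group("servers").split():
                try:
                    public = not ipaddress.ip_address(ns).is_private
                except ValueError:
                    public = True          # not even an address: worth a look
                if public:
                    findings.append(("O17-public-nameserver", ns))
            continue
        m = O23_SVC.match(line)
        if m and m.group("company") == "Unknown":
            findings.append(("O23-unknown-publisher", m.group("name")))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Note that 192.169.0.0/16 is not RFC 1918 space (192.168.0.0/16 is), so the check flags 192.169.34.181 alongside 203.120.90.40 while leaving the router at 192.168.0.1 alone. Public resolvers are perfectly normal on a DSL line; the point is only that each one should be traceable to the ISP.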
dstme
Hi, thanks for the quick reply.

AVG detected no viruses, but the online scan with Panda found more than 300 viruses. All were disinfected except 4 that are still unclean. But it then froze my PC. I had to reboot my PC.
The second time I scanned online with Panda, only 4 were detected, and then the whole PC stopped ("froze").

I had to reboot again, and am now trying to scan online with RAV Antivirus.

The question is why AVG could not detect anything but Panda detected more than 300 viruses. And I do not know what kind of viruses it detected, because before the scan was halfway through, it froze my computer. Also, like you said, HijackThis looks clean.

I will post any result from RAV, if it manages to scan the whole PC.
dstme
The PC seems to freeze again. I will post it when ready.

I did a scan on another PC and it was infected as well. It was detected by RAV Antivirus:
RAV did not clean it for me, and AVG did not detect the virus. Can you help me disinfect them? Please... Thanks

File: C:\Documents and Settings\Roystan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-29592d84-4ddaba7e.zip->Gummy.class
Virus: Trojan:Java/ClassLoader.D Status: Infected

File: C:\Documents and Settings\Roystan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-29592d84-4ddaba7e.zip->Counter.class
Virus: Trojan:Java/ClassLoader.D Status: Infected

File: C:\Documents and Settings\Roystan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-29592d84-4ddaba7e.zip->VerifierBug.class
Virus: Trojan:Java/ClassLoader.D
CalamityJane
For those, follow the directions here to clear your Java cache:

http://java.com/en/download/help/cache_virus.jsp

I'm not sure your PC is freezing; it sometimes takes some time to scan very large files on your PC, which makes it seem that way.
dstme
Thank you for the link. I will remove the bugs.
On my other PC, I have a hard time, because it freezes every time. So I have to stop the scanning midway so I can identify which virus. It is:
W32/Sober.I.worm, and it seems that the online antivirus is unable to disinfect it. Any solution to it?
Thanks again.
CalamityJane
Go to the link below and get the free tool from McAfee to scan for worms. Copy the directions on the site and keep them handy to follow. I would suggest you run the tool in SAFE MODE.

Download Stinger by McAfee
http://vil.nai.com/vil/stinger/

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Windows XP
To use the System Configuration Utility method

1. Close all open programs.
2. Click Start, and then click Run. The Run dialog box appears.
3. Type msconfig and then click OK.
4. The System Configuration Utility appears, go to the tab at the top named Boot.ini. Check the "/SAFEBOOT" option, and then click OK.
5. You then see the prompt to restart the computer. Click Restart.
6. The computer restarts in Safe mode. (This can take several minutes.)
7. Perform the troubleshooting steps for which you are using Safe Mode.
8. When you are finished with troubleshooting in Safe mode repeat steps 1-5, but in step 4, uncheck "/SAFEBOOT"
9. Close all programs and restart the computer as you normally would.
................................
To use the F8 method
Use this method only if Windows XP is the only operating system installed on your computer.

1. Start Windows, or if it is running, shut Windows down, and then turn off the computer.
2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.
.....................................

A very BIG problem you have there is an unpatched operating system and IE. Without the latest Windows Critical Security Updates and Service Packs you are likely to be reinfected right away. Today's worms and malware that exploit unpatched systems can shut down your resident Antivirus Program/Firewall and numerous other security programs. Get the patches here!!

http://v5.windowsupdate.microsoft.com/en/default.asp
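What the msconfig method above actually does is append a switch to the Windows XP boot entry in C:\boot.ini, which is why step 8 matters: until the switch is removed, every boot is a Safe Mode boot. The fragment below is an added illustration, not text from the thread or from Microsoft; the ARC path and the description string vary from machine to machine and are assumptions here. The only change msconfig makes to the original entry is the trailing /safeboot:minimal (msconfig's "Network" radio button writes /safeboot:network instead, for Safe Mode with Networking).

```ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /safeboot:minimal
```

boot.ini is a hidden, read-only system file; msconfig's Boot.ini tab edits it for you, and the F8 method leaves the file untouched, which is the safer choice when a single Safe Mode session is all that is needed.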
dstme
Thank you again for your info.
Both PCs are now disinfected. I think viruses have been removed. But when I run the Stinger by Mcaffee, it did not remove the virus for me even I run in safe mode and disable the system restore.
Is there a reason why it did not remove the viruses?

Also, I still do not know why AVG did not detect any viruses at all.

I will run another scan. Hope everything is ok.

THanks for your GREAT help!

Is there anyway to retrieve my lost email? I'm using Netscape 7.1
CalamityJane
QUOTE (dstme @ Jan 8 2005, 11:46 PM)
I think the viruses have been removed. But when I ran Stinger by McAfee, it did not remove the virus for me, even though I ran it in Safe Mode and disabled System Restore.
Is there a reason why it did not remove the viruses?

I can't answer that question without knowing the file name and exact location (full path) of the infected files found. I can't remember if Stinger makes a log for you when you scan, but if it does, post it and perhaps I can help interpret the findings for you.

QUOTE
Also, I still do not know why AVG did not detect any viruses at all.
I suspect your AVG has been damaged by one of the viruses on your system. Some of them are written intentionally to disable and damage security software to avoid detection. I would advise you to completely uninstall your AVG and reinstall a fresh copy. Get the updates for it and scan your system to see if it finds anything more. If so, please post the log here.


QUOTE
Is there anyway to retrieve my lost email? I'm using Netscape 7.1
I'm sorry, I don't have an answer for you. I'm not an expert in Netscape or in lost email retrieval, if that is possible at all. Try asking in one of the other sections of our forum where there may be others who can help you with that.
dstme
You have been great help. :)

QUOTE
I can't answer that question without knowing the file name and exact location (full path) of the infected files found. I can't remember if Stinger makes a log for you when you scan, but if it does, post it and perhaps I can help interpret the findings for you.


Below is the Stinger log. About 300 viruses were disinfected by Panda, except for these few files. I have emptied the email trash, and then I manually deleted the backup files that are infected.

McAfee AVERT Stinger Version 2.4.7 built on Jan 3 2005
Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on Dec 14 2004.
Ready to scan for 47 viruses, trojans and variants.

Scan initiated on Sat Jan 08 23:38:58 2005

C:\Documents and Settings\Roystan\Application Data\Mozilla\Profiles\default\7pe16aes.slt\Mail\mail.norexvenue-1.com\Trash\00001184.EML\000001a3.EML\00000720.EML\00000977.EML\re_mail4407.zip
Found the W32/Sober.j@MM!zip virus !!!

C:\Documents and Settings\Roystan\My Documents\BACKUP\syscom\backup-syscom.edu.sg-10-29-2004.tar.gz\backup-syscom.edu.sg-10-29-2004.tar\inbox\Informations.zip
Found the W32/Netsky.z@MM!zip virus !!!

C:\Documents and Settings\Roystan\My Documents\BACKUP\syscom\backup-syscom.edu.sg-10-29-2004.tar.gz\backup-syscom.edu.sg-10-29-2004.tar\inbox\000083f0.EML\information.zip
Found the W32/Netsky.p@MM!zip virus !!!

C:\Documents and Settings\Roystan\My Documents\BACKUP\syscom\backup-syscom.edu.sg-10-29-2004.tar.gz\backup-syscom.edu.sg-10-29-2004.tar\inbox\000083f0.EML\0000bbdf.EML\Data.zip
Found the W32/Netsky.z@MM!zip virus !!!

C:\Documents and Settings\Roystan\My Documents\BACKUP\syscom\backup-syscom.edu.sg-10-29-2004.tar.gz\backup-syscom.edu.sg-10-29-2004.tar\inbox\000083f0.EML\0000bbdf.EML\002a802b.EML\Informations.zip
Found the W32/Netsky.z@MM!zip virus !!!

Number of clean files: 170708
Number of infected files: 5


Further, I have removed and reinstalled AVG. I hope it is working now.

I found that the email file was corrupted, and it couldn't be opened. I renamed the file (.txt) and, when I opened it, found all my emails inside. I'm not sure why it cannot be displayed in Netscape. Anyway, I deleted some emails using WordPad, then renamed it back to the original name, and it works. I'm not sure, but maybe part of the email had the virus, or the file simply got corrupted after Panda disinfected it.
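The Stinger paths above show where the remaining detections lived: inside .zip attachments of messages stored in a single mbox file (the Netscape/Mozilla Trash folder), nested several messages deep. Editing that file in WordPad, as described in the last post, works but is easy to get wrong. The script below is an added example, not code from the thread or from Netscape: it walks an mbox with Python's mailbox module, moves every message that carries a .zip attachment into a quarantine mbox, writes the rest to a clean copy, and removes the folder's companion .msf index so the client rebuilds it instead of showing stale entries. The sample messages are constructed; the "attachment" is a bare ZIP local-file header, not a worm.

```python
import mailbox
import os
import tempfile

# Constructed sample messages (not from the thread): two harmless mails and one
# carrying a .zip attachment whose body is only a ZIP local-file header, no payload.
SAMPLE_MESSAGES = [
    "From: alice@example.test\nTo: roystan@example.test\nSubject: lunch\n\n"
    "See you at 1pm.\n",

    "From: bob@example.test\nTo: roystan@example.test\nSubject: Informations\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"B1\"\n\n"
    "--B1\nContent-Type: text/plain\n\nPlease see the attached file.\n"
    "--B1\nContent-Type: application/zip; name=\"Informations.zip\"\n"
    "Content-Disposition: attachment; filename=\"Informations.zip\"\n"
    "Content-Transfer-Encoding: base64\n\n"
    "UEsDBBQAAAAIAA==\n"
    "--B1--\n",

    "From: carol@example.test\nTo: roystan@example.test\nSubject: notes\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"B2\"\n\n"
    "--B2\nContent-Type: text/plain\n\nNotes attached.\n"
    "--B2\nContent-Type: text/plain; name=\"notes.txt\"\n"
    "Content-Disposition: attachment; filename=\"notes.txt\"\n\n"
    "line one\n"
    "--B2--\n",
]


def has_zip_attachment(msg):
    """True if any MIME part of the message carries a .zip filename (case-insensitive)."""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            return True
    return False


def quarantine_zip_messages(src_path, clean_path, quarantine_path):
    """Split src mbox into clean and quarantine mboxes. Returns (kept, quarantined)."""
    src = mailbox.mbox(src_path, create=False)
    clean = mailbox.mbox(clean_path)
    quar = mailbox.mbox(quarantine_path)
    kept = moved = 0
    try:
        for msg in src:                      # the source file is only read, never rewritten
            if has_zip_attachment(msg):
                quar.add(msg)
                moved += 1
            else:
                clean.add(msg)
                kept += 1
        clean.flush()
        quar.flush()
    finally:
        src.close()
        clean.close()
        quar.close()
    return kept, moved


def drop_stale_index(folder_path):
    """Remove the Mozilla-family <folder>.msf summary so the client re-indexes the mbox."""
    msf = folder_path + ".msf"
    if os.path.exists(msf):
        os.remove(msf)
        return True
    return False


def demo():
    """Build the constructed mbox in a temp dir and split it; returns (kept, moved, msf_removed)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "Trash")
        box = mailbox.mbox(src)
        for text in SAMPLE_MESSAGES:
            box.add(text)
        box.close()
        open(src + ".msf", "wb").close()     # stand-in for the client's index file
        kept, moved = quarantine_zip_messages(
            src, os.path.join(d, "Trash.clean"), os.path.join(d, "Trash.quarantine"))
        return kept, moved, drop_stale_index(src)


if __name__ == "__main__":
    print(demo())
```

On a real profile, run it against the folder file with the client closed, then replace the original with the clean copy and keep the quarantine file for the scanner to examine. The filename test is deliberately crude; the worms in the Stinger log all travelled as .zip attachments, and anything the filter drops is still available in the quarantine mbox, so a false positive costs nothing.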