OE *event* & now I can't find it. HELP!

Mar 16, 2004 10:49AM PST

Howdy,

My g/f's Dad is having an issue with his XP home ~1.8G P-IV box and I'm looking for ideas and direction. I've tried a few things to correct the situation, but so far I've found about nothing...


The background info is that last Thursday evening (3/11) he got a pair of e-mails with .pif attachments into OE 6 from his copper.net account. His OE was set up not to view in a preview pane, but he says he did select at least one of them to read the text in the body. At that point..he said his computer started "churning" for a few seconds (BubbleBoy style attack?). He says he is certain he didn't click or open the attachments as he didn't know who sent them.

The results..on the surface..are a slow (imo) sluggish system that randomly wants to restart and all e-mails in the OE folders having gone missing. Also, about a dozen semi large & weird bitmap files appeared in the recycle bin.

FWIW..the system had McAfee's on it and all current M$ XP/OE 6 patches at the time of the incident.


So far..I have been unable to find a trace of whatever hit the system. I've used the updated (3/13) McAfee's (restore off & in safe mode) and Housecall scans. For lack of better things..I also ran Spybot, CWShredder and a trial copy of Diamondcs TDS-3 (?). No entries in Hijack This caught my attention, but I'll attach the log at the end of this post just in case I missed something.

An "IT" guy where he used to work advised him to physically uninstall OE, so much to XP's dismay (safe mode) we gave that a try as nothing else was turning up.


Long story short..nothing much has changed. OE was reinstalled and the first batch of e-mails downloaded from the server disappeared after OE was restarted.

Ideas or directions as to why OE continues to "lose" messages? That has to stop........




Logfile of HijackThis v1.97.7
Scan saved at 9:25:53 PM, on 3/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\ScanPanel\ScnPanel.exe
C:\WINDOWS\System32\svchost.exe
C:\Misc\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: ScanPanel.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/194a8fc843d2c9b89a19/netzip/RdxIE601.cab
O16 - DPF: {5DBF08EF-4BDE-11D3-B8E4-0080C84E9C66} (Medi@Show Control) - http://www.cyberlink.com.tw/medi@show/tv/MediaShow.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://www.getdway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.5225810185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

A thread for you to . . .
Mar 17, 2004 3:37AM PST
Re:A thread for you to . . .
Mar 17, 2004 11:40PM PST

Thanks for the reply!

Having OE rebuild Folders.dbx looks to be promising.

Hopefully, that will solve the issue and whatever corrupted it isn't still present on the system.