
trojan narat new on Dec 31


Name: homebuyer
Date: January 1, 2004 at 04:08:13 Pacific
OS: xp
CPU/Ram: 900 celeron 256k
Comment:

Can't get rid of it. Every time I launch IE, narrator.exe (infected) appears out of nowhere and wreaks havoc on my browser, making it open up 100 times and disappear at various times. I can delete narrator.exe with cyberscrub, but as soon as I relaunch IE it comes back.

History. Was on net on the 31st, then my browser went crazy (described above). Downloaded trial norton, which ID'd the trojan but couldn't delete it; however, after cyberscrub finally deleted narrator.exe I launched IE only to have norton pop up and again say it just deleted narrator.exe. Every subsequent page I attempt on IE causes Norton's exact message to reappear. I need to get rid of whatever is creating and launching narrator.exe repeatedly. It's respawn hell.

Below is what norton says about this new trojan. I also tried a trojan removal software but it didn't recognize trojan.narat. Also, I tried following norton's instructions below but I couldn't find any of what they said would be in the registry. I got to get some sleep. I've been at it for 11 hours.

Trojan.Narat
Discovered on: December 30, 2003
Last Updated on: December 31, 2003 10:50:32 AM



Trojan.Narat is a Trojan horse that sends confidential information back to the attacker. The existence of the file msnarrator.exe is an indication of a possible infection. The Trojan is an MFC Windows application and is packed with UPX.



Type: Trojan Horse
Infection Length: 10,752 bytes



Systems Affected: Windows 2000, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX




Virus Definitions (Intelligent Updater) *: December 31, 2003
Virus Definitions (LiveUpdate™) **: December 31, 2003

* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.



Wild:

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate

Threat Metrics

Wild: Low
Damage: Low
Distribution: Low

Damage

Payload Trigger: n/a
Payload: Sends information back to the hacker via HTTP.
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: n/a
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a

Distribution

Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a


When Trojan.Narat is executed, it does the following:


Copies itself as %Windir%\msnarrator.exe.


Adds the value:

"msnarrator" = "%Windir%\msnarrator.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Adds the values:

"PingMDID" = "1"
"PingSDID" = "0"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate


Attempts to send confidential information back to the attacker through HTTP.


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan and delete all the files detected as Trojan.Narat
Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with Trojan.Narat, click Delete.

4. Deleting the value from the registry


----------------------
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
----------------------


Click Start, and then click Run. (The Run dialog box appears.)


Type regedit and then click OK. (The Registry Editor opens.)


Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"msnarrator" = "%Windir%\msnarrator.exe"


Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate


In the right pane, delete the values:

"PingMDID" = "1"
"PingSDID" = "0"


Exit the Registry Editor.



Write-up by: Scott Gettis








Response Number 1
Name: homebuyer
Date: January 1, 2004 at 04:18:14 Pacific
Reply:

It's me again. Forgot to tell you that my system restore has been turned off for two years.


0

Response Number 2
Name: Tufenuf
Date: January 1, 2004 at 05:02:56 Pacific
Reply:

Robert, You may not have a virus at all. The Narrator.exe may somehow have gotten into your Start/Programs group and has to be dragged back to the Start/Programs/Accessories/Accessibility group. The narrator.exe should be in your C:\Windows\System32 folder and is a viable Windows XP file. Notice that the Symantec instructions show "msnarrator.exe" not "narrator.exe" (different spelling).

Post back,
Tufenuf


0

Response Number 3
Name: homebuyer
Date: January 1, 2004 at 05:30:09 Pacific
Reply:

msnarrator.exe is what I keep deleting and then it reappears. I was dead tired when I wrote narrator.exe. Should have been msnarrator.exe. Norton keeps identifying that msnarrator.exe as a trojan.

Can you help?


0

Response Number 4
Name: homebuyer
Date: January 1, 2004 at 05:34:55 Pacific
Reply:

I checked the system32 file for narrator.exe ; it's there, and in windows there is the trojan msnarrator.exe.

Can you help or do I have to wait until trojan.narat becomes well known?

I'm dying here. Thanks


0

Response Number 5
Name: Tufenuf
Date: January 1, 2004 at 05:35:03 Pacific
Reply:

Robert, Did you follow Norton's instructions to delete the registry keys and also make a registry backup as Norton recommends?

----------------------
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
----------------------


Click Start, and then click Run. (The Run dialog box appears.)


Type regedit and then click OK. (The Registry Editor opens.)


Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"msnarrator" = "%Windir%\msnarrator.exe"


Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate


In the right pane, delete the values:

"PingMDID" = "1"
"PingSDID" = "0"


Exit the Registry Editor

Tufenuf


0


Response Number 6
Name: Tufenuf
Date: January 1, 2004 at 05:43:53 Pacific
Reply:

Robert, If you're having trouble deleting the msnarrator.exe file do a Ctrl/Alt/Del to bring up Task Manager and see if the msnarrator.exe is running under the Process tab. If it is, highlight it and click the End Process button, then try to delete the msnarrator.exe in your Windows folder.

Tufenuf


0

Response Number 7
Name: iceblue
Date: January 1, 2004 at 06:01:37 Pacific
Reply:

Could be some other piece of malware disabling Norton's. I wonder what else is on this system that is altering the browser?


0

Response Number 8
Name: homebuyer
Date: January 1, 2004 at 06:10:13 Pacific
Reply:

I followed Norton's directions for the registry keys deletion. The files they said to delete weren't there, even though msnarrator.exe was running. I also tried control alt delete and highlighted then deleted msnarrator.exe. It worked until I opened up the browser again, then msnarrator reappeared and the hell was reborn again.


0

Response Number 9
Name: iceblue
Date: January 1, 2004 at 06:14:29 Pacific
Reply:

KTTD guidelines
http://www.computing.net/security/wwwboard/forum/6433.html


0

Response Number 10
Name: Tufenuf
Date: January 1, 2004 at 06:19:30 Pacific
Reply:

Robert, That's strange that the registry keys weren't there. Try Start/Programs/Startup folder and see if there's an entry for the msnarrator.exe in that folder. If there is, right click it and click Delete. Also try Start/Run and type in MSCONFIG and click OK. Look under the Startup tab and see if msnarrator.exe is listed. If it is, uncheck it, click Apply, click OK and restart your computer. Since it's a brand new Trojan I'm sure there will be other fixes available shortly. Keep us posted.

Tufenuf


0

Response Number 11
Name: Tom41
Date: January 1, 2004 at 08:15:07 Pacific
Reply:

Download 'Hijack This!'. Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.
HijackThis!



0

Response Number 12
Name: sxshep
Date: January 1, 2004 at 17:16:48 Pacific
Reply:

We'll get one yet Tom, hopefully

Shep



0

Response Number 13
Name: homebuyer
Date: January 1, 2004 at 20:14:28 Pacific
Reply:

Logfile of HijackThis v1.97.7
Scan saved at 8:11:17 PM, on 1/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
C:\WINDOWS\System32\msvcmm32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\msnarrator.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\1\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.craigslist.com/
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\1\Application Data\Mozilla\Profiles\default\ifh52ygh.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\1\Application Data\Mozilla\Profiles\default\ifh52ygh.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-5F8507C5F4E9} - C:\WINDOWS\iempg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OAKTASK] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.exe
O4 - HKLM\..\Run: [OAKSTART] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKSTART.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINDOWS\System32\msvcmm32.exe
O4 - HKLM\..\Run: [AutoProp] C:\PROGRA~1\MI1933~1\Office10\bots\fp_wmp\regprop.exe C:\PROGRA~1\MI1933~1\Office10\bots\fp_wmp\WMPaddin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKLM\..\Run: [msnarrator] C:\WINDOWS\msnarrator.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [cdman.exe] "C:\Program Files\Paragon Software\Paragon CD-ROM Emulator\cdman.exe" /startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/4.1.1/Hiwire.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {345CA9DC-1600-4CD2-BFCF-7B57DD1A32DA} (NeoworkInstall Control) - http://easyinstall.icons.com.ne.kr/easyinstall/ocx/ver1003/NeoworkInstall.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04a95b3de33f45ec2e03/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cameras.thibault.com/activex/AxisCamControl.ocx
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_pack_XP.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37872.8693981481
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.149/code/iPIX-ImageWell-ipix.cab



0
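Added example (not part of the thread or of Symantec's write-up): a Python check of a HijackThis log against the two Trojan.Narat indicators the write-up in the first post gives, the %Windir%\msnarrator.exe file and the msnarrator Run value. The sample log is constructed from lines of the log above plus one line for the legitimate System32\narrator.exe; the function names and the C:\WINDOWS default are assumptions.

```python
import ntpath
import re

# Indicators from the Symantec Trojan.Narat write-up quoted in the first post.
NARAT_FILE = r"%Windir%\msnarrator.exe"
NARAT_RUN_VALUE = "msnarrator"

# Constructed sample: lines taken from the HijackThis log above, plus one added
# line for the legitimate System32\narrator.exe to show it is not matched.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\narrator.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\msnarrator.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [msnarrator] C:\WINDOWS\msnarrator.exe
O4 - HKCU\..\Run: [cdman.exe] "C:\Program Files\Paragon Software\Paragon CD-ROM Emulator\cdman.exe" /startup
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# Executable part of a Run command: a quoted path, or everything up to ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.IGNORECASE)


def normalize(path, windir=r"C:\WINDOWS"):
    """Expand %Windir% and fold case/separators so paths compare equal."""
    expanded = re.sub(r"%windir%", lambda m: windir, path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(expanded))


def parse_hjt(text):
    """Return (running_processes, run_entries) from a HijackThis log."""
    processes, run_entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if line and not ENTRY_RE.match(line):
                processes.append(line)
                continue
            in_processes = False  # blank line or first "Xn - " entry ends the list
            if not line:
                continue
        m = RUN_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            exe = EXE_RE.match(command)
            target = (exe.group(1) or exe.group(2)) if exe else command
            run_entries.append({"hive": hive, "key": key, "name": name,
                                "target": target, "line": line})
    return processes, run_entries


def find_narat(text, windir=r"C:\WINDOWS"):
    """List (kind, detail) findings that match the write-up's indicators."""
    wanted = normalize(NARAT_FILE, windir)
    processes, run_entries = parse_hjt(text)
    findings = []
    for proc in processes:
        # Exact path match: System32\narrator.exe is a different file.
        if normalize(proc, windir) == wanted:
            findings.append(("process", proc))
    for entry in run_entries:
        # Registry value names are case-insensitive; match name or target.
        name_hit = entry["name"].lower() == NARAT_RUN_VALUE
        path_hit = normalize(entry["target"], windir) == wanted
        if name_hit or path_hit:
            findings.append(("autorun", entry["line"]))
    return findings


if __name__ == "__main__":
    for kind, detail in find_narat(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

An empty result covers only these two indicators: the WindowsUpdate PingMDID/PingSDID values from the write-up are not among the log lines parsed here, and later replies in this thread report the file returning until other entries were removed as well.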

Response Number 14
Name: sxshep
Date: January 1, 2004 at 21:04:16 Pacific
Reply:

Robert,
First of all you should move the HJT program to your desktop or folder so it will keep backups, otherwise the changes will be lost. If we have to restore an item we can.

When that is completed let's see if a couple of steps will work out. Disable System Restore, enable Show Hidden Files, close all browser windows & programs except HiJack This. Put a check mark in the following for HJT to fix:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-5F8507C5F4E9} - C:\WINDOWS\iempg.dll
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - (no file)
O4 - HKLM\..\Run: [msnarrator] C:\WINDOWS\msnarrator.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/4.1.1/Hiwire.cab

There are others in the O16 category which I can't identify. Most of the time you can delete them all, if they are needed again they will ask again to plug in.

Then....

Reboot into safe mode (tap F8 key on boot) and delete:

C:\WINDOWS\msnarrator.exe

Reboot normal post a new log or update the situation

Shep


0

Response Number 15
Name: sxshep
Date: January 1, 2004 at 21:07:28 Pacific
Reply:

Or you can run the whole thing from safe mode which should eliminate startup processes problems.

Dealers choice

Shep



0

Response Number 16
Name: madzippy
Date: January 1, 2004 at 22:11:44 Pacific
Reply:

I had the same problem with Trojan.Narat. But I'm happy to report that Ad Aware solved it...I hope.

Go to lavasoft and download Ad Aware. Download the definitions update and run it. It will find the "other" registry keys that Norton overlooked. I did and now IE works just fine!

Thank you, LavaSoft!!!


0

Response Number 17
Name: homebuyer
Date: January 1, 2004 at 23:07:33 Pacific
Reply:

Hello Oh Supreme Shep:

I followed your advice and ran hijackthis.exe in safe mode and checked off what you told me to. My computer shows no signs of msnarrator.exe anymore. Also, Norton no longer pops up with an alert to narat warning.

In appreciation of your help, I took the liberty of setting you up with a free discount account at www.namesniffer.com . It is a domain reseller site backed by godaddy.com. At namesniffer you can purchase anything domain-related at wholesale prices. To start you off you now own sxshep.com . E-mail me at lawyer@loandesk.com and I'll provide you with the login name and password to your account. Once you log in you can change your "account settings" like your domain name ownership record "Shep Rules" to your real name. You should edit your, or should I say my address to reflect your present one.

FYI, I set up my own godaddy resellers account namesniffer because I buy a lot of domain names, etc. If you decide to take advantage of your discounted namesniffer account always check to see what godaddy.com's prices are first. Sometimes they offer some great promotional purchases. For example, right now through the 31st they're offering dot-us and dot-biz domains for about five bucks each.

In any event, your sxshep.com domain name comes with 100 free email forwarding somethingorother, free masking, and web forwarding. Future dot-com purchase will be about $7.20 each. Other products will be discounted even more for you. When you shop at namesniffer I believe the discount won't show until you are ready to check out with your purchase(s). Your final purchase price will show the discount.

Best wishes and thanks for your help.

lawyer@loandesk.com
www.refi.biz
www.punies.com

Thanks
p.s. to Madzippy. I too tried lavasoft and it didn't work; but thanks anyway.



0

Response Number 18
Name: sxshep
Date: January 2, 2004 at 04:55:37 Pacific
Reply:

Thanks, but no thanks. and you are welcome.

If you want to donate, donate to this site to help keep it running.

shep


0

Response Number 19
Name: aestorr
Date: January 2, 2004 at 10:06:47 Pacific
Reply:

I had exactly the same problem - IE shortcuts deleted, IE history deleted, 100s of IE windows popping up. The same useless symptoms from Norton too. Also I couldn't open the registry editor in the normal way (had to use run>regedt32 instead of run>regedit as suggested by Symantec). I ran Ad-Aware and that seems to have sorted it. How can huge companies like Norton and Symantec be useless against this but a free ad scanner be perfect?!


0

Response Number 20
Name: iceblue
Date: January 2, 2004 at 14:27:03 Pacific
Reply:

nodsnods aestor
It is bizarre and amazing how frequently the giant company products fall over, and may I suggest you post those results of yours in a new topic, to make sure everything is ok?

and shep,
I ain't seen a thankyou scam like that one before, canubelieveit?
o exalted supreme shepfulness rules!
heh heh



0

Response Number 21
Name: sxshep
Date: January 2, 2004 at 14:34:44 Pacific
Reply:

Ice,

I feel used, heh heh.

I helped a spammer!!

Although they are people too.

Bob if you are lurking here it's ok, everybody's gotta make a living.

On the off chance that you were sincere, you are most welcome

See ya



0

Response Number 22
Name: homebuyer
Date: January 3, 2004 at 03:26:56 Pacific
Reply:

Thank you scam???

Please read the whois data below:

Registrant:
Shep Rules
P.O. Box 753
Orinda, California 94563
United States

Registered through: namesniffer.com
Domain Name: SXSHEP.COM
Created on: 02-Jan-04
Expires on: 02-Jan-05
Last Updated on: 02-Jan-04

Administrative Contact:
Rules, Shep lawyer@loandesk.com
P.O. Box 753
Orinda, California 94563
United States
9999999999

Technical Contact:
Rules, Shep lawyer@loandesk.com
P.O. Box 753
Orinda, California 94563
United States
9999999999

Domain servers in listed order:
PARK13.SECURESERVER.NET
PARK14.SECURESERVER.NET


----------------

Sincerely,

Robert Shanklin, Attorney at Law
www.punies.com


0

Response Number 23
Name: homebuyer
Date: January 3, 2004 at 03:31:47 Pacific
Reply:

Spammer??? Funny, I had downloaded some bulk email software for evaluation at the time I got the trojan.narat. I was researching software compliance under the new federal Can-Spam law.

FYI, the new Can-Spam law makes it easier to spam people. The feds really screwed up on this one.

Regards,

Robert Shanklin, Esq.


0

Response Number 24
Name: sxshep
Date: January 3, 2004 at 05:42:53 Pacific
Reply:

Robert,

Thank you again. Don't have any aspirations regarding web site hosting. However it is comforting to know that if situation changes the option is available to me.

I am pleased that you were able to get rid of the bug that bit you. Remuneration was an unexpected and kind gesture, and sarcastic comments aside, appreciated.

Still you have to admit it is at the very least unorthodox.

Shep


0

Response Number 25
Name: iceblue
Date: January 3, 2004 at 07:09:54 Pacific
Reply:

No offence intended, Robert.
It's just a thankyou gift comes free,
not at a discount or wholesale prices!
Everything else is advertising for business,
which you do seem to be very good at.

We remove unwanted Adware for a hobby, and I would be removing yours if it was in my power.
Just my thoughts,
please enjoy.

iceblue


0

Response Number 26
Name: homebuyer
Date: January 4, 2004 at 01:48:50 Pacific
Reply:

It's ba-aaaaack...

I followed your directions on how to rid my computer of narat. As a follow up precaution, I checked norton's site today for an update. You may read it here:

http://securityresponse.symantec.com/avcenter/venc/data/adware.mpgcom.html

Needless to say, I followed their instructions (saw msnarrator again) and deleted mpgcom and corresponding registry entries. I think Norman Bates' mother is finally gone (Psycho movie). However, something called msvcmm32.exe is now trying to connect to a DNS or something. Finally, that pesky egroup egdial whatever was still there. I think its dlls are gone too. I'll check tomorrow.

I have to quit working so late.

Thanks for everything.
Thanks for everything.
Thanks for everything.
Thanks for everything.
(must be a spam keyboard issue)

Regards,

Robert


0

Response Number 27
Name: iceblue
Date: January 4, 2004 at 05:36:06 Pacific
Reply:

'Probable cause': Re-Infection.


0

Response Number 28
Name: homebuyer
Date: January 4, 2004 at 10:07:33 Pacific
Reply:

Re-infection...but I deleted those email programs long before I attempted the first cleaning.

I guess it doesn't matter. I'll run another norton scan later to see.

On that note, I'll end with a grateful thank you. And I am not a spammer, although I did download a bulk email program to use for research and to contact a lot of lawyers to put them on notice of a particular legal event or issue before I noticed the infection. It's not quite like offering to help them to improve their vitality or get a date, although having a lawyer's personality is a natural form of birth control.

Regards,

RRRRRRRRRobert


0
