Zombie Infection?

27 replies to this topic

#1 Andrew (Distant Family, Members, 134 posts)

Posted 28 January 2004 - 01:12 PM

First, apologies if this isn't an appropriate place to ask this. But I'm trying everything.

My wife Karen owns her own domain: kcentral.com (hosted here, of course). Recently she's been getting bunches of bounced mail (spam) -- and it's bounced from mail she hasn't sent. I.e., her domain is being spoofed. But it's worse.

I get bounces like this once in a while when a spammer spoofs one of my domain names. But the mail that generated Karen's bounces actually appears to have come from her: "Karen Ireland Kantor" and karen@kcentral.com. Further, the IP address from the header of the originating message is our IP address. (We have a cable "modem" and a hardware firewall, so our actual PCs are 192.something, but the firewall's IP matches what's on the bounces.)

Just to be sure, Karen changed her name in Outlook to "Karen I Kantor." Today came a new batch of bounces -- they come sporadically -- and these had "Karen I Kantor" in them. Ouch.

Obviously we have concerns about carrying a zombie on that particular computer. (The messages appear to be coming from a single computer on the network -- the laptop. Interestingly, it's the only one with an 802.11 connection, but I activated WEP on that a while ago. And I doubt any of my neighbors are sending spam from our machine.) BTW, it's running Win 98SE with all patches.

I've checked to be sure I have the latest updates for Norton Anti-Virus (2003), and I ran a full scan. Nada. Ditto for a full scan from Trend Micro's Web-based scanner. Ad-Aware only turned up the usual cookies, and Zone Alarm doesn't show any unexpected activity -- although it might not because Outlook is permitted to access the Net.

I'm at my wit's end. Is there a chance that we have a trojan/zombie that's invisible to Norton and Trend Micro? Any way to check? I don't see any unusual processes when I hit Ctrl-Alt-Del and I don't know what else I can do.

Help! (And thanks!)

Andrew

PS -- here's a typical header:

Return-path: <karen@kcentral.com>
Received: from dhcp26141213.columbus.rr.com ([24.26.141.213]
helo=notebook)
by server6.totalchoicehosting.com with asmtp (Exim 4.24)
id 1AlpWf-0005tP-HG
for UCYVQ@finklfan.com; Wed, 28 Jan 2004 08:14:37 -0500
Reply-To: <karen@kcentral.com>
From: "Karen I. Kantor" <karen@kcentral.com>
To: <UCYVQ@finklfan.com>
Subject: Not read: What are the washing instructions?
Date: Wed, 28 Jan 2004 07:43:51 -0500
Message-ID: <00ba01c3e59c$62a8e2c0$6701a8c0@columbus.rr.com>
MIME-Version: 1.0
Content-Type: application/ms-tnef;
name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="winmail.dat"
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-MS-TNEF-Correlator: 00000000FC5CA04C8222D81198870006252FBF44A4BA3400
Andrew K.
Geographically: Roanoke, VA
Metaphorically: New York, New York
www.kantor.com (among others)
- - -
"Reality is a convenient consensus."

#2 MikeJ (Big Gorilla, Members, 2,369 posts)

Posted 28 January 2004 - 02:25 PM

You can check here for some technical details about the MyDoom virus that just started spreading on Monday, including some details on what you can manually look for to see if it's infected. I'm surprised that NAV wouldn't catch that though, as it's caught many here at the office of those that slipped through our mail server before the virus definitions updated.

Is your wife's machine named "notebook" btw? Whichever machine is transmitting the emails apparently is named "notebook" at the OS level, as is shown by the helo=notebook.

#3 Madmanmcp (Immediate Family, Members, 1,542 posts)

Posted 28 January 2004 - 03:29 PM

Andrew, I would also suspect the newest worm (MyDoom) is what you have gotten. When you say you have gotten the latest "updates" did you get the ones including this one?

Information about it is here:
http://securityrespo...ovarg.a@mm.html

Norton's definition file is here:
http://securityrespo...s.download.html

Special removal tool is here:
http://securityrespo...moval.tool.html

Now I would suggest that you disconnect the laptop from the Internet; this will stop the emails. You can download the special removal tool and hopefully copy it to the laptop on a floppy and then remove the bugger.

Then I would suggest you update all the PCs in the house and scan them all with the new signatures.

Good luck
BoB/ MadmanMCP

#4 TCH-Dick (General Manager, Admins, 5,786 posts)

Posted 28 January 2004 - 03:40 PM

Just an FYI, these problems started BEFORE the MyDoom Virus, I talked with them through a help desk ticket over a week ago. The e-mails are in fact being sent from their computer, figuring out what is sending them and killing the process is the problem.

Dick DeVance
General Manager
TotalChoice Hosting, Inc
dick@totalchoicehosting.com


#5 Madmanmcp (Immediate Family, Members, 1,542 posts)

Posted 28 January 2004 - 04:31 PM

Thanks Mike, that just made our day :)

Well the plan of attack I would keep the same. Since the possible source "seems" to be the Laptop, from the change in names of emails, concentrate on that first. Disconnect from the Internet and leave it disconnected till you positively remove the offending program or determine it to be from another source.

Get the latest Virus Definitions from Norton's and upgrade and scan. A possibility here is that it is a "stealth" worm and is avoiding detection. Try booting the PC into safe mode and then try scanning.

#6 Madmanmcp (Immediate Family, Members, 1,542 posts)

Posted 28 January 2004 - 04:36 PM

Another idea is to try a Trojan "cleaner" to see what it finds.

http://www.moosoft.com/

#7 Andrew (Distant Family, Members, 134 posts)

Posted 29 January 2004 - 07:24 AM

Thank you all!

As Mike said, this started more than a week ago -- pre-MyDoom. (In fact, Norton has been catching several My-Dooms every day.)

Yes, the laptop's name is in fact "Notebook." I wasn't feeling creative. :)

I tried three different anti-trojan packages yesterday, including the one from MooSoft. Nada. (Other than some cookies and adware, including one called "Bridge," that is.)

She's not getting dozens of these bounces -- just a few a day. In fact, not even. It happens every few days.

In the back of my mind is the idea that someone is just spoofing her domain and we're misreading the header somehow. I figure that two anti-virus packages and three anti-trojan packages would find *something* if it was there.

The one thing I haven't tried is a Safe Mode scan. That's tonight.

Thanks again for your suggestions (and please keep 'em coming either here or to me directly: andrew -youknowwhatsymbol- kantor.com).

#8 Madmanmcp (Immediate Family, Members, 1,542 posts)

Posted 29 January 2004 - 08:28 AM

Well, it looks like you have covered all the bases, and if it's still happening then it's time to start thinking "outside the box".

Are you sending these emails and not realizing it? Check the sent items folder and see if they are located in there as being sent from the laptop. Are those subjects familiar, are the addresses familiar?

Is someone else in the house sending them? Do you have kids, roommates ... ummm neighbors or relatives who use the laptop or have access to it?

If your computer had some backdoor trojan like Back Orifice I would expect one of the scanners you ran would catch it. But maybe it's a new one or one specially written and is not being detected. Have you checked Task Manager and checked each program that is running? Do you know what each and every one is? Have you run MSCONFIG and checked in startup to see what's being loaded, and win.ini and autoexec and static.vxb?

#9 ThumpAZ (Graveyard Guru, Members, 968 posts)

Posted 29 January 2004 - 10:45 AM

One more thing that he could check for is the instance of multiple .pst files on the machine, or multiple email accounts in Outlook.
Is the machine shared on your local network without password protection?
Do you have any administrative tools running on the machine that would allow remote management?
What is the reason given for the bounces? You didn't include that part.
Tracking down a Trojan (which I believe you have, and does differ from a virus) can be difficult.
Two things I would recommend:
1. Download Hijack This! from http://www.uselessfu.../hijackthis.zip
And post the log file here for analysis
2. Do a search for *.* and choose Modified within the past 2 weeks. Unless you have gone crazy installing all sorts of stuff, then this can reveal more than you think. Pay particular attention to the files modified on or directly around the date when you first started getting bounces.
Former Graveyard Guru

#10 Andrew (Distant Family, Members, 134 posts)

Posted 07 February 2004 - 11:20 AM

No one else has access to the machine -- just Karen and me. And it just went a week or so without anything. Today, though, she got two bounces. She is convinced there is *something* on that machine, although I have to wonder. If someone had a zombie or trojan, wouldn't the machine be sending a LOT more spam (and thus she'd get a lot more bounces)?

I checked Task Manager and saw nothing odd. I have not yet run MSCONFIG -- that's next. And I already downloaded Hijack This but couldn't make heads or tails of what I saw. (That is, if there was something Bad running, I doubt I'd notice.) I'll run it again and post the log.

Thanks again for your help!

Andrew

#11 Andrew (Distant Family, Members, 134 posts)

Posted 07 February 2004 - 11:48 AM

I did a search for all files modified in the past two weeks. There were hundreds, mostly cookies, my normal mail files, etc. WAY too many to go through to find anything.

Here's my Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 11:42:44 AM, on 2/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\LINKSYS\WIRELESS-B NOTEBOOK ADAPTER\WPC11CFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kantor.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACROBAT\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: MT It! - http://www.kantor.co...s&bm_height=530
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.etradebank.com
O15 - Trusted Zone: *.etrade.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7894.7098263889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#12 ThumpAZ (Graveyard Guru, Members, 968 posts)

Posted 08 February 2004 - 11:27 PM

Sorry for the slower reply... forgot all about this discussion.
I am looking into some items right now, but nothing looks immediately like it could cause the emails you described.

#13 ThumpAZ (Graveyard Guru, Members, 968 posts)

Posted 08 February 2004 - 11:59 PM

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
this is/can lead to spyware and should be removed
Other than that, I really don't see anything too suspicious. I will do some more research, though.
-Glenn

#14 Andrew (Distant Family, Members, 134 posts)

Posted 09 February 2004 - 07:38 AM

Funny, that was the first thing I noticed. But DCS Research is just one of the makers of the various spyware removers I was using. Still, I'll take it out.

#15 ThumpAZ (Graveyard Guru, Members, 968 posts)

Posted 10 February 2004 - 12:07 AM

I went to the site at the IP address in the line and it was definitely not a reputable site. After reading around on the web for a bit, it appears that much of the stuff about dcsresearch is not reputable. I haven't looked deeply, but I would assume that there are spoofed copies floating around or something.
I did a little more research and nothing else in there is questionable.
As for the email issue, do you have ANYTHING else? I see nothing that would do this kind of thing to you.
You maybe could grab a copy of SpyBot or something and scan with that. This is a more thorough scan, but it is still mainly for malware and spyware... not virus or trojan activities.
If you do the search for dll, exe and other files of the executable type it will narrow your search and give you a better shot at finding the culprit. Typically, you will be able to spot a smoking gun quickly. Try to narrow your search to the day before and day of the questionable email.
To be honest, you will typically see a LOT more activity if you have a virus or trojan.
You could stoop and ask folks in your address list if they have received any odd messages from you lately, as those are typically the first places for viri and such to get some names from.
If you understand how, I can provide you with an ethernet sniffer so you can log everything and see if activity is going on behind the scenes. I will even be nice and tell you how to filter out passwords so you can feel safe sending the log files over for analyzing.

Let me know if you want to proceed with advanced diagnostics

#16 ThumpAZ (Graveyard Guru, Members, 968 posts)

Posted 10 February 2004 - 12:18 AM

just a quick adder...
whatever it is, it has its own SMTP engine. I can say this because the "helo" name is the computer name. This will not happen in a standard email that is going through a remotely hosted email server (yours would be an FQDN, like this example of an email to me: "from 'username' by server54.totalchoicehosting.com with local-bsmtp (Exim 4.24) id 1Aq68w-0004nA-Jp").
So whatever it is, it is on that machine for sure. I tried pinging and a short scan of the IP listed in your header for typical bad guy ports and nothing odd came up (your firewall is working well against amateurs, didn't really hit it hard).
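The checks ThumpAZ describes in #16 (bare HELO name versus FQDN, and whether the message was composed on the machine behind the first hop) can be applied mechanically. The following Python script is an added example, written for this page and not posted by anyone in the thread. It runs the checks over the two bounce headers quoted in #1 and #17, re-folded with leading spaces on continuation lines the way a mail client stores them, plus one constructed header in the relayed-submission shape ThumpAZ quotes (its queue id and addresses are made up). The heuristics and their wording are mine.

```python
import re
from typing import Dict, List, Optional

# Sample input 1: the header Andrew posted in #1, re-folded (continuation lines indented).
KANTOR_HEADERS = """\
Return-path: <karen@kcentral.com>
Received: from dhcp26141213.columbus.rr.com ([24.26.141.213]
    helo=notebook)
    by server6.totalchoicehosting.com with asmtp (Exim 4.24)
    id 1AlpWf-0005tP-HG
    for UCYVQ@finklfan.com; Wed, 28 Jan 2004 08:14:37 -0500
From: "Karen I. Kantor" <karen@kcentral.com>
Subject: Not read: What are the washing instructions?
Message-ID: <00ba01c3e59c$62a8e2c0$6701a8c0@columbus.rr.com>
X-Mailer: Microsoft Outlook, Build 10.0.2627
"""

# Sample input 2: the header ajm200 posted in #17 (Yahoo's "(HELO name)" style).
MURRAY_HEADERS = """\
Return-Path: <Andrew@AJMurray.freeserve.co.uk>
Received: from unknown (HELO LONJJZX70J) (amurray?owc@195.240.28.83 with login)
    by smtp105.mail.sc5.yahoo.com with SMTP; 10 Feb 2004 10:02:06 -0000
From: "Andrew Murray" <Andrew@AJMurray.freeserve.co.uk>
Subject: Not read: Read: What's up, then?
Message-ID: <00a301c3efbc$ed69cd50$531cf0c3@LONJJZX70J>
X-Mailer: Microsoft Outlook, Build 10.0.2627
"""

# Sample input 3 (constructed): a message submitted through the provider's own
# server, in the shape ThumpAZ quotes in #16. Queue id and addresses are made up.
RELAYED_HEADERS = """\
Return-path: <someone@example.com>
Received: from someone by server54.totalchoicehosting.com with local-bsmtp (Exim 4.24)
    id 1EXAMPL-000001-XX
    for friend@example.org; Tue, 10 Feb 2004 12:00:00 -0500
From: "Someone" <someone@example.com>
Subject: Re: lunch
Message-ID: <20040210170000.GA1234@server54.totalchoicehosting.com>
"""

HELO_RE = re.compile(r"\bhelo=([^\s)]+)|\(HELO\s+([^\s)]+)\)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MSGID_HOST_RE = re.compile(r"@([^>\s]+)")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Header name (lower-cased) -> values, in order of appearance."""
    headers: Dict[str, List[str]] = {}
    for line in unfold(raw):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def first_hop(headers: Dict[str, List[str]]) -> Optional[str]:
    """Received headers are prepended, so the LAST one is the hop nearest the sender."""
    received = headers.get("received")
    return received[-1] if received else None


def assess(raw: str) -> Dict[str, object]:
    """Apply the thread's signals to one header block and return what was found."""
    headers = parse_headers(raw)
    hop = first_hop(headers) or ""
    m = HELO_RE.search(hop)
    helo = (m.group(1) or m.group(2)) if m else None
    ip = IPV4_RE.search(hop)
    mid = MSGID_HOST_RE.search(headers.get("message-id", [""])[0])
    mid_host = mid.group(1) if mid else None
    findings: List[str] = []

    if helo is None:
        findings.append("no HELO name in the first hop: handed to the server locally, "
                        "the way a normal submission through the provider looks")
    else:
        if "." not in helo:
            findings.append(f"bare HELO name {helo!r}: something on a machine with that "
                            "computer name spoke SMTP to the server itself")
        if mid_host and mid_host.lower() == helo.lower():
            findings.append("Message-ID host equals the HELO name: composed on that machine")
        elif mid_host and mid_host.lower() in hop.lower():
            findings.append("Message-ID host matches the first hop's reverse-DNS domain: "
                            "composed on the connection the server saw")
    subject = headers.get("subject", [""])[0]
    if subject.startswith(("Not read:", "Read:")):
        findings.append("subject carries Outlook's read-receipt prefix: check whether the "
                        "client is auto-sending receipts to forged sender addresses")
    return {
        "helo": helo,
        "ip": ip.group(1) if ip else None,
        "message_id_host": mid_host,
        "local_smtp_engine": helo is not None and "." not in helo,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("kcentral", KANTOR_HEADERS), ("ajm200", MURRAY_HEADERS),
                       ("relayed", RELAYED_HEADERS)):
        result = assess(raw)
        print(f"{label}: helo={result['helo']} ip={result['ip']} "
              f"local_smtp_engine={result['local_smtp_engine']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Both posted headers come out as "bare HELO name" with a Message-ID tied to the same machine, which is the reasoning behind ThumpAZ's conclusion. The last check is a caveat worth keeping in mind while hunting for a process: "Not read: ..." and "Read: ..." with a winmail.dat (TNEF) attachment is the shape of Outlook's own read-receipt replies, so a client that answers receipt requests automatically will send exactly this kind of message, from the real machine, to whatever sender address the incoming spam forged.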

#17 ajm200 (Members, 2 posts)

Posted 15 February 2004 - 10:28 AM

I've been having what seems like exactly the same problem for the past week or two - I receive a few bounced emails a day, which all appear to have been sent from this computer (the IPs match to whether I have been at home or using a dialup in the Netherlands). Nothing from Norton AV, but I will try the suggestions above.

Andrew

P.S. Example mail:

Return-Path: <Andrew@AJMurray.freeserve.co.uk>
Received: from unknown (HELO LONJJZX70J) (amurray?owc@195.240.28.83 with login)
by smtp105.mail.sc5.yahoo.com with SMTP; 10 Feb 2004 10:02:06 -0000
Reply-To: <Andrew@AJMurray.freeserve.co.uk>
From: "Andrew Murray" <Andrew@AJMurray.freeserve.co.uk>
To: <nfuizlzwrfpuo@aaronkwok.net>
Subject: Not read: Read: What's up, then?
Date: Tue, 10 Feb 2004 11:01:58 +0100
Message-ID: <00a301c3efbc$ed69cd50$531cf0c3@LONJJZX70J>
MIME-Version: 1.0
Content-Type: application/ms-tnef;
name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="winmail.dat"
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-MS-TNEF-Correlator: 000000000045864123B0504BB412FEBD513BC520A4E33F00

eJ8+IgEKAQaQCAAEAAAAAAABAAEAAQeQBgAIAAAA5AQAAAAAAADoAAEIgAcAFwAAAFJFUE9S

#18 ajm200 (Members, 2 posts)

Posted 16 February 2004 - 07:59 AM

The other things didn't find anything, but the Hijack log is as below:

Can't see anything overtly evil, though I must admit I am not familiar with some of the running processes, particularly the ones within the system32 folder...

Andrew


Logfile of HijackThis v1.97.7
Scan saved at 13:55:17, on 16/02/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\nslsvice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\NetDrive\wdService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\ERICSSON\COMMUN~1\MOBILE~1\EPMWOR~1.EXE
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\WINNT\SYSTEM32\VpnStats.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\AMurray\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
O1 - Hosts: 172.22.2.41 denotes1.mymow.com
O1 - Hosts: 172.22.2.241 franotes1.mymow.com
O1 - Hosts: 172.22.2.151 frasvr01.mymow.com
O1 - Hosts: 172.22.2.155 frasvr02.mymow.com
O1 - Hosts: 172.22.2.165 frasvr03.mymow.com
O1 - Hosts: 172.20.2.79 fraunity1.mymow.com
O1 - Hosts: 172.21.2.241 lonnotes1.mymow.com
O1 - Hosts: 172.21.2.151 lonsvr01.mymow.com
O1 - Hosts: 172.21.2.155 lonsvr02.mymow.com
O1 - Hosts: 172.21.2.165 lonsvr03.mymow.com
O1 - Hosts: 172.20.2.77 lonunity1.mymow.com
O1 - Hosts: 172.23.2.151 madsvr01.mymow.com
O1 - Hosts: 172.26.2.151 milsvr01.mymow.com
O1 - Hosts: 172.20.2.42 mowchat01.mymow.com
O1 - Hosts: 172.20.2.43 mowbes1.mymow.com
O1 - Hosts: 172.20.2.72 mowgoback.mymow.com
O1 - Hosts: 172.20.2.51 mowupdates.mymow.com
O1 - Hosts: 172.20.2.241 nycnotes1.mymow.com
O1 - Hosts: 172.20.2.151 nycsvr01.mymow.com
O1 - Hosts: 172.20.2.155 nycsvr02.mymow.com
O1 - Hosts: 172.20.2.165 nycsvr03.mymow.com
O1 - Hosts: 172.20.2.75 nycunity1.mymow.com
O1 - Hosts: 172.25.2.151 sinsvr01.mymow.com
O1 - Hosts: 172.21.2.41 uknotes1.mymow.com
O1 - Hosts: 172.20.2.41 usnotes1.mymow.com
O1 - Hosts: 172.21.2.160 zenwsimport.mymow.com
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
O1 - Hosts: 63.111.193.175 vpn2.mymow.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar_en_2.0.107-big.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar_en_2.0.107-big.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CFDStart] C:\WINNT\WinMuschi.exe -m
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
O9 - Extra button: Novell delivered applications (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {8699D723-6DC6-47D3-B55C-489BA006B917} (WebInstall) - http://www.lucius200.../webinstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7985C439-23C4-4765-A8C0-21C0F5FB1874}: NameServer = 195.241.49.33 195.241.48.33

#19 Madmanmcp (Immediate Family, Members, 1,542 posts)

Posted 16 February 2004 - 09:33 AM

ajm200, from a quick look I see two things I would question.

zentray.exe is a Remote Control program, do you remotely control your laptop? Did you install this program?

Next I believe you are infected with the "WinMuschi" virus...this line
O4 - HKCU\..\Run: [CFDStart] C:\WINNT\WinMuschi.exe -m

see http://securityrespo....winmuschi.html

From the other lines I am looking at, is this a work laptop? There are things running that suggest this is connected to a company network. If it is a company laptop, are you allowed to go changing things on it? The Remote Control Program may be there for a reason.
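Madmanmcp's read of the #18 log (an HKCU Run entry launching an unknown executable from the Windows directory root) is the kind of check that can be scripted for a first pass. The following Python script is an added example written for this page, not a tool from the thread or from HijackThis. It parses the "Running processes", O1 (hosts file) and O4 (Run keys) sections of a HijackThis v1.97 log and lists lines that deserve a closer look. The sample log is constructed from lines posted in #11 and #18; the triage rules (public-address hosts entries, executables in the Windows root or in user-writable paths, bare program names resolved through PATH) are my heuristics and produce a review list, not a verdict: on Windows 98 the flagged taskmon.exe is a stock component, and a judgement such as "zentray.exe is remote-control software" needs product knowledge the script does not have.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: HijackThis v1.97 lines copied from the logs in #11 and #18,
# trimmed to the sections this script inspects.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\system32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Documents and Settings\AMurray\Local Settings\Temp\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 172.22.2.41 denotes1.mymow.com
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKCU\..\Run: [CFDStart] C:\WINNT\WinMuschi.exe -m
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# RFC 1918 ranges plus loopback; anything else in a hosts file is worth a question.
PRIVATE_IP_RE = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
# Executable sitting directly in C:\WINDOWS or C:\WINNT rather than a subdirectory.
WIN_ROOT_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\[^\\]+$", re.IGNORECASE)
# Paths an ordinary user can write to (temp and profile directories).
USER_WRITABLE_RE = re.compile(r"\\(temp|documents and settings|users)\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def executable_of(command: str) -> str:
    """Pull the program path out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split(" ")
    for i, part in enumerate(parts):          # unquoted paths may contain spaces
        if part.lower().endswith(".exe"):
            return " ".join(parts[: i + 1])
    return parts[0]


def triage(log: str) -> List[Finding]:
    """Return the log lines that merit manual review, each with the rule that fired."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False              # blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            if USER_WRITABLE_RE.search(line) or WIN_ROOT_RE.match(line):
                findings.append(Finding(line, "process running from a user-writable "
                                              "or Windows-root location"))
            continue
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if not PRIVATE_IP_RE.match(ip):
                findings.append(Finding(line, f"hosts file pins {host} to public address "
                                              f"{ip}; confirm what wrote that entry"))
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            exe = executable_of(command)
            if WIN_ROOT_RE.match(exe):
                findings.append(Finding(line, f"{hive} {key} entry '{name}' launches {exe} "
                                              "from the Windows directory root"))
            elif "\\" not in exe:
                findings.append(Finding(line, f"{hive} {key} entry '{name}' launches bare "
                                              f"name {exe}, resolved through PATH"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, the script flags the dcsresearch hosts entry that ThumpAZ picked out in #13 and the WinMuschi.exe Run entry from #19, leaves the quoted Symantec path and the System32 entries alone, and also lists a few benign items (taskmon.exe, Rundll32.exe, HijackThis itself running from Temp) that a reviewer dismisses in seconds. That trade is deliberate: a short list that includes the culprit beats a silent miss.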

#20 Andrew (Distant Family, Members, 134 posts)

Posted 22 February 2004 - 10:43 AM

Glenn -- you said that (assuming it exists) whatever is on my machine has its own SMTP engine. Any way to search for that?

My wife believes it only happens when we're running Outlook. She's been using Web-based mail for the past week and there are no bounces.

Andrew

#21 mratch (Members, 1 posts)

Posted 25 November 2004 - 03:25 AM

Hi everyone,

Did anyone ever find out what was causing these emails to be sent? I just started experiencing the exact same problem. My friends/family are getting emails from my account with the subject "Not read: [various text]". Each one contains a winmail.dat attachment. I use Outlook to send all my email and I use Hotmail from within Outlook. The emails are coming from my Hotmail account.

I'm in the process of performing all the tests and scans suggested in this thread, but no one ever posted if they solved the problem. Or maybe I missed it?

Any suggestions would be appreciated.

mike

#22 Tuizner (Members, 3 posts)

Posted 25 January 2006 - 09:52 AM

Hi

I have the same problem. Did anyone resolve this?



I have an email worm on Outlook that is sending out mails to my contacts with the subject: Not Read: followed by the title of a previous mail.

I have read on totalchoicehosting about the same issue but there was no resolution: http://www.totalchoi....0

I have McAfee Security Centre with current Virus DAT version 4679 (20th Jan 06). On running, this picked up two versions of W32/Bagel.dldr and deleted them - but this did not resolve the worm.

I have also tried Stinger (did not find anything), Panda online (did not find anything) and am currently running TrendMicro's Sysclean.

I have disabled system restore.

#23 TCH-Rob (Help Desk Manager, Members, 7,797 posts)

Posted 25 January 2006 - 10:16 AM

Hi Tuizner, welcome to the forums. I have not seen anything, but hang tight and we will see if anyone has any suggestions.

#24 TCH-Andy (Immediate Family, Members, 4,699 posts)

Posted 25 January 2006 - 10:43 AM

welcome to the forums Tuizner :)

Are you booting in safe mode when scanning ?

The link you gave isn't working, so I'm not sure which page you are referring to. I assume it's sending email from your account, in which case, I'd check the headers for a few clues.
Andy Beckett
-----------------
Part of the TCH family since the beginnings of time.

#25 Tuizner (Members, 3 posts)

Posted 25 January 2006 - 03:07 PM

> welcome to the forums Tuizner :)
>
> Are you booting in safe mode when scanning ?
>
> The link you gave isn't working, so I'm not sure which page you are referring to. I assume it's sending email from your account, in which case, I'd check the headers for a few clues.

Sorry

The link is to this page actually, so don't worry.

Yes I am booting in safe mode.

Emails are being sent from one (my default POP3) of my accounts. All are entitled Not Read: followed by the subject of an old email, and the content is garbage.

Just for info, my Hijack file follows (sorry, it's big):

Logfile of HijackThis v1.99.1
Scan saved at 20:06:16, on 25/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Docs\My Documents\My Downloads\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINDOWS\Speech\Dragon\web_ie.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\sndoctor.exe" /Q
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: RpSync.exe.lnk = ?
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Answers... - file:C:\Program Files\1-Click Answers\Html\atiemenu.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.ans...nswersSetup.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety....lscbase1524.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...677/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#26 TCH-Rob

    Help Desk Manager

  • Members
  • 7,797 posts

Posted 25 January 2006 - 03:22 PM

You might want to look at this thread. There is a log analyzer that may be of assistance.

http://www.totalchoi...showtopic=24345
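For anyone who wants to eyeball a log like the one above without a hosted analyzer, here is an added example that is not the analyzer Rob links and not part of this thread: a small Python triage script for HijackThis-format lines. It parses the lettered entries and flags the ones a reviewer normally checks first: services with no publisher recorded (O23), browser add-ons registered without a name (O2/O3/O9), autorun commands without a full path (O4), unresolved startup shortcuts (O4), AppInit_DLLs entries (O20) and downloaded ActiveX controls (O16). The sample log is constructed for the example and only modelled on the format of the posted one, and the flags are prompts to look closer, not verdicts; several of the same patterns hit perfectly legitimate vendor entries in the posted log.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in HijackThis log format (not the poster's log). The
# header and process list are skipped by the parser; only "Xn - ..." lines
# are entries. Paths and CLSIDs are illustrative.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 20:06:16, on 25/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: RpSync.exe.lnk = ?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (Scanner Control) - http://scanner.example/xscan60.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log: str):
    """Yield (section, detail, line) for every entry line, skipping the
    scan header and the running-process list."""
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def o4_command(detail: str) -> str:
    """Extract the command part of an O4 entry.

    Registry Run entries look like 'HKLM\\..\\Run: [Name] command', startup
    folder entries like 'Startup: file.lnk = target' ('?' when HijackThis
    could not resolve the shortcut).
    """
    if "] " in detail:
        return detail.split("] ", 1)[1].strip()
    return detail.split("= ", 1)[-1].strip()


def triage(log: str) -> list:
    """Return the entries a reviewer should look at first, with the reason."""
    findings = []
    for section, detail, line in parse_entries(log):
        if section == "O23" and "Unknown owner" in detail:
            findings.append(Finding(section, "service with no publisher recorded", line))
        elif section in ("O2", "O3", "O9") and "(no name)" in detail:
            findings.append(Finding(section, "browser add-on registered without a name", line))
        elif section == "O4":
            cmd = o4_command(detail)
            if cmd == "?":
                findings.append(Finding(section, "startup shortcut whose target could not be resolved", line))
            elif not DRIVE_PATH_RE.search(cmd):
                # A bare executable name is resolved through the search path
                # at logon, so a same-named file earlier in PATH would win.
                findings.append(Finding(section, "autorun command without a full path", line))
        elif section == "O20":
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            findings.append(Finding(section, "AppInit_DLLs entry loaded into every GUI process", line))
        elif section == "O16":
            findings.append(Finding(section, "ActiveX control downloaded from the web; verify the site", line))
    return findings


def summarize(findings) -> dict:
    """Count findings per section, e.g. {'O4': 3, 'O23': 1}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. An entry that is flagged still needs the usual checks before anything is removed: confirm the file exists at the listed path, check its publisher and signature, and search the filename and CLSID, since vendor helpers (display drivers, sound-card tray tools, toolbars) trip several of these rules.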

#27 Tuizner

  • Members
  • 3 posts

Posted 30 January 2006 - 04:41 AM

You might want to look at this thread. There is a log analyzer that may be of assistance.

http://www.totalchoi...showtopic=24345

Thanks for the info.

I think I have sorted the issue now.

It seems (fingers crossed) as though it was in fact not a virus, but something to do with McAfee AntiSpam getting its knickers in a twist. I don't know why it happened, but when McAfee Antivirus noticed I was trying to send 407 emails out it displayed a message saying so and asked if I wanted to carry on or stop the mails. Eventually I hit the "stop emails" button 407 times. This has, so far, cured the problem, which hasn't recurred. I can only assume that the issue started due to McAfee AntiSpam because it's always been a bit temperamental on my Outlook 2003.

I wonder if others who had the same issue were running McAfee at the time?

#28 Madmanmcp

    Immediate Family

  • Members
  • 1,542 posts

Posted 30 January 2006 - 07:12 AM

I don't know why it happened, but when McAfee Antivirus noticed I was trying to send 407 emails out it displayed a message saying so and asked if I wanted to carry on or stop the mails.

McAfee was doing the job it was designed to do. It first detected a virus/worm and deleted it, as you mentioned in a previous post. BUT not before the virus spit out 407 emails. McAfee also caught these and asked you what you wanted to do with them, either mail them or delete them (just in case they were good emails). Deleting them was the correct action since they were not valid emails sent by you.

Once you had finished deleting those emails, that should be the end of your infection. Do you have any more symptoms?
BoB/ MadmanMCP
