
Zombie Infection?



First, apologies if this isn't an appropriate place to ask this. But I'm trying everything.


My wife Karen owns her own domain: kcentral.com (hosted here, of course). Recently she's been getting bunches of bounced mail (spam) -- and it's bounced from mail she hasn't sent. I.e., her domain is being spoofed. But it's worse.


I get bounces like this once in a while when a spammer spoofs one of my domain names. But the mail that generated Karen's bounces actually appears to have come from her: "Karen Ireland Kantor" and karen@kcentral.com. Further, the IP address from the header of the originating message is our IP address. (We have a cable "modem" and a hardware firewall, so our actual PCs are 192.something, but the firewall's IP matches what's on the bounces.)


Just to be sure, Karen changed her name in Outlook to "Karen I Kantor." Today came a new batch of bounces -- they come sporadically -- and these had "Karen I Kantor" in them. Ouch.


Obviously we have concerns about carrying a zombie on that particular computer. (The messages appear to be coming from a single computer on the network -- the laptop. Interestingly, it's the only one with an 802.11 connection, but I activated WEP on that a while ago. And I doubt any of my neighbors are sending spam from our machine.) BTW, it's running Win 98SE with all patches.


I've checked to be sure I have the latest updates for Norton Anti-Virus (2003), and I ran a full scan. Nada. Ditto for a full scan from Trend Micro's Web-based scanner. Ad-Aware only turned up the usual cookies, and Zone Alarm doesn't show any unexpected activity -- although it might not because Outlook is permitted to access the Net.


I'm at my wits' end. Is there a chance that we have a trojan/zombie that's invisible to Norton and Trend Micro? Any way to check? I don't see any unusual processes when I hit Ctrl-Alt-Del and I don't know what else I can do.


Help! (And thanks!)




PS -- here's a typical header:


Return-path: <karen@kcentral.com>

Received: from dhcp26141213.columbus.rr.com ([]


by server6.totalchoicehosting.com with asmtp (Exim 4.24)

id 1AlpWf-0005tP-HG

for UCYVQ@finklfan.com; Wed, 28 Jan 2004 08:14:37 -0500

Reply-To: <karen@kcentral.com>

From: "Karen I. Kantor" <karen@kcentral.com>

To: <UCYVQ@finklfan.com>

Subject: Not read: What are the washing instructions?

Date: Wed, 28 Jan 2004 07:43:51 -0500

Message-ID: <00ba01c3e59c$62a8e2c0$6701a8c0@columbus.rr.com>

MIME-Version: 1.0

Content-Type: application/ms-tnef;


Content-Transfer-Encoding: base64

Content-Disposition: attachment;


X-Mailer: Microsoft Outlook, Build 10.0.2627

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

X-MS-TNEF-Correlator: 00000000FC5CA04C8222D81198870006252FBF44A4BA3400


You can check here for some technical details about the MyDoom virus that just started spreading on Monday, including some details on what you can manually look for to see if it's infected. I'm surprised that NAV wouldn't catch that though, as it's caught many here at the office of those that slipped through our mail server before the virus definitions updated.


Is your wife's machine named "notebook" btw? Whichever machine is transmitting the emails apparently is named "notebook" at the OS level, as is shown by the hello=notebook.


Andrew, I would also suspect the newest worm (MyDoom) is what you have gotten. When you say you have gotten the latest "updates" did you get the ones including this one?


Information about it is here:



Norton's definition file is here:



Special removal tool is here:



Now I would suggest that you disconnect the laptop from the Internet, this will stop the emails. You can download the special removal tool and hopefully copy it to the laptop on a floppy and then remove the bugger.


Then I would suggest you update all the PCs in the house and scan them all with the new signatures.


Good luck


Just an FYI, these problems started BEFORE the MyDoom Virus, I talked with them through a help desk ticket over a week ago. The e-mails are in fact being sent from their computer, figuring out what is sending them and killing the process is the problem.


Thanks Mike, that just made our day :)


Well the plan of attack I would keep the same. Since the possible source "seems" to be the Laptop, from the change in names of emails, concentrate on that first. Disconnect from the Internet and leave it disconnected till you positively remove the offending program or determine it to be from another source.


Get the latest Virus Definitions from Norton's and upgrade and scan. A possibility here is that it is a "stealth" worm and is avoiding detection. Try booting the PC into safe mode and then try scanning.


Thank you all!


As Mike said, this started more than a week ago -- pre-MyDoom. (In fact, Norton has been catching several My-Dooms every day.)


Yes, the laptop's name is in fact "Notebook." I wasn't feeling creative. :)


I tried three different anti-trojan packages yesterday, including the one from MooSoft. Nada. (Other than some cookies and adware, including one called "Bridge," that is.)


She's not getting dozens of these bounces -- just a few a day. In fact, not even. It happens every few days.


In the back of my mind is the idea that someone is just spoofing her domain and we're misreading the header somehow. I figure that two anti-virus packages and three anti-trojan packages would find *something* if it was there.


The one thing I haven't tried is a Safe Mode scan. That's tonight.


Thanks again for your suggestions (and please keep 'em coming either here or to me directly: andrew -youknowwhatsymbol- kantor.com).


Well it looks like you have covered all the bases and if it's still happening then it's time to start thinking "outside the box".


Are you sending these emails and not realizing it? Check the sent items folder and see if they are located in there as being sent from the laptop. Are those subjects familiar, are the addresses familiar?


Is someone else in the house sending them? Do you have kids, roommates ... ummm neighbors or relatives who use the laptop or have access to it?


If your computer had some backdoor trojan like Back Orifice I would expect one of the scanners you ran would catch it. But maybe it's a new one or one specially written and is not being detected. Have you checked Task Manager and checked each program that is running, do you know what each and every one is? Have you run MSCONFIG and checked in startup to see what's being loaded, and win.ini and autoexec and static.vxd.


One more thing that he could check for is the instance of multiple .pst files on the machine, or multiple email accounts in Outlook.

Is the machine shared on your local network without password protection?

Do you have any administrative tools running on the machine that would allow remote management?

What is the reason given for the bounces? You didn't include that part.

Tracking down a Trojan (which I believe you have, and does differ from a virus) can be difficult.

Two things I would recommend:

1. Download Hijack This! from http://www.uselessfurball.com/hijackthis.zip

And post the log file here for analysis

2. Do a search for *.* and choose Modified within the past 2 weeks. Unless you have gone crazy installing all sorts of stuff, then this can reveal more than you think. Pay particular attention to the files modified on or directly around the date when you first started getting bounces.


  • 2 weeks later...

No one else has access to the machine -- just Karen and me. And it just went a week or so without anything. Today, though, she got two bounces. She is convinced there is *something* on that machine, although I have to wonder. If someone had a zombie or trojan, wouldn't the machine be sending a LOT more spam (and thus she'd get a lot more bounces)?


I checked Task Manager and saw nothing odd. I have not yet run MSCONFIG -- that's next. And I already downloaded Hijack This but couldn't make heads or tails of what I saw. (That is, if there was something Bad running, I doubt I'd notice.) I'll run it again and post the log.


Thanks again for your help!




I did a search for all files modified in the past two weeks. There were hundreds, mostly cookies, my normal mail files, etc. WAY too many to go through to find anything.


Here's my Hijack This log:


Logfile of HijackThis v1.97.7

Scan saved at 11:42:44 AM, on 2/7/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:























R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kantor.com/

O1 - Hosts: www.dcsresearch.com


O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE


O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"


O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe

O8 - Extra context menu item: MT It! - http://www.kantor.com/mt/mt.cgi?__mode=reg...s&bm_height=530

O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm

O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm

O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm

O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm

O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm

O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm

O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm

O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html

O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll

O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O15 - Trusted Zone: *.etradebank.com

O15 - Trusted Zone: *.etrade.com

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7894.7098263889

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


I went to the site at the IP address in the line and it was definitely not a reputable site. After reading around on the web for a bit, it appears that much of the stuff about dcsresearch is not reputable. I haven't looked deeply, but I would assume that there are spoofed copies floating around or something.

I did a little more research and nothing else in there is questionable.

As for the email issue, do you have ANYTHING else? I see nothing that would do this kind of thing to you.

You maybe could grab a copy of SpyBot or something and scan with that. This is a more thorough scan, but it is still mainly for malware and spyware... not virus or trojan activities.

If you do the search for dll, exe and other files of the executable type it will narrow your search and give you a better shot at finding the culprit. Typically, you will be able to spot a smoking gun quickly. Try to narrow your search to the day before and day of the questionable email.

To be honest, you will typically see a LOT more activity if you have a virus or trojan.

You could stoop and ask folks in your address list if they have received any odd messages from you lately, as those are typically the first places for viri and such to get some names from.

If you understand how, I can provide you with an ethernet sniffer so you can log everything and see if activity is going on behind the scenes. I will even be nice and tell you how to filter out passwords so you can feel safe sending the log files over for analyzing.


Let me know if you want to proceed with advanced diagnostics

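The two posts above suggest searching for files modified around the date of the bounces, and then narrowing that search to executable-type files because the "everything modified in two weeks" search returned hundreds of cookies and mail files. The script below is an added illustration of that narrowing step, not something posted in the thread: it walks a directory tree, keeps only files with executable extensions, and lists those whose modification time falls in a window around the first bounce. The directory tree it scans is constructed in a temp folder, and the file names in it (including the "dropped_mailer.exe" suspect) are placeholders chosen for the demo, not files from the poster's machine.

```python
import os
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# File types worth looking at first when hunting for a dropped mailer component.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ocx", ".vxd", ".scr", ".sys", ".com", ".pif"}


def find_recent_executables(root, start, end):
    """Return (path, mtime) pairs for executable-type files under root whose
    modification time lies in [start, end], newest first."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue  # cookies, documents, mail files: skip the noise
            try:
                mtime = datetime.fromtimestamp(p.stat().st_mtime)
            except OSError:
                continue  # file vanished or unreadable; keep sweeping
            if start <= mtime <= end:
                hits.append((str(p), mtime))
    hits.sort(key=lambda t: t[1], reverse=True)
    return hits


def build_demo_tree(bounce_day):
    """Create a constructed tree: cookie and document noise, an old system file,
    a month-old AV DLL, and one executable written the day before the bounce.
    All names are placeholders for the demo."""
    root = Path(tempfile.mkdtemp(prefix="modtime-demo-"))
    files = {
        "WINDOWS/SYSTEM/old_driver.vxd": bounce_day - timedelta(days=400),
        "WINDOWS/Cookies/karen@example.txt": bounce_day,
        "My Documents/letter.doc": bounce_day - timedelta(days=1),
        "WINDOWS/SYSTEM/dropped_mailer.exe": bounce_day - timedelta(days=1),  # constructed suspect
        "Program Files/Norton/navapw32.dll": bounce_day - timedelta(days=30),
    }
    for rel, when in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")
        os.utime(p, (when.timestamp(), when.timestamp()))
    return root


def demo():
    """Run the search over the constructed tree and return the file names found."""
    bounce_day = datetime(2004, 1, 28, 8, 14)  # timestamp of the first bounce quoted in the thread
    root = build_demo_tree(bounce_day)
    try:
        hits = find_recent_executables(root,
                                       bounce_day - timedelta(days=2),
                                       bounce_day + timedelta(days=1))
        return [Path(path).name for path, _ in hits]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name in demo():
        print(name)
```

Only the executable written inside the window comes back; the document edited the same day, the cookie written on the bounce day and the older system files are filtered out, which is the "smoking gun" effect the post describes.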

just a quick adder...

whatever it is, it has its own SMTP engine. I can say this because the "helo" name is the computer name. This will not happen in a standard email that is going through a remotely hosted email server (yours would be a FQDN like this example of an email to me "from 'username' by server54.totalchoicehosting.com with local-bsmtp (Exim 4.24)

id 1Aq68w-0004nA-Jp").

So whatever it is, it is on that machine for sure. I tried pinging and a short scan of the IP listed in your header for typical bad guy ports and nothing odd came up (your firewall is working well against amateurs, didn't really hit it hard).

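The post above makes the key forensic point of the thread: a message handed to the hosting server by a program on the PC announces the PC's own machine name in HELO (hello=notebook, or HELO LONJJZX70J in the second poster's header), whereas mail submitted through the hosted server shows up as "from 'username' by server54.totalchoicehosting.com with local-bsmtp". The following Python is an added example of checking that automatically; it is not code from the thread. It pulls the HELO names out of the Received headers of a raw message and flags any that are bare machine names with no domain part. The three sample messages are constructed from the headers quoted in this thread; the IP addresses in them are documentation placeholders because the posts had the real ones stripped.

```python
import re
from email import message_from_string

# Exim writes the announced name as "([1.2.3.4] helo=NAME)", qmail/Yahoo as "(HELO NAME)".
_HELO_RE = re.compile(r"(?:\bhelo=|\(HELO\s+)([^\s()\]]+)", re.IGNORECASE)

# Constructed sample 1: modelled on the first poster's header (helo= clause added as
# described in the thread; the 203.0.113.x address is a placeholder).
SAMPLE_EXIM_DIRECT = """Return-path: <karen@kcentral.com>
Received: from dhcp26141213.columbus.rr.com ([203.0.113.10] helo=notebook)
\tby server6.totalchoicehosting.com with asmtp (Exim 4.24)
\tid 1AlpWf-0005tP-HG
\tfor UCYVQ@finklfan.com; Wed, 28 Jan 2004 08:14:37 -0500
From: "Karen I. Kantor" <karen@kcentral.com>
Subject: Not read: What are the washing instructions?

body
"""

# Constructed sample 2: modelled on the second poster's Yahoo SMTP header.
SAMPLE_QMAIL_DIRECT = """Return-Path: <Andrew@AJMurray.freeserve.co.uk>
Received: from unknown (HELO LONJJZX70J) (amurray?owc@203.0.113.20 with login)
  by smtp105.mail.sc5.yahoo.com with SMTP; 10 Feb 2004 10:02:06 -0000
From: "Andrew Murray" <Andrew@AJMurray.freeserve.co.uk>
Subject: Not read: Read: What's up, then?

body
"""

# Constructed sample 3: the hosted-server submission quoted in the post above.
SAMPLE_HOSTED = """Received: from username by server54.totalchoicehosting.com with local-bsmtp (Exim 4.24)
\tid 1Aq68w-0004nA-Jp
From: someone@example.com
Subject: normal mail

body
"""


def helo_names(raw_message: str) -> list[str]:
    """Return every HELO/EHLO name found in the Received headers, topmost hop first."""
    msg = message_from_string(raw_message)
    names = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold continuation lines
        names.extend(_HELO_RE.findall(flat))
    return names


def is_bare_hostname(name: str) -> bool:
    """True for a machine name with no domain part (a NetBIOS-style name such as
    'notebook'); a hosted mail server announces a fully qualified name."""
    return "." not in name


def assess(raw_message: str) -> dict:
    """Summarise whether the first hop looks like a program on the PC talking SMTP itself."""
    names = helo_names(raw_message)
    bare = [n for n in names if is_bare_hostname(n)]
    return {"helo_names": names, "bare_helo": bare, "own_smtp_engine_suspected": bool(bare)}


if __name__ == "__main__":
    for label, sample in [("exim direct", SAMPLE_EXIM_DIRECT),
                          ("qmail direct", SAMPLE_QMAIL_DIRECT),
                          ("hosted", SAMPLE_HOSTED)]:
        print(label, assess(sample))
```

The check is deliberately narrow: it only says whether the sending host introduced itself with a bare machine name, which is the clue the post relies on. A real bounce should still be read in full, since a spammer elsewhere can also use a bare HELO; what made this case different is that the bare name matched the laptop's own name and the IP matched the household firewall.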

I've been having what seems like exactly the same problem for the past week or two - I receive a few bounced emails a day, which all appear to have been sent from this computer (the IPs match to whether I have been at home or using a dialup in the Netherlands). Nothing from Norton AV, but I will try the suggestions above.




P.S. Example mail:


Return-Path: <Andrew@AJMurray.freeserve.co.uk>

Received: from unknown (HELO LONJJZX70J) (amurray?owc@ with login)

by smtp105.mail.sc5.yahoo.com with SMTP; 10 Feb 2004 10:02:06 -0000

Reply-To: <Andrew@AJMurray.freeserve.co.uk>

From: "Andrew Murray" <Andrew@AJMurray.freeserve.co.uk>

To: <nfuizlzwrfpuo@aaronkwok.net>

Subject: Not read: Read: What's up, then?

Date: Tue, 10 Feb 2004 11:01:58 +0100

Message-ID: <00a301c3efbc$ed69cd50$531cf0c3@LONJJZX70J>

MIME-Version: 1.0

Content-Type: application/ms-tnef;


Content-Transfer-Encoding: base64

Content-Disposition: attachment;


X-Mailer: Microsoft Outlook, Build 10.0.2627

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

X-MS-TNEF-Correlator: 000000000045864123B0504BB412FEBD513BC520A4E33F00




The other things didn't find anything, but the Hijack log is as below:


Can't see anything overtly evil, though I must admit I am not familiar with some of the running processes, particularly the ones within the system32 folder...





Logfile of HijackThis v1.97.7

Scan saved at 13:55:17, on 16/02/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:











C:\Program Files\NavNT\defwatch.exe


C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe


C:\Program Files\Novell\ZENworks\nalntsrv.exe

C:\Program Files\NavNT\rtvscan.exe

C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe

C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe




C:\Program Files\NetDrive\wdService.exe


C:\Program Files\Novell\ZENworks\wm.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe



C:\Program Files\Dell\AccessDirect\dadapp.exe

C:\Program Files\NavNT\vptray.exe



C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe




C:\Program Files\MSN Messenger\MsnMsgr.Exe






C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE


C:\Documents and Settings\AMurray\Local Settings\Temp\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm

O1 - Hosts: denotes1.mymow.com

O1 - Hosts: franotes1.mymow.com

O1 - Hosts: frasvr01.mymow.com

O1 - Hosts: frasvr02.mymow.com

O1 - Hosts: frasvr03.mymow.com

O1 - Hosts: fraunity1.mymow.com

O1 - Hosts: lonnotes1.mymow.com

O1 - Hosts: lonsvr01.mymow.com

O1 - Hosts: lonsvr02.mymow.com

O1 - Hosts: lonsvr03.mymow.com

O1 - Hosts: lonunity1.mymow.com

O1 - Hosts: madsvr01.mymow.com

O1 - Hosts: milsvr01.mymow.com

O1 - Hosts: mowchat01.mymow.com

O1 - Hosts: mowbes1.mymow.com

O1 - Hosts: mowgoback.mymow.com

O1 - Hosts: mowupdates.mymow.com

O1 - Hosts: nycnotes1.mymow.com

O1 - Hosts: nycsvr01.mymow.com

O1 - Hosts: nycsvr02.mymow.com

O1 - Hosts: nycsvr03.mymow.com

O1 - Hosts: nycunity1.mymow.com

O1 - Hosts: sinsvr01.mymow.com

O1 - Hosts: uknotes1.mymow.com

O1 - Hosts: usnotes1.mymow.com

O1 - Hosts: zenwsimport.mymow.com

O1 - Hosts: vpn1.mymow.com

O1 - Hosts: vpn2.mymow.com

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar_en_2.0.107-big.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar_en_2.0.107-big.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe

O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe

O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe

O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe


O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [CFDStart] C:\WINNT\WinMuschi.exe -m

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html

O9 - Extra button: Novell delivered applications (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab

O16 - DPF: {8699D723-6DC6-47D3-B55C-489BA006B917} (WebInstall) - http://www.lucius2003.biz/uk/webinstall.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7985C439-23C4-4765-A8C0-21C0F5FB1874}: NameServer =


ajm200, from a quick look I see two things I would question.


zentray.exe is a Remote Control program, do you remotely control your laptop? Did you install this program?


Next I believe you are infected with the "WinMuschi" virus...this line

O4 - HKCU\..\Run: [CFDStart] C:\WINNT\WinMuschi.exe -m


see http://securityresponse.symantec.com/avcen....winmuschi.html


from the other lines I am looking at is this a work laptop? There are things running that suggest this is connected to a company network. If it is a company laptop are you allowed to go changing things on it? The Remote Control Program may be there for a reason.


Glenn -- you said that (assuming it exists) whatever is on my machine has its own SMTP engine. Any way to search for that?


My wife believes it only happens when we're running Outlook. She's been using Web-based mail for the past week and there are no bounces.




  • 9 months later...

Hi everyone,


Did anyone ever find out what was causing these emails to be sent? I just started experiencing the exact same problem. My friends/family are getting emails from my account with the subject "Not read: [various text]". Each one contains a winmail.dat attachment. I use Outlook to send all my email and I use Hotmail from within Outlook. The emails are coming from my Hotmail account.


I'm in the process of performing all the tests and scans suggested in this thread, but no one ever posted if they solved the problem. Or maybe I missed it?


Any suggestions would be appreciated.




  • 1 year later...



I have the same problem. Did anyone resolve this?




I have an email worm on Outlook that is sending out mails to my contacts with the subject: Not Read: followed by the title of a previous mail.


I have read on totalchoicehosting about the same issue but there was no resolution: http://www.totalchoicehosting.com/fo...0&?do=findComment&comment=100528


I have McAfee Security Centre with current Virus DAT version 4679 (20th Jan 06). On running, this picked up two versions of W32/Bagle.dldr and deleted them - but this did not resolve the worm.


I have also tried Stinger (did not find anything), Panda online (did not find anything) and am currently running TrendMicro's Sysclean.


I have disabled System Restore.


welcome to the forums Tuizner :)


Are you booting in safe mode when scanning ?


The link you gave isn't working, so I'm not sure which page you are referring to. I assume it's sending email from your account, in which case, I'd check the headers for a few clues.


welcome to the forums Tuizner :)


Are you booting in safe mode when scanning ?


The link you gave isn't working, so I'm not sure which page you are referring to. I assume it's sending email from your account, in which case, I'd check the headers for a few clues.





The link is to this page actually, so don't worry.


Yes I am booting in safe mode.


Emails are being sent from one (my default POP3) of my accounts. All are entitled Not Read: followed by the subject of an old email and the content is garbage.


Just for info, my Hijack file follows (sorry, it's big):


Logfile of HijackThis v1.99.1

Scan saved at 20:06:16, on 25/01/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
















C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe



C:\Program Files\McAfee.com\VSO\mcvsshld.exe

C:\Program Files\McAfee.com\VSO\oasclnt.exe




C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe



C:\Program Files\Eraser\eraser.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\FolderSize\FolderSizeSvc.exe

c:\progra~1\mcafee\mcafee antispyware\massrv.exe

c:\program files\mcafee.com\agent\mcdetect.exe





C:\Program Files\Spyware Doctor\sdhelp.exe










C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

C:\Docs\My Documents\My Downloads\HiJackThis\hijackthis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll

O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINDOWS\Speech\Dragon\web_ie.dll

O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll

O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding

O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\sndoctor.exe" /Q

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START

O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background

O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Startup: RpSync.exe.lnk = ?

O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE

O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Answers... - file:C:\Program Files\1-Click Answers\Html\atiemenu.htm

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll

O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/downl...lscbase1524.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...677/mcfscan.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

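The log above is HijackThis output, which is easier to triage with a small parser than by eye. The following is an added example (not code from this thread, from HijackThis, or from the log analyzer the next reply mentions) that splits a log into its numbered sections and raises review prompts for the entry types that deserve a second look: startup shortcuts whose target could not be resolved (`= ?`), downloaded controls (O16) with no friendly name, AppInit_DLLs entries (O20), and services (O23) with no publisher string. The sample log embedded in it is constructed from a handful of the lines posted above; every flag it produces is a reason to look closer, not a verdict, since legitimate software trips these rules too.

```python
import re
from typing import Dict, List, NamedTuple


class HjtEntry(NamedTuple):
    section: str   # HijackThis section code, e.g. "O4", "O23"
    body: str      # everything after the "O4 - " prefix


# HijackThis lines look like "O23 - Service: Name (svc) - Publisher - C:\path\file.exe"
LINE_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*\S)\s*$")


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse the numbered-section lines of a HijackThis log, skipping blanks and header text."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def section_counts(entries: List[HjtEntry]) -> Dict[str, int]:
    """How many entries each section has; a quick overview before reading line by line."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def review_flags(entries: List[HjtEntry]) -> List[str]:
    """Heuristic prompts for manual review. A flag means 'check this', not 'this is malware'."""
    flags: List[str] = []
    for e in entries:
        if e.section == "O4" and e.body.endswith("= ?"):
            # Startup shortcut whose target HijackThis could not resolve
            flags.append(f"O4 startup item with unresolved target: {e.body}")
        elif e.section == "O16" and not re.search(r"\}\s+\(", e.body):
            # Downloaded ActiveX control (DPF) with no friendly name after the CLSID
            flags.append(f"O16 downloaded control without a friendly name: {e.body}")
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that loads user32.dll
            flags.append(f"O20 AppInit_DLLs entry loads into every GUI process: {e.body}")
        elif e.section == "O23" and "Unknown owner" in e.body:
            # Service binary with no publisher/company string
            flags.append(f"O23 service with no publisher: {e.body}")
    return flags


# Constructed sample: a few lines taken from the log posted above, with the rest omitted.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: RpSync.exe.lnk = ?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("sections:", section_counts(parsed))
    for flag in review_flags(parsed):
        print("REVIEW:", flag)
```

Run it against the full log by pasting the whole post into `SAMPLE_LOG` or reading it from a file; the O4/O20/O23 rules are where a mail-sending zombie would most often have to register itself to survive a reboot, so those sections are the ones to read first.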

You might want to look at this thread. There is a log analyzer that may be of assistance.

Thanks for the info.


I think I have sorted the issue now.


It seems (fingers crossed) as though it was in fact not a virus, but something to do with McAfee AntiSpam getting its knickers in a twist. I don't know why it happened, but when McAfee Antivirus noticed I was trying to send 407 emails out it displayed a message saying so and asked if I wanted to carry on or stop the mails. Eventually I hit the "stop emails" button 407 times. This has, so far, cured the problem which hasn't recurred. I can only assume that the issue started due to McAfee AntiSpam because it's always been a bit temperamental on my Outlook 2003.


I wonder if others who had the same issue were running McAfee at the time?


I don't know why it happened, but when McAfee Antivirus noticed I was trying to send 407 emails out it displayed a message saying so and asked if I wanted to carry on or stop the mails.


McAfee was doing the job it was designed to do. It first detected a virus/worm and deleted it, as you mentioned in a previous post. BUT not before the virus spit out 407 emails. McAfee also caught these and asked you what you wanted to do with them, either mail them or delete them (just in case they were good emails). Deleting them was the correct action since they were not valid emails sent by you.


Once you had finished deleting those emails, that should be the end of your infection. Do you have any more symptoms?

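The McAfee prompt described in the reply above is one form of outbound burst detection: a single mailbox suddenly producing hundreds of messages is the classic footprint of a mail-sending zombie, whether the check runs on the PC or at the mail relay. The following is an added example (not from this thread or from McAfee) of the same idea applied at the relay: it reads mail-log lines, tracks each sender in a sliding time window, and reports senders whose peak rate crosses a threshold. The log format (`<date> <time> relay: ... from=<addr> ...`), the addresses and the 25-messages-in-50-seconds burst are all constructed for the example; the window and threshold are assumptions to tune to the site.

```python
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Assumed (constructed) relay log shape: "<date> <time> relay: ... from=<addr> to=<addr> status=..."
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?\bfrom=<([^>]+)>")


def parse_events(lines: List[str]) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, sender) pairs from message lines; other log lines are ignored."""
    events: List[Tuple[datetime, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # startup notices, errors, etc. carry no sender
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2).lower()))
    events.sort()  # logs are usually ordered, but do not rely on it
    return events


def peak_rate(events: List[Tuple[datetime, str]], window_seconds: int = 60) -> Dict[str, int]:
    """Highest number of messages any single sender produced inside one sliding window."""
    recent: Dict[str, Deque[datetime]] = {}
    peaks: Dict[str, int] = {}
    limit = timedelta(seconds=window_seconds)
    for ts, sender in events:
        dq = recent.setdefault(sender, deque())
        dq.append(ts)
        while ts - dq[0] > limit:   # drop timestamps that fell out of the window
            dq.popleft()
        peaks[sender] = max(peaks.get(sender, 0), len(dq))
    return peaks


def flag_bursts(lines: List[str], window_seconds: int = 60, threshold: int = 20) -> Dict[str, int]:
    """Senders whose peak per-window rate reached the threshold, with that peak."""
    peaks = peak_rate(parse_events(lines), window_seconds)
    return {sender: n for sender, n in peaks.items() if n >= threshold}


def build_sample_log() -> List[str]:
    """Constructed sample: one address sends 25 messages in 50 seconds,
    another sends 5 messages spread across an hour, plus one non-message line."""
    base = datetime(2006, 3, 1, 9, 0, 0)
    lines: List[str] = []
    for i in range(25):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} relay: queued id=q{i:03d} "
                     f"from=<laptop-user@example.com> to=<rcpt{i}@example.net> status=sent")
    for i in range(5):
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} relay: queued id=n{i:03d} "
                     f"from=<normal-user@example.com> to=<friend@example.org> status=sent")
    lines.append("2006-03-01 09:30:00 relay: startup complete")
    return lines


SAMPLE_LOG_LINES = build_sample_log()

if __name__ == "__main__":
    for sender, peak in flag_bursts(SAMPLE_LOG_LINES).items():
        print(f"burst from {sender}: {peak} messages within 60 seconds")
```

A rate check like this catches the symptom the thread describes (a flood of real messages from a real mailbox) that spoofing-only explanations cannot account for; pairing it with the bounce pattern the original poster saw gives a defender a reason to pull the machine off the network before the full malware scan, rather than after.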
