Andrew Posted January 28, 2004

First, apologies if this isn't an appropriate place to ask this. But I'm trying everything.

My wife Karen owns her own domain: kcentral.com (hosted here, of course). Recently she's been getting bunches of bounced mail (spam) -- and it's bounced from mail she hasn't sent. I.e., her domain is being spoofed.

But it's worse. I get bounces like this once in a while when a spammer spoofs one of my domain names. But the mail that generated Karen's bounces actually appears to have come from her: "Karen Ireland Kantor" and karen@kcentral.com. Further, the IP address from the header of the originating message is our IP address. (We have a cable "modem" and a hardware firewall, so our actual PCs are 192.something, but the firewall's IP matches what's on the bounces.)

Just to be sure, Karen changed her name in Outlook to "Karen I Kantor." Today came a new batch of bounces -- they come sporadically -- and these had "Karen I Kantor" in them. Ouch.

Obviously we have concerns about carrying a zombie on that particular computer. (The messages appear to be coming from a single computer on the network -- the laptop. Interestingly, it's the only one with an 802.11 connection, but I activated WEP on that a while ago. And I doubt any of my neighbors are sending spam from our machine.)

BTW, it's running Win 98SE with all patches. I've checked to be sure I have the latest updates for Norton Anti-Virus (2003), and I ran a full scan. Nada. Ditto for a full scan from Trend Micro's Web-based scanner. Ad-Aware only turned up the usual cookies, and Zone Alarm doesn't show any unexpected activity -- although it might not because Outlook is permitted to access the Net.

I'm at my wits' end. Is there a chance that we have a trojan/zombie that's invisible to Norton and Trend Micro? Any way to check? I don't see any unusual processes when I hit Ctrl-Alt-Del and I don't know what else I can do.

Help! (And thanks!)

Andrew

PS -- here's a typical header:

Return-path: <karen@kcentral.com>
Received: from dhcp26141213.columbus.rr.com ([24.26.141.213] helo=notebook) by server6.totalchoicehosting.com with asmtp (Exim 4.24) id 1AlpWf-0005tP-HG for UCYVQ@finklfan.com; Wed, 28 Jan 2004 08:14:37 -0500
Reply-To: <karen@kcentral.com>
From: "Karen I. Kantor" <karen@kcentral.com>
To: <UCYVQ@finklfan.com>
Subject: Not read: What are the washing instructions?
Date: Wed, 28 Jan 2004 07:43:51 -0500
Message-ID: <00ba01c3e59c$62a8e2c0$6701a8c0@columbus.rr.com>
MIME-Version: 1.0
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="winmail.dat"
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-MS-TNEF-Correlator: 00000000FC5CA04C8222D81198870006252FBF44A4BA3400
MikeJ Posted January 28, 2004

You can check here for some technical details about the MyDoom virus that just started spreading on Monday, including some details on what you can manually look for to see if it's infected. I'm surprised that NAV wouldn't catch that though, as it's caught many here at the office of those that slipped through our mail server before the virus definitions updated.

Is your wife's machine named "notebook" btw? Whichever machine is transmitting the emails apparently is named "notebook" at the OS level, as is shown by the helo=notebook.
Madmanmcp Posted January 28, 2004

Andrew, I would also suspect the newest worm (MyDoom) is what you have gotten. When you say you have gotten the latest "updates" did you get the ones including this one?

Information about it is here: http://securityresponse.symantec.com/avcen...ovarg.a@mm.html
Norton's definition file is here: http://securityresponse.symantec.com/avcen...s.download.html
Special removal tool is here: http://securityresponse.symantec.com/avcen...moval.tool.html

Now I would suggest that you disconnect the laptop from the Internet; this will stop the emails. You can download the special removal tool and hopefully copy it to the laptop on a floppy and then remove the bugger. Then I would suggest you update all the PCs in the house and scan them all with the new signatures.

Good luck
TCH-Dick Posted January 28, 2004

Just an FYI, these problems started BEFORE the MyDoom virus; I talked with them through a help desk ticket over a week ago. The e-mails are in fact being sent from their computer; figuring out what is sending them and killing the process is the problem.
Madmanmcp Posted January 28, 2004

Thanks Mike, that just made our day. Well, the plan of attack I would keep the same. Since the possible source "seems" to be the laptop, from the change in names of emails, concentrate on that first. Disconnect from the Internet and leave it disconnected till you positively remove the offending program or determine it to be from another source. Get the latest virus definitions from Norton's and upgrade and scan.

A possibility here is that it's a "stealth" worm and is avoiding detection. Try booting the PC into safe mode and then try scanning.

Madmanmcp Posted January 28, 2004

Another idea is to try a Trojan "cleaner" to see what it finds. http://www.moosoft.com/
Andrew Posted January 29, 2004

Thank you all! As Mike said, this started more than a week ago -- pre-MyDoom. (In fact, Norton has been catching several My-Dooms every day.)

Yes, the laptop's name is in fact "Notebook." I wasn't feeling creative.

I tried three different anti-trojan packages yesterday, including the one from MooSoft. Nada. (Other than some cookies and adware, including one called "Bridge," that is.)

She's not getting dozens of these bounces -- just a few a day. In fact, not even. It happens every few days. In the back of my mind is the idea that someone is just spoofing her domain and we're misreading the header somehow. I figure that two anti-virus packages and three anti-trojan packages would find *something* if it was there.

The one thing I haven't tried is a Safe Mode scan. That's tonight.

Thanks again for your suggestions (and please keep 'em coming either here or to me directly: andrew -youknowwhatsymbol- kantor.com).
Madmanmcp Posted January 29, 2004

Well, it looks like you have covered all the bases, and if it's still happening then it's time to start thinking "outside the box".

Are you sending these emails and not realizing it? Check the Sent Items folder and see if they are located in there as being sent from the laptop. Are those subjects familiar, are the addresses familiar? Is someone else in the house sending them? Do you have kids, roommates ... ummm, neighbors or relatives who use the laptop or have access to it?

If your computer had some backdoor trojan like Back Orifice I would expect one of the scanners you ran would catch it. But maybe it's a new one or one specially written and is not being detected. Have you checked Task Manager and checked each program that is running; do you know what each and every one is? Have you run MSCONFIG and checked in Startup to see what's being loaded, and win.ini and autoexec and static.vxb?
ThumpAZ Posted January 29, 2004

One more thing that he could check for is the instance of multiple .pst files on the machine, or multiple email accounts in Outlook. Is the machine shared on your local network without password protection? Do you have any administrative tools running on the machine that would allow remote management? What is the reason given for the bounces? You didn't include that part.

Tracking down a Trojan (which I believe you have, and does differ from a virus) can be difficult. Two things I would recommend:

1. Download Hijack This! from http://www.uselessfurball.com/hijackthis.zip and post the log file here for analysis.

2. Do a search for *.* and choose Modified within the past 2 weeks. Unless you have gone crazy installing all sorts of stuff, then this can reveal more than you think. Pay particular attention to the files modified on or directly around the date when you first started getting bounces.
Andrew Posted February 7, 2004

No one else has access to the machine -- just Karen and me. And it just went a week or so without anything. Today, though, she got two bounces.

She is convinced there is *something* on that machine, although I have to wonder. If someone had a zombie or trojan, wouldn't the machine be sending a LOT more spam (and thus she'd get a lot more bounces)?

I checked Task Manager and saw nothing odd. I have not yet run MSCONFIG -- that's next. And I already downloaded Hijack This but couldn't make heads or tails of what I saw. (That is, if there was something Bad running, I doubt I'd notice.) I'll run it again and post the log.

Thanks again for your help!

Andrew
Andrew Posted February 7, 2004

I did a search for all files modified in the past two weeks. There were hundreds, mostly cookies, my normal mail files, etc. WAY too many to go through to find anything.

Here's my Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 11:42:44 AM, on 2/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\LINKSYS\WIRELESS-B NOTEBOOK ADAPTER\WPC11CFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kantor.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACROBAT\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: MT It! - http://www.kantor.com/mt/mt.cgi?__mode=reg...s&bm_height=530
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.etradebank.com
O15 - Trusted Zone: *.etrade.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7894.7098263889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
ThumpAZ Posted February 9, 2004

Sorry for the slower reply... forgot all about this discussion. I am looking into some items right now, but nothing looks immediately like it could cause the emails you described.

ThumpAZ Posted February 9, 2004

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

This is/can lead to spyware and should be removed. Other than that, I really don't see anything too suspicious. I will do some more research, though.

-Glenn

Andrew Posted February 9, 2004

Funny, that was the first thing I noticed. But DCS Research is just one of the makers of the various spyware removers I was using. Still, I'll take it out.
ThumpAZ Posted February 10, 2004

I went to the site at the IP address in the line and it was definitely not a reputable site. After reading around on the web for a bit, it appears that much of the stuff about dcsresearch is not reputable. I haven't looked deeply, but I would assume that there are spoofed copies floating around or something.

I did a little more research and nothing else in there is questionable.

As for the email issue, do you have ANYTHING else? I see nothing that would do this kind of thing to you. You maybe could grab a copy of SpyBot or something and scan with that. This is a more thorough scan, but it is still mainly for malware and spyware... not virus or trojan activities.

If you do the search for dll, exe and other files of the executable type it will narrow your search and give you a better shot at finding the culprit. Typically, you will be able to spot a smoking gun quickly. Try to narrow your search to the day before and day of the questionable email.

To be honest, you will typically see a LOT more activity if you have a virus or trojan. You could stoop and ask folks in your address list if they have received any odd messages from you lately, as those are typically the first places for viri and such to get some names from.

If you understand how, I can provide you with an ethernet sniffer so you can log everything and see if activity is going on behind the scenes. I will even be nice and tell you how to filter out passwords so you can feel safe sending the log files over for analyzing.

Let me know if you want to proceed with advanced diagnostics.
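The file-date sweep suggested twice above (first as a search for everything modified in the past two weeks, then narrowed to executable types on the day before and the day of the questionable email) is easy to script. The following is an added example, not anything from the thread or from HijackThis: it walks a directory tree, keeps only executable-type files, and filters them to a window around the bounce date. The miniature directory it builds in a temp folder, the file names in it and the "UNKNOWN1.EXE" it plants are all constructed for the demonstration; the bounce date is the one from the header quoted earlier. On a real case you would point `modified_executables` at the drive root (from a machine that can run Python, with the suspect disk mounted) instead of at the temp tree.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Extensions worth looking at first; cookies, .pst files and other data are skipped,
# which is what removed the noise from the poster's "*.*" search.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".scr", ".pif", ".sys",
                       ".ocx", ".vxd", ".bat", ".vbs"}


def modified_executables(root, bounce_day, days_before=1, days_after=0):
    """Return (mtime, path) pairs, oldest first, for executable-type files under
    `root` last modified from `days_before` days before `bounce_day` through the
    end of `days_after` days after it (the thread's "day before and day of")."""
    day_start = datetime.combine(bounce_day, datetime.min.time())
    start = day_start - timedelta(days=days_before)
    end = day_start + timedelta(days=days_after + 1)   # exclusive upper bound
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime)
        if start <= mtime < end:
            hits.append((mtime, path))
    hits.sort()
    return hits


def _touch(path: Path, when: datetime):
    """Create an empty file and back-date its modification time (demo helper)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(b"")
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def demo():
    """Build a constructed miniature of the laptop's disk and run the sweep on it."""
    bounce_day = datetime(2004, 1, 28).date()      # date on the quoted bounce header
    root = Path(tempfile.mkdtemp())
    # Long-standing system files: outside the window, so they are not reported.
    _touch(root / "WINDOWS" / "SYSTEM" / "MSGSRV32.EXE", datetime(2003, 6, 1, 9, 0))
    _touch(root / "WINDOWS" / "SYSTEM" / "WMIEXE.EXE", datetime(2003, 6, 1, 9, 0))
    # Inside the window but not executable: the noise that swamped the "*.*" search.
    _touch(root / "WINDOWS" / "Cookies" / "karen@example.txt", datetime(2004, 1, 28, 7, 30))
    _touch(root / "Outlook" / "outlook.pst", datetime(2004, 1, 28, 8, 0))
    # A hypothetical, constructed unexplained executable from the evening before.
    _touch(root / "WINDOWS" / "SYSTEM" / "UNKNOWN1.EXE", datetime(2004, 1, 27, 22, 15))
    hits = modified_executables(root, bounce_day)
    return [p.name for _, p in hits]


if __name__ == "__main__":
    for name in demo():
        print("modified in window:", name)
```

Anything the sweep reports that you cannot tie to an install you made is what to look up by name and hash before deciding whether to remove it; widen `days_before` if the first bounce date is uncertain.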
ThumpAZ Posted February 10, 2004

Just a quick adder... whatever it is, it has its own SMTP engine. I can say this because the "helo" name is the computer name. This will not happen in a standard email that is going through a remotely hosted email server (yours would be a FQDN like this example of an email to me: "from 'username' by server54.totalchoicehosting.com with local-bsmtp (Exim 4.24) id 1Aq68w-0004nA-Jp"). So whatever it is, it is on that machine for sure.

I tried pinging and a short scan of the IP listed in your header for typical bad guy ports and nothing odd came up (your firewall is working well against amateurs, didn't really hit it hard).
ajm200 Posted February 15, 2004

I've been having what seems like exactly the same problem for the past week or two - I receive a few bounced emails a day, which all appear to have been sent from this computer (the IPs match to whether I have been at home or using a dialup in the Netherlands). Nothing from Norton AV, but I will try the suggestions above.

Andrew

P.S. Example mail:

Return-Path: <Andrew@AJMurray.freeserve.co.uk>
Received: from unknown (HELO LONJJZX70J) (amurray?owc@195.240.28.83 with login) by smtp105.mail.sc5.yahoo.com with SMTP; 10 Feb 2004 10:02:06 -0000
Reply-To: <Andrew@AJMurray.freeserve.co.uk>
From: "Andrew Murray" <Andrew@AJMurray.freeserve.co.uk>
To: <nfuizlzwrfpuo@aaronkwok.net>
Subject: Not read: Read: What's up, then?
Date: Tue, 10 Feb 2004 11:01:58 +0100
Message-ID: <00a301c3efbc$ed69cd50$531cf0c3@LONJJZX70J>
MIME-Version: 1.0
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="winmail.dat"
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-MS-TNEF-Correlator: 000000000045864123B0504BB412FEBD513BC520A4E33F00

eJ8+IgEKAQaQCAAEAAAAAAABAAEAAQeQBgAIAAAA5AQAAAAAAADoAAEIgAcAFwAAAFJFUE9S
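The header reading ThumpAZ describes (a HELO that is a bare computer name rather than an FQDN means the message was handed to the server straight from the end-user machine) can be turned into a small triage script, and the two headers posted in this thread make good test input for it. The code below is an added example and not part of any post or of any mail tool; the three `Received:` lines are copied from the thread (the third is ThumpAZ's "normal" example) and unwrapped onto single lines, and the `own_ips` values passed to `triage` are the addresses from those same headers. One assumption beyond what the posts say: the script also treats `with asmtp`, `with esmtpa`/`esmtpsa` (Exim's labels for an authenticated submission) and `with login` as evidence that the account's own credentials were used, which is a reason to change the mailbox password as part of the cleanup.

```python
import re

# Constructed samples: the Received: lines quoted in this thread, unwrapped.
EXIM_DIRECT = (
    "Received: from dhcp26141213.columbus.rr.com ([24.26.141.213] helo=notebook) "
    "by server6.totalchoicehosting.com with asmtp (Exim 4.24) "
    "id 1AlpWf-0005tP-HG for UCYVQ@finklfan.com; Wed, 28 Jan 2004 08:14:37 -0500"
)
QMAIL_DIRECT = (
    "Received: from unknown (HELO LONJJZX70J) (amurray?owc@195.240.28.83 with login) "
    "by smtp105.mail.sc5.yahoo.com with SMTP; 10 Feb 2004 10:02:06 -0000"
)
# The normal shape for mail that goes through the hosting server itself.
EXIM_RELAYED = (
    "Received: from 'username' by server54.totalchoicehosting.com "
    "with local-bsmtp (Exim 4.24) id 1Aq68w-0004nA-Jp"
)

_HELO_RE = re.compile(r"\bhelo[= ]([^\s()]+)", re.IGNORECASE)   # Exim "helo=x" or "(HELO x)"
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")           # first IPv4 literal = client
_BY_RE = re.compile(r"\bby\s+(\S+)")
# Assumption: these protocol labels mark an authenticated (password-using) submission.
_AUTH_RE = re.compile(r"\bwith\s+(asmtp|esmtpa|esmtpsa|login)\b", re.IGNORECASE)


def parse_received(header: str) -> dict:
    """Pull the HELO name, connecting IP, receiving host and auth flag out of one header."""
    text = " ".join(header.split())          # unwrap folded continuation lines
    helo, ip, by = _HELO_RE.search(text), _IPV4_RE.search(text), _BY_RE.search(text)
    return {
        "helo": helo.group(1) if helo else None,
        "client_ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "authenticated": _AUTH_RE.search(text) is not None,
    }


def triage(header: str, own_ips=()) -> dict:
    """Apply the thread's checks: bare HELO, own-IP match, authenticated submission."""
    info = parse_received(header)
    mine = set(own_ips)
    findings = []
    helo = info["helo"]
    bare_helo = bool(helo) and "." not in helo
    if bare_helo:
        findings.append(f"HELO '{helo}' is a bare computer name, not an FQDN: "
                        "something on that host spoke SMTP to the server directly")
    if info["client_ip"] in mine:
        findings.append(f"client IP {info['client_ip']} is one of your own: "
                        "the message left your network")
    if info["authenticated"]:
        findings.append("submission was authenticated: the account's own credentials "
                        "were used, so change the mailbox password as part of cleanup")
    info["findings"] = findings
    # Both signs together are what points at a mail engine on the user's machine.
    info["local_engine_suspected"] = bare_helo and info["client_ip"] in mine
    return info


if __name__ == "__main__":
    for label, hdr, ips in (("Karen", EXIM_DIRECT, ["24.26.141.213"]),
                            ("ajm200", QMAIL_DIRECT, ["195.240.28.83"]),
                            ("relayed", EXIM_RELAYED, ["24.26.141.213"])):
        result = triage(hdr, ips)
        print(label, "local engine suspected:", result["local_engine_suspected"])
        for line in result["findings"]:
            print("  -", line)
```

Run it against the full set of bounced messages rather than one: if every bounce shows the same bare HELO and an IP that was yours at the time it was sent (the Netherlands dialup case above), the sending program is on that machine, whatever the scanners say.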
ajm200 Posted February 16, 2004

The other things didn't find anything, but the Hijack log is as below. Can't see anything overtly evil, though I must admit I am not familiar with some of the running processes, particularly the ones within the system32 folder...

Andrew

Logfile of HijackThis v1.97.7
Scan saved at 13:55:17, on 16/02/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\nslsvice.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Lotus\Notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\NetDrive\wdService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\ERICSSON\COMMUN~1\MOBILE~1\EPMWOR~1.EXE
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\ntaskldr.EXE
C:\WINNT\SYSTEM32\VpnStats.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\AMurray\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O1 - Hosts: 172.22.2.41 denotes1.mymow.com
O1 - Hosts: 172.22.2.241 franotes1.mymow.com
O1 - Hosts: 172.22.2.151 frasvr01.mymow.com
O1 - Hosts: 172.22.2.155 frasvr02.mymow.com
O1 - Hosts: 172.22.2.165 frasvr03.mymow.com
O1 - Hosts: 172.20.2.79 fraunity1.mymow.com
O1 - Hosts: 172.21.2.241 lonnotes1.mymow.com
O1 - Hosts: 172.21.2.151 lonsvr01.mymow.com
O1 - Hosts: 172.21.2.155 lonsvr02.mymow.com
O1 - Hosts: 172.21.2.165 lonsvr03.mymow.com
O1 - Hosts: 172.20.2.77 lonunity1.mymow.com
O1 - Hosts: 172.23.2.151 madsvr01.mymow.com
O1 - Hosts: 172.26.2.151 milsvr01.mymow.com
O1 - Hosts: 172.20.2.42 mowchat01.mymow.com
O1 - Hosts: 172.20.2.43 mowbes1.mymow.com
O1 - Hosts: 172.20.2.72 mowgoback.mymow.com
O1 - Hosts: 172.20.2.51 mowupdates.mymow.com
O1 - Hosts: 172.20.2.241 nycnotes1.mymow.com
O1 - Hosts: 172.20.2.151 nycsvr01.mymow.com
O1 - Hosts: 172.20.2.155 nycsvr02.mymow.com
O1 - Hosts: 172.20.2.165 nycsvr03.mymow.com
O1 - Hosts: 172.20.2.75 nycunity1.mymow.com
O1 - Hosts: 172.25.2.151 sinsvr01.mymow.com
O1 - Hosts: 172.21.2.41 uknotes1.mymow.com
O1 - Hosts: 172.20.2.41 usnotes1.mymow.com
O1 - Hosts: 172.21.2.160 zenwsimport.mymow.com
O1 - Hosts: 63.111.194.182 vpn1.mymow.com
O1 - Hosts: 63.111.193.175 vpn2.mymow.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar_en_2.0.107-big.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar_en_2.0.107-big.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CFDStart] C:\WINNT\WinMuschi.exe -m
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
O9 - Extra button: Novell delivered applications (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {8699D723-6DC6-47D3-B55C-489BA006B917} (WebInstall) - http://www.lucius2003.biz/uk/webinstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7985C439-23C4-4765-A8C0-21C0F5FB1874}: NameServer = 195.241.49.33 195.241.48.33
Madmanmcp Posted February 16, 2004

ajm200, from a quick look I see two things I would question.

zentray.exe is a Remote Control program; do you remotely control your laptop? Did you install this program?

Next, I believe you are infected with the "WinMuschi" virus... this line:

O4 - HKCU\..\Run: [CFDStart] C:\WINNT\WinMuschi.exe -m

see http://securityresponse.symantec.com/avcen....winmuschi.html

From the other lines I am looking at, is this a work laptop? There are things running that suggest this is connected to a company network. If it is a company laptop, are you allowed to go changing things on it? The Remote Control program may be there for a reason.
Andrew Posted February 22, 2004

Glenn -- you said that (assuming it exists) whatever is on my machine has its own SMTP engine. Any way to search for that?

My wife believes it only happens when we're running Outlook. She's been using Web-based mail for the past week and there are no bounces.

Andrew
mratch Posted November 25, 2004

Hi everyone,

Did anyone ever find out what was causing these emails to be sent? I just started experiencing the exact same problem. My friends/family are getting emails from my account with the subject "Not read: [various text]". Each one contains a winmail.dat attachment. I use Outlook to send all my email and I use Hotmail from within Outlook. The emails are coming from my Hotmail account.

I'm in the process of performing all the tests and scans suggested in this thread, but no one ever posted if they solved the problem. Or maybe I missed it? Any suggestions would be appreciated.

mike
Tuizner Posted January 25, 2006

Hi, I have the same problem. Did anyone resolve this?

I have an email worm on Outlook that is sending out mails to my contacts with the subject: Not Read: followed by the title of a previous mail. I have read on totalchoicehosting about the same issue but there was no resolution: http://www.totalchoicehosting.com/fo...0&?do=findComment&comment=100528

I have McAfee Security Centre with current Virus DAT version 4679 (20th Jan 06). On running, this picked up two versions of W32/Bagel.dldr and deleted them - but this did not resolve the worm. I have also tried Stinger (did not find anything), Panda online (did not find anything) and am currently running TrendMicro's Sysclean. I have disabled System Restore.

TCH-Rob Posted January 25, 2006

Hi Tuizner, welcome to the forums. I have not seen anything but hang tight and we will see if anyone has any suggestions.

TCH-Andy Posted January 25, 2006

Welcome to the forums Tuizner. Are you booting in safe mode when scanning? The link you gave isn't working, so I'm not sure which page you are referring to. I assume it's sending email from your account, in which case I'd check the headers for a few clues.
Tuizner Posted January 25, 2006

> welcome to the forums Tuizner Are you booting in safe mode when scanning ? The link you gave isn't working, so I'm not sure which page you are referring to. I assume it's sending email from your account, in which case, I'd check the headers for a few clues.

Sorry, the link is to this page actually, so don't worry. Yes, I am booting in safe mode. Emails are being sent from one (my default POP3) of my accounts. All are entitled Not Read: followed by the subject of an old email, and the content is garbage.

Just for info, my Hijack file follows (sorry, it's big):

Logfile of HijackThis v1.99.1
Scan saved at 20:06:16, on 25/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Docs\My Documents\My Downloads\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINDOWS\Speech\Dragon\web_ie.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 1-Click Answers - {7754C418-F62E-44aa-B169-E719E718BCFD} - C:\PROGRA~1\1-CLIC~1\IEToolbar\AnswersToolbarU.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run:
[OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\sndoctor.exe" /Q O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Startup: RpSync.exe.lnk = ? 
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE O4 - Global Startup: 1-Click Answers.lnk = C:\Program Files\1-Click Answers\answers.exe O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Answers... - file:C:\Program Files\1-Click Answers\Html\atiemenu.htm O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - 
C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download1.answers.com/pub/AnswersSetup.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety.live.com/resource/downl...lscbase1524.cab O16 - DPF: 
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...677/mcfscan.cab O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. 
- C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Quote
TCH-Rob Posted January 25, 2006 You might want to look at this thread. There is a log analyzer that may be of assistance. http://www.totalchoicehosting.com/forums/i...showtopic=24345
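The log analyzer TCH-Rob points at does this kind of thing at scale; as an added example (not code from this thread, from HijackThis, or from any analyzer linked here), the script below shows the core of such a tool: it splits a HijackThis log into the running-process list and the numbered entries (R0, O2, O4, O23 and so on) and flags the entry types a reviewer would look at first: browser add-ons registered with no display name, startup shortcuts HijackThis could not resolve (shown as "= ?"), AppInit_DLLs entries, and services with no vendor string. The sample log is constructed from a handful of lines in Tuizner's post and is not the full log; the flag rules are the author's own heuristics, not HijackThis's.

```python
import re
from collections import Counter

# Constructed sample: a few entries copied from the log posted in this thread
# (not the whole log). A raw string keeps the Windows backslashes intact.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 20:06:16, on 25/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: RpSync.exe.lnk = ?
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Numbered entries look like "O23 - <body>"; process lines are bare .exe paths.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+\.(exe|EXE)$")


def parse_hijackthis(text):
    """Split a HijackThis log into (processes, entries).

    processes: list of running-process paths.
    entries:   list of {"kind": "O23", "body": "Service: ..."} dicts, in log order.
    Header lines (Logfile of..., Platform: ...) are skipped.
    """
    processes, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"kind": m.group("kind"), "body": m.group("body")})
        elif PROCESS_RE.match(line):
            processes.append(line)
    return processes, entries


def triage(entries):
    """Return (reason, entry) pairs for entries worth a manual look.

    These are review prompts, not verdicts (hypothetical heuristics, not HijackThis
    rules): the "(no name)" BHO in the sample is a legitimate RoboForm component,
    so each flagged path still has to be confirmed against its vendor.
    """
    flagged = []
    for e in entries:
        kind, body = e["kind"], e["body"]
        if kind in ("O2", "O3", "O9") and "(no name)" in body:
            flagged.append(("browser add-on registered without a display name", e))
        elif kind == "O4" and body.endswith("= ?"):
            flagged.append(("startup shortcut whose target could not be resolved", e))
        elif kind == "O20":
            flagged.append(("AppInit_DLLs entry, loaded into every process that uses user32", e))
        elif kind == "O23" and "Unknown owner" in body:
            flagged.append(("service with no vendor information", e))
    return flagged


def summarize(entries):
    """Count entries per HijackThis section, e.g. {"O4": 2, "O23": 2, ...}."""
    return dict(Counter(e["kind"] for e in entries))


if __name__ == "__main__":
    procs, ents = parse_hijackthis(SAMPLE_LOG)
    print(f"{len(procs)} running processes, {len(ents)} entries: {summarize(ents)}")
    for reason, e in triage(ents):
        print(f"[{e['kind']}] {reason}: {e['body']}")
```

Run against the full log from the post above, the same rules would also raise the second "(no name)" BHO (SDIEInt.dll), the two "(no name)" O9 buttons, and the "spyware Doctor" and other Run entries only if you extend the rules; the point of the layout is that each section is isolated so a reviewer can compare the O4 and O23 lists against what they know they installed.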
Tuizner Posted January 30, 2006

You might want to look at this thread. There is a log analyzer that may be of assistance. http://www.totalchoicehosting.com/forums/i...showtopic=24345

Thanks for the info. I think I have sorted the issue now. It seems (fingers crossed) as though it was in fact not a virus, but something to do with McAfee AntiSpam getting its knickers in a twist. I don't know why it happened, but when McAfee Antivirus noticed I was trying to send 407 emails out it displayed a message saying so and asked if I wanted to carry on or stop the mails. Eventually I hit the "stop emails" button 407 times. This has, so far, cured the problem which hasn't recurred. I can only assume that the issue started due to McAfee AntiSpam because it's always been a bit temperamental on my Outlook 2003. I wonder if others who had the same issue were running McAfee at the time?
Madmanmcp Posted January 30, 2006

I don't know why it happened, but when McAfee Antivirus noticed I was trying to send 407 emails out it displayed a message saying so and asked if I wanted to carry on or stop the mails.

McAfee was doing the job it was designed to do. It first detected a virus/worm and deleted it, as you mentioned in a previous post. BUT not before the virus spit out 407 emails. McAfee also caught these and asked you what you wanted to do with them, either mail them or delete them (just in case they were good emails). Deleting them was the correct action since they were not valid emails sent by you. Once you had finished deleting those emails, that should be the end of your infection. Do you have any more symptoms?