Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Also Having "scanning Message 1 Of 1" Email Spam Problem


  • Please log in to reply
1 reply to this topic

#1 pjeide

pjeide

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 04 September 2007 - 01:56 PM

Greetings, I really need some pro-help..

I am having a problem on my Boss' machine with outgoing spam email.
I am repeatedly having Symantec pop up with a "Scanning message 1 of 1" dialog.

These messages flood in.. the email addresses that the worm is attempting to send to seem arbitrary and seem to have no correlation to the Outlook address book.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:40 PM, on 9/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\brsvc01a.exe
C:\WINNT\System32\brss01a.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adp\HandPunch Manager\Apps\ADPHPIScheduler.exe
C:\DOCUME~1\Mark\LOCALS~1\Temp\svchost.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Mark\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bankofamerica.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [wmupdate] C:\WINNT\wmupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-18 Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
O4 - .DEFAULT User Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe (User 'Default user')
O4 - Startup: ADP HandPunch Scheduler.lnk = C:\Program Files\Adp\HandPunch Manager\Apps\ADPHPIScheduler.exe
O4 - Startup: Shortcut to adminlogin.bat.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F89380D-98FE-4003-A039-CD743123AE59}: NameServer = 209.150.200.10,66.213.224.2
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINNT\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6620 bytes


I've found another post on the forum that describes a like problem, however, I've had no luck in getting this to stop.
The similar post is http://www.bleepingcomputer.com/forums/t/105023/scanning-message-1-of-1-problem/

I've run HijackThis & ADS Spy, and based on the advise at the end of the previously mentioned post, I've run SDFix in safe mode (then rebooted into Fixtool), and it removed one suspected trojan (attached to svchost.exe..?)

I've got log files! These are taken POST 'removal' of the "Trojan" by SDFix (after the problem returned). SDFix Run #1 was the first removal I did, prior to redoing my HijackThis, Bootlog, and SIC.

\BOOTLOG: http://www.petereide.name/ntbtlog.txt
Trend Micro SIC: http://www.petereide.name/SICLOG00001.TXT
SDFix (run #2): http://www.petereide.name/report.txt
SDFix (run #1): http://www.petereide.name/reportold.txt
ADS Spy returned no results.

Your help would be so greatly appreciated,

Thank you,

Peter Eide




copy of latest SDFix:

SDFix: Version 1.101

Run by amos17 on Tue 09/04/2007 at 12:32 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\Mark\LOCALS~1\Temp\svchost.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\ADP\\PCPW\\PAY4WIN.exe"="C:\\ADP\\PCPW\\PAY4WIN.exe:*:Enabled:ADP PC Payroll for Windows"
"C:\\ADP\\PCAny\\PCAny_Host_Only.EXE"="C:\\ADP\\PCAny\\PCAny_Host_Only.EXE:*:Enabled:ADP Remote Support"
"C:\\etime\\Etbackup.exe"="C:\\etime\\Etbackup.exe:*:Enabled:e-TIME Backup Utility"
"C:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"="C:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe:*:Enabled:GoToMyPC"
"C:\\WINNT\\system32\\odbcad32.exe"="C:\\WINNT\\system32\\odbcad32.exe:*:Enabled:ODBC Administrator"
"C:\\Program Files\\Peachtree\\peachw.exe"="C:\\Program Files\\Peachtree\\peachw.exe:*:Enabled:Peachtree Complete Accounting 2006"
"C:\\Program Files\\Common Files\\Pervasive Software Shared\\PSA\\psawizrd.exe"="C:\\Program Files\\Common Files\\Pervasive Software Shared\\PSA\\psawizrd.exe:*:Enabled:Pervasive System Analyzer"
"C:\\Program Files\\Symantec AntiVirus\\VPC32.exe"="C:\\Program Files\\Symantec AntiVirus\\VPC32.exe:*:Enabled:Symantec AntiVirus"
"C:\\Program Files\\Support Tools\\ldp.exe"="C:\\Program Files\\Support Tools\\ldp.exe:*:Enabled:Active Directory Administration Tool"
"C:\\DOCUME~1\\Mark\\LOCALS~1\\Temp\\svchost.exe"="C:\\DOCUME~1\\Mark\\LOCALS~1\\Temp\\svchost.exe:*:Enabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Mark\NetHood\amos.orderprinting.com\Desktop.ini
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Mark\Application Data\Microsoft\Word\~WRL3978.tmp

Finished

BC AdBot (Login to Remove)

 


#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:03:26 AM

Posted 14 September 2007 - 01:07 AM

Hello pjeide and welcome to BleepingComputer!

My name is Johannes and I will be dealing with your log today.
Please note that comments are made in green, links are in red and important things are outlined by using the blue color.

Could you please supply me with a fresh HijackThis log before we start?

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users