Pc Sending Blank Emails


5 replies to this topic

#1 reynald

Posted 02 November 2007 - 11:47 AM

I think I may be infected. My PC has taken to sending occasional blank emails to people I know. Typical scenario: I'll receive an email from someone and read it. Often, I'll have begun to compose a reply to them and then delete it without sending. They then receive an email from me replying to theirs, but the contents are blank. I didn't send this email, nor does it appear in Outlook's Sent folder.

I scanned my PC with my AV (Trend Micro) but it found nothing. However, I ran Kaspersky's online scan and it reported finding virus packed.win32.tibs.a in a file in my SYSTEM32 directory. I can't clean it; can't even delete it because it doesn't show up when I list the files (even though I have it set to show hidden files).

I'd welcome any advice for how to proceed. Some of these blank replies are going to business contacts and I'd really like to correct the problem.

#2 quietman7
Bleepin' Janitor, Global Moderator

Posted 02 November 2007 - 12:56 PM

What is the name of the file associated with virus packed.win32.tibs.a in your system32 folder?

Are you following the directions provided in Reconfigure Windows XP to show hidden files, folders?

If you can find that file submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 reynald
Topic Starter

Posted 02 November 2007 - 04:35 PM

What is the name of the file associated with virus packed.win32.tibs.a in your system32 folder?

wcqmndgb.exe

Are you following the directions provided in Reconfigure Windows XP to show hidden files, folders?

Yes.

If you can find that file submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.

I can't find the file. Kaspersky said it's in Windows\SYSTEM32 but I don't see it when I do a file list, nor does a Search turn it up. Anything else I can do?
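The two posts above turn on one practical problem: a scanner reports a file in System32, but a normal directory listing and Search do not show it, so the user cannot submit it for analysis. The script below is an added example for this thread, not something either participant posted. It assumes PowerShell 4.0 or later (for Get-FileHash), and the file name wcqmndgb.exe is taken from the thread only as the value to look for. It lists the file even when it carries the Hidden or System attribute, computes the SHA-256 that VirusTotal-style services index (so the hash can be looked up without uploading anything), and reports the Authenticode status, since genuine Microsoft components in System32 are signed. It goes one step beyond the thread by also listing any other hidden files created under System32 in the last 30 days, which is the same check generalized.

```powershell
# Added example (not from the thread): read-only triage for a file that a scanner
# reported under System32 but that Explorer and Search do not show.
# Assumes PowerShell 4.0+ (Get-FileHash). The default file name is the one named in
# this thread; pass -Name to look for whatever your scanner reported.
param(
    [string]$Name = 'wcqmndgb.exe',          # file name reported by the scanner
    [string]$Root = "$env:SystemRoot\System32",
    [int]$RecentDays = 30                    # window for the "other hidden files" sweep
)

function Get-FileTriage {
    param([System.IO.FileInfo]$File)

    # SHA-256 is what VirusTotal / Jotti-style services index; look the hash up first.
    $hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
    # Authenticode status: 'Valid' with a Microsoft signer is expected for real
    # System32 components; 'NotSigned' on a recently created file deserves a look.
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName

    [pscustomobject]@{
        Path       = $File.FullName
        Attributes = $File.Attributes        # shows Hidden / System, i.e. why it was invisible
        SizeBytes  = $File.Length
        Created    = $File.CreationTime
        Modified   = $File.LastWriteTime
        SHA256     = $hash
        Signature  = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

# -Force includes Hidden and System files that a plain directory listing omits,
# which is the usual reason a scanner "sees" a file the user cannot.
$hits = Get-ChildItem -Path $Root -Filter $Name -File -Force -Recurse -ErrorAction SilentlyContinue

if (-not $hits) {
    Write-Output "No file named $Name found under $Root (it may already have been removed, or the scanner reported a different path)."
} else {
    Write-Output "=== Reported file ==="
    $hits | ForEach-Object { Get-FileTriage -File $_ } | Format-List
}

# Generalized sweep: other hidden files created recently in the same tree. Most of
# System32 is old and unhidden, so this list is normally short and worth reading.
$cutoff = (Get-Date).AddDays(-$RecentDays)
$recentHidden = Get-ChildItem -Path $Root -File -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and $_.CreationTime -gt $cutoff }

Write-Output "=== Hidden files created under $Root in the last $RecentDays days ==="
if ($recentHidden) {
    $recentHidden | ForEach-Object { Get-FileTriage -File $_ } |
        Format-Table Path, Created, Signature, SHA256 -AutoSize
} else {
    Write-Output '(none)'
}
```

Run it from an elevated PowerShell prompt. On the Windows XP machine in this thread PowerShell 4 is not available; the equivalent XP-era check is `dir /a /s C:\Windows\system32\wcqmndgb.exe` at a command prompt (the `/a` switch lists hidden and system files) followed by a separate hashing tool. A "not found" result, as in the later reply in this thread, can simply mean another scanner has already removed the file.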

#4 quietman7
Bleepin' Janitor, Global Moderator

Posted 02 November 2007 - 08:16 PM

Please download OTMoveIt by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in red and press CTRL+C or right-click and choose Copy.
    • C:\Windows\system32\wcqmndgb.exe

  • Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • Important! If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.
Note: A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could prevent your system from ever starting again.



#5 reynald
Topic Starter

Posted 03 November 2007 - 12:53 AM

Thanks very much for your help, quietman7.

Click the red MoveIt! button.

Following your instructions, I get the following error message at this point:

Cannot create file C:\_OTMoveIt\MovedFiles\11022007_224309.log

...and the Results windows says:

File/Folder C:\Windows\system32\wcqmndgb.exe not found

I should also add that since my last post, I ran an online scan using Eset's NOD32, and it found and deleted (because it couldn't clean) 6 files containing 3 Java trojans:

Exploit.Bytverify (2 instances)
TrojanDownloader.OpenConnection.Y (2 instances)
ClassLoader (2 instances)

Natch, I'm hoping that solves my problem, but I won't know for a while. And I welcome any additional suggestions to ensure that I'm clean.

#6 quietman7
Bleepin' Janitor, Global Moderator

Posted 03 November 2007 - 05:52 AM

You received the error message from OTMoveIt because it appears that file has already been removed, thus it could not be found. That may explain why you could not find it when looking.

Java.ByteVerify is actually a method to exploit a security vulnerability in the Microsoft Virtual Machine that is stored in the java cache as a java-applet. The vulnerability arises as the ByteCode verifier in the Microsoft VM does not correctly check for the presence of certain malformed code when a java-applet is loaded. Attackers can exploit the vulnerability by creating malicious Java applets and inserting them into web pages that could be hosted on a web site or sent to users as an attachment. Trojan Exploit ByteVerify indicates that a Java applet - a malicious Java archive file (JAR) - was found on your system containing the exploit code.

When a browser runs an applet, the Java Runtime Environment (JRE) stores all the downloaded files into its cache directory for better performance. Microsoft stores the applets in the Temporary Internet Files. The Java.ByteVerify will typically arrive as a component of other malicious content. An attacker could use the compiled Java class file to execute other code...Notification of infection does not always indicate that a machine has been infected; it only indicates that a program included the viral class file. This does not mean that it used the malicious functionality.

These malicious applets are designed to exploit vulnerabilities in the Microsoft VM (Microsoft Security Bulletin MS03-011). If you are using the Sun JVM as your default virtual machine, these malicious applets cannot cause any harm to your computer. See: here.

AVG, eTrust EZ Antivirus, Pest Patrol and others will find Java/ByteVerify but cannot get rid of them. If you have the Java-Plugin installed, then deleting them from the Java cache should eliminate the problem. The Java Plug-In in the Control Panel is only present if you are using Sun's Java. If you don't have the Java-Plugin installed then just delete the files manually. The Microsoft Virtual machine stores the applets in the Temporary Internet Files.

Recommended Solution:
If you're using Sun Java, follow the instructions for Clearing the Java Runtime Environment (JRE) Cache.
If you're using IE, Netscape, Mozilla, Opera, or AOL, follow the instructions for Clearing your Web Browser Cache.

To read more about this vulnerability issue please see Microsoft Security Bulletin MS03-011 and MS Article ID: 816093.
