Worm sends emails in outlook express


  • Please log in to reply
2 replies to this topic

#1 iceman0x56 (Members, 2 posts)

Posted 12 June 2009 - 04:15 PM

Just a few days after running various programs to clean up a computer, I noticed 2 strange emails in the inbox. My ISP (Comcast) appeared to block the two emails from being sent to 2 different addresses, both @163.com.

The 2 emails contain info from Comcast notifying me of those 2 emails being undeliverable, but there's not any record of the emails themselves in my sent/outbox (emails that I never sent anyway).

I've run further scans, with no results, so I'm not sure if I'm still infected (if that was the cause anyway).

Any help would be greatly appreciated. Thank you.




DDS (Ver_09-05-14.01) - NTFSx86
Run by Jason Lake at 16:51:26.59 on Fri 06/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.410 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Jason Lake\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.comcast.net/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /M "Stylus Photo R320" /EF "HKCU"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
mRun: [EPSON Stylus Photo R320 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe /runonstartup"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://connect.sparrow.org/dana-cached/setup/JuniperSetupSP1.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-28 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-28 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-28 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-28 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\jasonl~1\locals~1\temp\asbp2poa.sys --> c:\docume~1\jasonl~1\locals~1\temp\asbp2poa.sys [?]

============== File Associations ===============

txtfile=NOTEPAD.EXE "%1"

=============== Created Last 30 ================

2009-06-12 16:08 <DIR> --d----- c:\program files\Trend Micro
2009-06-11 10:21 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 10:21 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-03 18:05 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-03 18:03 <DIR> --d----- c:\program files\iPod
2009-06-03 18:02 <DIR> --d----- c:\program files\iTunes
2009-05-28 18:26 196 a---h--- C:\aaw7boot.cmd
2009-05-28 15:48 <DIR> --d----- c:\docume~1\jasonl~1\applic~1\IObit
2009-05-28 15:47 <DIR> --d----- c:\program files\Lavasoft
2009-05-28 12:49 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-28 09:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-28 09:54 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-28 09:54 <DIR> --d----- c:\docume~1\jasonl~1\applic~1\SUPERAntiSpyware.com
2009-05-28 09:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-28 09:40 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-28 09:39 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-28 09:39 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-28 09:38 <DIR> --d----- c:\program files\AVG
2009-05-28 09:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-27 22:08 240 a------- C:\cc_20090527_220826.reg
2009-05-27 22:06 1,197,622 a------- C:\cc_20090527_220640.reg
2009-05-27 19:19 <DIR> --d----- c:\docume~1\jasonl~1\applic~1\Malwarebytes
2009-05-27 19:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-27 19:19 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-27 19:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-27 19:18 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 18:29 <DIR> --d----- c:\program files\CONEXANT
2009-05-27 18:27 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-05-27 17:10 <DIR> --d----- c:\windows\system32\XPSViewer
2009-05-27 17:05 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-27 17:05 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-27 17:05 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-27 17:05 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-27 17:05 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-27 17:05 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-05-27 17:05 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-27 17:05 <DIR> --d----- C:\7d85b46275cba0a9dd825b1b3cfa
2009-05-27 17:03 <DIR> --d----- c:\windows\SxsCaPendDel
2009-05-27 16:45 <DIR> --d----- C:\524515b745b8c165ce8378
2009-05-27 16:44 <DIR> --d----- C:\8b0e46fe4d221f7a970bfb04
2009-05-27 16:16 <DIR> -cd-h--- c:\windows\ie8
2009-05-27 14:55 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-05-27 14:55 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-05-27 14:53 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-05-27 14:53 21,504 a------- c:\windows\system32\hidserv.dll
2009-05-27 14:53 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-05-27 14:53 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-05-27 14:53 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-05-27 14:53 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-05-26 21:29 <DIR> --d----- c:\windows\3074EB891BCA4AEFAFF4EFB4634C1923.TMP
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-23 21:15 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\localspl.dll
2009-05-02 20:26 99,232 a------- c:\docume~1\jasonl~1\applic~1\GDIPFONTCACHEV1.DAT
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2007-12-25 17:01 22,328 ac------ c:\docume~1\jasonl~1\applic~1\PnkBstrK.sys
2006-06-11 01:10 774,144 ac------ c:\program files\RngInterstitial.dll
2008-09-03 15:57 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 16:52:18.32 ===============


#2 iceman0x56 (Topic Starter, Members, 2 posts)

Posted 15 June 2009 - 10:43 AM

I apologize for bumping; I couldn't see how to edit my original post.

Update: I've received another 35 emails in the last 3 days about new emails that have been sent using my Comcast account; however, some of the emails notifying me of undelivered mail have been from other servers, not just Comcast's. I have emails going to Taiwan, China, the list goes on.

Is there any chance that my account has been compromised and the emails are being sent using my account from another computer or location, not mine? Would changing the password stop this?

Thank you.

===========

Hello

Actually, changing the user name associated with your account is probably more effective.

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 16 June 2009 - 12:35 PM.


#3 shelf life (Malware Response Team, 2,646 posts)

Posted 21 June 2009 - 08:18 AM

Hi iceman0x56,

Sorry for the delay, no shortage of posters. If you still need help you can do this.
To help show all files:

On the desktop double click My Computer. At the top click on Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types". Click Apply to All Folders, then Apply, then OK.

Next boot into safe mode. To reach safe mode you would tap the F8 key during a computer restart. Choose the first option from the list: safe mode.
Once at the safe mode desktop navigate to:

c:\docume~1\jasonl~1\locals~1\temp\

C:\Documents and Settings\jason\Local Settings\Temp

Click Edit, click Select All, press the Delete key, and then click Yes to confirm sending items to the Recycle Bin.
You can do this for all user profiles.

Still in safe mode:

Click Start>Run then type %temp%

Hit OK. Delete all the files you can.



Click Start>Run then type %windir%\temp

Hit OK. Delete all the files you can.

Empty your Temp folders. Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
------------------------------------------------------
Reboot normally. We will use ComboFix. There is a guide to read first. Read the guide, download ComboFix to your desktop, disable your AV as explained in the guide, double click the ComboFix icon and follow the prompts. Post the ComboFix log in reply.

the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How Can I Reduce My Risk to Malware?
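Added illustration, not part of the thread and not a tool from the site: a small Python triage of a DDS log in the format posted in #1. It splits the log into its `=====` sections and flags two things a helper scans for: a service/driver whose image path sits under a user Temp directory (which is why the reply above sends the poster to clean those folders; a legitimately installed driver does not normally live there) and BHO/toolbar entries that resolve to "No File". The sample log is constructed from a few lines of the posted log; the function names are this example's own.

```python
import re

# Constructed sample in DDS layout; the driver and "No File" lines are copied
# from the log in post #1, the rest of that log is omitted for brevity.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-28 327688]
S3 asbp2poa;asbp2poa;\??\c:\docume~1\jasonl~1\locals~1\temp\asbp2poa.sys --> c:\docume~1\jasonl~1\locals~1\temp\asbp2poa.sys [?]

============= FINISH: 16:52:18.32 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")   # "===== Name =====" banner
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # path component "\temp\"


def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]}."""
    sections, current = {}, "HEADER"
    for line in text.splitlines():
        banner = SECTION_RE.match(line.strip())
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def triage(text):
    """Return (kind, entry, detail) tuples for entries worth a second look."""
    findings = []
    sections = parse_sections(text)
    # Driver lines: "<start code> <name>;<display name>;<image path> [date size]"
    for line in sections.get("SERVICES / DRIVERS", []):
        parts = line.split(";", 2)
        if len(parts) == 3 and TEMP_RE.search(parts[2]):
            start_code, name = parts[0].split(None, 1)
            findings.append(("driver-in-temp", name, start_code))
    # HJT-style lines: "BHO: <name>: {clsid} - <path>" or "TB: {clsid} - No File"
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith(" - No File"):
            entry_type, rest = line.split(":", 1)
            detail = rest[: -len(" - No File")].strip()
            findings.append(("orphaned-entry", entry_type, detail))
    return findings
```

Running `triage(SAMPLE_LOG)` reports the Temp-resident driver with its start code and the two orphaned CLSIDs; the AVG driver and the Adobe BHO are not flagged.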




