
Norton Email Errors


38 replies to this topic

#1 kturner821 (Members, 22 posts)

Posted 14 December 2013 - 01:42 PM

I am getting multiple pop ups from Norton saying I have email errors. They are clearly spam messages that somehow come back as being sent from my IP address. We checked all our email accounts, and there are no sent messages from those accounts. I ran Norton, and they found one Trojan, but I was still getting messages. Ran Malware Bytes - so far no new messages, but I want to make sure I am clean.


#2 kturner821 (Topic Starter, Members, 22 posts)

Posted 14 December 2013 - 02:12 PM

To update - The pop-ups started again. We are running Windows XP. The errors are different. Some state that the message could not be sent because the internet connection was interrupted. The most recent one says 554 Sender-Verify detected from your I.P. (Address) Please visit http//postmaster.free.fr.

Others say 550 5.7.1 The IP you're using is not authorized to..

A lot of the messages appear to be from Club Casino sent to a bunch of different people - none from our address lists. Others are spam for viagra etc.

This is crazy and I need to get this cleaned up. I am afraid to visit my bank account or order any Christmas gifts in case I am compromised.



#3 Broni (The Coolest BC Computer, BC Advisor, 42,735 posts, Daly City, CA)

Posted 14 December 2013 - 03:17 PM

Welcome aboard

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Download Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt


Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click the donate button.


 


#4 kturner821 (Topic Starter, Members, 22 posts)

Posted 14 December 2013 - 03:43 PM

I need to do ALL of these?  BTW - ran updated Malwarebytes already - do you just want to see the log?



#5 kturner821 (Topic Starter, Members, 22 posts)

Posted 14 December 2013 - 03:47 PM

 Results of screen317's Security Check version 0.99.77  
 Windows XP Service Pack 3 x86 (UAC is disabled!)  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
Norton AntiVirus   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 Java 7 Update 45  
 Adobe Flash Player     11.9.900.170  
 Adobe Reader 7 Adobe Reader out of Date!
 Mozilla Firefox (25.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Norton AntiVirus Engine 21.1.0.18 NAV.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 7%
````````````````````End of Log``````````````````````
 

 

 

Farbar Service Scanner Version: 05-12-2013
Ran by Turner Family (administrator) on 14-12-2013 at 15:49:02
Running from "C:\Documents and Settings\Turner Family\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) SYMTDI(11) Tcpip(3)
0x0B000000040000000100000002000000030000000B0000000A0000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.14.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Turner Family :: YOUR-8B29F33809 [administrator]

12/14/2013 9:16:47 AM
mbam-log-2013-12-14 (09-16-47).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 440684
Time elapsed: 3 hour(s), 52 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Documents and Settings\Turner Family\Desktop\Ken\Downloads\avi.codec.pack.pro.v2.4.0.setup.exe (PUP.Dealio.TB) -> Quarantined and deleted successfully.
C:\Documents and Settings\Turner Family\Desktop\Ken\Downloads\ezguitartabs_1336.exe (PUP.Optional.InstallIQ.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Turner Family\Desktop\Ken\Downloads\winzip155.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Turner Family\Desktop\Ken\Downloads\videora-ipod-600-setup.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Turner Family\Local Settings\temp\Doma\DownQuick_165\OfferBrokerage_14003.exe (PUP.Optional.InstallIQ) -> Quarantined and deleted successfully.
C:\Documents and Settings\Turner Family\Local Settings\temp\Doma\DownQuick_165\software\OptimizerPro.exe (PUP.Optional.OptimizePro.A) -> Quarantined and deleted successfully.

(end)
 


Edited by kturner821, 14 December 2013 - 03:55 PM.
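The FSS log above shows three services (sharedaccess, wscsvc, wuauserv) stopped and set to Disabled where the default is Auto, which is also why Security Check reports "Windows Security Center service is not running!". The Python script below is an added example, not part of FSS, Security Check or BleepingComputer: it pairs FSS's "Service is not running" lines with the start-type lines that follow them, flags the security services whose start type no longer matches the default, records whether FSS could open the LEGACY_ key, and lists the `sc config` commands that would restore the default start type. The embedded sample log is reconstructed from the FSS output posted in this thread; the SECURITY_SERVICES table and its descriptions are my own.

```python
"""Triage a Farbar Service Scanner (FSS) log for tampered security services.

Added example, not part of FSS or BleepingComputer. FSS prints a
"<svc> Service is not running" line followed by the current and default start
type; this script pairs them up and flags the security services whose start
type no longer matches the default.
"""
import re
from dataclasses import dataclass

# Services malware commonly disables to blind the user.
# Assumption: my own list and descriptions, not an FSS table.
SECURITY_SERVICES = {
    "sharedaccess": "Windows Firewall / Internet Connection Sharing (XP)",
    "mpssvc": "Windows Firewall (Vista and later)",
    "wscsvc": "Security Center",
    "wuauserv": "Automatic Updates",
    "bits": "Background Intelligent Transfer Service",
}

# FSS wording -> value accepted by "sc config <svc> start= <value>"
SC_START_VALUES = {"Auto": "auto", "Manual": "demand", "Disabled": "disabled"}

NOT_RUNNING_RE = re.compile(r"^(?P<svc>\w+) Service is not running\.")
START_TYPE_RE = re.compile(
    r"^The start type of (?P<svc>\w+) service is set to (?P<cur>\w+)\. "
    r"The default start type is (?P<default>\w+)\.$"
)
LEGACY_RE = re.compile(r"Unable to open LEGACY_(?P<svc>\w+)\\0000 registry key")

# Sample log: constructed from the FSS output posted in this thread.
SAMPLE_FSS_LOG = r"""
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
Checking LEGACY_sharedaccess: ATTENTION!=====> Unable to open LEGACY_sharedaccess\0000 registry key. The key does not exist.

Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
"""


@dataclass
class ServiceFinding:
    name: str
    description: str
    current_start: str
    default_start: str
    legacy_key_missing: bool = False


def parse_fss_services(log_text: str) -> list[ServiceFinding]:
    """Return one finding per stopped service whose start type differs from its default."""
    stopped: set[str] = set()
    findings: dict[str, ServiceFinding] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = NOT_RUNNING_RE.match(line)
        if m:
            stopped.add(m.group("svc").lower())
            continue
        m = START_TYPE_RE.match(line)
        if m:
            svc = m.group("svc").lower()
            if svc in stopped and m.group("cur") != m.group("default"):
                findings[svc] = ServiceFinding(
                    svc, SECURITY_SERVICES.get(svc, "unknown service"),
                    m.group("cur"), m.group("default"))
            continue
        m = LEGACY_RE.search(line)
        if m and m.group("svc").lower() in findings:
            findings[m.group("svc").lower()].legacy_key_missing = True
    return list(findings.values())


def restore_commands(findings: list[ServiceFinding]) -> list[str]:
    """sc.exe commands that would put each service back to its default start type."""
    return [f"sc config {f.name} start= {SC_START_VALUES[f.default_start]}" for f in findings]


if __name__ == "__main__":
    for f in parse_fss_services(SAMPLE_FSS_LOG):
        print(f"{f.name:14} {f.current_start:9} (default {f.default_start})"
              f"  legacy key missing: {f.legacy_key_missing}  - {f.description}")
    print("\n".join(restore_commands(parse_fss_services(SAMPLE_FSS_LOG))))
```

The script only prints the `sc config` commands for review; on an infected machine the services are usually re-enabled only after the malware itself is removed, since whatever disabled them can disable them again.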


#6 kturner821 (Topic Starter, Members, 22 posts)

Posted 14 December 2013 - 05:34 PM

Ran mbar - 1st time totally froze for over an hour.  Restarted computer - re-ran it.  Caused more problems.  Couldn't get on internet.  Ran chkdsk and fixed that.  Now Norton will not start at all, but am assuming once we fix all this, it will work again. 

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1008
www.malwarebytes.org

Database version: v2013.12.14.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Turner Family :: YOUR-8B29F33809 [administrator]

12/14/2013 4:56:11 PM
mbar-log-2013-12-14 (16-56-11).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 234868
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|46912 (Trojan.Inject.RRE) -> Data: c:\docume~1\alluse~1\msuyrfoj.exe -> No action taken.

Registry Data Items Detected: 6
HKCR\exefile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> No action taken.
HKCR\batfile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> No action taken.
HKCR\comfile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> No action taken.
HKCR\piffile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> No action taken.
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: ("%1" /S) -> No action taken.
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: (regedit.exe "%1") -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\All Users\msuyrfoj.exe (Trojan.Inject.RRE) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

 

And the last one...

Rkill 2.6.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/14/2013 05:31:52 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]

Checking Windows Service Integrity:

 * wscsvc (wscsvc) is not Running.
   Startup Type set to: Disabled

 * Automatic Updates (wuauserv) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 12/14/2013 05:33:14 PM
Execution time: 0 hours(s), 1 minute(s), and 21 seconds(s)
 

Note - It never told me to reboot....

 

 

Thank you, my friend.  Anxiously waiting your guidance! :-)


Edited by kturner821, 14 December 2013 - 05:37 PM.
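The MBAR log in this post reports eight detections that were deliberately left in place (the instructions say not to click Cleanup): an autostart value under Policies\Explorer\Run that launches msuyrfoj.exe, the same file on disk, and six emptied HKCR\...\shell\open\command values, which is what the Rkill line "Resetting .EXE, .COM, & .BAT associations" repairs. The Python parser below is an added example, not Malwarebytes' or Rkill's code: it lists the "No action taken" entries, checks each Broken.OpenCommand item against a table of known-good XP open commands, and ties the Run value to the file it points at by file name. The embedded sample log is reconstructed from this thread; the EXPECTED_OPEN_COMMANDS table is my own, filled from the "Good:" values MBAR prints.

```python
"""Triage a Malwarebytes Anti-Rootkit (MBAR) log.

Added example, not Malwarebytes' own code. Lists detections MBAR left in place
("No action taken"), checks the file-type open commands it flagged as
Broken.OpenCommand against known-good XP defaults, and ties autostart entries
to the payload file they launch.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Known-good XP defaults for HKCR\<type>\shell\open\command.
# Assumption: my own table, taken from the "Good:" values in the log below.
EXPECTED_OPEN_COMMANDS = {
    "exefile": '"%1" %*',
    "batfile": '"%1" %*',
    "comfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
    "regfile": 'regedit.exe "%1"',
}

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<sig>[^()]+)\)"   # detected item and MBAR signature name
    r"(?: -> (?P<detail>.+?))?"             # optional "Data:" or "Bad:/Good:" detail
    r" -> (?P<action>[^>]+)\.$"             # what MBAR did about it
)
OPEN_CMD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*)\)")

# Sample log: constructed from the MBAR output posted in this thread.
SAMPLE_MBAR_LOG = r"""
Malwarebytes Anti-Rootkit BETA 1.07.0.1008
Scan type: Quick scan

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|46912 (Trojan.Inject.RRE) -> Data: c:\docume~1\alluse~1\msuyrfoj.exe -> No action taken.

Registry Data Items Detected: 6
HKCR\exefile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> No action taken.
HKCR\batfile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> No action taken.
HKCR\comfile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> No action taken.
HKCR\piffile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: ("%1" %*) -> No action taken.
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: ("%1" /S) -> No action taken.
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: () Good: (regedit.exe "%1") -> No action taken.

Files Detected: 1
C:\Documents and Settings\All Users\msuyrfoj.exe (Trojan.Inject.RRE) -> No action taken.
"""


@dataclass
class Detection:
    section: str
    item: str
    signature: str
    detail: Optional[str]
    action: str


def parse_mbar_log(text: str) -> list[Detection]:
    """Walk the "<Section> Detected: N" blocks and collect every detection line."""
    section = None
    out: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            out.append(Detection(section, m.group("item"), m.group("sig"),
                                 m.group("detail"), m.group("action")))
    return out


def unremediated(detections: list[Detection]) -> list[Detection]:
    """Detections MBAR reported but did not remove."""
    return [d for d in detections if d.action == "No action taken"]


def broken_open_commands(detections: list[Detection]) -> list[tuple]:
    """(filetype, current value, expected value, MBAR's Good matches expected)."""
    rows = []
    for d in detections:
        if d.signature != "Broken.OpenCommand" or not d.detail:
            continue
        m = OPEN_CMD_RE.search(d.detail)
        filetype = d.item.split("\\")[1]   # HKCR\exefile\shell\open\command| -> exefile
        expected = EXPECTED_OPEN_COMMANDS.get(filetype)
        rows.append((filetype, m.group("bad"), expected, m.group("good") == expected))
    return rows


def autostart_payloads(detections: list[Detection]) -> dict[str, list[str]]:
    """Map each payload file name to the autostart data and on-disk detections naming it."""
    seen: dict[str, list[str]] = {}
    for d in detections:
        path = None
        if d.detail and d.detail.startswith("Data: "):
            path = d.detail[len("Data: "):]       # short 8.3 path from the Run value
        elif d.section == "Files":
            path = d.item                         # full path of the file on disk
        if path:
            name = path.rsplit("\\", 1)[-1].lower()
            seen.setdefault(name, []).append(d.item)
    return seen


if __name__ == "__main__":
    dets = parse_mbar_log(SAMPLE_MBAR_LOG)
    for d in unremediated(dets):
        print(f"[{d.section}] {d.signature}: {d.item}")
    for filetype, bad, expected, ok in broken_open_commands(dets):
        print(f"{filetype}: current={bad!r} expected={expected!r} mbar_agrees={ok}")
    print(autostart_payloads(dets))
```

An empty `shell\open\command` for exefile, batfile and comfile means double-clicking any program either fails or is redirected through whatever the malware put there, which is why the file associations are reset before the autostart value and the file itself are removed by hand.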


#7 Broni (The Coolest BC Computer, BC Advisor, 42,735 posts, Daly City, CA)

Posted 14 December 2013 - 05:36 PM

Download Autoruns for Windows: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
No installation required.
Simply unzip Autoruns.zip file, and double click on autoruns.exe file to run the program.
Go File>Save, and save it as AutoRuns.txt file to know location.
You must select Text from drop-down menu as a file type:


Upload the file(s) here: http://www.sendspace.com/
Click on Browse button and navigate to the file you want to upload.
Click on Upload button.
Click on FIRST Copy Link button and paste the link in your next reply.




 


#8 kturner821 (Topic Starter, Members, 22 posts)

Posted 14 December 2013 - 06:12 PM

http://www.sendspace.com/file/3vm7al

 

Norton working - Had no pop ups for awhile - but they're back...


Edited by kturner821, 14 December 2013 - 06:29 PM.


#9 Broni (The Coolest BC Computer, BC Advisor, 42,735 posts, Daly City, CA)

Posted 14 December 2013 - 06:40 PM

You're still infected.

 

Re-run Autoruns, click on "Logon" tab.

 

Uncheck following entry:

 

+ "46912"

 

Restart computer.

Re-run Autoruns, right click on "46912" entry, click "Delete".

 

Open Windows Explorer and delete following file:

 

c:\documents and settings\all users\msuyrfoj.exe

 

Restart computer, re-run Autoruns and upload fresh log for my review.




 


#10 kturner821 (Topic Starter, Members, 22 posts)

Posted 14 December 2013 - 07:51 PM

Cannot find the file in explorer.  Ran a search and found it in C:\Windows\Prefetch and the program is called this:

 

MSUYRFOJ.EXE-29978500.pf

 

is that what I should delete?



#11 Broni (The Coolest BC Computer, BC Advisor, 42,735 posts, Daly City, CA)

Posted 14 December 2013 - 07:53 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE

  • Double-click SystemLook.exe to run it.
  • Vista users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:

:filefind
msuyrfoj.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



 


#12 kturner821 (Topic Starter, Members, 22 posts)

Posted 14 December 2013 - 08:49 PM

Systemlook won't run.  I get a script required error message. 



#13 Broni (The Coolest BC Computer, BC Advisor, 42,735 posts, Daly City, CA)

Posted 14 December 2013 - 08:50 PM

You're not reading my instructions carefully.

You didn't paste my script into the textfield.




 


#14 kturner821 (Topic Starter, Members, 22 posts)

Posted 14 December 2013 - 08:56 PM

Sorry.  So tired I'm losing it!

 

SystemLook 30.07.11 by jpshortstuff
Log created at 20:52 on 14/12/2013 by Turner Family
Administrator - Elevation successful

========== filefind ==========

Searching for "msuyrfoj.exe"
C:\Documents and Settings\All Users\msuyrfoj.exe    --ahs-- 98304 bytes    [09:23 17/06/2006]    [00:12 14/04/2008] 65AA62047A29B4DB82AB9F71BF9FD9D1

-= EOF =-

 

 

Looks like it's there but I couldn't find it...



#15 Broni (The Coolest BC Computer, BC Advisor, 42,735 posts, Daly City, CA)

Posted 14 December 2013 - 08:59 PM

That's because Documents and Settings is a hidden system folder.

 

Open Windows Explorer. Go Tools>Folder Options>View tab (Windows 8 users. Open File Manager. Go View>Options>Change folder and search options>View tab), put a checkmark next to Show hidden files, and folders, UN-check Hide protected operating system files.
NOTE. Make sure to reverse the above changes, when done with this step.
 

Now you should see it.

