Jump to content


Photo

lots of MAILER-DAEMON emails


  • This topic is locked This topic is locked
10 replies to this topic

#1 emailisfun

emailisfun

    Member

  • Full Member
  • Pip
  • 38 posts

Posted 22 December 2007 - 05:41 PM

I have Win XP. I use Yahoo for email.

Lately I have been getting lots of email from MAILER-DAEMON saying 'delivery failure'. When I open the email, it says the email I tried to send was undeliverable. The emails are spam---things like canadian pharmacy or playing casinos. I didn't send these emails. Did someone hijack my email account?

Help.
I ran Ad-aware and Spybot. My hijack log is below.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:59 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Fmctrl.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
C:\Program Files\InterVideo\WinDVR\WinRemote.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\downloads\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [WINSCHEDULER] C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR\WinRemote.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Ruti"
O4 - HKCU\..\Run: [Iomega Automatic Backup Pro] "C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Family & Friends Reminders.LNK = C:\Program Files\Corel\Print House Magic 4 Premium\cffrem.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167269922872
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 6533 bytes

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,520 posts

Posted 25 December 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 shaferintl

shaferintl

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,445 posts

Posted 26 December 2007 - 09:56 PM

emailisfun,

Thanks for your patience. Our volunteers are very busy. Your log indicates that you have Malware on your system. Let's get started.

Please download Combofix by sUBs. Or, you may download it from here. Place it on your Desktop.

Perform the Combofix scan, as follows:
  • Open notepad and copy/paste the text in the box below into it (all except the word CODE):

    http://forums.spywareinfo.com/index.php?s=&showtopic=110469&view=findpost&p=604421
    FileLook::
    C:\WINDOWS\system32\SysTray.Exe
    
    Suspect::
    C:\WINDOWS\system32\SysTray.Exe
  • Save this as CFScript
  • Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    Posted Image
  • ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

Please post the Combofix log and a new HijackThis log in your next reply. Please also say how your computer is running now. :)

Edited by shaferintl, 26 December 2007 - 10:03 PM.

shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#4 emailisfun

emailisfun

    Member

  • Full Member
  • Pip
  • 38 posts

Posted 27 December 2007 - 10:29 PM

Thank you for writing! I have followed your instructions.

My 2 logs are below:

My ComboFix.txt log file is:
ComboFix 07-12-28.1 - Ruti 2007-12-27 22:03:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.610 [GMT -5:00]
Running from: C:\Documents and Settings\Ruti\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ruti\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\sfsync02.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-26 17:17 . 2007-12-27 09:50 <DIR> d-------- C:\Program Files\Google
2007-12-25 21:53 . 2007-12-25 21:53 <DIR> d-------- C:\Program Files\DVDFab HD Decrypter 4
2007-12-25 19:42 . 2007-12-25 19:42 <DIR> d-------- C:\Program Files\MSBuild
2007-12-25 19:38 . 2007-12-25 19:38 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-25 19:37 . 2007-12-25 19:37 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-25 19:36 . 2007-12-25 19:36 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-25 19:36 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-12-25 19:26 . 2006-11-13 01:02 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-12-25 19:26 . 2006-11-13 01:02 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-12-25 19:26 . 2006-11-13 01:02 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-12-25 19:15 . 2007-12-25 19:15 <DIR> d-------- C:\Program Files\Netflix
2007-12-22 17:34 . 2007-12-22 17:46 <DIR> d-------- C:\downloads
2007-12-22 00:24 . 2007-12-22 00:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 10:04 . 2007-12-07 10:04 2,611,451 --a------ C:\MOV04605.MPG
2007-12-07 09:21 . 2007-12-07 09:21 832,347 --a------ C:\moseley.jpg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 00:35 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-20 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-19 02:35 --------- d-----w C:\Program Files\McAfee
2007-11-28 01:45 --------- d-----w C:\Documents and Settings\Hans\Application Data\Roxio
2007-11-24 04:11 --------- d-----w C:\Documents and Settings\Ruti\Application Data\RipIt4Me
2007-11-16 13:21 --------- d-----w C:\Program Files\Common Files\McAfee
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 01:46 --------- d-----w C:\Program Files\XviD
2007-11-11 01:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-11 01:35 --------- d-----w C:\Program Files\Ubisoft
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2003-08-27 19:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- C:\WINDOWS\system32\SysTray.Exe ----

Company: Microsoft Corporation
File Description: Systray .exe stub
File Version: 5.1.2600.0 (xpclient.010817-1148)
Product Name: Microsoftr Windowsr Operating System
Copyright: c Microsoft Corporation. All rights reserved.
Original file name: systray.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iomega Automatic Backup Pro"="C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" [2004-12-03 11:10]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 17:33 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 07:22 C:\WINDOWS\soundman.exe]
"SystemTray"="SysTray.Exe" [2006-02-28 07:00 C:\WINDOWS\system32\systray.exe]
"FmctrlTray"="Fmctrl.EXE" [2001-08-20 08:47 C:\WINDOWS\system32\fmctrl.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01]
"Profiler"="C:\Program Files\Saitek\Software\Profiler.exe" [2005-06-14 15:23]
"SaiMfd"="C:\Program Files\Saitek\Software\SaiMfd.exe" [2005-06-17 19:02]
"WINSCHEDULER"="C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE" [2003-09-03 18:49]
"WinRemote"="C:\Program Files\InterVideo\WinDVR\WinRemote.exe" [2003-09-03 18:57]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-03-08 21:13]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20]
"CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 13:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-04 11:59]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"washindex"="C:\Program Files\Washer\washidx.exe" [2001-04-02 18:32]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-12-04 18:55:06]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 IABFilt;Iomega Snapshot Volume Filter;C:\WINDOWS\system32\DRIVERS\IABFilt.sys [2004-11-04 16:11]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-22 22:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-22 22:39]
R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 01:23]
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys [2003-12-19 02:00]
R1 UDFReadr;UDFReadr;C:\WINDOWS\system32\drivers\UDFReadr.sys [2005-03-08 20:54]
R2 Cap7134;TV Capture Card WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2004-11-19 03:57]
R3 PhTVTune;TV Capture Card WDM TV Tuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2004-11-19 03:57]
S3 gameport;FM801 PCI Joystick;C:\WINDOWS\system32\DRIVERS\fmjoy.sys [2001-11-01 21:49]
S3 iteio;iteio;C:\WINDOWS\system32\drivers\iteio.sys [1999-08-30 19:49]
S3 wdm_fm801;FM801 PCI Audio (WDM);C:\WINDOWS\system32\drivers\fm801.sys [2001-11-02 01:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa30769c-cf50-11db-a5a8-0019212b9111}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-15 06:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-12-01 06:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 22:09:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Iomega Automatic Backup Pro = "C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s?????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-27 22:10:41 - machine was rebooted
.
2007-12-27 03:21:54 --- E O F ---



My new Hijack this log is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:53 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Fmctrl.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
C:\Program Files\InterVideo\WinDVR\WinRemote.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\downloads\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [WINSCHEDULER] C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR\WinRemote.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Ruti"
O4 - HKCU\..\Run: [Iomega Automatic Backup Pro] "C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167269922872
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 6251 bytes

I don't know how the computer is running yet--I just followed the instrutions a few minutes ago. I'll have to wait a few days and see if I get any more Undeliverable emails to my Yahoo account.

Thanks!!

Edited by emailisfun, 27 December 2007 - 10:30 PM.


#5 shaferintl

shaferintl

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,445 posts

Posted 28 December 2007 - 08:53 AM

emailisfun,

Thanks for the logs and information. Looking very good! :thumbsup:

Please download OTMoveIt
  • Double click OTMoveIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.

Download Dr.Web CureIt to the desktop. Do not execute it.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode at the top, on the screen that appears. Sign in with your normal user account.

Run Dr.Web CureIt as follows:
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.cvs report.
Please run an online scan to be sure we've left nothing behind!

Run a BitDefender Online scan Here and post the results.

Please post the DrWeb.csv report, the BitDefender Scan Report, and a new HijackThis log in your next reply. Please also say how your computer is running now. :)
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#6 emailisfun

emailisfun

    Member

  • Full Member
  • Pip
  • 38 posts

Posted 29 December 2007 - 12:06 AM

Thank you once again for writing! I have followed your instructions and my 3 logs are below:

DrWeb.csv log:
A0030474.exe;C:\System Volume Information\_restore{A9734579-C031-4A04-917A-4FBBAA1DD174}\RP251;Probably BACKDOOR.Trojan;Incurable.Moved.;


BitDefender report
BitDefender Online Scanner
Scan report generated at: Fri, Dec 28, 2007 - 23:58:05
Scan path: A:\;C:\;D:\;E:\;
Statistics
Time
01:02:47
Files
215507
Folders
6253
Boot Sectors
2
Archives
1479
Packed Files
25108
Results
Identified Viruses
0
Infected Files
0
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
0
Engines Info
Virus Definitions
884650
Engine build
AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins
14
Archive plugins
38
Unpack plugins
7
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
No virus found.


HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:20 AM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Fmctrl.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
C:\Program Files\InterVideo\WinDVR\WinRemote.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\downloads\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\Software\SaiMfd.exe
O4 - HKLM\..\Run: [WINSCHEDULER] C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
O4 - HKLM\..\Run: [WinRemote] "C:\Program Files\InterVideo\WinDVR\WinRemote.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Ruti"
O4 - HKCU\..\Run: [Iomega Automatic Backup Pro] "C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1167269922872
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 6629 bytes


I checked my emails today and had 8 Undeliverable emails, which is still kind of alot...

Edited by emailisfun, 29 December 2007 - 12:20 AM.


#7 shaferintl

shaferintl

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,445 posts

Posted 29 December 2007 - 08:59 AM

emailisfun,

Thanks for the post. Your system appears to be clean!! :thumbsup: :thumbsup:

I checked my emails today and had 8 Undeliverable emails, which is still kind of alot...

OK, let's dig a little deeper into this...

First of all, make sure that McAfee is scanning your outgoing email. Do this:
  • Right click on "M" icon.
  • Select VirusScan>Options.
  • Click on the Advanced button & go to the Email Scan tab.
  • Check the option to "Outbound email Scan" & click on Ok.
  • Close the VirusScan Options windows by clicking Ok on that.
If not identical to this it should at least be vaguely similar...

Are you using Outlook Express? Or Outlook?

Sometimes, spammers will disguise their spam as returned emails to get you to open them and click on a link. Do not click on any links embedded in these emails.

If your Outlook has been Hijacked, there should be evidence of the outgoing emails. To determine if the emails are originating from your system, do the following:
  • Open Outlook Express.
  • Click on the Sent Items folder.
  • Visually scan the list and try to locate a sent email for each undeliverable. The date and time stamp should match. Also, the subject of the underliverable.
Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply.

Let me know what you find about the sent emails by posting here. Please post the Kaspersky scan results in your next reply. Please also say how your computer is running now. :)
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#8 emailisfun

emailisfun

    Member

  • Full Member
  • Pip
  • 38 posts

Posted 30 December 2007 - 12:43 PM

thanks again for taking the time to help me. i really appreciate it.

For McAfee, under Email and IM configuration, it says:
E-mail protection is enabled.
On: E-mail messages and attachments are scanned.
But isn't email protection ony for Outlook, not for Yahoo? Does Mcafee scan my Yahoo emails?

I have Mcafee Security Center with Virus and Firewall protection.


I don't use Outook or Outlook Express on this computer.


My Kaspersky log is below:-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 30, 2007 12:34:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/12/2007
Kaspersky Anti-Virus database records: 500302
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 81682
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:32:36

Infected Object Name / Virus Name / Last Action
C:50b5110d516f0397\%temp%dd_msxml_retMSI.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{7F9A8787-B90B-4C2D-924D-D22782121A1D}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys669b246a19163192219d37cdbaee7fa_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3149342fc534209e967870196e8b0a42_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3531a740e249ba58cbfba7af4c630e80_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\53fa8cc55d3138f8c8f51823e7624204_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6f8515f8c119eace30aed50267f71213_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\712c6cf1b22e86dc1e2d4a7460753a86_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\73c9423ed45937ebbee45649b4036052_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7987f38c53707b74b49f651459df14fa_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8a0323d2568e6cea56441e99ed6d882c_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8f70630924f0c7cb1367806c065a8255_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\911212d9f20e6c0dd1896924570ab9f0_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a2704ac8b0907ac7fd6401cc8ae32204_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ae9f8bfc43b09ae3c9566318481d9828_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b320ca0e82e2c910419c957659d98a99_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c60c81c2d4b6bb7f53300ad4a5c21758_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d26d6d9eff08c5fed9980c9dbca8e7a2_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fe5d337d1bda13a482a1d20a4b394c5e_27cf24b1-ab2a-4b05-b0b7-cebcdfe76379 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Hans\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Hans\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Hans\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Hans\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hans\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hans\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Hans\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A9734579-C031-4A04-917A-4FBBAA1DD174}\RP324\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4A9A1C16-FC73-44BB-9899-8B4B37470AF5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_b6YjfdDKFJARSza Object is locked skipped
C:\WINDOWS\Temp\mcmsc_EJOX7ca86bRkVTe Object is locked skipped
C:\WINDOWS\Temp\mcmsc_obiku3ulMzSugeE Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Today I only had one undeliverable email, so things are getting better.
Thanks again!

#9 shaferintl

shaferintl

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,445 posts

Posted 30 December 2007 - 07:24 PM

emailisfun,

Thanks for the post. Your system appears to be clean!! :thumbsup: :thumbsup:

But isn't email protection ony for Outlook, not for Yahoo? Does Mcafee scan my Yahoo emails?

I missed the fact that your problem was with Yahoo mail. Sorry :whistle:

Today I only had one undeliverable email, so things are getting better.

Great news! :thumbsup:

OK, so you are using Yahoo mail. That is a web-based email engine. You have to logon to the Yahoo email site to use it... correct? That being the case, there is nothing about your computer that could affect the undeliverable emails. It is something you would need to address with Yahoo.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we at SWI are to help you, for your sake we would rather not have repeat customers. :p

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

1) First and foremost, you should maintain your firewall. It is the primary way to keep out malware. A tutorial on understanding and using firewalls may be found here.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware
I see you use Ad-aware. A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

4) Also make sure to run your antivirus software, perform scans regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! If I've missed something on your email problem, let me know. I'll leave this open a few days. Good luck. :D
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#10 emailisfun

emailisfun

    Member

  • Full Member
  • Pip
  • 38 posts

Posted 31 December 2007 - 02:34 PM

thank you once again for all your help. i really appreciate it. and thanks for the helpful links. i will read them and make sure my computer is protected.

today i got zero undeliverable emails!

you're the best.

Happy new year!

#11 shaferintl

shaferintl

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,445 posts

Posted 31 December 2007 - 02:54 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Happy new year!
shaferintl

Links to Free Tools I Use:
AVG Antivirus ... Adaware ... Spybot S&D ...
Spyware Blaster ... Zone Alarm Firewall ...
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button