
OE-6 virus

1828 Views 14 Replies 3 Participants Last post by  putasolution
I am running IE 6, Win 98, Outlook Express 6, Sygate firewall and NAV, with all the definitions updated.

I am getting messages in my email saying I have sent emails with viruses
to other people. I have not sent any email to the people they reference.

I ran my NAV scan and it showed no virus. I ran Housecall and it showed no virus. I ran RAV and it showed 3 infected files and 2 viruses in email and cleaned them.

Today I got the same type message in my email that I had sent email with viruses to people I had never sent email to. I ran RAV again and they gave me the same 3 infected files and 2 viruses in email but would not clean.
NAV still does not detect anything.

I tried running Panda but it would not load the definitions.

I must have a worm or a trojan but NAV is my anti virus and is not detecting.

I need help on getting rid of this and advice on what to use to keep from getting it again.

Many thanks...
Hey there ;)

How about a HijackThis log?

I get a rash of those emails too, sometimes they aren't for real.......
Thanks Candy, here it is:

Logfile of HijackThis v1.97.7
Scan saved at 4:03:01 PM, on 4/6/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\AUTOSIZER\AUTOSIZER.EXE
C:\PROGRAM FILES\VENTURI2\CONFIGURATOR\VENTCFG.EXE
C:\PROGRAM FILES\VENTURI2\CLIENT\VENTC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [TelePath] C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKCU\..\Run: [AutoSizer] "C:\PROGRAM FILES\AUTOSIZER\AUTOSIZER.EXE" /h
O4 - Startup: Venturi 2.lnk = C:\Program Files\Venturi2\Configurator\ventcfg.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37873.7984953704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Sounds suspiciously like someone who has you in their address book has the Netsky virus, but it isn't you :D

Your HijackThis log looks clean apart from one aspect, and that is that your Winsock is damaged.

Go to this page, download and run LSPFix.

Click the box that says I know what I am doing and then click B

Restart your computer and post a fresh HijackThis log when done.
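An added example, not code from the thread or from HijackThis itself: a small Python parser that pulls the R/O entries out of a HijackThis log, flags the O10 broken-LSP entry PAS is pointing at plus any O16 ActiveX download from a host other than the online scanners used in this thread, and diffs two logs so the effect of LSPFix is visible. The log excerpts are constructed from the two logs posted above and trimmed to the lines needed; the list of expected O16 hosts is an assumption taken from those same logs.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the first log posted above (header and process lines kept
# to show they are skipped). Backslashes are literal, hence the raw string.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O10 - Broken Internet access because of LSP provider 'vlsp.dll' missing
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

# The second log posted after LSPFix differs only in that the O10 line is gone.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if not l.startswith("O10"))

# HijackThis entry lines look like "O4 - HKLM\..\Run: [...] ..." or "R1 - ...".
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<detail>.+)$")

# Assumption: hosts the scanners used in this thread load their ActiveX controls from.
KNOWN_DPF_HOSTS = {
    "v4.windowsupdate.microsoft.com", "download.macromedia.com",
    "www.ravantivirus.com", "a840.g.akamai.net", "www.pandasoftware.com",
}


def parse_hjt(log: str):
    """Return (section, detail) pairs; header and 'Running processes' lines carry
    no 'Oxx - ' prefix and are skipped."""
    entries = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("detail")))
    return entries


def flag_entries(entries):
    """Flag the two entry types worth a second look in this thread: a damaged
    Winsock LSP chain (O10) and ActiveX downloads (O16) from an unexpected host."""
    flags = []
    for section, detail in entries:
        if section == "O10":
            flags.append((section, "Winsock LSP chain damaged: " + detail))
        elif section == "O16":
            m = re.search(r"https?://\S+", detail)
            host = urlparse(m.group(0)).hostname if m else None
            if host not in KNOWN_DPF_HOSTS:
                flags.append((section, f"ActiveX download from unexpected host {host!r}: " + detail))
    return flags


def diff_logs(before: str, after: str):
    """Entries removed from and added to the log between two scans."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for sec, why in flag_entries(parse_hjt(LOG_BEFORE)):
        print(f"[{sec}] {why}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed after LSPFix:", removed)
    print("added after LSPFix:", added)
```

The diff is the useful part in practice: a clean second log is easy to eyeball for one O10 line, but for a log with dozens of O4 and O16 entries the set difference is what tells you a fix did exactly what was asked and nothing else.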
Thanks PAS, you are in good hands skyman......

Not a log guru......had to beckon help :)
Nor am I, still loads to learn, .....but I'm getting there :D
The message I got in my email was:

Symantec mail security detected that you sent a message with an unscannable attachment or body.

Subject: Re: Details
Recipient: Paul Barnside

This message came from:

[email protected]

Here is my new log:

Logfile of HijackThis v1.97.7
Scan saved at 4:34:05 PM, on 4/6/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\AUTOSIZER\AUTOSIZER.EXE
C:\PROGRAM FILES\VENTURI2\CONFIGURATOR\VENTCFG.EXE
C:\PROGRAM FILES\VENTURI2\CLIENT\VENTC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [TelePath] C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKCU\..\Run: [AutoSizer] "C:\PROGRAM FILES\AUTOSIZER\AUTOSIZER.EXE" /h
O4 - Startup: Venturi 2.lnk = C:\Program Files\Venturi2\Configurator\ventcfg.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37873.7984953704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
That looks clean. :D It isn't you that has the virus, though remember not to open any of those that you receive.
Scanned
============================
Objects: 11874
Directories: 766
Archives: 367
Size(Kb): -2046758
Infected files: 3

Found
============================
Viruses found: 2
Suspicious files: 1
Disinfected files: 0
Mail files: 254


Scanned
============================
Objects: 143
Directories: 766
Archives: 34
Size(Kb): 8615
Infected files: 3

Found
============================
Viruses found: 2
Suspicious files: 0
Disinfected files: 0
Mail files: 203



This is what the RAV antivirus program showed on its scan of my files and email.

What does this mean...
Are your email messages from RAV antivirus as well? Because I had about 30 when I returned from being away for 12 days.
-----------------------
This e-mail is generated by the delta.acabtu.com.mx mail server to warn you that the e-mail
having the subject: <Re: Your document> is infected.
The infected mail was sent by [email protected] to [email protected], .

Info for the sender:
-------------------
The scanned e-mail has your address in the From: header field. Either your
computer is infected or someone's computer that has your e-mail address
in the address book has been infected.

(Please note that some viruses are sending e-mails directly from your computer.
Our advice is to check your computer using an up-to-date antivirus product).

Info for the receiver:
---------------------
Please contact the sender: very probably he doesn't know he has a computer virus.

Actions taken for the infected files:
-------------------------------------

The file (part0002:your_document.pif) attached to mail (with subject:Re: Your document) sent by [email protected] to [email protected],
is infected with virus: Win32/[email protected]
Cannot clean this file.
The mail was not delivered because it contained dangerous code.

------------------------
this is a copy of the e-mail header:

Copyright (c) since 1995 GeCAD The Software Company. All rights reserved.
Registered version for 14 domain(s).
Running on host: delta.acabtu.com.mx

Scan engine 8.11 for i386.
Last update: Mon, 22 Mar 2004 13:35:10 -06
Scanning for 92816 malwares (viruses, trojans and worms).

You can download a free 30-days evaluation version of RAV AntiVirus v8
(yet fully functional) from:

http://www.ravantivirus.com

Kind of like that ;)
No, they are not...

"Dumbfounded"...
As I said you haven't got the virus

The virus works something like this:

You = A

Friend = B

Friend of a friend = C

Both A & C are in B's address book
B contracts Netsky virus

Netsky searches B's Address book and finds A & C's address

Netsky sends virus from B to C using A's address in the senders field

C's mail server's antivirus picks up the virus and bounces the email back to A, as IT thinks that A is the one who sent the email.

A gets confused, as you don't know C.

B does know C, but does not know that he/she has Netsky.
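The A/B/C exchange above, as an added example that is not part of the original post: a few lines of Python model a Netsky-style worm on B that harvests both the To: and the forged From: from B's address book, and a receiving mail gateway that (like the RAV notice quoted earlier in the thread) blocks the .pif attachment and "warns the sender" at the forged From: address. The result is that A, who is not infected and never sent anything, is the one holding the bounces. The addresses, the address book and the gateway's notice text are constructed for the example; `is_backscatter` is a triage helper of my own, not something from the thread.

```python
from collections import defaultdict

# Constructed addresses: A is the original poster, B the infected friend,
# C the friend-of-a-friend whom A does not know.
A, B, C = "a@example.com", "b@example.com", "c@example.com"


def worm_sends(origin, address_book):
    """Every message a Netsky-style worm on `origin` produces in one pass over the
    victim's address book. To: and the forged From: are both harvested
    addresses, so no header names the machine that is actually infected."""
    msgs = []
    for to in address_book:
        for spoofed_from in address_book:
            if spoofed_from != to:
                msgs.append({"origin": origin, "from": spoofed_from, "to": to,
                             "subject": "Re: Your document",
                             "attachment": "your_document.pif"})
    return msgs


def gateway_scan(msg, bounces):
    """The recipient's mail gateway detects the dangerous attachment, refuses
    delivery and writes a warning to the From: address, i.e. to the spoofed
    sender, not the origin. Returns True only if the message is delivered."""
    if msg["attachment"].lower().endswith((".pif", ".scr", ".exe")):
        bounces[msg["from"]].append(
            f"mail having the subject <{msg['subject']}> sent by {msg['from']} "
            f"to {msg['to']} is infected; cannot clean {msg['attachment']}")
        return False
    return True


def simulate():
    """B is infected; B's address book holds A and C (not B itself)."""
    infected = {B}
    bounces = defaultdict(list)
    for msg in worm_sends(B, [A, C]):
        gateway_scan(msg, bounces)
    return infected, dict(bounces)


def is_backscatter(notice_recipient, sent_to):
    """Quick triage of a 'you sent a virus' notice: if the recipient it names is
    nobody you ever mailed (sent_to = addresses in your Sent items), the From:
    was forged on someone else's machine. Only a hint: a worm on your own box
    also bypasses the mail client, so a clean scan is still the real test."""
    return notice_recipient not in set(sent_to)


if __name__ == "__main__":
    infected, bounces = simulate()
    for addr, notices in bounces.items():
        tag = "INFECTED" if addr in infected else "clean"
        print(f"{addr} ({tag}) received {len(notices)} bounce(s):")
        for n in notices:
            print("   ", n)
```

Running it shows B, the only infected host, receives no bounce at all, while A and C each get one. That is also why the advice in the thread is the right one: the notices tell you whose address book you are in, not whose machine is infected, and the scan and HijackThis log are what clear your own box.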
Thanks for all your help. Your explanation explained this perfectly. I understand that this is about the 10th variant in this worm.

I sent the information to everyone who I receive regular email from and so far 3 of them have found that they have the virus and have gotten rid of it.

Again, thanks...
You're welcome! I just wish people would use the AVs they install on their systems.