
Registered · 312 Posts · Discussion Starter · #1
A couple of days ago, I started receiving hundreds, then thousands of emails that were primarily indications of failed outbound emails. When I dug into some of the copy, it appears that someone is either using my computer to send spam, or is sending spam... and making it appear as if it is coming from me. These emails do not appear in my Sent folder of Outlook. Road Runner technical believes it to be a virus or spyware, but neither EZ Armor nor Spybot Search & Destroy or Ad-Aware seem to be helping.

Below is a HijackThis log. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 7:57:45 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\lxbycoms.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MI1933~1\Office\OUTLOOK.EXE
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IexploreOmea - {09628AAA-66AD-4FA2-82E2-698185B66463} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LXBYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll,[email protected]
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

Retired Moderator · Retired Malware Specialist · 56,449 Posts
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

And as HJT is running from a temp directory, it needs changing.

Go here and download the 'Hijack This!' self-installer. Save it to the desktop or other suitable place. DO NOT just press Run from the website. Double-click on the file and it will install to C:\program files\hijackthis and create an entry in the Start menu and an optional shortcut on the desktop.
Click on the entry in the Start menu or on the desktop to run HijackThis.
 

Registered · 312 Posts · Discussion Starter · #4
I have followed the directions. Here are the log files:

SDFix: Version 1.57

Thu 01/11/2007 - 17:47:42.20

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode

Service Check:

Service Name:

File Path:

Starting Registry Repairs

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking Files:
--------------

C:\WINDOWS\SYSTEM32\LXBYCFG.EXE
C:\WINDOWS\SYSTEM32\LXBYCOMS.EXE
C:\WINDOWS\SYSTEM32\LXBYIH.EXE

Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe:*:Enabled:BackWeb for Pavilion"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1143657207\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1143657207\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1143657207\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1143657207\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\lxbycoms.exe"="C:\\WINDOWS\\system32\\lxbycoms.exe:*:Disabled:p910 Series Server"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\\iTunes\\iTunes.exe"="%ProgramFiles%\\iTunes\\iTunes.exe:*:enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Remaining files with hidden attributes:


Finished

Logfile of HijackThis v1.99.1
Scan saved at 6:01:16 PM, on 1/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IexploreOmea - {09628AAA-66AD-4FA2-82E2-698185B66463} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LXBYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBYtime.dll,[email protected]
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxby_device - Unknown owner - C:\WINDOWS\system32\lxbycoms.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

Retired Moderator · Retired Malware Specialist · 56,449 Posts
these shouldn't have been deleted by sdfix as they are lexmark printer files
C:\WINDOWS\SYSTEM32\LXBYCFG.EXE
C:\WINDOWS\SYSTEM32\LXBYCOMS.EXE
C:\WINDOWS\SYSTEM32\LXBYIH.EXE

Open the SDFix folder and find the backup zip.

Unzip it and copy those files.

Then open the C:\WINDOWS\system32 folder and paste the files you copied back into it.

Let us know how you get on.
 

Registered
Discussion Starter · #6 ·
Okay, I have copied the Lexmark files back. Since running the utilities, I have received about 250 returned email indications. This is less than before, but still more than usual. Not sure the problem is fixed. I plan to shut down this computer while at work today and check my email account via the web, to see if my machine is actually sending out these emails. Does that make sense? Any other next steps? And by the way, thank you for your continued help.
 

Retired Moderator Retired Malware Specialist
I am not sure it is your machine sending; it is more likely to be someone spoofing your email address, but it would be irresponsible of us not to check thoroughly.

  • Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Configure Scan Options"
  • Select "Run Add ONs" and then select ALL the options in the box below it, then press Apply
  • Now Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
    • Reboot back to Normal Mode!
    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Place those results in the next post. It will be too big to post inline, so you will need to attach it to your reply
 

Retired Moderator Retired Malware Specialist
Nothing showing there, so I'm pretty sure it is nothing on your computer but someone spoofing your address, so you get the bounces.
 

Retired Moderator Retired Malware Specialist
Just sit it out.

It happens to all of us from time to time.

I was getting 2000 or so bounces a day for about a week, then it all stopped.
 

Registered
Discussion Starter · #12 ·
Thanks. I am also currently running a program called The Cleaner, which has identified and removed a trojan named Keenval. From reading about it, it doesn't sound like the type of trojan that would cause this problem.
 

Retired Moderator Retired Malware Specialist
Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer,

and
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.0.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
 

Retired Moderator Retired Malware Specialist
Hi Billy

Can you do this for us, please?

Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and give a link to your post here. Then press the browse button, navigate to and select the files on your computer. If there is more than one file, press the more attachments button for each extra file and browse and select, etc. When all the files are listed in the window, press send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:

sdfix\backups\backups.zip
 

Registered
Discussion Starter · #18 ·
Just to close this thread: I finally figured out the problem. Someone had accessed my email via the web-based access and was sending out spam. My guess is that they got the password from me in a hot spot. I happened to check my sent mail from the web-based client and found all the crap. Changed the password; problem solved.
 