PDA

View Full Version : spam email sent from account - infected or other



aeneas3
2010-05-03, 18:07
hi all
Thank you for prior help on a prior problem. It resolved things and I actually later had an HD failure so I am wondering if the problems I was having were due to the HD starting to go.

anyway, onto the current topic. woke up this morning and opened thunderbird. Then I was surfing while thunderbird DL'd everything and I switched back and found tons of emails stating that delivery of my message failed. Evidently a spam message was sent. now, it bounced back to me. I *think* this is a common case of someone putting my email as the respond to email for spam. But I want to make sure I am not infected.
Running windows xp latest updates
browsers - IE/firefox but mostly chrome.
any help would be great and please let me know if I can give you any other information.
Oh one more thing, what makes me think that I am NOT infected is that there are emails that I do not recognize. Of course anything is possible.
thanks for reading :)

here is the email: (changed the hotmail emails except for the reply to email for the spam)

Edit Removed email info, not needed.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 10:53:25.27 on Mon 05/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3838.2935 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CBTWlanSrv.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269132055430
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johnyo~1\applic~1\mozilla\firefox\profiles\5czxd6jd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php
FF - plugin: c:\documents and settings\Owner\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-20 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-20 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-20 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-20 60936]
R2 CBTWlanSrv;CBT Wlan Service;c:\windows\CBTWlanSrv.exe [2010-3-20 106496]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [2010-3-20 27072]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-24 38224]
R3 WEC600N;Linksys Dual-Band Wireless-N ExpressCard WEC600N Driver;c:\windows\system32\drivers\WEC600N.SYS [2010-3-20 1265536]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-22 136176]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-3-20 42000]

=============== Created Last 30 ================

2010-05-02 15:33:01 3519 ----a-w- c:\documents and settings\Owner\.recently-used.xbel
2010-04-29 23:22:27 0 d-----w- c:\program files\Zynga
2010-04-27 22:35:22 0 d-----w- c:\program files\iPod
2010-04-27 22:35:05 0 d-----w- c:\program files\iTunes
2010-04-27 22:21:24 0 d-----w- c:\program files\Bonjour
2010-04-24 17:18:07 0 d-----w- c:\docume~1\johnyo~1\applic~1\Malwarebytes
2010-04-24 17:17:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 17:17:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-24 17:17:29 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 17:17:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 17:52:30 0 d-----w- c:\windows\pss
2010-04-14 23:06:17 0 d-----w- c:\documents and settings\Owner\.thumbnails
2010-04-14 07:18:02 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-04-13 10:29:27 0 d-----w- c:\docume~1\johnyo~1\applic~1\Lexmark Productivity Studio
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-07 19:39:47 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-07 19:39:47 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-04-07 19:37:04 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-07 19:25:16 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-04-07 19:13:46 216800 ----a-w- c:\windows\system32\drivers\SynTP.sys
2010-04-07 19:13:46 196608 ----a-w- c:\windows\system32\SynCtrl.dll
2010-04-07 19:13:46 163840 ----a-w- c:\windows\system32\SynCOM.dll
2010-04-07 19:13:46 147456 ----a-w- c:\windows\system32\SynTPAPI.dll
2010-04-07 19:13:46 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2010-04-07 19:13:45 0 d-----w- c:\program files\Synaptics
2010-04-04 21:28:54 0 d-----w- c:\documents and settings\Owner\.gimp-2.6
2010-04-04 18:41:07 215920 ----a-w- c:\windows\system32\muweb.dll
2010-04-04 18:41:04 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-04-04 18:41:00 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-04-04 17:52:03 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-04 04:08:26 0 d-----w- c:\documents and settings\Owner\Tracing
2010-04-04 03:16:18 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-04-04 03:12:48 0 d-----w- c:\program files\Microsoft
2010-04-04 03:12:16 0 d-----w- c:\program files\Windows Live SkyDrive
2010-04-04 03:03:45 0 d-----w- c:\program files\common files\Windows Live

==================== Find3M ====================

2010-04-04 17:50:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-21 01:25:23 20480 ----a-w- c:\windows\RegActiveX.exe
2010-03-21 01:25:23 1700352 ----a-w- c:\windows\GdiPlus.dll
2010-03-21 00:27:07 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-04 14:01:14 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 14:01:14 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 14:01:14 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 14:01:14 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll

============= FINISH: 10:54:55.65 ===============

Blade81
2010-05-06, 20:17
Hi,

You should go and change your webmail account password(s) if not done so yet. Also, run Secunia vulnerability check here (http://secunia.com/vulnerability_scanning/online/) and fix its findings.

aeneas3
2010-05-06, 21:39
Hi,

You should go and change your webmail account password(s) if not done so yet. Also, run Secunia vulnerability check here (http://secunia.com/vulnerability_scanning/online/) and fix its findings.

thanks I changed the pw. I will run that scan now.

aeneas3
2010-05-06, 22:46
Detection Statistics:
16 Applications Detected in Total
3 Insecure Versions Detected
13 Patched Versions Detected

Running For:
29 Minutes, 24 Seconds

Errors with the scan:
0 Errors Detected, scan result should be correct

Scan Options:

Enable thorough system inspection
Display only insecure programs
Status / Currently Processing:
Detection completed successfully


it did not list the programs, though. it may be because I ran it in chrome. going to rerun it in IE.

Blade81
2010-05-07, 07:49
Yes, I think Chrome is not supported (scan should alert about outdated Java at least).

Blade81
2010-05-14, 12:54
Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.