Phantom Virus? Worm? NAV Says all clear?

Jman13

Senior member
Apr 9, 2001
I noticed yesterday that Norton Antivirus was scanning outgoing e-mail. However, I had no e-mail client open, and I certainly hadn't sent anything recently. It was rejecting e-mails with addresses I'd never heard of. (I would get errors saying 'the mail server rejected your e-mail message to: blahblah because it detected it as SPAM'.) So, I think, I've got a worm of some sort.

I think this is odd, since I update my virus definitions about once or twice a week and do a weekly full system scan. So, I download the very latest definitions (Friday's), boot to safe mode, do a full system scan, and: Nada...nothing. 425,000 files scanned, 0 infected.

What's the deal? I'm very confused. I haven't downloaded any suspicious e-mail (and certainly haven't executed attachments), antivirus is clean, there are no suspect programs running under 'services.'

Any idea what is going on here? Note that I'd never seen any of the e-mail addresses coming up. What could be the problem?
 

DetroitSportsFan

Senior member
Oct 19, 2004
So, Norton doesn't find anything. Back in 2002, Norton was considered "king of the hill" in AV software. Since then, they've lost their foothold a bit. Several of the other major players in AV software are catching things that Norton will miss. First off, is it a virus or a trojan? Unfortunately, many AV software programs miss trojans completely. Add on top of that, some of the more serious threats in spyware/malware will mimic worm activity but go undetected by your virus scan. For the time being, firewall your email application while we try to sort this all out.

First off, let's get a second opinion on your system. Go to HouseCall and do their online virus scan. Be sure to place a check in the box to automatically clean any infections, then give their scan a run. TrendMicro, right now, is catching many things that other virus scanners are missing. If HouseCall finds things but can't remove them, please jot the file names down along with their locations. We may have to clean them out manually later on.

Secondly, download Spybot S&D and update to its latest definitions. You'll need to wait until HouseCall has finished its scan, since you'll have to close out all your browser windows so Spybot can remove any problems. If Spybot asks to run on next reboot, give it permission. Some things cannot be removed if they're currently in use.

Ok, so far we've looked for viruses/worms that Norton may have missed. We've checked the system for spyware and removed it (hopefully) if there was any present. Next thing on our list will be a trojan scan. TDS3 by Diamond Computer Systems is probably one of the best trojan scanners in the industry. It's technically advanced, but it has a help forum to get even a beginner through the scan. Furthermore, it also has a 30-day trial, which makes it nice for a situation like the one you have. Be sure to update its definitions before you begin. With the trialware, you'll have to update manually, but that's no big deal. You can find TDS3 HERE.

Let us know what you find after you've followed all these steps. It's quite possible that we may be looking at manual removal using HijackThis. However, let's do the easy stuff first and see if we can take care of your problem. Please post back with as much detail as you can after you've taken these steps.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Also, what version of Norton is it (2003, 2004, 2005)? What OS and Service Pack? Do you have a firewall? Do your Administrator-class accounts have strong passwords? System fully patched up, both Windows and Office (if you have Office)?

You might try a Microsoft Baseline Security Analyzer checkup to see if you have some Microsoft security oversights to fix: MBSA
 

DetroitSportsFan

Senior member
Oct 19, 2004
You might try a Microsoft Baseline Security Analyzer checkup to see if you have some Microsoft security oversights to fix: MBSA

Thanks for mentioning MBSA! I forgot to mention it because for me it's relatively new. However, it's great for finding patches that Windows Update doesn't detect. As usual, mechBgon's advice is very, very good! I'd certainly follow what he's said too.

Jman13

Senior member
Apr 9, 2001
I'm running Norton 2004. I downloaded Spybot and it took out several things (mostly cookies) and I had BDE Projector (12 instances), and 5 DSO exploits, that were all repaired. I haven't seen a rehash of the e-mail sending since I ran the spyware, but I'll run the other things in the meantime to make sure everything is clear. FWIW, I'm using XP SP1. I also have ZoneAlarm (the latest version) as my firewall.

Thanks for the great advice, everyone, I really appreciate it.

 

DetroitSportsFan

Senior member
Oct 19, 2004
While you're running the recommended tasks mentioned above, here's some extra reading. It may help clarify a few things about how systems get infected. Click here for extracurricular reading.

Also, if mechBgon comes back on this thread, he'll probably have some recommended reading of his own. He's prepared some excellent material on tightening up your system.

Once you've completed all the scans mentioned above, please take the time to download HijackThis and we'll check for any leftovers. You can get HijackThis from HERE.

Edit: Please post your HJT log.
 

Jman13

Senior member
Apr 9, 2001
Well, I've run everything, and absolutely nothing comes up. I got 0 viruses on both NAV and HouseCall scans, no trojans on a full system scan, and while Spybot found some things and corrected them, I still have seen the e-mails being sent (but disabling communications between NAV and the internet stops them, since they won't get sent out once they start being scanned by Norton). I went to Windows Update and got all security patches, so hopefully that will stop it, as I haven't seen the e-mails since, but it seems to be the only thing: someone found I was vulnerable and used my machine when I was online as a spam center.

BTW, my HijackThis log is as follows:

Logfile of HijackThis v1.98.2
Scan saved at 1:32:38 PM, on 11/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Program Files\Network Associates\PGP for Windows 2000\PGPservice.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\program files\powerstrip\pstrip.exe
C:\WINDOWS\system\lsvchost.exe
D:\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\SetiCmd\SETI Driver.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Opera75\opera.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.co.../ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.co.../ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.co.../ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.co.../ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.co.../ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.co.../ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.co.../ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.co.../ie/defaults/su/ymsgr/*http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.espn.com"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rmlkq410.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rmlkq410.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\system32\mscfg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AudioHQU] C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Shortcut to SETI Driver.lnk = C:\SetiCmd\SETI Driver.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.co...es/clients/y/it0_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.co...es/clients/y/et0_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1096552328817
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/downloa...lls/yse/ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{74513C73-C876-4B45-BFDB-57FA3AF91EB7}: NameServer = 195.178.15.5 195.178.0.24
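As an added example (my own script, not part of this thread and not a HijackThis feature): a small Python triage pass over O2/O4 lines like the ones in the log above that marks autostart entries for a manual look when the value is a bare filename resolved through the search path, when the executable loads from outside System32 or Program Files, or when its name closely resembles a core Windows binary. The trusted-directory list, the similarity threshold and the sample lines are my assumptions; the sample lines are copied from the log posted above.

```python
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Constructed sample: a few O2/O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Microsoft Configuration - {40205287-E793-41AC-B95C-D8D064BA33CA} - C:\WINDOWS\system32\mscfg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.+)$")
# Assumed lists: core Windows process names and directories treated as expected locations.
CORE_BINARIES = ["smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"]
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def command_path(cmd: str) -> str:
    """Executable part of a Run value: the quoted token if quoted, else the whole value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd

def review_reasons(path: str) -> list[str]:
    """Heuristic reasons an entry deserves a manual look; empty list means nothing stood out."""
    reasons = []
    base = PureWindowsPath(path).name.lower()
    if "\\" not in path:
        reasons.append("bare filename: located via the search path at logon, not a fixed location")
    elif not path.lower().startswith(TRUSTED_DIRS):
        reasons.append("loads from outside System32 / Program Files")
    for core in CORE_BINARIES:  # near-miss of a core name (e.g. one extra letter), not an exact match
        if base != core and SequenceMatcher(None, base, core).ratio() >= 0.85:
            reasons.append(f"name resembles core binary {core}")
    return reasons

def triage(log_text: str) -> list[dict]:
    """Parse O2/O4 lines and return only the entries that merit review, with their reasons."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line) or O2_RE.match(line)
        if not m:
            continue
        path = command_path(m["cmd"]) if "cmd" in m.groupdict() else m["path"]
        reasons = review_reasons(path)
        if reasons:
            findings.append({"entry": m["name"], "path": path, "reasons": reasons})
    return findings
```

A hit is a prompt to check the file's publisher, signature and on-disk location, not a verdict; plenty of legitimate OEM utilities are registered as bare filenames.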