1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

My Hotmail is emailing viruses or spam, stop it??

Discussion in 'Windows - Virus and spyware problems' started by tdurham, May 24, 2006.

  1. tdurham

    tdurham Member

    Joined:
    May 24, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    My hotmail is sending a virus or spam email to everyone on my messenger list. It has done so twice. I need to stop this any help would be great

    Here is the message it is mailing,

    Date: Wed, 17 May 2006 11:37:29 -0300

    Hi! How are you?
    You know I've created my own website!
    Can you check how it works?
    It's http://www.kisenfad.com/test
    Can you see video?
    Bye!
     
  2. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
  3. tdurham

    tdurham Member

    Joined:
    May 24, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Thanks for the help my email list will appreciate it


    here is the log,

    Logfile of HijackThis v1.99.1
    Scan saved at 6:02:21 PM, on 5/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Connected\AgentSrv.EXE
    C:\WINDOWS\etlisrv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Oracle\Ora817\BIN\TNSLSNR.exe
    C:\Program Files\Novadigm\radexecd.exe
    C:\Program Files\Novadigm\radsched.exe
    C:\Program Files\Novadigm\Radstgms.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    C:\Program Files\Timbuktu Pro\tb2launch.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Timbuktu Pro\Tb2Logon.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\PROGRA~1\Novadigm\radtray.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Connected\CBSysTray.exe
    C:\WINDOWS\system32\etlitr50.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    c:\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hub.slb.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hub.slb.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [Sun ONE Synchronization - iPlanet] C:\Program Files\Common Files\XCPCSync\Translators\iPlanet\iPlanetTray.exe
    O4 - HKLM\..\Run: [Password Reminder] remind.vbs
    O4 - HKLM\..\Run: [RUNRADTRAY] C:\PROGRA~1\Novadigm\radtray.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [GetInfo] C:\Program Files\Network Associates\Common Framework\GetInfo.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
    O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
    O4 - Global Startup: Entrust.lnk = C:\WINDOWS\system32\etlitr50.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136561317500
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nam.slb.com
    O17 - HKLM\Software\..\Telephony: DomainName = nam.slb.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nam.slb.com
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)
    O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
    O23 - Service: Entrust Login Interface (ELIService) - Entrust(R) - C:\WINDOWS\etlisrv.exe
    O23 - Service: Entrust/TrueDelete(TM) (ETDSVC) - Entrust Technologies Ltd. - C:\WINDOWS\system32\etdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: OracleOraHome817Agent - Oracle Corporation - C:\Oracle\Ora817\bin\dbsnmp.exe
    O23 - Service: OracleOraHome817ClientCache - Unknown owner - C:\Oracle\Ora817\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome817DataGatherer - Oracle Corporation - C:\Oracle\Ora817\bin\vppdc.exe
    O23 - Service: OracleOraHome817HTTPServer - Unknown owner - C:\Oracle\Ora817\Apache\Apache\Apache.exe
    O23 - Service: OracleOraHome817PagingServer - Unknown owner - C:\Oracle\Ora817/bin/pagntsrv.exe
    O23 - Service: OracleOraHome817TNSListener - Unknown owner - C:\Oracle\Ora817\BIN\TNSLSNR.exe
    O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Novadigm\radexecd.exe
    O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Novadigm\radsched.exe
    O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Novadigm\Radstgms.exe
    O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

     
  4. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Hi again.

    You don't have a firewall on your computer. Download and install one firewall.

    These are good (free) firewalls:
    ZoneAlarm --> http://www.zonelabs.com
    Kerio--> http://www.sunbelt-software.com/Kerio.cfm
    Outpost-> http://www.agnitum.com

    Do you know anything about this entry?

    O4 - HKLM\..\Run: [Password Reminder] remind.vbs

    Then you could run th following virus scan:

    Download eScan to your desktop -> http://www.spywareinfo.dk/download/mwav.exe
    Run the file mwav.exe and unzip it to its default location, C:\Kaspersky

    1. Updating the scanner (close the eScan window if open)
    -> Go to My Computer
    -> C:\
    -> Kaspersky
    -> Run the file kavupd.exe, it starts downloading updates
    -> When downloading is finished, go to C:\Downloads
    -> Copy all the files in the Downloads folder by pressing CTRL+A and then CTRL+C
    -> Then go back to the C:\Kaspersky folder and paste the files by pressing CTRL+V
    -> Answer Yes to all when it asks about replacing files
    -> Now the scanner has been updated

    2. Scanner settings
    -> Go to folder C:\Kaspersky and run the file mwavscan.com (or mwavscan.exe)
    -> The scanner window opens
    -> Select the same settings than in this picture -> http://koti.mbnet.fi/pattaya1/eScan6.jpg
    -> When ready, press the Scan Clean button
    -> Scanning for infections begins

    3. Posting the results
    -> When the scan has finished (scan may take a quite long time), you'll need to post the findings
    -> Copy all the text in this field -> http://koti.mbnet.fi/pattaya1/eScan10.jpg
    -> Click the field, press CTRL+A, CTRL+C
    -> Then open Notepad and paste the findings into a new document by pressing CTRL+V
    -> Save the document to your desktop
    -> Post the contents of that textfile to here
     
  5. tdurham

    tdurham Member

    Joined:
    May 24, 2006
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    I don't know anything about that particular entry?


    I went through all the directions you posted (thanks again) and yet there was nothing in the field you specified. THis is a bran new computer the problem began on an old computer that is not connected. Hotmail has sent one mass email since through my account though.

    Am I stuck having to delete the account I've had for almost 10 years now? This would be a real pain....
     
  6. JaPK

    JaPK Regular member

    Joined:
    Feb 23, 2006
    Messages:
    1,269
    Likes Received:
    0
    Trophy Points:
    46
    Ok it is possible that your email adress has been added to some spamming list...

    Cleaning instructions:

    Move HijackThis into its own folder C:\HJT

    Download and install Ewido anti-malware -> http://www.ewido.net/en/download
    Update it, but do NOT run a scan yet. We'll use it later.

    Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

    O4 - HKLM\..\Run: [Password Reminder] remind.vbs
    O20 - Winlogon Notify: slbScCertProp - %windir%\system32\ScCertProp.dll (file missing)

    Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

    Use the Windows "search" function
    -> Start
    -> Search
    -> All files and folders
    -> More advanced options

    Checkmark these options:
    - "Search system folders"
    - "Search hidden files and folders"
    - "Search subfolders"

    ->Search for this and delete if found: remind.vbs

    Scan and clean your computer with Ewido and save the report.

    Clean the Recycle bin and make your hidden files visible again.

    Restart your computer normally.

    Post the following logs to here:
    -> a fresh HijackThis log
    -> Ewido's log
     

Share This Page