Panic! Spoof was sent FROM MY domain!


sunny66

Thread Starter
Joined
Oct 20, 2005
Messages
28
I am really upset. I just received a fraudulent e-mail, apparently sent by MY domain ([email protected]), and was "signed" by: Your .............com- support team!
It had a zip-file attached (-> to fill in personal information), which I couldn't open, but a message from my Anti-virus program popped up informing me that it found a trace of a worm in the attachment. The strangest thing, though, was that I didn't have the option to remove it.
I am really concerned. I don't have a clue about computers, the internet, and all related areas - and am very afraid that these e-mails have been sent to many other people.
I have copied and pasted the e-mail:
----------------------------------------------------------------------------
Dear Eft-practice Member,

We have temporarily suspended your email account [email protected].

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).
2. Submitting invalid information during the initial sign up process.
3. An inability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your Eft-practice account.

Sincerely, The Eft-practice Support Team

+++ Attachment: No Virus (Clean)
+++ Eft-practice Antivirus - www.eft-practice.com
-----------------------------------------------------------------------------
Please, dear specialists, help me quickly! THANK YOU!!!!!!!
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, we need to see a logfile from this small free program, please do this:

Please do the following: without closing anything, use the link below and follow the downloading directions;
when it says you are to open a Reply, use the Post Reply at the top of the thread.

Click here to download HJTsetup.exe
  • Save Hijackthis.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • At the top of the Notepad HJT log screen, hit EDIT then SELECT ALL then click EDIT and then click COPY, doing that copies the text to the clipboard, you won't see it yet....
  • Open a TechSupportGuy forum Reply window for this thread, to have ready to paste the Hijackthis log into. Click once to place the typing cursor in the reply window.
  • At the top of your TSG/browser window, hit EDIT then PASTE
  • You should see your copied Hijackthis log appear in the reply space....then, submit the reply
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Hijackthis will help us to see if anything is running that should not be. There may be some other work to do.
 

sunny66

Thread Starter
Joined
Oct 20, 2005
Messages
28
Thanks so much!
I already had Hijackthis installed. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:04:44 p.m., on 1/8/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\OEMCFOS2\CFOSOEMD.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TEMP\AVSCHED32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMME\WINAMP\WINAMPA.EXE
C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\OEMCFOS2\CFNDIS.EXE
C:\PROGRAMME\X-CABLE\X-CABLE.EXE
C:\PROGRAMME\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAMME\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMME\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F1 - win.ini: run=C:\WINDOWS\OEMCFOS2\cfosoemd.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAMME\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\Programme\ComcastToolbar\comcasttoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVSCHED32] C:\WINDOWS\TEMP\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: X-Cable.lnk = C:\Programme\X-Cable\X-Cable.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Startup: SpywareGuard.lnk = C:\Programme\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAMME\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAMME\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAMME\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAMME\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAMME\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAMME\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAMME\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAMME\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/dribnif/de/win/QuickTimeInstaller.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/edrawings/download.cfm?Release=rel
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} (SdcNetCheckCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab

Hopefully, you will be able to find out what is wrong...
Sunny
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, It looks like you may be using two antivirus programs at once, AntiVir and AVG, if so, that is not good if both are active and monitoring in the background.

Post back and tell me if you see both of those programs in your Add/Remove Programs list please.

Also, AntiVir is loading from the Temp folder, which is not too good an idea.

O4 - HKLM\..\Run: [AVSCHED32] C:\WINDOWS\TEMP\AVSCHED32.EXE /min

If that is the legitimate AntiVir program it should not run from Temp folder.

NOTE: Since you have SpywareGuard installed, changes you need to make can be prevented by SWG, so you need to turn it off temporarily from time to time:

Here is a page that will show you how to do the above for many common protective and good programs:

http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs

If you installed it, and AVG is your main antivirus program, uninstall Antivir. It may not want to uninstall since you may have accidentally deleted the files needed to do so which may have been in the Temp folder, we will see. If you are paying for updates or something and do not want to uninstall it, do you still have the download or file you used to install AntiVir, so you can remove it and reinstall?

If you want to check to see if AVG is doing its job, use an online scanner; one of these may tell you if things are OK or find something AVG does not or cannot detect:

http://www.kaspersky.com/virusscanner


http://www.pandasoftware.com/products/activescan.htm

When either scan finishes, you will see a View Report button, use that to see what it found ....Next, SAVE the Report, and copy and paste it to a reply here, if anything was found Infected and post a new Hijackthis log.
 

sunny66

Thread Starter
Joined
Oct 20, 2005
Messages
28
Hi!
Antivir is the only antivirus program I am running. The 04----- one is the scheduler for Antivir - it reminds me if I haven't updated the program for more than 10 days - maybe that's why it automatically is saved in the temp folder.
I am not sure if I should use the scanner, since I would have to download it. Would I have to uninstall Antivir first?
Thanks for taking the time to answer - I appreciate it very much!
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Yes, I see that it is part of AntiVir.... a few sites that have startup file info still have avgctrl.exe as part of AVG antivirus, I apologize for alarming you needlessly.

The online scan installs only an ActiveX control, which is perfectly safe, plus some latest update detection files. You can disable your installed antivirus program; usually I don't, but I am not sure when using AntiVir, so you can try with it still running first to be safe.

It is not the same as installing a new antivirus program, it checks for viruses over the Internet by ActiveX control, all online scans do this.

Your HJT log looks fine but the online scan will help rule out anything that may have slipped by your installed A/V program.
You can also try Stinger by McAfee, it's a very small tool that checks for about 49 new worms, etc. It's a simple stand-alone .exe file, not an installation, so when finished, if you wish, you can simply right click it and the companion stinger.opt file and delete both, or keep a copy of Stinger handy for emergencies...you do need to get a new one occasionally, when they make a new build that includes the very latest email type worm detections. Fits on a floppy disk. Free also.

STINGER-free worm, trojan, virus removal tool
 

Noyb

Jay
Trusted Advisor
Spam Fighter
Joined
May 25, 2005
Messages
21,222
Since you look clean ... I'll take Byteman's word for this - - May I add ..
A few months ago - I started getting emails like this - but I was not infected.
They should go away after awhile.

Most likely - someone you know, who has your address in their address book is infected.
Their virus is sending out emails using your address (at random) - as a fake sender, so you are getting the email warning notices.

Be careful - their computer may try to send the virus to you - apparently from anyone else in their address book.
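The spoofing Noyb describes works because the From: header is just text the sending program writes; what a receiver can actually check is the Received: chain (where the mail really entered) and what is inside the attachment. This is an added Python example, not code from the thread or from any of the tools named in it: it triages a constructed message modelled on the "account suspended" mail sunny66 quoted, including a zip member whose name pads spaces before the real .scr extension, as the Kaspersky report lists. The domain eft-practice.com is the thread's; the IP addresses, relay host names and the outbound allow-list are assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed allow-list: hosts that legitimately send mail for our domain.
# A real deployment would publish the same information as an SPF record.
OUR_DOMAIN = "eft-practice.com"
OUR_OUTBOUND_IPS = {"198.51.100.25"}

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Matches the "from <helo> (<rdns> [<ip>])" clause of a Received: header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*?)\[([\d.]+)\]\)", re.I)


def build_sample() -> bytes:
    """Construct (not capture) the kind of message described in the thread:
    From: claims the recipient's own domain, the earliest Received: hop is an
    unrelated address, and the zip holds a harmless placeholder file whose
    name hides '.scr' behind a run of spaces."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("email-details.doc" + " " * 40 + ".scr",
                    b"placeholder bytes, not an executable")
    msg = EmailMessage()
    # Topmost Received: is the last hop (our MX); the bottom one is the origin.
    msg["Received"] = ("from relay.isp.example (relay.isp.example [192.0.2.10]) "
                       "by mx.eft-practice.com; Sun, 8 Jan 2006 09:47:16 -0500")
    msg["Received"] = ("from dsl-77.access.example (dsl-77.access.example [203.0.113.77]) "
                       "by relay.isp.example; Sun, 8 Jan 2006 09:47:10 -0500")
    msg["From"] = f"support@{OUR_DOMAIN}"
    msg["To"] = f"member@{OUR_DOMAIN}"
    msg["Subject"] = "Your account has been suspended"
    msg.set_content("Dear Eft-practice Member, see the attached details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="email-details.zip")
    return msg.as_bytes()


def received_hops(msg) -> list:
    """(claimed host, IP) for each Received: header, earliest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append((m.group(1), m.group(3)))
    return list(reversed(hops))


def check_name(name: str) -> list:
    """Flag a file name that ends in an executable extension; note when
    whitespace was used to push that extension out of sight."""
    stem, dot, ext = name.rpartition(".")
    if dot and "." + ext.lower() in EXEC_EXT:
        reason = "executable extension"
        if stem.rstrip() != stem:
            reason += ", padded with spaces to hide it"
        return [f"{name.strip()!r}: {reason}"]
    return []


def suspicious_names(msg) -> list:
    """Attachment names, including zip members, that hide an executable."""
    found = []
    for part in msg.iter_attachments():
        found += check_name(part.get_filename() or "")
        if part.get_content_type() == "application/zip":
            data = io.BytesIO(part.get_payload(decode=True))
            with zipfile.ZipFile(data) as zf:
                for member in zf.namelist():
                    found += check_name(member)
    return found


def triage(raw: bytes) -> dict:
    """Compare the claimed From: domain with the real origin and inspect
    attachments; returns a plain dict so the verdict can be logged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    hops = received_hops(msg)
    origin_ip = hops[0][1] if hops else None
    spoofed = from_domain == OUR_DOMAIN and origin_ip not in OUR_OUTBOUND_IPS
    return {
        "from_domain": from_domain,
        "origin_ip": origin_ip,
        "spoofed_our_domain": spoofed,
        "suspicious_attachments": suspicious_names(msg),
    }


if __name__ == "__main__":
    for key, val in triage(build_sample()).items():
        print(f"{key}: {val}")
```

The verdict shows the mail was handed to the relay by an address outside the domain's own senders even though From: names the domain, which is exactly what the thread observes: nothing on the domain owner's side sent it.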
 

sunny66

Thread Starter
Joined
Oct 20, 2005
Messages
28
How can I find out? It really gets annoying - I received 12 spoofs/spams yesterday. What really bothers me is that they use my business name. I don't even understand how it is possible for them to send e-mails with [email protected] - since it is MY domain?
These internet/ computer things are really confusing to me....
Thanks for your input!
 

sunny66

Thread Starter
Joined
Oct 20, 2005
Messages
28
Hey- I am glad you advised me to scan my system!
Since I had to choose "where" to scan, I don't know if I missed something. So I will try out the other choices, too.
Please advise me what to do now?

This is what the scanner found so far:

------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, January 11, 2006 10:18:20
Operating System: Microsoft Windows 98 SE
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/01/2006
Kaspersky Anti-Virus database records: 170581
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
c:\windows\TEMP\

Scan Statistics:
Total number of scanned objects: 55553
Number of viruses found: 2
Number of infected objects: 25
Number of suspicious objects: 6
Duration of the scan process: 2481 sec

Infected Object Name - Virus Name
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Sun, 8 Jan 2006 09:47:16 -0500]/html/email-details.zip/email-details.doc .scr Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Sun, 8 Jan 2006 09:47:16 -0500]/html/email-details.zip Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Sun, 8 Jan 2006 09:47:16 -0500]/html Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/account-info.zip/account-info.txt .pif Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/account-info.zip Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 16:01:33 -0500]/html/accepted-password.zip/accepted-password.doc .pif Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 16:01:33 -0500]/html/accepted-password.zip Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 16:01:33 -0500]/html Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 17:46:45 -0500]/html/npgsxdf.zip/npgsxdf.htm .pif Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 17:46:45 -0500]/html/npgsxdf.zip Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 17:46:45 -0500]/html Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 19:47:49 -0500]/html/important-details.zip/important-details.htm .exe Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 19:47:49 -0500]/html/important-details.zip Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 19:47:49 -0500]/html Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Tue, 10 Jan 2006 02:11:11 -0500]/html/readme.zip/readme.htm .exe Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Tue, 10 Jan 2006 02:11:11 -0500]/html/readme.zip Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Tue, 10 Jan 2006 02:11:11 -0500]/html Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/email-details.zip/email-details.txt .exe Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/email-details.zip Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/account-report.zip/account-report.doc .exe Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/account-report.zip Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx Infected: Net-Worm.Win32.Mytob.bi
C:\WINDOWS\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip/MCC_Install.exe Suspicious: Password-protected-EXE
C:\WINDOWS\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip Suspicious: Password-protected-EXE
C:\WINDOWS\Profiles\Sunny\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip/MCC_Install.exe Suspicious: Password-protected-EXE
C:\WINDOWS\Profiles\Sunny\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip Suspicious: Password-protected-EXE
C:\WINDOWS\Profiles\Sunny1\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip/MCC_Install.exe Suspicious: Password-protected-EXE
C:\WINDOWS\Profiles\Sunny1\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip Suspicious: Password-protected-EXE

Scan process completed.
 

Noyb

Jay
Trusted Advisor
Spam Fighter
Joined
May 25, 2005
Messages
21,222
sunny66 said:
How can I find out? It really gets annoying -
From the conditions you described … I don’t know how to find out where they are being sent from… could be anywhere.
Yes on the annoying – Most of my spam comes from a misconfigured sender and the IP address usually traces back to the other side of the Atlantic.

The only way I can think of to prevent this, in the future, is to have several email addresses.
I have two extra anonymous addresses that I use when I email somewhere that may pick up the address.
When one of them starts collecting trash – I delete it and take out a new anonymous address.
So far – I have very little trouble with friends and family who have my main address.
Using a specific (temporary) address for a purpose, such as genealogy, you can tell where the bad guys got the address.
Genealogy is a bad one … You'll start getting spam almost immediately.

If my computer ever sends out email from my address book – I will know.
I have planted several bad addresses in my address book – if my computer ever emails these addresses I will get an email message that the address was invalid and will know that something is wrong.

Sorry I didn't have a good answer for you - Hope the tips help a little.
 

sunny66

Thread Starter
Joined
Oct 20, 2005
Messages
28
Thank you! I will put some "bad" addresses in my addressbook, too.
Unfortunately I can't change my business e-mail addresses, since I have printed materials with the addresses on them. It would be a big fuss to change them again, and again....
I hope, I will find a solution to that problem one day...
Now I just have to get rid of the worms that were found!
Thanks again,
Sunny
 

Noyb

Jay
Trusted Advisor
Spam Fighter
Joined
May 25, 2005
Messages
21,222
You are in the hands of excellent De-wormers .... wish I knew how to do this.
Using alphabetical names – cover, at least, both ends and the middle of your address book using invalid domains …
Like .... [email protected] or [email protected]
 

Byteman

Gone but Never Forgotten
Joined
Jan 24, 2002
Messages
17,742
Hi, Can you tell me if the scan you did cleaned, or deleted those .zip attachments (Mytob worm)?

You apparently only scanned Critical areas> you should do a full scan of the computer. There may be options to pick from as to what the scanner does with infected objects found> set it to disinfect first, then to delete. Scan again at Kaspersky.

You can also try Panda.

The other items at the end of the scan results are found in SpyBot's Recovery, you can open SpyBot and hit the Recovery button, you will see various scan results you did, they can be deleted from the Recovery area so they are not detected again.
 

sunny66

Thread Starter
Joined
Oct 20, 2005
Messages
28
Yes, it took forever, but I did several scans. Nothing was deleted though - I couldn't even find that option. Please let me know what to do, since it really doesn't feel good to know that I have 2 viruses on my computer! I believe they are in the attachments (that I did not even open) of the spam e-mails I have been bombarded with. Unfortunately, they keep coming in. Would that affect the accuracy of the scan I previously made?

Here is the "my computer" -scan:
------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, January 11, 2006 12:49:29
Operating System: Microsoft Windows 98 SE
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/01/2006
Kaspersky Anti-Virus database records: 170581
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 78008
Number of viruses found: 2
Number of infected objects: 25
Number of suspicious objects: 6
Duration of the scan process: 7107 sec

Infected Object Name - Virus Name
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Sun, 8 Jan 2006 09:47:16 -0500]/html/email-details.zip/email-details.doc .scr Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Sun, 8 Jan 2006 09:47:16 -0500]/html/email-details.zip Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Sun, 8 Jan 2006 09:47:16 -0500]/html Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/account-info.zip/account-info.txt .pif Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/account-info.zip Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 16:01:33 -0500]/html/accepted-password.zip/accepted-password.doc .pif Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 16:01:33 -0500]/html/accepted-password.zip Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 16:01:33 -0500]/html Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 17:46:45 -0500]/html/npgsxdf.zip/npgsxdf.htm .pif Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 17:46:45 -0500]/html/npgsxdf.zip Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 17:46:45 -0500]/html Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 19:47:49 -0500]/html/important-details.zip/important-details.htm .exe Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 19:47:49 -0500]/html/important-details.zip Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Mon, 9 Jan 2006 19:47:49 -0500]/html Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Tue, 10 Jan 2006 02:11:11 -0500]/html/readme.zip/readme.htm .exe Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Tue, 10 Jan 2006 02:11:11 -0500]/html/readme.zip Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date Tue, 10 Jan 2006 02:11:11 -0500]/html Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/email-details.zip/email-details.txt .exe Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/email-details.zip Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/account-report.zip/account-report.doc .exe Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html/account-report.zip Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx/[From NO_REAL_NAME (0.8 points) From: does not include a real name][Date that your Eft-practice User Profile ( x ) records are out of date. For]/html Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Identities\{D9D04000-7844-11D4-899A-C0A649C1CA01}\Microsoft\Outlook Express\Posteingang.dbx Infected: Net-Worm.Win32.Mytob.bi
c:\WINDOWS\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip/MCC_Install.exe Suspicious: Password-protected-EXE
c:\WINDOWS\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip Suspicious: Password-protected-EXE
c:\WINDOWS\Profiles\Sunny\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip/MCC_Install.exe Suspicious: Password-protected-EXE
c:\WINDOWS\Profiles\Sunny\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip Suspicious: Password-protected-EXE
c:\WINDOWS\Profiles\Sunny1\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip/MCC_Install.exe Suspicious: Password-protected-EXE
c:\WINDOWS\Profiles\Sunny1\Anwendungsdaten\Spybot - Search & Destroy\Recovery\CometCursors.zip Suspicious: Password-protected-EXE

Scan process completed.
 