daemon mailers return mail HJT attached

Hi good people, I need your help.

At the office I am getting a lot ( 20 a day ) daemon mailers return mail. Our ISP suggested to run HJT and see if it will fix the problem. I did ran it, but have no idea what I am looking at.

Can some one please take a look at the log ant tell me what to do?
Thanks very much
Sven


Logfile of HijackThis v1.99.1
Scan saved at 3:55:04 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\windows\system32\hkcmd.exe
C:\windows\system32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\windows\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Microsoft Office\Office10\MSOFFICE.EXE
C:\windows\system32\fxssvc.exe
C:\Documents and Settings\Sven Albrecht\My Documents\Downloads\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [igfxtray] C:\windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Shortcut Bar.lnk = C:\Microsoft Office\Office10\MSOFFICE.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1091044601515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137428743093
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D34151C8-0C6C-4A7D-B677-4FCC9552E957} - http://www.bcnx.com/SunInfoConnect_www.bcnx.com_medium.cab
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

 

Hi, Sven.

Those HJT entries look suspicious to my untrained eye. This might be a thread for our malware removal experts to look at. (I suspect this thread will be moved to the "Removing Spyware & Viruses" forum shortly.)

 

Hi Mailman,

Party Poker is an online gaming site and when I have some downtime I will play a hand or two, don’t think they would send any e-mail to anyone.
Thanks for looking, I wait for more answers.

Sven

 

Hi, Sven.

I did a little research about Party Poker and found a few links you may be interested in reading.

• Wikipedia: Safe Port Act
• MSNBC: Online gambling firms sell U.S. units for $1
• L.A. Times/L.A. Pilot: Woman Billionaire Made Fortune Selling Vice on the Internet
• Wikipedia: PartyGaming/PartyPoker.com

Given the timing of your sudden increase in "mailer daemon" messages, the U.S. Internet gambling ban that apparently became law this month, and other information in the links I provided; I'm guessing your office e-mail address may have been "used" by spammers/scammers/etc. as a result.

 

As far as it goes your log is clean.

There are three possibilities:

1. The most likely: A virus/worm such as Klez. You can either be getting a real undelivered or a fabricated undelivered. You probably do not have the virus but someone who has your email address in their address book does have the virus. That is exactly how it propogates. It takes an Outlook or Outlook Express address book and emails to every entry. It also can spoof the 'From:' address by picking a randome email address from the address book.

2. You have an email worm such as Klez.

3. Your e-mail address fell into the hands of a spammer, who has forged the headers of the e-mail they are sending out to make it look like it came from your address

Unfortunately, you can only directly address issue #2.

How current are your virus definitions?

I would do two on-line Antivirus scans; my preference for this would be Trend Micro and Kaspersky: http://www.mvps.org/sramesh2k/Scanners.htm

Remember that your email program likely has the ability to set filtering rules. In your case you would filter on the DAEMON portion of the From: entry.

As misery sometimes wants company, see this exchange of yesterday in a different fora: http://www.xpforum.co.uk/forums/windows-xp-firewalls-antivirus-antitrojan/9280-mailer-daemon.html

 

Bill Castner,

Thanks for your reply. Sorry for my late answer.

I have scanned with spybot and Ad- Aware, they found some things and I have them removed. All where negligible. I also had Housecall scan my computer and I am running AVG. None of these helped. I also have windows defender and Spyware blaster installed.
How can I find out if I have an email worm such as Klez? Won’t houscall or 1 of the other programs detect it?
I will run Kaspersky as soon as I can. Sometime this week.

I will post back after the scan
Sven

 

Hi all,

I have done the whole thing 1 more time.
Spybot, Ad-aware, House Call. AVG, and I went to Kaspersky and have them check all, but I still get daemon mailers return Mail.
Anything else I can do?
Thanks
Sven

 

Most of these viruses named in this thread do not hide very well and are relatively easy to spot. Especially when you consider that the definitions for these are so old. Not likely there is an av app on the planet that wouldn't pick them up.

My best guess would be Bills' first option, someone you know has been infected.

Goodness knows you have done more than enough to find any such worm as these mentioned.

If you like, we can also run some rootkit tools to see if this is something new.

Let us know.

 

TeMerc,

"If you like, we can also run some rootkit tools to see if this is something new. "

O.K., how do I do that, and what do I need?

Help!

Thanks
Sven

 

Here are a couple we can run:

Please download RootKitRevealer from here

Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire log file back into this thread for me to view.

Reboot, unless nothing is found.

Download and run F-Secure Blacklight
Double-click on bibeta.exe to run it.
Click the *I accept* button near the bottom of that page.
Download and run Blacklight click > scan then > next, next again then exit
there will be a new text file near Blacklight.Post it please. The text file is named:
fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
!!Do not rename any files yet

Post logs, both at same time if anything is found.

 

TeMerc,

Thanks for posting the instructions for the root kit.
I don't know if I can get to it this week, but as soon as I can I will run the programs and post back.
Monday or Tuesday latest.
Thanks again
Sven

 

TeMerc,

I downloaded Root Kit revealer and run it, and it tells me
"Scan complete no discrepancies found. "

I tried to download the other program from f-secure, but when I click on the link it tells me error 404 page not found. It just get to a page of f-secure but don't know where to go from there.
Can you check the link?
Thanks for your help
Sven

 

Sorry about that, guess I need to update my canned reply for that one. Here is the proper link:
http://www.f-secure.com/blacklight/try_blacklight.html

 

TeMerc,

Thanks for the updated link.
I downloaded and run it. It tells me "No hidden items found "
Looks like my system is clean.
Bill Castners Answer #1 and #3 seem to be the problem.
Is there anything I can do to stop this, or do I have to change the domain name at the web hosting place?
Thanks
Sven

 

For one you'll have to do some sleuthing, and I'm not versed in what needs to be done. First thing is to email all your friends, currently in your address book, explaining one of them may be infected with the worm and not know it.

Beyond that, I'm at a loss.

For the second thing, you could get your ISP to change your email, tho whether or not they will depends, most of those rules vary from ISP to ISP.

Wish I could be of more help.

 

Thanks for trying.
I will give that a try
Sven