Help Please, I have a virus that keeps sending out emails

Can someone please help me. I have a virus. I opened an email last night and now even when I shut my email I keep getting a pop up in the bottom right that is Symantic and it says scanning messege. Sometimes it is doing four or five at a time. Then I'll get something that pops up and says it can't messege can't be delivered, 550 virus's found in email. It is just a continuous cycle. I had something about a year ago that got into my computer and mailed out virus's under my email address, I hope that isn't going on now but I have a feeling it is.

Here is my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 8:15:39 AM, on 4/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wfdmgr.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [LSA] wfdmgr.exe
O4 - HKLM\..\RunServices: [LSA] wfdmgr.exe
O4 - HKCU\..\Run: [LSA] wfdmgr.exe
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CHECKIT\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CHECKIT\86\CheckIt86.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29183e8ada6e78d0df22/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Please help me on this, I'm desperate, I am going to shut my home computer off and check this from work until I get it fixed, I don't want to mess other's computers up!

Thank you very much!

Sincerely,

Grant

 

Info on the virus.
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=42026

Fix these with HijackThis.

O4 - HKLM\..\Run: [LSA] wfdmgr.exe
O4 - HKLM\..\RunServices: [LSA] wfdmgr.exe
O4 - HKCU\..\Run: [LSA] wfdmgr.exe

Reboot to safe mode and delete the wfdmgr.exe file in C:\WINDOWS\system32
Empty ALL temp folders and C:\Windows\Prefetch
Empty the recycle bin.

If you're comfortable with regedit, delete the LSA key from these two;

HKCU\Software\Microsoft\OLE\LSA = "wfdmgr.exe "
HKLM\Software\Microsoft\OLE\LSA = "wfdmgr.exe "


and the LSA subkey under the LSA key in these two;

HKCU\System\CurrentControlSet\Control\Lsa\LSA = "wfdmgr.exe "
HKLM\System\CurrentControlSet\Control\Lsa\LSA = "wfdmgr.exe "

Recommend exporting the keys first.

Reboot and scan with an online virus scanner, such as eTrust in my signature and/or RAV.

 

Noah,

Again, thanks for your help and quick response.....

I am going home over my lunch hour to try and clean this up. I don't know what regedit is....so obviously I'm not comfortable with it Is it hard to delete the LSA codes? Is that a difficult process?

Also, how do I reboot in safe mode? When I'm done, do I need to do anything to make sure my computer doesn't always reboot into safe mode?

Thanks again,

Grant

 

Start run regedit. use find and F3 to find next. use only the edit menu to delete the value.

 

My computer has some hardware issues I think. Whenever I try to reboot or when I first boot up a message appears that says "imminent hard drive crash ", or something like that, it says to hit F1 to boot or F8 or something for help. Then it says it has to do a scan check FAT31 or something like that and it gives you ten seconds to hit any key to cancel. If you don't cancel then the computer eventually freezes up during the scan so I always cancel.

Anyway, I could not reboot in safe mode, it kept freezing up, so I fixed all those things you said to fix in HIJACKTHIS and then I deleted wfdmgr.exe but I was not in safe mode when I deleted it. Is that ok? The scans have stopped and it seems as of right now the problem is fixed. I'm still not real sure what do do with the regedit, I tried to search for those keys but I couldn't find them.....

Anyway, I'm heading back to work, I'll try to finish later, anything else as of right now?

Thanks for your help again Noah.

Sincerely,

Grant

 

Download the LSA.zip file attached to this post. Save it to your desktop. If it saves as attachment.php, right click and rename to LSA.zip You may need to enable viewing extensions for known file types to see the zip and php extensions. To do that, open My Computer and click Tools on the menu, then folder options. Click the view tab of the window that opens and uncheck the box to Hide extensions...... and click OK. Now right click the zip and extract the LSA.bat file to your desktop. Double click it to run. It will remove the registry entries and create a backup LSA.reg in Local Disk C: If you experience any problems after running the bat file, double click the reg file and allow it to merge with the registry.

That error message is scary. Suggest you invest in a new hard drive and get any data you want to keep off of that drive.

Upon powering up, repeatedly tap F8. You should then get a boot menu where you can choose safe mode. If you succeed in booting to safe mode, open My Computer and right click C:, then choose properties. Click the tools tab and then click Check now. Check both boxes of the popup and click start. Wait for the disk check to complete before doing anything else, even moving the mouse. It may take a while, so go drink a beer or two.

Post a new HijackThis log when done.

 

Here is my latest scan log

Logfile of HijackThis v1.99.1
Scan saved at 11:01:56 PM, on 4/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\CheckIt\86\CheckIt86.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
O9 - Extra button: (no name) - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CHECKIT\86\CheckIt86.exe
O9 - Extra 'Tools' menuitem: CheckIt &86 - {2887F316-8C6C-47ae-A462-D2C9739D2C3D} - C:\PROGRA~1\CHECKIT\86\CheckIt86.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29183e8ada6e78d0df22/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Couple things, I tried to do the system file scan where I go to my computer, right click C, go to properties, click on tools tab, check now, then check both box's but when I click start is says that it can't do it because some files need to be accessed and they can only be accessed when I start the computer next time, then it asks if I'd like to do a scan next time I start my computer. I tried it in safe mode and regular. I did get it to scan just on my own though when trying to reboot, it took a good hour. It said that it fixed a file and then it scaned for file size and space or something like that.

Anyway, I also tried to do a system scan with the RAV that you were talking about Noah, but it says I can't, that my security settings need to be on medium and that Active XBox (or something like that), couldn't load. I also tried to use the one in your signature and it said that the load failed and it asked if I was using internet explorer 4.o or higher.

That main virus seems to be gone now though, is there anything else you recommend doing at this point?

Thanks,

Grant

 

Use this online scanner from Trend Micro. No ActiveX required. Let us know the results.

Had forgotten that check disk had to run at startup. Did you get the same hard-disk failure message after running it?

Your HJT log looks clean.

 

Hey Noah, I ran the Trend Micro...it found four things, it started with worm. However, I didn't clean any of it up yet, it gave me two options. Should I just have it fix those problems, or should I have it fix it, repair damage (I think), and then do a rescan?

Also, I still get the "hard drive imminent danger" warning...but the scan doesn't come up anymore!

Thanks,

Grant

 

Fix and repair would probably be my choice.

Have you backed up important data yet?

 

Ok, here is the lastest, after running House Call (Trend Micro) again, I tried to fix and repair, it said that it could not fix the problems that were on my computer. The problems are listed below.....

WORM.MYTOB (1) C:\Documents and Settings\Grant\Local Settings\Temp then I can't see the rest
WORM.MYTOB (2) C:\Documents and Settings\Grant\Local Settings\Temp
WORM.MYTOB (3) C:\Documents and Settings\Grant\Local Settings\Temp
WORM.MYTOB (4) C:\System Volume Information\_restore{5ACF38D-0CA then it cuts off and I can't see the rest.


Any suggestions?

Thanks again, in advance....

Grant

 

Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

Reboot to safemode. Click start>run and type %temp%, then hit enter. Select all and delete.
Empty the recycle bin and reboot back into Windows.

Re-enable system restore.
You should be clean.