Author Topic: mysterious file in OE's Outbox  (Read 7044 times)


Offline Lost_Maple

  • Newbie
  • Posts: 6
mysterious file in OE's Outbox
« on: March 21, 2006, 06:16:09 AM »
Hello:

This is my first post to the forum.  I'm glad I found my way here.  A few days ago I received an odd email
which appeared to be from someone I correspond with.  However, the name was misspelled, and the
message body was incoherent and obviously not written by my friend.  This of course was a signal that all was not well.  Using the Search and Recover utility I looked through Outlook Express for deleted email.
I found an odd "deleted" email in my Outbox.  It was addressed to someone in my address book, but it was "from" the misspelled name on the email I'd just received.  Obviously, I have some bad code on my computer.  This "deleted" file is active and is harvesting my email.  I have found no evidence that it is actually sending my harvested email out, although that doesn't mean it isn't.

A thorough search with my regular anti-virus software (System Suite/Licensed Trend Micro) did not find anything.  I downloaded Avast and, while it found several trojans/viruses that the Trend software didn't find, it also didn't find the code relating to this mysterious file.  I have also downloaded and run several
anti-spyware programs (Ad-Aware, Spybot, Microsoft, Webroot, etc.) and they have not found the source
of the spurious Outbox file.

How can I best go about removing this thing?  My first idea is to use a file shredder to overwrite the
Outbox space and then to replace the folder with a new Outbox folder.  That way if the code has been
disabled the spurious file shouldn't reappear in the Outbox folder.  On the other hand, if it does reappear, then I've got a big problem.

Any suggestions/ideas about how best to deal with this problem will be much appreciated.

Thanks.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67185
Re: mysterious file in OE's Outbox
« Reply #1 on: March 21, 2006, 01:10:55 PM »
First, avoid using Trend Micro and avast simultaneously: antivirus conflicts.
In fact, I'd scan with ewido and with a-squared anti-trojan and anti-spyware tools. In fact, I was expecting that Webroot would have caught it.
Did you run a boot time scanning with avast?

If you just delete the outbox file it will be 'regenerated' by OE when you receive the next mail. You don't need to 'replace' the file.
The best things in life are free.

Offline Lost_Maple

  • Newbie
  • Posts: 6
Re: mysterious file in OE's Outbox
« Reply #2 on: March 22, 2006, 06:33:58 AM »
Thanks for your reply.  I will run an Avast boot scan when I finish this post.  I'm also downloading
ewido now and will run it too.

I just mailed a couple of large text files to myself as a test: the Outbox hidden file immediately harvested
the emails as soon as they arrived on my system.  So, the pesky worm is still quite active. 

I'll write again as soon as I find out more information.

Thanks again for writing me.     


Offline Lost_Maple

  • Newbie
  • Posts: 6
Re: mysterious file in OE's Outbox
« Reply #3 on: March 23, 2006, 07:46:15 AM »
Hello:

I ran an Avast boot scan w/ today's update.  I also downloaded Ewido and ran a scan with it.  The boot
scan didn't find anything.  Ewido found some cookies, but nothing else.   Previous scans with Avast
found some bad code on my system, as did the several anti-spyware programs I now have.  I think most of the bad code was from attachments I have received but which were never opened.  There was some bad code that was active, however.  My firewall is working and notifies me of attempts to contact the internet.  As I mentioned, the hidden file in my outbox is still active and is still harvesting my emails.  I have set OE to ask permission to send emails.

I have just found that the rund1132.exe shown in the enclosed HijackThis log is the Worm Dopbot.A.  Avast didn't find it, nor did any of the other scans by the other programs I am using.  I found instructions on manually removing this program.  I'll do that tomorrow.  (Note:  I am running XP2 and IE with all updates so perhaps this worm is not active.  We'll see. . .)

I'd appreciate it if you would look at the enclosed log and tell me if you see anything suspicious.  I fear I'm quite the
amateur at this.   (Your software wouldn't allow me to post the entire log.  I hope this is enough to be useful.)


Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 11:50:38 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\program files\acdc_hp\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\VCOM\AutoSave\AutoSave.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iolo\Search and Recover\DiskImageService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\VCOM\SYSTEM~1\mxtask.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\SPYWARE_REMOVERS\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC07.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG07.EXE



Offline Lost_Maple

  • Newbie
  • Posts: 6
Re: mysterious file in OE's Outbox
« Reply #4 on: March 23, 2006, 07:48:33 AM »
Here is the other half of the HijackThis log.  Hope this will be helpful.

Again, thanks.



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [CXMon] "c:\program files\acdc_hp\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [AutoSave] "C:\Program Files\VCOM\AutoSave\AutoSave.exe" /Autorun
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [Search and Recover Disk Image Service] C:\Program Files\iolo\Search and Recover\DiskImageService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120098220968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {87759FF2-3129-4287-8EDD-3E0F3D875F12} (NVSupport.Computer) - http://support.nvidia.com/Content/NVSupport/Includes/NVSupport.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?323
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B6C89A0-9A91-4C81-88C6-17DF329A0DFD}: NameServer = 207.69.188.187 207.69.188.186
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slmdmsr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SystemSuite Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe


CharleyO

  • Guest
Re: mysterious file in OE's Outbox
« Reply #5 on: March 23, 2006, 07:39:03 PM »
***

Welcome to the forums, Lost_Maple.    :)

You have a sign of Symantec products in your HJT log.

Quote
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
Do you have or have you had Symantec programs on this computer? Depending on what program, this could cause a conflict.

You also have Windows Messenger running. This is not good. Please do not confuse this with MSN Messenger as it is not the same program.

Quote
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Please read my post at the link below to learn more about this and a solution to close this "backdoor" into your computer.

http://forum.avast.com/index.php?topic=18803.msg159132#msg159132

I am no expert on reading HJT logs so there may be something I missed.

I hope this helps you.    :)


***

Offline Lost_Maple

  • Newbie
  • Posts: 6
Re: mysterious file in OE's Outbox
« Reply #6 on: March 25, 2006, 05:47:42 AM »
Tech: I d/loaded ewido---good software, thanks for the recommendation.   

Charlie:  I have Windows Messenger blocked with my firewall.  It's by Symantec.  I haven't noticed any running problems with Avast.  When I ran Avast it found some bad code that the Trend implementation
in System Suite didn't find.  Do you know of any problems with Avast and the Symantec firewall?

There's been a change which I want to report.  Yesterday, I couldn't find the "deleted" Outbox file I've written about.  This file is apparently written by a worm/virus and harvests email.  Yesterday when I checked, the hidden file was not present in the outbox.  I found no joy in this: I think it just means that the worm/virus is still active despite everything.  I think it mailed itself, bypassing OE.  Not good.

Yesterday afternoon, I ran a full Avast boot scan---nothing.   Last night I booted into safe mode and first ran a full scan with Avast.  Again, it completed without finding anything.  I then followed with Microsoft's Defender beta, Spycatcher,  Ewido, Spybot, (and a rootkit finder whose name I can't recall). . .  All they turned up were a few tracking cookies.

Today I checked to see if the hidden file would again appear in my outbox.  I emailed a couple of large files to myself.  Immediately on receiving them back, the spurious file appeared in my outbox.  It appeared to be an email and had my name as both TO and FROM.  It had harvested both recent emails.

So, the worm/virus is still resident on my system.  Despite numerous determined efforts, it's still active.

What is disturbing is that this worm/virus is defying some of the best software designed to eradicate it.

This causes me to wonder what manner of worm/virus I have that is so persistently defying some pretty sophisticated software's efforts to destroy it?   

Tech, Charlie and anybody:  Do you guys have any suggestions about what I can do to get rid of this problem?  I can't believe that there are worms/viruses that can't be removed, but this one is certainly
giving every indication of that possibility.

Any ideas, guys??

Thanks,

Jim


CharleyO

  • Guest
Re: mysterious file in OE's Outbox
« Reply #7 on: March 25, 2006, 07:53:34 AM »
***

Ok, Jim ... I did not know you had the Symantec firewall. I just wanted to be sure there was no conflict there. As far as I know, there should be no problem with that firewall.

The only removal I have found so far for this is by manual means but you mentioned finding that. Also, the link below provides some more info and it "suggests" that if the OS is above SP1 this backdoor bot is less of a threat.

http://msmvps.com/blogs/harrywaldron/archive/2005/2/13.aspx

Sorry, I have looked high and low but find nothing more than manual removal. Where did you find those at? I found 3 listings for manual removal.


***

Offline Lost_Maple

  • Newbie
  • Posts: 6
Re: mysterious file in OE's Outbox
« Reply #8 on: March 27, 2006, 07:21:33 AM »
Charlie. . .

It turns out I don't have the DOPBOT.A worm.  The bad code uses a slight font difference (l vs. 1) to confuse people.   When I checked registry keys for things to remove, the DOPBOT.A-specific ones were
not present.

I found the manual removal instructions at the Trend Micro site, BTW. . .

I ran Rootkit Revealer and found the following things (see below).  Note the remote access data mismatch.

HKLM\S-1-5-21-1275210071-1767777339-682003330-1003\RemoteAccess\InternetProfile   8/22/2004 5:21 PM   9 bytes   Data mismatch between Windows API and raw hive data.

This is something new I haven't found before.  Forgive my ignorance, but is this significant?

I find it interesting and very frustrating that this email virus/worm is successfully hiding from some of the world's best software.  Today I ran another safe mode scan with several of the spyware utilities I've d/loaded and, while some turned up the odd cookie, nothing else was found.  I also ran Avast with the
latest pattern file.  Nothing there, either.   (I'm not complaining about the software, by the way).

I'm about at the point where a reformat may be the only way to kill this problem.

Jim
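As an added illustration, not code from this thread or from any of the tools named in it: a small triage pass over a HijackThis log in the format posted in Replies #3 and #4, which also checks process and Run-key file names for the "l vs. 1" look-alike trick Jim mentions in Reply #8. The list of system binaries, the confusable-glyph table, the function names and the sample log (which includes one made-up `rund1132.exe` process) are all assumptions of the example.

```python
import re
from os.path import basename

# Windows binaries that malware names often imitate (assumed list; extend as needed).
KNOWN_SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
# Glyphs that read alike in many fonts; folding both names makes look-alikes compare equal.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o"})
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")

def fold(name):
    return name.lower().translate(CONFUSABLES)

def lookalike(path):
    """Return the system binary this file name imitates, or None if exact or unrelated."""
    name = basename(path.replace("\\", "/")).lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    return next((k for k in KNOWN_SYSTEM_BINARIES if fold(k) == fold(name)), None)

def run_executable(cmd):
    """Executable part of a Run value: the quoted path, or the text before the first space."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]

def triage(log):
    """Return (finding, line) pairs for log entries that deserve a closer look."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if DRIVE_PATH.match(line):                       # 'Running processes' section
            hit = lookalike(line)
            if hit:
                findings.append((f"lookalike of {hit}", line))
        elif line.startswith("O20 - AppInit_DLLs:"):     # DLL loaded into every process using user32
            findings.append(("appinit_dll", line))
        elif line.startswith("O23 - ") and "(file missing)" in line:
            findings.append(("service_file_missing", line))
        elif line.startswith("O4 - Global Startup:") and line.endswith("= ?"):
            findings.append(("startup_unknown_target", line))
        elif (m := O4_RUN.match(line)):
            exe = run_executable(m.group("cmd"))
            if not DRIVE_PATH.match(exe):                # resolved via PATH: verify which copy runs
                findings.append(("run_unqualified_path", line))
            elif lookalike(exe):
                findings.append((f"lookalike of {lookalike(exe)}", line))
    return findings

# Constructed sample: lines modelled on the thread's log plus one made-up look-alike process.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rund1132.exe
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""
```

Calling `triage(SAMPLE_LOG)` flags the made-up process, the bare `NVATray.exe` entry, the unresolved startup shortcut, the AppInit_DLLs entry and the service with a missing file; a flag only marks an entry to verify by hand, not a verdict.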