Показано с 1 по 10 из 10.

"Outgoing mail" that I'm not sending

  1. #1
    Junior Member Репутация
    Регистрация
    28.05.2008
    Сообщений
    6
    Вес репутации
    58

    Thumbs up "Outgoing mail" that I'm not sending

    I'm not sure how this started - infected wireless network? - but the only indicator of a problem is my (nearly useless) PC-Cilin protection software notifying me that it is "scanning outgoing mail" without me actually sending anything. This has happened irregularly for a few months now. Repeated attempts to search/quarantine/fix the problem indicate that, first, it's a rootkit issue, and second, it's a royal bugger to kill off. Every scan with a new product seems to come up with a new virus, Trojan, or something.

    It's not hugely affecting my normal activities -yet - but it makes me wonder how much the guilty parties are able to read my typing or otherwise see everything I'm doing.

    Attached as requested are the two AVZ files and the HijackThis log. The cnvfatr.dll activity seems to be significant, as well as another .dll control that has a single letter appended to the normal name.

    Please advise if there's any other pertinent info for me to pass along, and thank you very much in advance for your gracious help.
    Вложения Вложения

  2. #2
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Switch your Antivirus and Firewall OFF!!!
    Switch the System Recovery off
    Run Hijackthis and Fix
    Код:
    O2 - BHO: (no name) - {164DBEE2-7074-4C63-B6AF-066852EDFB95} - c:\windows\system32\cnvfatr.dll
    O2 - BHO: (no name) - {2A722E69-CFE6-495F-8CE1-719F8F9383D1} - C:\WINDOWS\system32\dpnhpastw.dll
    O20 - Winlogon Notify: yznfncmh - C:\WINDOWS\SYSTEM32\cnvfatr.dll
    Run the script
    Код:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
     DeleteService('ouwwfedk');
     QuarantineFile('C:\WINDOWS\System32\bcmwlpkt.dll','');
     QuarantineFile('C:\WINDOWS\System32\bcm1xsup.dll','');
     QuarantineFile('C:\WINDOWS\system32\dpnhpastw.dll','');
     QuarantineFile('c:\windows\system32\cnvfatr.dll','');
     QuarantineFile('C:\WINDOWS\system32\Drivers\ouwwfedk.sys','');
     QuarantineFile('C:\WINDOWS\system32\dpnhpastw.dll','');
     QuarantineFile('C:\WINDOWS\system32\drivers\ouwwfedk.sys','');
     DelBHO('{2A722E69-CFE6-495F-8CE1-719F8F9383D1}');
     DelBHO('{164DBEE2-7074-4C63-B6AF-066852EDFB95}');
     DelBHO('ID');
     DelBHO('{2A722E69-CFE6-495F-8CE1-719F8F9383D1}');
     DeleteFile('C:\WINDOWS\system32\drivers\ouwwfedk.sys');
     DeleteFile('C:\WINDOWS\system32\dpnhpastw.dll');
     DeleteFile('C:\WINDOWS\system32\Drivers\ouwwfedk.sys');
     DeleteFile('c:\windows\system32\cnvfatr.dll');
     DeleteFile('C:\WINDOWS\system32\dpnhpastw.dll');
    BC_ImportDeletedList;
    ExecuteSysClean;
    BC_Activate;
    ExecuteRepair(1);
    ExecuteRepair(6);
    EcecuteRepair(7);
    RebootWindows(true);
    end.
    After re-boot upload a quarantine file following red the link on the top of the page and make/attach 3 new logfiles.

  3. #3
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для RiC
    Регистрация
    22.04.2005
    Сообщений
    1,988
    Вес репутации
    571

  4. #4
    Junior Member Репутация
    Регистрация
    28.05.2008
    Сообщений
    6
    Вес репутации
    58

    Ongoing....

    Okay, so I did the following:

    1. Shut off the firewall , System Restore, and the aforementioned feckless PC-Cilin.

    2. Opened up AVZ and loaded in the script, opened HijackThis and selected the indicated lines.

    3. Closed out of everything else.

    4. Ran HijackThis first and then AVZ in quick succession; system rebooted as expected.

    5. Figured out how to .zip the quarantine file, if not how to encrypt it, so hopefully it will just open up. I had to do this twice, so if you see a second one it's identical and unnecessary.

    6. Re-ran the AVZ and HijackThis searches as indicated. The first AVZ scan found something it identified as "Rootkit.Win32.Podnuha.ay", which makes me edgy. Didn't see anything worrisome on the other two, but didn't look too closely.

    7. Attached the appropriate log files.

    So how are we doing, guys?
    Вложения Вложения

  5. #5
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для AndreyKa
    Регистрация
    08.01.2005
    Адрес
    Россия
    Сообщений
    13,632
    Вес репутации
    1315
    So we have
    C:\WINDOWS\system32\dpnhpastw.dll - damaged (it was Rootkit.Win32.Podnuha.cb)
    C:\WINDOWS\System32\bcmwlpkt.dll,
    C:\WINDOWS\System32\bcm1xsup.dll - clean
    C:\WINDOWS\system32\Drivers\ouwwfedk.sys - VirTool:WinNT/Boaxxe.E (detected by Microsoft antivirus)
    c:\windows\system32\cnvfatr.dll - Trojan.Win32.Obfuscated.avw (a new threat)

    Run Hijackthis and Fix
    Код:
    O2 - BHO: (no name) - {164DBEE2-7074-4C63-B6AF-066852EDFB95} - c:\windows\system32\cnvfatr.dll
    O20 - Winlogon Notify: yznfncmh - C:\WINDOWS\SYSTEM32\cnvfatr.dll
    After re-boot make and attach a new Hijackthis logfile.
    Is unnecessary outgoing mail disappear?

  6. #6
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Цитата Сообщение от Fast Panda Посмотреть сообщение
    aforementioned feckless PC-Cilin
    You shouldn't move the responsibility towards any security software. It's only a program due to recognize any other program as malicious, any malicious program try to dupe a security program... The responsibility lies in each case upon the person using the system

  7. #7
    Junior Member Репутация
    Регистрация
    28.05.2008
    Сообщений
    6
    Вес репутации
    58
    Okay, so I tagged those two on HijackThis (which each had [file missing] at the end of the string - definitely a Good Sign!), rebooted, and rescanned. See attached file.

    No "scanned outgoing mail" yet since last night's procedures; it's looking hopeful, but occasionally the messages would skip a day. I'm still sort of holding my breath. And dear God, what's up with the shopping list of infections?

    Rene: Yeah, I know; I'm not blaming my antivirus software as much as I am the amoral sadistic cretins who came up with these ingenious violations of my privacy. I'm just disappointed that what was once a top-rated product didn't do what I thought it was supposed to do.

    Speaking of which, am I supposed to turn the antivirus and my firewall back on yet?

    Thanks too much again, guys. Will keep you posted.
    Вложения Вложения

  8. #8
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для AndreyKa
    Регистрация
    08.01.2005
    Адрес
    Россия
    Сообщений
    13,632
    Вес репутации
    1315
    The log is clean. Viruses have removed.
    You have to turn the antivirus, System Restore and firewall on.

  9. #9
    Junior Member Репутация
    Регистрация
    28.05.2008
    Сообщений
    6
    Вес репутации
    58
    Hi, folks:

    A quick two-part follow-up: First, the offending behavior has now stopped, and I'm starting to feel safe about doing normal semi-secure things again. Thank you tremendously for your enlightened guidance.

    Second, sort of a leftover concern from the exorcism process: Should I delete the quarantine file folder that AVZ generated? Is there any other housecleaning I should perform to really scrub everything out thoroughly?

    Thanks much again; will be around.

  10. #10
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для drongo
    Регистрация
    17.09.2004
    Адрес
    Israel
    Сообщений
    7,164
    Вес репутации
    994
    You welcome
    Yes, you can delete a "quarantine file folder that AVZ generated". Moreover, you can send it your antivirus company, if you want to check time response of the trendmicro virlab In my opinion it is very poor
    In order to not to get in such troubles in the future, you should use an limited user account in windows, and browser i suggest : firefox+noscript.
    Good luck
    Последний раз редактировалось drongo; 05.06.2008 в 10:27.

Похожие темы

  1. Ответов: 7
    Последнее сообщение: 26.04.2012, 16:16
  2. Нет доступа к google, youtube, "ответы" mail.ru
    От ska4atfilm в разделе Помогите!
    Ответов: 21
    Последнее сообщение: 17.04.2011, 15:05
  3. Спам (Outlook express). "От кого" - мой e-mail..?
    От Oleg O. в разделе Помогите!
    Ответов: 2
    Последнее сообщение: 29.12.2008, 02:12

Свернуть/Развернуть Ваши права в разделе

  • Вы не можете создавать новые темы
  • Вы не можете отвечать в темах
  • Вы не можете прикреплять вложения
  • Вы не можете редактировать свои сообщения
  •  
Page generated in 0.00031 seconds with 20 queries