I have problems with "Worm.SomeFool.P"

Discussion in 'adware, spyware & hijack cleaning' started by ToftXXX, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. ToftXXX

    ToftXXX Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    3
    Hi all,

    My wife frequently receives warnings from mailservers, notifying her that mails send from her mail address has been blocked due to "Worm.SomeFool.P". I do not ahve the same problem, allthough we are using the same PC and hotmail accounts.

    I run Spybot version 1.2, AVG Antivirus 6.0, Cygate personal firewall vers. 5.5 + there is a firewall in my ADSL router. The settings of this firewall I do not have access to...

    Below you will find the HijackThis report performed after running Spybot. I hope you will be able to help me.

    One more question: Do my wife and I have to change all passwords after cleaning the PC? How dangerous is Worm.SomeFool.P actully?

    I hope someone will be able help me on the subject.

    Regards
    ToftXXX

    Logfile of HijackThis v1.97.7
    Scan saved at 23:43:44, on 25/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Sygate\SPF\Smc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\USB Disk Tool\USNDISKT.EXE
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINNT\System32\hphmon05.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINNT\System32\P2P Networking\P2P Networking.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\System32\HPZipm12.exe
    C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Plaxo\2.0.1.13\InstallStub.exe
    C:\Program Files\WinTV\Ir.exe
    C:\Program Files\Office Suite3.0\program\soffice.exe
    C:\WINNT\system32\LVComS.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a-c.dk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1036,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Fichiers communs\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [USB Disk Tool] C:\Program Files\USB Disk Tool\USNDISKT.EXE
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [PowerDVD] C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe /autostart
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.0.1.13\InstallStub.exe -a
    O4 - Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
    O4 - Startup: Office Suite 3.0.lnk = C:\Program Files\Office Suite3.0\program\quickstart.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...ector/swdir.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8018.0746990741
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/ge...ash/swflash.cab
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/tr...oaderSigned.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
     
  2. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
  3. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    I agree with IMM. these are probaby spoofed Emails.
    Are they messages that were actually sent?
     
  4. ToftXXX

    ToftXXX Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    3
    Hi IMM and Dave 38

    Thanks for your reply. I should probably have forwarded the below mail along when I submitted the first mail. I suppose this changes things slightly, although. Should I take the below message serious or disregard it?

    Regards
    Toftxxx
    --------
    Mail from: System Anti-Virus Administrator <antivirus.net@hrnoc.net>

    DO NOT REPLY TO THIS MESSAGE:
    As your reply will go nowhere.

    Attention: xxxxxxx@hotmail.com


    A virus was found in an Email message you sent.
    This Email scanner intercepted it and stopped the entire message
    reaching its destination.

    The virus was reported to be:

    Worm.SomeFool.P


    Please update your virus scanner/signatures or contact your local
    IT support personnel as soon as possible. As you may have a virus
    or a Trojan program installed on your system. For any questions
    regarding the virus policies of this network, please contact
    HostRocket.com Support Personnel. Support may be contacted via
    Email at 'support.com' or through the support website
    located at http://www.rocketsupport.com.


    DO NOT REPLY TO THIS MESSAGE:
    As your reply will go nowhere.


    Your message was sent with the following envelope:

    MAIL FROM: xxxxxxx@hotmail.com
    RCPT TO: erik@xxxxxx.com

    ... and with the following headers:

    ---
    MAILFROM: xxxxxxx@hotmail.com
    Received: from p431-017.ppp.get2net.dk (HELO xxxxxx.com) (195.47.143.145)
    by mx3.hrnoc.net with SMTP; 25 Jun 2004 08:53:03 -0000
    From: xxxxxxx@hotmail.com
    To: erik@xxxxxx.com
    Subject: Re: Request
    Date: Fri, 25 Jun 2004 01:53:03 -0700
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
    X-Priority: 3
    X-MSMail-Priority: Normal
     
  5. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    If you've updated your AV definitions recently - scanned - and you are clean - then disregard.
    That's very likely a piece of software which knows no better, passing as intelligent. It fails the turing test -- very artificial :)
     
  6. ToftXXX

    ToftXXX Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    3
    Hi IMM

    Thanks a lot...

    ToftXXX
     
Thread Status:
Not open for further replies.