Worm.SomeFool.p

Discussion in 'adware, spyware & hijack cleaning' started by H. Stoellinger, Jun 7, 2004.

Thread Status:
Not open for further replies.
  1. H. Stoellinger

    H. Stoellinger Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    1
    Location:
    Austria
    I keep getting e-mail with "Mail Delivery error" or the like in the subject line from people I never intentionally sent messages to. Today I got a message where apparently virus-checking software maintains that e-mail from my PC contains the above worm. I am including the HijackThis log and wonder whether anybody could help. I have already run Symantec's Netsky removal tool because somebody indicated that SomeFool.p might be a Netsky variant. The tool did not find anything.
    Regards
    H. Stoellinger
    Here comes the log:
    Logfile of HijackThis v1.97.7
    Scan saved at 09:42:30, on 07.06.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    F:\Apache\Apache2\bin\Apache.exe
    F:\AVG\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\Programme\Kerio\Personal Firewall 4\kpf4ss.exe
    F:\Apache\Apache2\bin\Apache.exe
    F:\mysql\bin\mysqld.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Programme\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINNT\system32\PROMon.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
    F:\AVG\avgcc32.exe
    C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNT\system32\internat.exe
    C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
    F:\Webroot\Washer\wwDisp.exe
    F:\security\A2\a2guard.exe
    F:\lotus\smartctr\suitest.exe
    F:\Apache\Apache2\bin\ApacheMonitor.exe
    F:\StarOffice7\program\soffice.exe
    F:\Opera\opera.exe
    F:\lotus\approach\approach.exe
    F:\Tmp\Downloads\HighJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\GEMEIN~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\GEMEIN~1\Real\Toolbar\realbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG_CC] F:\AVG\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [AutoStart-Manager] REM F:\Tuning\AutostartMgr\AutoStart-Manager.exe /AUTOSTART
    O4 - HKCU\..\Run: [Window Washer] F:\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [a²] "F:\security\A2\a2guard.exe"
    O4 - Startup: Monitor Apache Servers.lnk = F:\Apache\Apache2\bin\ApacheMonitor.exe
    O4 - Startup: StarOffice 7.lnk = F:\StarOffice7\program\quickstart.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Lotus Organizer EasyClip.lnk = F:\lotus\organize\easyclip.exe
    O4 - Global Startup: Lotus QuickStart.lnk = F:\lotus\wordpro\ltsstart.exe
    O4 - Global Startup: Lotus SmartCenter.lnk = F:\lotus\smartctr\smartctr.exe
    O4 - Global Startup: Lotus SuiteStart.lnk = F:\lotus\smartctr\suitest.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = F:\Tools\Archiving\WinZip\WZQKPICK.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Konsole (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi H. Stoellinger,

    Nothing wrong with your log.

    Those emails you are receiving saying that you have a virus may be spoofed, meaning that someone who has your email address in their address book has this virus. What happens in these cases is that the virus replicates itself by emailing itself to everyone in this person's address book and spoofs the name of the sender (again taking the name from the address book). So when some of these infected mailings are rejected by the recipients' anti-virus screening, the emails are bounced back not to the real sender, but to the one whose address was spoofed in the 'From' field.

    Regards,

    Pieter
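The mechanism Pieter describes can be checked against the bounces themselves. What follows is an added example, not code from this thread or from any of the tools in the log: a Python script that pulls the rejected original out of a bounce (DSN), reads its Received chain, and reports whether the mail ever passed through the user's own outgoing mail server. The host names, addresses and both sample bounces are constructed for the example; mail.example.net stands in for whatever server the spoofed user actually sends through.

```python
import email
import re
from email import policy

# Assumption (not from the thread): mail.example.net is the only host that
# legitimately relays outbound mail for addresses at example.net.
OWN_MTA = "mail.example.net"

# Constructed bounce. The quoted original claims to be From: victim@example.net,
# but its only Received hop is a dial-up host handing the mail straight to the
# recipient's MX, which is how a mass-mailing worm sends from an infected PC.
SPOOFED_DSN = """\
From: Mail Delivery System <MAILER-DAEMON@mx.recipient.example>
To: victim@example.net
Subject: Mail Delivery error
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The message was rejected by the content scanner: Worm.SomeFool.p

--B1
Content-Type: message/rfc822

Received: from pD9E1234.dip.dialup.example ([203.0.113.77])
    by mx.recipient.example with SMTP id abc123; Mon, 7 Jun 2004 08:12:33 +0200
From: victim@example.net
To: someone@recipient.example
Subject: Re: Document

(worm body omitted)

--B1--
"""

# Constructed bounce for mail the user really sent: it entered the mail system
# at the user's workstation and passed through OWN_MTA before reaching the MX.
GENUINE_DSN = """\
From: Mail Delivery System <MAILER-DAEMON@mx.recipient.example>
To: victim@example.net
Subject: Mail Delivery error
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

User unknown: nobody@recipient.example

--B2
Content-Type: message/rfc822

Received: from mail.example.net (mail.example.net [198.51.100.5])
    by mx.recipient.example with ESMTP id def456; Mon, 7 Jun 2004 09:01:10 +0200
Received: from workstation.example.net ([192.0.2.10])
    by mail.example.net with ESMTP id ghi789; Mon, 7 Jun 2004 09:01:05 +0200
From: victim@example.net
To: nobody@recipient.example
Subject: meeting notes

(original body omitted)

--B2--
"""

# "from <sending host> ... by <receiving host>" inside one Received header
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S | re.I)


def extract_original(dsn):
    """Return the rejected original quoted inside a DSN, or None if absent."""
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)  # the embedded message object
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def received_hops(msg):
    """Parse the Received chain; index 0 is the latest hop, -1 the earliest."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append({"from": m.group(1).lower(), "by": m.group(2).lower()})
    return hops


def classify_bounce(raw_dsn, own_mta=OWN_MTA):
    """Decide whether a bounce is backscatter from a spoofed From: or genuine."""
    dsn = email.message_from_string(raw_dsn, policy=policy.default)
    original = extract_original(dsn)
    if original is None:
        return {"verdict": "unknown", "reason": "bounce does not quote the original"}
    hops = received_hops(original)
    if not hops:
        return {"verdict": "unknown", "reason": "quoted original has no Received headers"}
    # Mail we really sent was accepted "by" our own MTA at some hop; a worm on
    # someone else's PC talks to the recipient's MX directly and never touches it.
    relayed_by_us = any(h["by"] == own_mta.lower() for h in hops)
    entry = hops[-1]  # bottom-most Received line: where the mail entered the system
    return {
        "verdict": "genuine" if relayed_by_us else "backscatter",
        "claimed_from": str(original["From"]),
        "injected_from": entry["from"],  # the host that really sent it
        "first_receiver": entry["by"],
    }
```

For the constructed spoofed bounce the verdict is "backscatter" and injected_from names the dial-up host, which is the machine that actually carries the worm; for the genuine one it is "genuine". One caveat: only the top-most Received line, added by the recipient's MX, is beyond the sender's control, and a sender can forge the lines below it, so a "by our MTA" hop is a triage hint rather than proof. For certainty, compare the quoted original's date, recipient and queue id against your own mail server's logs.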