OE mail delivery messages


boueur
10-08-2006, 02:32 PM
I'm continually getting failed mail delivery messages on OE - saying that messages haven't been delivered to me.
The mail delivery source is different most times.
I posted a HJ log last week but there was nothing out of the ordinary on that (apart from an old Java version which I've now updated).
Anybody any ideas how to get rid of them?
Thanks
Boueur

mjc
10-08-2006, 03:39 PM
Like I said before, it looks like it may be a result of a previous infection. The samples you put in your previous post look like standard bounce messages. You could post one of the error messages and we can see if there is anything else we can get from it...

Budfred
10-08-2006, 04:46 PM
I don't remember what scans you said you did in the other topic... Here are a couple you can run to see if anything is lurking...

* Click here (http://support.f-secure.com/enu/home/ols3.shtml) to use the F-Secure Online Scanner
It's explained there with images how to allow the ActiveX to start the scan, so read that first.
Then click the F-Secure Online Scanner Next Generation Beta link.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button.
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.


* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

boueur
10-09-2006, 03:06 PM
Thanks again for the suggestions Budfred and mjc. I've attached logs from F-Secure and Dr.Web.
Scanning Report
Monday, October 09, 2006 07:55:35 - 09:58:25
Computer name: SN043633120185
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\

Result: 13 malware found
Tracking Cookie (spyware)
• System (Disinfected)
• System
• System (Submitted)
• System
• System
• System
• System
• System
• System
• System
• System
Trojan.Win32.LipGame.ai (virus)
• C:\WINDOWS\INTERNT.EXE (Renamed & Submitted)
W32/Startpage.CPE (virus)
• C:\APPS\CLICKME\CLICKME.EXE (Submitted)

Statistics
Scanned:
• Files: 18655
• System: 4711
• Not scanned: 3
Actions:
• Disinfected: 1
• Renamed: 1
• Deleted: 0
• None: 11
• Submitted: 3
Files not scanned:
• C:\HIBERFIL.SYS
• C:\PAGEFILE.SYS
• C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

Options
Scanning engines:
• F-Secure AVP: 6.0.171, 2006-10-06
• F-Secure Libra: 2.4.1, 2006-10-06
• F-Secure Blacklight: 1.0.31, 0000-00-00
• F-Secure Orion: 1.2.37, 2006-10-08
• F-Secure Draco: 1.0.35, 0259-24-212
• F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
• Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
• Use Advanced heuristics


I tried to put in copy of the Dr Web report but it says unable to read file from my saved version.

The gist of this report was that it found some Trojan files (which it deleted) linked to a restore - I can only assume from when I had to restore my PC a few months ago!
I'll let you know how I get on now.

Cheers

boueur

Fruss Tray Ted
10-09-2006, 03:15 PM
Which restore point did you use? Once you get this system clean it would be a good idea to delete all the infected restore points and start again with a clean slate.

Budfred
10-09-2006, 04:55 PM
Fruss Tray Ted is correct... If the scan said something about System Restore, it is likely that it found malware in the Restore Points and you need to clean it out... Working on the assumption that your computer is now clean, go to Control Panel, System and the System Restore tab... Check the option to Turn Off System Restore and then click Ok... Open that tab again and uncheck the Turn Off System Restore option and click Ok... That should reset it...

boueur
10-22-2006, 05:11 AM
I tried the F-Secure online scanner and Dr.Web... both came up with some items which I deleted, and I also did as you suggested (restore point), and I thought it had got better, but when I returned from hols I found a lot of undelivered mail again.
I've attached HJ log from this morning and a couple of the emails I'm getting.
Logfile of HijackThis v1.99.1
Scan saved at 09:01:32, on 22/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157482732984
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Typical emails:
1.
Your message to: hickman AT jepson.gonzaga.edu
was blocked by Gonzaga's Spam Firewall. The email you sent with the following subject has NOT BEEN DELIVERED:

Subject: convoluted

--------------------------------------------------------------------------------

Received: from 201-67-12-211.bsace704.dsl.brasiltelecom.net.br (unknown [201.67.12.211])
by bn1.gonzaga.edu (Spam Firewall) with SMTP id 684B32AE346
for <hickman AT jepson.gonzaga.edu>; Sat, 21 Oct 2006 12:34:06 -0700 (PDT)
Received: from 201.67.89.200 ([201.67.89.200]) by 201-67-12-211.bsace704.dsl.brasiltelecom.net.br with Microsoft SMTPSVC(6.0.3790.1830); Sat, 21 Oct 2006 17:41:10 -0200
Message-ID: <453A7622.9050804 AT wrighti.fsnet.co.uk>
Date: Sat, 21 Oct 2006 17:33:54 -0200
From: Evelina Fischer <ssc AT wrighti.fsnet.co.uk>
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
MIME-Version: 1.0
To: hickman AT jepson.gonzaga.edu
Subject: convoluted
Content-Type: multipart/related;
boundary="------------050800060408050500050600

2.
This is the Postfix program at host despina.seeyou.de.

I'm sorry to have to inform you that your message could not be
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The Postfix program

<gabbere AT der-norden.de>: host mail.seeyou.de[195.90.8.1] said: 550
<gabbere AT der-norden.de>: Recipient address rejected: User unknown in
virtual alias table (in reply to RCPT TO command)

I just haven't got a clue how to get rid of them.

Boueur

Budfred
10-22-2006, 11:03 AM
Please don't post active email addresses, you are inviting SPAMbots to collect them and SPAM those people even more...

You are probably experiencing residual effects of earlier infections... Essentially, someone stole your email address and is using it to SPAM other people... You can wait it out and it will eventually stop or you can change your email address... I would probably opt for the latter... I doubt your computer is being used as a server unless it is a very deeply buried rootkit... If it is, the best solution is to wipe the hard drive and reinstall the system from scratch... If you continue with the same email address, you will probably still get those notices...

mjc
10-22-2006, 02:37 PM
Unless you moved to Brazil lately, the messages are NOT being sent from your machine...but they are being sent with your email addie as the sender!

That is a very typical behavior for malware. It does not mean you currently are infected. It means at one time, one of the infections 'stole' your address and gave it to the spammers...
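An added example (not from the thread or any of its posters) of the check mjc is describing: walk the Received: chain of the bounced original to find the IP that actually injected the message, then compare it with the IP you connect from. The sample bounce is constructed from the first message quoted above with the addresses replaced by example.com placeholders, and the list of "own" IPs passed to is_backscatter is an assumption.

```python
import re
from email import message_from_string

# Constructed sample (added example, not from the thread): the Received chain
# copies the first bounce quoted above, with the addresses replaced by
# example.com placeholders. The spam firewall echoed the original back, so
# these headers describe the spammer's path, not the recipient of the bounce.
SAMPLE_BOUNCE = """\
Received: from 201-67-12-211.bsace704.dsl.brasiltelecom.net.br (unknown [201.67.12.211])
 by bn1.gonzaga.edu (Spam Firewall) with SMTP id 684B32AE346
 for <recipient@example.com>; Sat, 21 Oct 2006 12:34:06 -0700 (PDT)
Received: from 201.67.89.200 ([201.67.89.200])
 by 201-67-12-211.bsace704.dsl.brasiltelecom.net.br with Microsoft SMTPSVC(6.0.3790.1830);
 Sat, 21 Oct 2006 17:41:10 -0200
From: Evelina Fischer <victim@example.com>
Subject: convoluted

body omitted
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)(?:\s+\([^)]*\))?.*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """(claimed sending host, bracketed IP or None, receiving host) per hop,
    oldest first. MTAs prepend Received: lines, so header order is newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        ip = IP_RE.search(flat)
        hops.append((m.group("host"), ip.group(1) if ip else None, m.group("by")))
    return list(reversed(hops))


def origin_ip(raw):
    """IP of the earliest hop: the machine that actually injected the message."""
    hops = received_hops(raw)
    return hops[0][1] if hops else None


def is_backscatter(raw, my_ips):
    """True when the bounced original was injected from an IP that is not ours:
    the From: address was forged, so the bounce is backscatter rather than
    evidence that our own machine is sending spam."""
    ip = origin_ip(raw)
    return ip is not None and ip not in my_ips
```

Only the earliest hop is trustworthy enough to draw a conclusion from; a spammer can forge Received: lines below the ones added by servers you trust, so compare against the first hop added by a known MTA (here the Gonzaga firewall's own line) when the chain looks suspicious.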

boueur
10-23-2006, 04:34 AM
Thanks to both of you. I think I'll just sit it out as there would be too much hassle now to change email address.
Hopefully they'll get less and less and eventually die out.
At least it looks like I haven't got anything lurking in the PC!
Cheers
Boueur