Thread: email making spam- what causes that

  1. #1
    Join Date
    Nov 2007
    Posts
    6

    email making spam- what causes that

    A co-worker's computer is trying to create and send spam to a non-existent email address. The address is her home email before the @ sign, but gmail.com after it, and she doesn't use gmail. Our email program is Outlook Express. Symantec prevents it from being sent, but didn't find a virus when I ran a scan. I cleaned up her machine using Ad-aware, Spy-bot, and Spyware Doctor, Registry Mechanic and Hijack This (and Disk Clean-up and defragmented). The only really suspicious thing I found was that SweetIM had gotten on her computer, and I removed it with Add/Remove programs and HJT. I also got rid of some Yahoo stuff. When I restarted her machine, it started trying to send spam again. What could I have missed, and where would it be hiding? I've used HJT a lot, and don't think there was anything left that I didn't recognize as safe.

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Run a new HJT and post the log here... this is a scanner program, NOT a fixer program. SweetIM usually doesn't install itself; it must be downloaded and installed by the user, and oftentimes a simple uninstall is not enough, as there are other programs that may be installed at the same time.

  3. #3
    Join Date
    Nov 2007
    Posts
    6
    Here it is:
    Logfile of HijackThis v1.99.1
    Scan saved at 3:16:07 PM, on 11/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\WebCam\M1000\M1000Mnt.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\DvzCommon\DvzMsgr.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\TripleSync\TSync.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [M1000Mnt] M1000Rmv.exe /StartStillMnt
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: TSync.lnk = C:\Program Files\TripleSync\TSync.exe
    O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1155762465763
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1155763241560
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CCCIL
    O17 - HKLM\Software\..\Telephony: DomainName = CCCIL
    O17 - HKLM\System\CCS\Services\Tcpip\..\{98BE7146-DC73-4406-A3B9-1517E5E191EF}: NameServer = 192.168.0.4
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CCCIL
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CCCIL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I see at least one backdoor trojan. Are the O17 entries placed there by your friend?
    Please do an online Kaspersky scan of My Computer and post the log here. It will NOT fix anything found but give us a clearer picture of what else we may be dealing with.

  5. #5
    Join Date
    Nov 2007
    Posts
    6
    O17 is legit- that's our server/domain. I'll look into Kaspersky tomorrow.

  6. #6
    Join Date
    Nov 2007
    Posts
    6
    Kaspersky didn't find anything either, but I realized what probably happened. My cleanup did remove whatever caused the problem initially. But it had entered a message rule in OE to forward all incoming mail to this non-existent address. I hadn't checked the message rules till I started her computer today and opened her email. As messages filled her inbox, I saw messages were also filling her outbox. So the problem is fixed now, but I still wonder what had caused that to happen to begin with. The user is not very computer savvy, and I know that a lot of our staff will claim cluelessness to cover their **** when they accidentally download something (like SweetIM) that turns out to be malware. But she certainly wouldn't have made a message rule to forward her spam to her home address, and also write that address with the wrong mail program.
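    The behaviour described in this post has a simple server-side signature: every message delivered to the mailbox produces one outbound copy to a single fixed external address, so the outbound count to that one recipient tracks the inbound count almost 1:1. The script below is an added illustration for this thread, not code from any poster. It assumes a constructed, simplified mail-log format ("timestamp IN|OUT sender -> recipient"), a made-up local domain corp.example and made-up addresses; the thresholds (min_messages, min_ratio) are assumptions to tune against real volumes. It generalizes beyond this one machine to any mailbox on a mail server, which is where a blanket forward rule is easiest to catch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in a simplified "timestamp direction sender -> recipient"
# layout (not any real MTA's output). jane's mailbox receives six messages and re-sends
# six copies to one external address, the pattern a forward-everything rule leaves behind;
# bob's mailbox shows ordinary traffic for comparison.
SAMPLE_LOG = """\
2007-11-28T09:00:01 IN  vendor@supplier.example -> jane@corp.example
2007-11-28T09:00:02 OUT jane@corp.example -> jane.home@mail.example
2007-11-28T09:05:10 IN  newsletter@list.example -> jane@corp.example
2007-11-28T09:05:11 OUT jane@corp.example -> jane.home@mail.example
2007-11-28T09:12:40 IN  bob@corp.example -> jane@corp.example
2007-11-28T09:12:41 OUT jane@corp.example -> jane.home@mail.example
2007-11-28T09:15:00 OUT jane@corp.example -> bob@corp.example
2007-11-28T09:20:33 IN  hr@corp.example -> jane@corp.example
2007-11-28T09:20:34 OUT jane@corp.example -> jane.home@mail.example
2007-11-28T09:31:05 IN  spam@bulk.example -> jane@corp.example
2007-11-28T09:31:06 OUT jane@corp.example -> jane.home@mail.example
2007-11-28T09:45:18 IN  vendor@supplier.example -> jane@corp.example
2007-11-28T09:45:19 OUT jane@corp.example -> jane.home@mail.example
2007-11-28T09:50:00 IN  vendor@supplier.example -> bob@corp.example
2007-11-28T09:52:00 IN  hr@corp.example -> bob@corp.example
2007-11-28T09:55:00 OUT bob@corp.example -> vendor@supplier.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(IN|OUT)\s+(\S+)\s+->\s+(\S+)$")


def parse_log(text):
    """Parse log text into (timestamp, direction, sender, recipient) tuples.
    Lines that do not match the expected shape are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def find_forwarders(events, local_domains, min_messages=5, min_ratio=0.8):
    """Flag local mailboxes whose outbound mail to one external recipient keeps pace
    with their inbound volume. Returns a list of findings, most suspicious first."""
    local = {d.lower() for d in local_domains}
    inbound = Counter()                 # mailbox -> messages delivered to it
    outbound = defaultdict(Counter)     # mailbox -> recipient -> messages sent
    for _ts, direction, sender, recipient in events:
        if direction == "IN" and domain_of(recipient) in local:
            inbound[recipient.lower()] += 1
        elif direction == "OUT" and domain_of(sender) in local:
            outbound[sender.lower()][recipient.lower()] += 1

    findings = []
    for mailbox, per_recipient in outbound.items():
        for recipient, sent in per_recipient.items():
            if domain_of(recipient) in local:
                continue  # internal mail is not a forward to an outside box
            received = inbound[mailbox]
            if received == 0 or sent < min_messages:
                continue  # too little traffic to call it a pattern
            ratio = sent / received
            if ratio >= min_ratio:
                findings.append({
                    "mailbox": mailbox,
                    "recipient": recipient,
                    "inbound": received,
                    "forwarded": sent,
                    "ratio": round(ratio, 2),
                })
    findings.sort(key=lambda f: (f["ratio"], f["forwarded"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_forwarders(parse_log(SAMPLE_LOG), ["corp.example"]):
        print(f"{f['mailbox']} -> {f['recipient']}: {f['forwarded']} of "
              f"{f['inbound']} inbound messages re-sent (ratio {f['ratio']})")
```

    On the sample data this reports only jane's mailbox, with six copies sent for six messages received; bob's single outbound message falls under min_messages. A hit is a prompt to open the client's message rules (in Outlook Express, Tools > Message Rules > Mail) and look for a forward action, which is exactly where the cause in this thread turned up.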

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    This sounds to me as if the user actually tried to set up a filter of some kind in order to try to correct or stop spam OR send personal mail received at work to her home computer and just botched the job. Now of course this is just my opinion. Others may disagree.

    Generally an infection isn't going to forward your mail someplace nonexistent but is going to "hack" your address book, so to speak, and send ITSELF to all persons in your address book in the form of a brand new mail that DOES NOT usually even show in the Outbox or in the Sent box.

    You know this user somehow installed SweetIM without realizing it, and you say she is not computer savvy.
    I did note in my first post what I thought was a Trojan in the log, but have since decided I was in error since I realized the file I saw is connected to the Webcam on the computer.
    Since you found nothing, except the SweetIM (which would not have installed itself) and Norton found nothing and the same holds true for all the other scans done I just don't feel this computer was infected with anything.

  8. #8
    Join Date
    Nov 2007
    Posts
    6
    Your scenario is certainly within the realm of possibility, but then, you didn't see all the stuff I removed with anti spyware programs, Add/Remove programs and HJT before I restarted the computer. I have no doubt she clicked on something that put the SweetIM installer on her desktop, and may have clicked that to see what it was, which then installed the programs. She really could be unaware that she had done anything. But I doubt she even knows about the Message Rules, or how to set one up (but I'll ask when she's in again next week), so I'm still pretty sure something was there.

  9. #9
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Since we saw no logs, other than the one HJT, there is no way of knowing what was on the computer. We make no judgements or "diagnosis" of anything here without seeing all of the logs requested in the sticky. Even if the poster says nothing was found, or all was removed, we just cannot accept that and say ok. All of us who help here have seen any number of logs where we have been told originally that nothing was found, when upon finally being able to review the logs we DO see something. It is for this forum's protection as well as the poster's that we request the posting of these logs. It depends on what was removed and how it was removed to say the computer is actually clean. Just because the HJT log "looks" clean does not mean the computer is clean. Especially when HJT was used as a cleanup tool, which it is not. Cleanup with HJT is the last step and basically to remove items remaining on the list after the necessary cleanup tools have been used. Fixing with HJT generally does not fix a problem.

    I have searched for well over an hour to find "something" which would create a message rule in Outlook Explorer on its own to forward mail to a non-existent mail box and found absolutely nothing. There would be no point to doing this anyway... forwarding mail doesn't remove the mail, it just sends a copy on to someplace else and leaves the original in the Inbox. This wouldn't be considered sending spam since it is going nowhere, and what was being sent were mails from her own Inbox, not spam in the first place.

    The only other explanation I can think of is that somebody did this, HANDS ON, to her computer as a joke, OR, since she somehow downloaded SweetIM without knowing, she downloaded some sort of strange email filter that can do this without her knowing, but I haven't found one yet. Sorry, but I just don't believe this was caused by malware, spyware or a virus; I can't, because I haven't seen logs or seen the names of items removed.
