I may be botneted

Outlook 10 uses 25% of dual CPUs (W7 64-bit), sometimes all of one processor. One email address stays on send, even though no activity appears in the application. When I terminate Outlook, it stays resident and continues to use 25% of CPU and up to 48% of RAM (8 gigs). Scans reveal no viruses.

I am using Comcast's supplied version of N360.

Hi, behsci,

Welcome to our community. You might want to try downloading and running the free version of malwarebytes. It only does on-demand scanning, so it will not conflict with your Norton and makes a good crosscheck when you think there may be something odd afoot that Norton isn't catching, especially for things that are not technically malware, like adware and PUPs (Potentially Unwanted Programs, like add-ons and toolbars you may not have knowingly asked for).

Let us know what--if anything--it finds, and we'll take it from there!

MalwareBytes found two instances of Broken.OpenCommand and deleted them.

WinPatrol then popped up and told me that userinit.exe wants to be installed into Windows. It also says that userinit.exe can be the W32/Tilebot-EV virus.

I find no current instance of userinit.exe on this computer.

Is this safe to allow? Or is this a sneaky way for the virus to reinstall?

MalwareBytes wants me to reboot.

Any advice on this?

I will wait before I take any action.

I'm sorry, I do find userinit.exe at C:\Windows\System32 dating from Nov 2010 and last accessed on 3/16/2011.

Is this an attempt to replace that file with a bot that will boot and install before explorer boots, or is it safe to install as a result of malwarebytes actions?

Hi behsci,

Just a quick question: is this thread a result of receiving a Bot Notice from Constant Guard via either a phone call or an email from Comcast? It really doesn't matter, but I was just curious.

I have seen some references to the "Broken.OpenCommand" being fixed using MalwareBytes.

Specifically, the following are provided by quietman7 over on Bleeping Computer (a well respected Security Expert / $soft MVP).

He asks: "Do you have a program installed that prevents registry changes from taking place or have used a tool to fix associations?"

Then replies:

Quote

"Malwarebytes sees and reports that the association for these files is not the default one as set by Windows (since malware may alter these associations as well). When you select to remove in mbam, mbam restores it to the default associations again (as set by Windows). So you have 2 choices here... Either you ignore the detection in mbam, or you don't let System Mechanic modify the default associations"

explanation by miekiemoes, Administrator at Malwarebytes

Quote

"It simply means that one of the file associations is no longer using the default Windows setting. This could be on purpose by you or software that you use, but it is also a method used by Malware so we flag it. If you're telling MBAM to change it and it comes back then some program you're using is either blocking the change in the Registry or maybe a program you use is reverting it back."

Quote

"If you chose it and want it to remain that way then you can ignore it. If you did not choose that then have MBAM fix it, and if you have software that blocks Registry changes then you need to tell the program to allow MBAM to make the change."

Quote

"There is at least one tool that disables these as a "security fix". MBAM can't tell why a modification has happened, only that it has."

explanation by Malwarebytes Staff

That said, since the userinit.exe is located in the normal default location of C:\Windows\System32 and MBAM has already deleted the keys, I believe the reinstallation is acceptable and is merely placing the default association back. As I see it, if you run MBAM again and the Broken.OpenCommand appears and is deleted again, then there is something on your system changing the default association under one of the conditions listed above.

I am not an Outlook user, however I remember from Outlook Express (that seems so long ago) that from time to time a message would get hung up and needed to be deleted in order to restore peace to the client. I cannot remember what I had to do to locate and delete the one message that kept trying to be sent, but once I did it, all was good.

So bottom line, I think your Outlook problem may be caused by one corrupted email trying to be sent.

I am sure others may have other ideas. Keep us posted!
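As an added defender-side check (not from this thread, Malwarebytes or WinPatrol), the following PowerShell reads the shell\open\command associations that a Broken.OpenCommand report refers to and the Winlogon Userinit value, and compares them with what a stock Windows 7 install has. The list of file classes and the expected strings are my assumptions about stock defaults; the script only reads, so running it before and after a reboot shows whether something keeps reverting the values.

```powershell
# Added example: compare shell "open" command associations and the Userinit
# logon value against assumed stock Windows 7 defaults. Read-only.

# Assumed stock values for classes commonly behind a Broken.OpenCommand report.
$expectedOpen = @{
    'exefile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'cmdfile' = '"%1" %*'
}
# Assumed stock value; note the trailing comma is part of the default string.
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"

function Test-OpenCommands {
    foreach ($class in $expectedOpen.Keys) {
        # HKCR is the merged view of HKLM and HKCU Classes, so it is the value
        # the shell actually uses when launching a file of this type.
        $key = "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command"
        $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($actual -eq $expectedOpen[$class]) {
            Write-Output ("OK       {0,-8} {1}" -f $class, $actual)
        } else {
            # A different value means a tool or the user changed it, or something
            # has placed itself in front of every program launch of this type.
            Write-Output ("CHANGED  {0,-8} {1}" -f $class, $actual)
        }
    }
}

function Test-Userinit {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $actual = (Get-ItemProperty -Path $winlogon).Userinit
    # Userinit runs at every logon before Explorer; an extra path appended after
    # the comma is a common persistence spot, so the whole string is compared.
    if ($actual -eq $expectedUserinit) { Write-Output "OK       Userinit $actual" }
    else { Write-Output "CHANGED  Userinit $actual" }

    $file = "$env:SystemRoot\system32\userinit.exe"
    if (Test-Path $file) {
        $info = Get-Item $file
        Write-Output ("FILE     {0} modified {1:yyyy-MM-dd}" -f $file, $info.LastWriteTime)
    } else {
        Write-Output "MISSING  $file"
    }
}

Test-OpenCommands
Test-Userinit
```

A CHANGED line is a prompt to find out which program set the value, not proof of infection; the thread above shows a legitimate tool can cause exactly the same report.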

Well, Yank, I think you nailed it! I allowed any changes that WinPatrol notified me of after the malwarebytes reboot. One particular email address in Outlook was hanging on send and using the system resources. I tried deleting all sent messages. NG. I tried repairing the account. NG. I deleted the account. Rebooted. System resources at normal. Upon terminating Outlook, it no longer stays resident.

I was botted once before and it took about 6 hrs to clear it from my system with Microsoft techs, so I was a bit paranoid.

Before coming here I phoned Microsoft. They were useless. They were more interested in inspecting my software for legitimacy than solving the problem.

Thank you everyone for your great help.

Thanks for the feedback behsci, hopefully the solution may help others.