Email Spamming Hidden Malware


  • This topic is locked
3 replies to this topic

#1 philips303

philips303

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:08 AM

Posted 07 March 2008 - 10:21 AM

Seems my computer is sending massive amounts of spam, so I've disconnected it from the internet and tried many things. The last thing I tried was setting up the Comodo firewall and setting it to paranoid mode, and there was no process connected to the SMTP port... so when I connected it again, it still kept on going. Is it possible that the malware is resting outside the firewall?

I'm running the Stinger app now and have run a few of the virus scan programs and rootkit detections, but no luck.

What I'm also having problems with is finding out whether the problem is fixed or not; how can I know I'm not sending out spam? The way it goes now is that I get a phone call from my ISP to let me know...
We have a mail server in the domain, so we can't block the whole company...

Are there any programs that allow you to log CPU activity, so I can see which processes are actively using the CPU, and find the process that way?

Well, here is my HijackThis log.
All help appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:14:39, on 7.3.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\COMODO\Firewall\cmdagent.exe
F:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
F:\WINDOWS\system32\inetsrv\inetinfo.exe
F:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\COMODO\Firewall\cfp.exe
D:\stuff\SlickRun\sr.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\WINDOWS\system32\taskmgr.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
F:\WINDOWS\system32\ctfmon.exe
f:\Program Files\UltraEdit\UEDIT32.EXE
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\BabasChess\BabasChess.exe
f:\totalcmd\TOTALCMD.EXE
F:\Program Files\VideoLAN\VLC\vlc.exe
F:\WINDOWS\regedit.exe
F:\Program Files\Winamp\winamp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/home/Home.htm
O1 - Hosts: 193.4.198.232 skyhqamx06.klasi.is
O1 - Hosts: 74.52.45.242 internalnordic.com
O1 - Hosts: 74.52.45.242 www.internalnordic.com
O1 - Hosts: 193.4.198.27 ftp.skyggnir.is
O1 - Hosts: 213.213.141.116 daelnet
O1 - Hosts: 216.247.254.34 nordicland
O1 - Hosts: 172.30.2.30 mbs_ossur
O1 - Hosts: 12.28.140.8 ossurna02
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [MSConfig] F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SlickRun] "D:\stuff\SlickRun\sr.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FE56C2A-0266-4C7D-9891-D79CC7D15B11}: NameServer = 193.4.194.2,213.176.128.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{3FE56C2A-0266-4C7D-9891-D79CC7D15B11}: NameServer = 193.4.194.2,213.176.128.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{3FE56C2A-0266-4C7D-9891-D79CC7D15B11}: NameServer = 193.4.194.2,213.176.128.51
O20 - AppInit_DLLs: F:\WINDOWS\system32\guard32.dll
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - F:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - F:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3777 bytes

#2 philips303

philips303
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:08 AM

Posted 07 March 2008 - 11:35 AM

Decided to run ComboFix.

ComboFix 08-03-07.1 - Administrator 2008-03-07 16:13:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1358 [GMT 0:00]
Running from: F:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
F:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\WINDOWS\system32\Cache

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 15:48 . 2008-03-07 15:48 <DIR> d-------- F:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-03-07 15:42 . 2008-03-07 15:48 <DIR> d-------- F:\Program Files\Malwarebytes' Anti-Malware
2008-03-07 15:42 . 2008-03-07 15:42 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-07 14:17 . 2008-03-07 14:17 <DIR> d-------- F:\Program Files\Bazooka Spyware Scanner
2008-03-06 17:30 . 2008-03-06 17:30 <DIR> d-------- F:\Program Files\Spybot - Search & Destroy
2008-03-06 17:30 . 2008-03-07 13:31 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-06 10:38 . 2008-03-06 10:38 6,912,054 --a------ F:\WINDOWS\ACD Wallpaper.bmp
2008-03-05 15:03 . 2008-03-05 15:03 <DIR> d-------- F:\Documents and Settings\Administrator\Application Data\Comodo
2008-03-05 15:02 . 2008-03-05 15:02 <DIR> d-------- F:\Program Files\COMODO
2008-03-05 15:02 . 2008-03-05 15:08 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\comodo
2008-03-05 15:02 . 2008-03-05 15:02 139,008 --a------ F:\WINDOWS\system32\guard32.dll.vir
2008-03-05 15:02 . 2008-03-05 15:02 84,856 --a------ F:\WINDOWS\system32\drivers\cmdguard.sys
2008-03-05 15:02 . 2008-03-05 15:02 23,800 --a------ F:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-05 11:13 . 2008-03-05 11:13 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-05 10:38 . 2008-03-05 10:38 <DIR> d-------- F:\Program Files\Trend Micro
2008-03-04 06:45 . 2008-03-04 06:45 <DIR> d-------- F:\Program Files\Mp3Splitter
2008-03-04 06:45 . 2008-03-04 06:45 286,720 --------- F:\WINDOWS\Setup1.exe
2008-03-04 06:45 . 2008-03-04 06:45 73,216 --a------ F:\WINDOWS\ST6UNST.EXE
2008-03-04 05:47 . 2008-03-04 05:47 <DIR> d-------- F:\Program Files\Subliminal Blaster 2.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 17:20 --------- d-----w F:\Documents and Settings\Administrator\Application Data\Skype
2008-03-05 11:13 --------- d-----w F:\Program Files\Lavasoft
2008-03-05 11:13 --------- d-----w F:\Program Files\Common Files\Wise Installation Wizard
2008-03-05 10:40 --------- d-----w F:\Program Files\Soulseek
2008-03-04 05:50 --------- d-----w F:\Program Files\FlashFXP
2008-03-03 11:56 --------- d-----w F:\Program Files\Common Files\Adobe
2008-03-02 21:26 --------- d-----w F:\Program Files\Winamp
2008-02-04 17:49 --------- d-----w F:\Documents and Settings\Administrator\Application Data\uTorrent
2008-01-28 13:24 --------- d-----w F:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-28 13:17 --------- d-----w F:\Program Files\Microsoft Visual Studio 8
2008-01-28 13:17 --------- d-----w F:\Program Files\Common Files\Merge Modules
2008-01-28 12:50 --------- d-----w F:\Program Files\Hugmt
2008-01-21 11:33 --------- d-----w F:\Program Files\Midi Monitor
2008-01-21 11:30 233,472 ----a-w F:\WINDOWS\system32\REX Shared Library.dll
2008-01-21 11:30 --------- d-----w F:\Documents and Settings\Administrator\Application Data\Propellerhead Software
2008-01-21 11:29 --------- d-----w F:\Documents and Settings\All Users\Application Data\Propellerhead Software
2008-01-21 11:27 --------- d-----w F:\Program Files\Propellerhead
2008-01-19 16:28 --------- d-----w F:\Program Files\Google
2008-01-17 07:30 --------- d-----w F:\Program Files\eMusic Remote
2007-12-14 11:32 12,632 ----a-w F:\WINDOWS\system32\lsdelete.exe
2007-12-07 00:44 666,112 ----a-w F:\WINDOWS\system32\wininet.dll
2005-06-12 12:59 17,773 ----a-w F:\WINDOWS\inf\hxdll.dll
2005-05-23 09:34 27,836 ----a-w F:\WINDOWS\inf\mdusb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SlickRun"="D:\stuff\SlickRun\sr.exe" [2005-01-26 20:35 174080]
"msnmsgr"="F:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"SpybotSD TeaTimer"="F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO Firewall Pro"="F:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-05 15:02 1502976]
"MSConfig"="F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 12:00 158208]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="F:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= F:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 12:00 15360 F:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-01-03 04:33 29744 F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 F:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"idsvc"=3 (0x3)
"GoogleDesktopManager-121807-210419"=3 (0x3)
"FileZilla Server"=2 (0x2)
"Brother XP spl Service"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirScheduler"=2 (0x2)
"aawservice"=2 (0x2)
"Spooler"=2 (0x2)
"mnmsrvc"=3 (0x3)
"Irmon"=2 (0x2)
"CiSvc"=3 (0x3)
"BITS"=2 (0x2)
"ALG"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"F:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"F:\\Program Files\\Microsoft Visual Studio .NET 2003\\Common7\\IDE\\devenv.exe"=
"F:\\totalcmd\\TOTALCMD.EXE"=
"F:\Documents and Settings\Administrator\Application Data\Facebook\facebook.exe"= F:\Documents and Settings\Administrator\Application Data\Facebook\facebook.exe:127.0.0.1/255.255.255.255:Disabled:Facebook
"F:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"f:\\Program Files\\Skype\\Phone\\Skype.exe"=
"F:\\Program Files\\Ableton\\Live 6.0.10\\Program\\Live 6.0.10.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"4500:UDP"= 4500:UDP:*:Disabled:IPsec (IKE NAT-T)
"500:UDP"= 500:UDP:*:Disabled:IPsec (IKE)
"135:TCP"= 135:TCP:*:Disabled:RPC Endpoint Mapper and DCOM infrastructure

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;F:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-05 15:02]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;F:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-05 15:02]
R2 MSSQL$HR4XPRESS;SQL Server (HR4XPRESS);"F:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sHR4XPRESS []
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);F:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 07:56]
R3 USBMIDI;UF USB MIDI Driver;F:\WINDOWS\system32\Drivers\Mdusb.sys [2005-05-23 09:34]
S2 MSSQL$TESTSQL;MSSQL$TESTSQL;F:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlservr.exe [2000-08-06 01:50]
S2 SQLWriter;SQL Server VSS Writer;"F:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S3 cglptnt;cglptnt;f:\totalcmd\cglptnt.sys [2006-02-16 05:54]
S3 SQLAgent$TESTSQL;SQLAgent$TESTSQL;F:\PROGRA~1\MI6841~1\MSSQL$~1\binn\sqlagent.exe [2000-08-06 01:50]
S4 FAH@F:+Downloads+FAH504-Console.exe;FAH@F:+Downloads+FAH504-Console.exe;F:\Downloads\FAH504-Console.exe []
S4 GoogleDesktopManager-121807-210419;Google Desktop Manager 5.7.712.18632;"F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-03 04:33]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"F:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []
S4 OracleOraHome92ClientCache;OracleOraHome92ClientCache;F:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 19:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c0030ad-c68d-11dc-ae18-00059a3c7800}]
\Shell\AutoRun\command - O:\wd_windows_tools\setup.exe

*Newly Created Service* - RKREVEAL150
.
Contents of the 'Scheduled Tasks' folder
"2008-03-07 03:20:19 F:\WINDOWS\Tasks\backup.job"
- F:\WINDOWS\system32\ntbackup.exebackup
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 16:15:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="F:\WINDOWS\system32\es.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@F:+Downloads+FAH504-Console.exe]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: F:\WINDOWS\system32\winlogon.exe
-> F:\WINDOWS\system32\guard32.dll

PROCESS: F:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> F:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-03-07 16:17:48
.
2008-02-13 16:04:54 --- E O F ---
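The poster asks how to tell which process is talking to the SMTP port and whether the machine is still sending mail, and the ComboFix log above shows the IIS SMTP service (SMTPSVC in inetinfo.exe) running locally. As an added example that is not from this thread or from any of the tools in the logs, the following Python script correlates `netstat -ano` with `tasklist /FO CSV` on Windows, lists every socket whose remote port is 25 together with its owning process, and counts such sockets per process; both sample outputs are constructed, and the PIDs and addresses in them are invented.

```python
import csv
import io
from collections import Counter

# Constructed sample of `netstat -ano` output; PIDs and addresses are invented.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1044
  TCP    192.0.2.10:1267        198.51.100.7:25        ESTABLISHED     2212
  TCP    192.0.2.10:1268        198.51.100.9:25        SYN_SENT        2212
  TCP    192.0.2.10:1301        203.0.113.5:80         ESTABLISHED     3104
  TCP    192.0.2.10:1302        203.0.113.21:25        ESTABLISHED     1044
  UDP    0.0.0.0:500            *:*                                    804
"""

# Constructed sample of `tasklist /FO CSV` output for the same PIDs.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"inetinfo.exe","1044","Console","0","7,812 K"
"svchost.exe","2212","Console","0","4,120 K"
"firefox.exe","3104","Console","0","61,004 K"
"""

def parse_netstat(text):
    """Return (remote_host, remote_port, state, pid) for every TCP line.
    UDP lines have no State column and carry no mail, so they are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].upper() != "TCP":
            continue
        host, _, port = parts[2].rpartition(":")  # rpartition also handles [::1]:25
        if not port.isdigit():
            continue
        rows.append((host, int(port), parts[3].upper(), int(parts[4])))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from the CSV that `tasklist /FO CSV` prints."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def outbound_smtp(netstat_text, tasklist_text, port=25):
    """(process, pid, remote_host, state) for sockets whose *remote* port is `port`.
    A LISTENING socket on 25 (IIS SMTPSVC in inetinfo.exe in the log above) is a server, not a sender."""
    names = parse_tasklist(tasklist_text)
    return [(names.get(pid, "<unknown>"), pid, host, state)
            for host, rport, state, pid in parse_netstat(netstat_text)
            if rport == port and state != "LISTENING"]

def per_process(hits):
    """Sockets per process: one process fanning out to many mail servers is the bot pattern."""
    return Counter((name, pid) for name, pid, _, _ in hits)

if __name__ == "__main__":
    for hit in outbound_smtp(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(hit)
```

To use it on a real machine, replace the two samples with the captured text of the two commands; a single process holding connections to several different mail servers at once is what to look for. netstat reports only what the TCP/IP stack exposes, so a kernel-mode rootkit that hides sockets can make this view look clean while the ISP still sees spam, which is why the ISP's report remains the more reliable indicator.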

#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:08 AM

Posted 26 March 2008 - 06:02 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I apologize for the delay in getting to your log; the helpers here are very busy.

If you still need help, please post a fresh HijackThis log in this thread, so I can help you with your malware problems.
If you have resolved this issue, please let us know.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:08 AM

Posted 08 April 2008 - 06:19 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
