
My Notebook Transformed Itself Into Some Kind Of Spam Machine.


  • This topic is locked
2 replies to this topic

#1 gratum

gratum

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:59 AM

Posted 19 April 2008 - 06:19 AM

No idea how it happened, but my notebook seems to send thousands of emails from the background every minute, which results in my ADSL line blocking, and a router restart is required.

I am not using any email programs on this PC; it's used exclusively for browsing and design work.

I did several Trojan scans, malware, antivirus, adware, etc. etc., but no results.

I discovered the problem with some simple packet sniffer: it sends background packets all the time, each time with a new local port.

I wanted to check which application is using this PORT, with "Active Ports" from www.ntutility.com, but this lets me know:
PROCESS = UNKNOW
PID = 0

Each packet sniffed used port 53 as the remote port and each time a new local port. For example:

Local Port 1436 > Remote Port 53
Local Port 1438 > Remote Port 53
Local Port 1440 > Remote Port 53
Local Port 1442 > Remote Port 53
Local Port 1444 > Remote Port 53
Local Port 1446 > Remote Port 53

The same happens with port 25:
Local Port 1302 > Remote Port 25
Local Port 1304 > Remote Port 25
Local Port 1306 > Remote Port 25
Local Port 1308 > Remote Port 25
Local Port 1310 > Remote Port 25

Each time it attempts to connect to some new IP.

I tried to block remote port 25 and port 53, with no success.
I tried to close all running services, no success.

OK, I do realize reinstalling my XP would be faster, but, hey, I want to find out what the problem is.

An example of a port 53 packet
----
00000000 8E 83 01 00 00 01 00 00 00 00 00 00 03 68 73 62 ........ .....hsb
00000010 03 63 6F 6D 00 00 0F 00 01 .com.... .

00000000 8E 83 81 80 00 01 00 03 00 00 00 04 03 68 73 62 ........ .....hsb
00000010 03 63 6F 6D 00 00 0F 00 01 C0 0C 00 0F 00 01 00 .com.... ........
00000020 00 1F D5 00 0A 00 14 05 6D 61 69 6C 32 C0 0C C0 ........ mail2...
00000030 0C 00 0F 00 01 00 00 1F D5 00 0A 00 1E 05 6D 61 ........ ......ma
00000040 69 6C 33 C0 0C C0 0C 00 0F 00 01 00 00 1F D5 00 il3..... ........
00000050 09 00 0A 04 6D 61 69 6C C0 0C C0 27 00 01 00 01 ....mail ...'....
00000060 00 00 1F D5 00 04 C0 4D 8B 02 C0 3D 00 01 00 01 .......M ...=....
00000070 00 00 49 83 00 04 C0 4D 8B 08 C0 53 00 01 00 01 ..I....M ...S....
00000080 00 00 53 4B 00 04 C0 4D 8B 02 C0 53 00 01 00 01 ..SK...M ...S....
00000090 00 00 53 4B 00 04 C0 4D 8B 08 ..SK...M ..


An example of a port 25 packet
----
Date: Sat, 19 Apr 2008 09:41:15 +0000
From: "Pont Strauf" <blackhead@motohaus.lu>
X-Mailer: The Bat! (3.51.9) Professional
Reply-To: Pont Strauf <blackhead@motohaus.lu>
X-Priority: 3 (Normal)
Message-ID: <1481138195.20080419093817@motohaus.lu>
To: <landis29@hanmail.net>
Subject: cytologist
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------CA6F92D8DC4368"

------------CA6F92D8DC4368
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hello,=09
=20
Increaase Sexual EEnergy and Pleasuure!
http://q4ri5z8og58qd.blogspot.com



=09And owen, watching, took her pallor for the ashy of gold
thread on stiff ultramarine tissue, which carry us three
men and our when the raft was finished most of them carrying
hand bags. During rehearsals want yes, said ellie, i know
what you mean. But about arthur because he thought hetty
would be whiskers, dark eyes, husky voice, tooth missing
preposterous for words. They had quite an excited gordon.
they think he stabbed his cousin. My sakes! With a bump.
then again, the mischievous ants one jump in her nightgown,
just before going to want me, he said, and he offered no
humorous remarks, a living brain. You will be annihilated
in the ob serve the round hole through the chainmail said
emily. Don't be indelicate. And anyway, she.
ishbnhiieaaaakbmfi.
------------CA6F92D8DC4368
Content-Type: text/html; chars. #Host Name Server
nicname 43/tcp whois
domain 53/tcp #Domain Name Server
domain 53/udp #Domain Name Server
bootps 67/udp dhcps #Bootstrap Protocol Server
bootpc 68/udp dhcpc #Bootstrap Protocol Client
tftp 69/udp #Trivial File Transfer
gopher 70/tcp
finger 79/tcp
http 80/tcp www www-http #World Wide Web
kerberos 88/tcp g></p><st=
rong> </strong>
<p>And owen, watching, took her pallor for the ashy of gold<br> thread

on=
stiff ultramarine tissue, which carry us three<br> men and our when the =
raft was finished most of them carrying<br> hand bags. During rehearsals =
want yes, said ellie, i know<br> what you mean. But about arthur because

=
he thought hetty<br> would be whiskers, dark eyes, husky voice, tooth

mis=
sing<br> preposterous for words. They had quite an excited gordon.<br>

=
they think he stabbed his cousin. My sakes! With a bump.<br> then again, =
the mischievous ants one jump in her nightgown,<br> just before going to =
want me, he said, and he offered no<br> humorous remarks, a living brain.=
You will be annihilated<br> in the ob serve the round hole through the c=
hainmail said<br> emily. Don't be indelicate. And anyway, she.<br>
ishbnhiieaaaakbmfi.</p>
</body></html>
------------CA6F92D8DC4368--
.

454 5.7.1 DXNS3 83.34.2.243: Message refused. Your host name dosen't match with your IP address: ilpo.rima-tde.net

QUIT

221 2.0.0 rmail-142.hanmail.net closing connection



========================
Finally, some HijackThis output
========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:20, on 19/04/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SmartSniff\smsniff.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\telnet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: etlrlws - {151E8F05-9830-4888-A41E-B8AB1213CA59} - C:\WINDOWS\etlrlws.dll (file missing)
O4 - HKLM\..\Run: [acerWireless] C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Advanced Email Extractor - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ve/x86/win32/activex/hcImpl.cab
O16 - DPF: {63E0388E-4CD2-4728-99CC-E3652A1AE7AD} (EzAutoLogin Control) - http://203.233.205.66:8080/help/EzAutoLoginProj1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAA969F8-2960-4B55-8A6D-0CE7D04C0456}: NameServer = 80.58.61.250,195.235.113.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: eqnclass32 - C:\WINDOWS\SYSTEM32\eqnclass32.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 7200 bytes



Hopefully you guys know what happened.
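The port 53 packet in the post above is an MX lookup for hsb.com, i.e. the machine asking for a recipient domain's mail exchangers; a mail-sending bot does exactly this before opening the port 25 connections the post lists, so a desktop emitting a steady stream of MX queries is itself a strong indicator even when the process cannot be identified. As an added example (not code from the original post), this decodes that captured reply with a small DNS parser: DNS_RESPONSE is the page's hex dump transcribed into bytes, and every function name is ours.

```python
import struct
# Port-53 reply from the post above, transcribed from its hex dump (offset and
# ASCII columns dropped): this is the page's captured packet, not live traffic.
DNS_RESPONSE = bytes.fromhex(
    "8E838180000100030000000403687362" "03636F6D00000F0001C00C000F000100"
    "001FD5000A0014056D61696C32C00CC0" "0C000F000100001FD5000A001E056D61"
    "696C33C00CC00C000F000100001FD500" "09000A046D61696CC00CC02700010001"
    "00001FD50004C04D8B02C03D00010001" "000049830004C04D8B08C05300010001"
    "0000534B0004C04D8B02C05300010001" "0000534B0004C04D8B08"
)

TYPE_NAMES = {1: "A", 15: "MX"}

def read_name(msg, off):
    """Decode a DNS name at off, following 0xC0 compression pointers; return (name, end)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # pointer: note where this name ends, then jump
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:                    # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_dns(msg):
    """Return the header id/flag, the question(s) and every record as (section, name, type, ttl, value)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, off = struct.unpack("!H", msg[off:off + 2])[0], off + 4   # skip QTYPE+QCLASS
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for section in ("answer",) * an + ("authority",) * ns + ("additional",) * ar:
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        value = rdata.hex()                # fallback for record types not decoded here
        if rtype == 15:                    # MX: 16-bit preference + compressed exchange name
            value = (struct.unpack("!H", rdata[:2])[0], read_name(msg, off + 12)[0])
        elif rtype == 1:                   # A: four bytes of IPv4 address
            value = ".".join(str(b) for b in rdata)
        records.append((section, name, TYPE_NAMES.get(rtype, rtype), ttl, value))
        off += 10 + rdlen
    return {"id": ident, "response": bool(flags & 0x8000), "questions": questions, "records": records}
```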


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:59 AM

Posted 19 April 2008 - 07:50 AM

Hi,

The current formatting of your log makes it difficult to read, so in notepad:
On top, click Format > uncheck Word Wrap


Then,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:59 AM

Posted 21 April 2008 - 01:37 AM

Hi,

This thread is closed, since you already posted your logs here as well:

http://www.freedomlist.com/forum/viewtopic.php?t=31574
http://www.landzdown.com/index.php?topic=24332.0
http://forums.spywareinfo.com/index.php?showtopic=116012
http://forums.spybot.info/showthread.php?t=27039
http://boards.cexx.org/index.php?topic=17365.msg72863
http://www.webuser.co.uk/forums/showflat.php?Cat=0&Board=hijackthis&Number=392056&Searchpage=1&Main=392056&Words=&topic=1&Search=true#UNREAD
http://www.cybertechhelp.com/forums/showthread.php?p=992848
http://www.cybertechhelp.com/forums/showthread.php?t=179979
http://forums.majorgeeks.com/showthread.php?t=157537
http://gladiator-antivirus.com/forum/index.php?showtopic=71650
http://www.castlecops.com/t219924-Notebook_transform_to_some_kind_of_SPAM_machine_XP_SP3.html
http://www.help2go.com/component/option,co...wtopic/t,27662/
http://www.nutnworks.com/forums/showthread.php?t=13762

It would have been nice if you had let people know that you are already receiving help somewhere else, so we can help someone else instead.



