Infection Sending Out Constant Spam - Hard To Detect


  • Please log in to reply
8 replies to this topic

#1 fotty (Member)

Posted 24 September 2008 - 08:58 AM

System is Windows XP SP3, with latest updates and all that fun stuff. System had SP2 at time of infection.

I have fixed a lot of computer virus issues. Several hundred probably. So I have had some easy ones, and some nasty ones.

This one falls under the nasty category, and I am still having trouble tracking it down.


So here is what happens:

Computer acts 100% normal, however as soon as you enable ethernet or plug in an ethernet cable to get it connected to the internet, it starts sending out spam via the POP3 mail account hooked up in outlook express. Outlook express doesn't need to be open, so the virus probably stole the credentials or something.

I can't find a single dll or exe that is running or hooked into at this point that would pinpoint the problem.

I have tried the following things to remedy this:

Removed hard drive from computer, hooked it up as slave in other computer

1) Ran full scan of drive with Norton 360, Windows OneCare, AVG 8

Hooked HD back up in original computer

2) Ran full scan of drive with Windows Defender, Ad Aware, AVG 8, SDFix, VundoFix, ComboFix, Stinger, maybe 1 or 2 more I can't think of right now.

3) Ran HijackThis and removed a few suspect lines, but nothing that pointed at the actual issue, and removing the lines did not stop the virus.

4) Ran SFC /Scannow to scan the system files and make sure none were compromised. While it did ask for the CD to copy files over, it didn't give any details of active files it replaced, which makes me think it just copied files to a local cache and didn't replace any active ones.

5) I installed WireShark to try to sniff out the SMTP packets, and I am able to see some connections being made (albeit not SMTP ones) but connections to remote IPs on port 25 which is very suspect. However, as far as I can tell so far, WireShark cannot tell me where the packets are originating from on the system. So I am also thinking maybe the computer is not directly sending out spam via SMTP, but connecting to another zombie or something to do it.

I also noticed the Windows XP Firewall keeps magically getting an entry in its exceptions list that is just titled "ENABLE", and if you go to details, it is c:\windows\explorer.EXE, which of course is also suspect; however, explorer.exe itself at that directory looks to be fine. I know other processes can be parented by explorer, but using Sysinternals Process Explorer turned up nothing there either.

The other problem is that I really want to figure this issue out. Yes I know I could back up the data, reformat and reinstall, and just be done with it, but what fun is that? You don't learn anything by reformatting a computer, so I would really like to figure out how this thing works since I have never seen something this bad before. So because I really want to figure it out, but I also don't want to get my ports blocked by my ISP for spamming, I can only plug in the ethernet for like a minute at a time, make the virus start, and try to track it down real quick before it sends out too much spam. As a side note, this is not my computer, just one I am fixing for someone.


I have some other ideas that I have not yet tried, like running Regmon to try to see what process keeps modifying the Windows firewall, which is likely happening via the registry where those exceptions are stored. I also installed a better 3rd party Comodo firewall to try to get better control since the XP firewall is next to useless, but again it makes it very hard to track anything down, as all the processes going through the TCP/UDP protocol do seem legit, but I know one of them is not, or at least has something piggybacking off of it that is not legit.

So basically while I continue to work, I am just wondering if anyone has any suggestions as far as finding this thing, or suggestions for other utilities that may help me.


#2 quietman7 (Global Moderator)

Posted 24 September 2008 - 11:51 AM

Spambots, Botnets and Email relays typically come packaged with rootkits so a rootkit check should be performed. I recommend performing a scan with Sophos Anti-rootkit, Panda AntiRootkit or AVG Anti-Rootkit.

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

If the ARK scan does not find anything, then considering all you have done, the next step would be to post a hijackthis log for further investigation. If that is the case, post back here for further directions on what to do.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 fotty (Topic Starter)

Posted 24 September 2008 - 12:38 PM

Thanks,

I did run RootKitRevealer from SysInternals, and it did find some entries, but I already knew, as you mentioned, that just because it gets flagged, doesn't mean it is bad.

I have removed all AV products from the machine for now (since they obviously were doing no good anyway) so there is nothing on it except a 3rd party firewall which is easy to disable.

I will try those other rootkit scanners to see if they give me any more info on the suspected areas of the drive.


Something is also running the command upon system boot:

netsh firewall set allowedprogram "C:\WINDOWS\Explorer.EXE" ENABLE

If I delete the exception and reboot, it gets generated again. I am thinking this is related to the virus problem, so I have been chasing it with regmon, filemon, and procmon for a bit, and I am getting closer to finding out what is launching it, but it takes some time.

I am not a guru of HijackThis logs, but I know enough to see when something is shady in there, and I have a pretty good knowledge of Windows and how this stuff works because I am actually a software developer for the Windows platform in my real job (MS MVP like you are, but for programming). This is just a side thing I am working on for someone.

If needed, I will post the log for others to take a look.

Thanks.

Edited by fotty, 24 September 2008 - 12:39 PM.


#4 fotty (Topic Starter)

Posted 24 September 2008 - 02:04 PM

None of those rootkit scanners found anything, so should I post the HijackThis log?

At this point I am starting to think it is some sort of rogue .sys file that is installed as a driver, but I am still not 100% sure. I am still doing various things to try to track it down.

Even in safe mode the firewall exception entry gets written. It's very strange.

#5 quietman7 (Global Moderator)

Posted 24 September 2008 - 02:08 PM

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In Step 9 there are instructions for downloading the HijackThis Installer and creating a log. This is an automatic setup version which will install the program in the proper location. If you already have this version installed, then skip this part.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

#6 fotty (Topic Starter)

Posted 25 September 2008 - 03:24 PM

I hear ya, but honestly this was a situation where HijackThis was of no use.

I ended up resolving the issue by a painful manual process of cat and mouse with the virus and using several system monitoring tools to track down the chain of events.

Very, very long story short:
I was able to eventually track back the XP Firewall exception that kept repopulating itself to a driver file ndisio.sys. If you google that file name, you will see results of others with virus issues and that file.

So I went into device manager and clicked to show hidden devices, and it had many of the network adapters listed twice (like the WAN Miniport, etc..) when the system only has 1 onboard NIC.

So when reviewing the drivers for each device, half looked legit, and the others all had the same ndisio.sys driver listed as their driver. This sys file has no publisher, version, or other info associated with it.

Trying to uninstall the driver results in the device manager telling you it can't because the device may be needed to boot the PC. This driver got installed as a kernel mode driver, which may be why.

The solution to that was to clear out some reg entries. Info on that here:
http://fastest963windows.blogspot.com/2008...-failed-to.html

After clearing out the registry entries, I was able to reboot, and then the devices were gone. I was then able to remove the ndisio.sys file from the %systemdir%\drivers\ folder, and then rebooted.

After this, no more automatic firewall exception being created, no more shady connections to IPs in Amsterdam, no more 1000s of spam emails being sent out behind the scenes.

Definitely one of the nastier virus/worm/whatever you want to call it that I have dealt with. So hopefully if anyone else has this issue, they might find this and it will save them the few days it took me.
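As an added example (not code from the thread or from any of its posters), a PowerShell audit of the three artefacts fotty tracked: the XP firewall's per-program exception list in the registry, driver files with no publisher, version or valid Authenticode signature, and several PnP devices bound to one unsigned driver. It assumes Windows PowerShell with Get-AuthenticodeSignature and the Win32_PnPSignedDriver WMI class available, and the $shellBinaries list is an assumption to extend for the environment.

```powershell
# Added example (not the thread's own): audit the artefacts fotty chased on XP, the
# firewall exception list in the registry, unattributed .sys files in the drivers folder,
# and several PnP devices bound to one unsigned driver. Registry layout is XP SP2/SP3's.

$listKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$shellBinaries = @('explorer.exe', 'svchost.exe', 'winlogon.exe', 'lsass.exe')  # assumed list; extend as needed

function Get-FirewallExceptions {
    if (-not (Test-Path $listKey)) { return }
    $item = Get-ItemProperty -Path $listKey
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        # Values look like "C:\WINDOWS\Explorer.EXE:*:Enabled:ENABLE"; the pattern keeps the drive colon in the path.
        if ([string]$p.Value -match '^(?<path>.+):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<name>[^:]*)$') {
            $leaf = [System.IO.Path]::GetFileName($Matches.path).ToLower()
            New-Object PSObject -Property @{
                Path = $Matches.path; Scope = $Matches.scope; State = $Matches.state; Name = $Matches.name
                # A display name of "ENABLE" is what netsh's positional syntax (program, then name, then mode)
                # produces when the caller passes no explicit name=, as in the command fotty caught at boot.
                Suspicious = ($shellBinaries -contains $leaf) -or ($Matches.name -match '^(ENABLE|DISABLE)$')
            }
        }
    }
}

function Get-UnattributedDrivers {
    $dir = Join-Path $env:SystemRoot 'system32\drivers'
    foreach ($f in Get-ChildItem -Path $dir -Filter '*.sys') {
        $vi  = $f.VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        # Catalog-signed Microsoft drivers may show NotSigned here but still carry CompanyName/FileVersion;
        # a dropped file with neither, like the thread's ndisio.sys, is the outlier this isolates.
        if (-not $vi.CompanyName -and -not $vi.FileVersion -and $sig.Status -ne 'Valid') {
            New-Object PSObject -Property @{ File = $f.FullName; Signature = $sig.Status }
        }
    }
}

function Get-SharedDriverBindings {
    # Several devices bound to one unsigned driver file mirrors the duplicated WAN Miniport
    # entries fotty found under "show hidden devices", all pointing at ndisio.sys.
    Get-WmiObject Win32_PnPSignedDriver | Where-Object { $_.PathName -and -not $_.Signer } |
        Group-Object PathName | Where-Object { $_.Count -gt 1 } |
        Select-Object @{n='Driver';e={$_.Name}}, Count, @{n='Devices';e={($_.Group | ForEach-Object { $_.DeviceName }) -join ', '}}
}

Get-FirewallExceptions | Where-Object { $_.Suspicious } | Format-Table Path, Name, State -AutoSize
Get-UnattributedDrivers | Format-Table File, Signature -AutoSize
Get-SharedDriverBindings | Format-Table Driver, Count, Devices -AutoSize
```

Run it from an elevated prompt; a hit in any of the three tables is a lead to follow with Process Monitor, not proof of infection on its own.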

#7 quietman7 (Global Moderator)

Posted 25 September 2008 - 05:26 PM

but honestly this was a situation where HijackThis was of no use

Probably not but that's the forum where we use more powerful and advanced tools which would have made the task of disinfection easier.

In any event, I'm glad to hear you have sorted it out.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. Then use Disk Cleanup to remove all but the most recently created Restore Point.

#8 fotty (Topic Starter)

Posted 26 September 2008 - 08:41 AM

Turning off system restore also deletes all restore points. I turn it off and turn it back on, and then create a new single restore point before giving the PC back to my customer.

#9 quietman7 (Global Moderator)

Posted 26 September 2008 - 09:13 AM

Yes but turning System Restore off and then turning it back on has some risk associated with it since that feature does not always work as intended. I generally do not encourage people to do this unless there is a clear reason to do so. Instead, I prefer using a safer alternative by creating a new Restore Point and using Cleanmgr to remove all previous restore points.