
Mass Mail from MSN Account


  • This topic is locked
4 replies to this topic

#1 Josh00Si

Josh00Si

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:27 AM

Posted 06 January 2009 - 07:55 PM

Not sure what's going on. About 10:00 a.m. or so this morning I started getting pumped full of UDP packets hitting my firewall. I wasn't too concerned with it so I spoofed my MAC on my router to get a new IP from my ISP. Worked like a charm. Got home from work and noticed that somehow my MSN account sent out a mass spam message to my whole address book. Normally I can remove spyware/viruses without much trouble but so far everything I have tried doesn't come up with anything, including ESET NOD32 and McAfee Stinger. Strange thing is I am not getting any errors, slow downs, or any other noticeable activity that is normally associated with a virus, trojan, or spyware. Had a big outbreak at my work over the last week with Conficker but it never touched my work laptop which was connected to my home network over the weekend.

Here is my log file. Also attached combofix log as I had already run that as well. Thought I might have Vundo again so I ran that fix and it found nothing. Have not had the chance to run the safe mode version.


DDS (Version 1.1.0) - NTFSx86
Run by Josh at 19:45:07.45 on Tue 01/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.437 [GMT -5:00]

AV: *On-access scanning disabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
FW: *disabled*
FW: ZoneAlarm Security Suite Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
c:\wamp\bin\mysql\mysql5.1.30\bin\mysqld.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Josh\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SearchPerks! Perk Counter: {2787ea8e-8d87-48af-88ad-b30246c917ab} - c:\program files\searchperks! perk counter\Bmbho.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: SearchPerks! Perk Counter: {2787ea8e-8d87-48af-88ad-b30246c917ab} - c:\program files\searchperks! perk counter\Bmbho.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\josh\applic~1\mozilla\firefox\profiles\p92g1o42.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.dirtyoldbastards.us/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=
FF - component: c:\program files\mozilla firefox\extensions\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - plugin: c:\documents and settings\josh\application data\mozilla\firefox\profiles\p92g1o42.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\josh\application data\mozilla\firefox\profiles\p92g1o42.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071102000005.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

ATTENTION: FIREFOX POLICIES ARE IN FORCE
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-8-18 34312]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-1 148496]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-1-1 353680]
R4 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-01-06 18:56 <DIR> --d----- C:\VundoFix Backups
2009-01-06 18:52 <DIR> a-dshr-- C:\cmdcons
2009-01-06 18:51 161,792 a------- c:\windows\SWREG.exe
2009-01-06 18:51 98,816 a------- c:\windows\sed.exe
2009-01-06 18:31 <DIR> --d-h--- c:\windows\PIF
2009-01-03 17:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\rionix
2009-01-03 17:44 <DIR> --d----- c:\windows\Action Ball 2
2009-01-02 20:34 11,501,028 a------- C:\dob.sql
2009-01-02 20:22 <DIR> --d----- C:\wamp
2009-01-01 18:26 <DIR> --d----- c:\docume~1\josh\applic~1\MailFrontier
2009-01-01 18:10 382,353,440 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-01 18:10 1,029,164 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-01-01 18:01 <DIR> --d----- c:\program files\Zone Labs
2009-01-01 17:58 <DIR> --d----- c:\windows\Internet Logs
2009-01-01 12:52 <DIR> --d----- c:\docume~1\josh\applic~1\Radmin
2009-01-01 12:52 <DIR> --d----- c:\program files\Radmin Viewer 3
2008-12-31 21:30 <DIR> --d----- c:\docume~1\josh\applic~1\Malwarebytes
2008-12-31 21:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-31 21:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-31 21:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-31 21:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-31 17:47 603,904 a------- c:\windows\system32\TUProgSt.exe
2008-12-31 16:41 1,024 a------- C:\.rnd
2008-12-30 22:07 <DIR> --dsh--- C:\Diskeeper
2008-12-30 18:12 <DIR> --d----- c:\program files\common files\Diskeeper Corporation
2008-12-30 18:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2008-12-30 18:12 <DIR> --d----- c:\program files\Diskeeper Corporation
2008-12-30 16:48 <DIR> --d----- c:\docume~1\josh\applic~1\Alawar
2008-12-30 16:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AlawarWrapper
2008-12-30 16:47 <DIR> --d----- c:\program files\Alawar
2008-12-27 23:29 36 a------- c:\windows\ndet2000.INI
2008-12-27 23:28 69 a------- c:\windows\cdsutil.INI
2008-12-27 23:26 299,520 a------- c:\windows\uninst.exe
2008-12-27 23:26 <DIR> --d----- c:\documents and settings\josh\WINDOWS
2008-12-27 23:19 <DIR> --d----- c:\program files\ESET
2008-12-27 22:06 <DIR> --d----- c:\documents and settings\josh\LocalLow
2008-12-27 22:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TVU Networks
2008-12-26 23:45 <DIR> --d----- c:\documents and settings\josh\Library
2008-12-26 23:45 <DIR> --d----- c:\docume~1\josh\applic~1\com.adobe.ExMan
2008-12-26 21:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2008-12-26 20:35 45,392 a----r-- c:\windows\system32\AdobePDF.dll
2008-12-26 20:35 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2008-12-26 20:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GlobalSCAPE
2008-12-26 20:15 <DIR> --d----- c:\program files\GlobalSCAPE
2008-12-26 20:10 <DIR> --d----- c:\program files\common files\Macrovision Shared
2008-12-24 16:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2008-12-24 16:30 <DIR> --d----- c:\program files\DAEMON Tools Lite
2008-12-23 00:05 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-12-23 00:04 <DIR> --d----- c:\docume~1\josh\applic~1\DAEMON Tools Lite
2008-12-14 09:36 509,448 a------- c:\windows\system32\XAudio2_2.dll
2008-12-14 09:36 68,616 a------- c:\windows\system32\XAPOFX1_1.dll
2008-12-14 09:36 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2008-12-14 09:36 1,493,528 a------- c:\windows\system32\D3DCompiler_39.dll
2008-12-14 09:36 467,984 a------- c:\windows\system32\d3dx10_39.dll
2008-12-14 09:36 238,088 a------- c:\windows\system32\xactengine3_2.dll
2008-12-14 09:34 <DIR> --d----- c:\windows\Logs
2008-12-13 22:40 <DIR> --d----- c:\program files\FlashGet
2008-12-13 15:20 26,368 a------- c:\windows\system32\dllcache\usbstor.sys
2008-12-13 13:40 4,757 a------- c:\windows\imsins.BAK
2008-12-13 13:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUp Software
2008-12-13 13:37 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2008-12-13 13:12 <DIR> --d----- c:\windows\Google Earth Pro 4.2
2008-12-13 13:12 20,942,005 a------- c:\windows\system32\xa122517625.exe
2008-12-13 13:12 20,942,005 a------- c:\windows\system32\xa122516250.exe
2008-12-10 18:27 247,326 -------- c:\windows\system32\dllcache\strmdll.dll

==================== Find3M ====================

2009-01-01 18:19 4,212 a---hr-- c:\windows\system32\zllictbl.dat
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-06 16:58 4,096 a------- c:\windows\d3dx.dat
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-26 20:46 88,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-09 14:25 73,104 a------- c:\windows\zllsputility.exe
2008-10-09 14:25 1,221,008 a------- c:\windows\system32\zpeng25.dll

============= FINISH: 19:45:25.53 ===============

Thanks for your assistance.

Josh
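Added example (not part of the thread or of any BleepingComputer tool): a small Python triage script for the DDS log format posted above. It parses the AV/FW status header and the BHO/TB entries of the Pseudo HJT report, flags real-time protection that is disabled, and lists each add-on CLSID once for review; the embedded excerpt is copied from the log in the post.

```python
"""Triage helper for a DDS log (added example, not the DDS tool's own code)."""
import re

# Excerpt of the DDS log posted in this thread (constructed sample input).
SAMPLE_LOG = r"""
AV: *On-access scanning disabled* (Updated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
FW: *disabled*
FW: ZoneAlarm Security Suite Firewall *disabled*
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SearchPerks! Perk Counter: {2787ea8e-8d87-48af-88ad-b30246c917ab} - c:\program files\searchperks! perk counter\Bmbho.dll
TB: SearchPerks! Perk Counter: {2787ea8e-8d87-48af-88ad-b30246c917ab} - c:\program files\searchperks! perk counter\Bmbho.dll
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
"""

# "AV: <product> *<status>* (...)"; DDS also prints a product-less copy of each line.
STATUS_RE = re.compile(r"^(AV|FW): (.*?)\s*\*(.*?)\*")
# "BHO: <name>: {<clsid>} - <dll path>"  (same layout for toolbars, "TB:")
ADDON_RE = re.compile(r"^(BHO|TB): (.+?): \{([0-9a-fA-F-]{36})\} - (.+)$")


def parse_protection(log):
    """Return [(kind, product, status, enabled)] for the AV:/FW: header lines."""
    out = []
    for line in log.splitlines():
        m = STATUS_RE.match(line)
        if not m or not m.group(2):  # skip the duplicate line that names no product
            continue
        kind, product, status = m.groups()
        out.append((kind, product, status, "disabled" not in status.lower()))
    return out


def parse_addons(log):
    """Group BHO/TB entries by CLSID so a component listed twice shows up once."""
    addons = {}
    for line in log.splitlines():
        m = ADDON_RE.match(line)
        if not m:
            continue
        kind, name, clsid, path = m.groups()
        entry = addons.setdefault(clsid.lower(), {"name": name, "path": path, "kinds": set()})
        entry["kinds"].add(kind)
    return addons


def triage(log):
    """Summarise what a malware-response helper checks first in a DDS log."""
    findings = [f"{kind} protection disabled: {product} ({status})"
                for kind, product, status, enabled in parse_protection(log) if not enabled]
    for addon in parse_addons(log).values():
        kinds = "+".join(sorted(addon["kinds"]))
        findings.append(f"review add-on {addon['name']} [{kinds}] -> {addon['path']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```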


#2 Josh00Si

Josh00Si
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:27 AM

Posted 06 January 2009 - 07:57 PM

BTW, Malwarebytes didn't find anything either.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:27 AM

Posted 20 January 2009 - 09:38 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 Josh00Si

Josh00Si
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:27 AM

Posted 20 January 2009 - 05:58 PM

Please disregard this. I have since done a reformat since it was about that time.

#5 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:01:27 AM

Posted 21 January 2009 - 08:01 AM

Thank you for letting me know.

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.