Computer Sending out Spam - Help


  • This topic is locked
53 replies to this topic

#1 mdrobo

mdrobo

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 07 February 2009 - 11:35 AM

Hi all and thanks in advance,
I've got a computer that is sending out spam when connected to the internet and I can't figure out where it's coming from. Outlook is not set up or being used. I've run Malwarebytes and it comes back clean, I've run avast anti-virus and it comes back clean. When running Super AntiSpyware it causes the computer to restart right at the end of the memory scan. It will run in safe mode. I'm not really sure what else to try at this point, so I hope someone can help me out. Attached is my HijackThis log.
Thanks.
MDROBO

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:16 PM, on 2/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-21-220523388-2052111302-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-220523388-2052111302-839522115-500\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User '?')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1212593513093
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5183 bytes


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:04:36 AM

Posted 19 February 2009 - 10:02 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 mdrobo

mdrobo
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 20 February 2009 - 12:27 PM

Thanks for the reply KoanYorel,
Well I still have problems. I've tried running some other scans, installing a different Virus program in hope of finding something that will identify the nasty. Currently, it won't boot into normal mode, as it looks to be getting a BSOD in the middle of startup. It will boot to Safe mode, and I ran the DDS that you requested and attached are the two reports from DDS. Thank you for your help.

MDROBO

Attached Files



#4 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:36 AM

Posted 20 February 2009 - 04:24 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

May I ask why you think this computer is sending out spam? Is it because you are getting messages from people telling them that you sent them spam? Or is there a lot of network traffic on your computer that you cannot explain?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#5 mdrobo

mdrobo
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 20 February 2009 - 06:02 PM

Hi Hoov,
Thank you for your help. A friend originally brought it to me with a host of nasties in it and inactivated virus protection. I managed to get it to what I thought was a pretty clean state. Then my internet service was shut down by my service provider saying I had a computer sending out thousands of spam emails one night. I assumed it was one of the kids' PCs. So but anyway, I installed AVAST anti-virus on it and was sitting there watching it and I noticed a little icon that I had never seen before, and it was scanning outbound mail for viruses. So then I managed to get some warnings to pop up and it basically was saying it was sending the same message many times. So that's how I know that it's sending them out. I would have just wiped it clean and started over, but the guy doesn't have the Windows XP Pro disk for it. As far as what I've done on it so far, it's hard to recall, as I've been messing with it for a few weeks. I've run Malwarebytes (runs clean), Spybot Search and Destroy (runs clean), I was running AVAST anti-virus for a while and it was running clean, uninstalled that and tried CA eTrust and it ran clean. There are a couple of strange things that happen in my search to remove this. Super-AntiSpyware will run in Safe Mode, however when running in Normal mode, it gets to a certain point and basically shuts the PC down and restarts. At first it was at the end of the scanning of the active memory items, but I think the last time I ran it it was into the scanning of the registry items when it did it. Also, when running HijackThis, which from running it on other PCs usually runs pretty quick, on this one it runs quick, then sorta stops and then just sits there half way thru and then finally finishes up. The other day, I started getting these messages about Windows files not being right, and to insert the Windows disk to correct, but of course I don't have the disk. Today I tried booting it up in normal mode, and it gives me the BSOD.
Anyway, so there you go... Thanks again for any help you can offer.
MDROBO

#6 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:36 AM

Posted 20 February 2009 - 07:26 PM

OK. I would like you to update Malwarebytes' Anti-Malware, Superantispyware, Spybot, and whatever you are using for an Antivirus now. Also I would like you to download combofix (instructions below). But don't run anything yet. Then I would like you to try something that may give you a better chance of finding things. In safe mode go to the run command and type in msconfig. When it opens the window select selective startup. Then uncheck the selection for services and startup programs. You may get a warning about not being able to stop all the services, just click OK. It may take a minute or two, but you should be able to click apply then reboot. Now run Malwarebytes' Anti-Malware, Superantispyware, Spybot and your antivirus. Everything except Spybot will give you a log to post. For Spybot you need to right click where the results are and select save full report to file. Remember where the file is, when you make your next post, I would like you to attach (not paste in) that report file. After you have run those 4 programs I need you to run combofix and post its log with the others in your next post. After all this is done, run msconfig again and select normal startup and then click apply and then reboot. Let windows reboot normally, and when / if you get the BSOD, write down the stop code and message for me. Include that with the next post as well.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#7 mdrobo

mdrobo
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 21 February 2009 - 10:09 AM

Thanks Hoov. I will get right on it. Downloading updates now. Just one note, no BSOD when I booted up this morning, so I didn't need to uncheck the services and startup programs to get my updates. I will still run all the scans in safe mode. I will post back when done. Thanks.

#8 mdrobo

mdrobo
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 21 February 2009 - 10:31 AM

Oh one more thing. Just to clarify, before I run all this and give you something you didn't want. Did you want me to uncheck the services and startup anyway, or was that just to get around the BSOD? I've started the Malwarebytes scan in safe mode, but I didn't uncheck the two items in msconfig. Let me know if I need to do this anyway, and I will go back and do it before posting. And one other thing, I did also run ComboFix at some point before I heard from you yesterday and probably at some point in the last couple weeks prior to that also but I'm not sure. Yesterday, it deleted one .dat file, but then I never got a report since it wasn't able to fully reboot because of the BSOD. Anyway, let me know if you still want me to uncheck the services and startup items. Thanks for your help.

#9 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:36 AM

Posted 21 February 2009 - 11:23 AM

I was just trying to get around the BSOD. Sometimes it happens because of a bad driver or bad software. Sometimes they happen because the moon is in retrograde, or you used the wrong finger to hit the power button, or a million other silly reasons. But if it started up normally, then chances are that there was a sunspot causing the BSOD. :thumbup2: If it is working in windows normally, then that is a bonus.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#10 mdrobo

mdrobo
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 21 February 2009 - 02:12 PM

Hoov,
Here you go. I've got to run out. I couldn't figure out how to pull the e-trust log, but there were no infections found. Thanks again for any help.

MDROBO

Attached Files



#11 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:36 AM

Posted 21 February 2009 - 04:13 PM

Did you ever install something called RapidAntivirus? Looks like Spybot caught the remnants. Other than that you looked good.

Next thing I would like you to do is please download RunScanner
  • Save it to a folder you create such as C:\Runscanner (this assumes Windows is installed on your C: drive).
  • Launch Runscanner by double-clicking runscanner.exe within the C:\Runscanner folder.
  • Vista users must also click Continue to open Runscanner when prompted by User Account Control (UAC)
  • Check Beginner Mode
  • Click Scan computer
  • You will see a "Runscanner scan in progress" window displayed while Runscanner scans your system
  • At the conclusion of the scan, save the run file called runscanner.run to your documents folder or directly to the Runscanner folder. This is the file you will need to upload.
  • A runscanner.log file will automatically open in Notepad. Just close the Notepad window because it is ONLY the runscanner.run file that we are interested in.
  • Next, zip up the runscanner.run file that you just saved.
  • I want you to upload the zipped runscanner.run file as an attachment in your next reply
  • To do that choose "Additional Options" under "Post Reply"
  • Browse to the zipped RUN file location and then click the "Post" button to attach the file.
  • I will review the run file, and then upload it back to you with items marked for deletion.
  • Please await my directions and the returned RUN file, and do not delete anything in the interim
This will give me a really good picture of what is running, down to the cricket behind the computer. :thumbup2:
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#12 mdrobo

mdrobo
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 21 February 2009 - 09:14 PM

Thanks Hoov. Will do tomorrow. Just got home a bit ago. Thanks for the help again. As for the Rapid AntiVirus, I'm not sure where that came from. That's the first time I've noticed that on anything I've run, but thought it a little strange when it popped up on the Spybot results. Will run the Runscanner and post back to you tomorrow. Thanks.

#13 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:36 AM

Posted 21 February 2009 - 09:40 PM

Attach it, don't post. I am going to use it to hopefully send the fix back to you with. If you post it, then it won't work.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#14 mdrobo

mdrobo
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:04:36 AM

Posted 22 February 2009 - 10:03 AM

Hoov, Here is the RunScan file zip. I zipped the folder also, when you unzip the .run file is in a folder called RunscanZip or something like that. Thanks.

#15 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:04:36 AM

Posted 22 February 2009 - 12:05 PM

Well, that didn't help. Does Avast tell you what is sending out all those emails?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families
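
Added example, not part of the original thread or any poster's reply: one way to answer the question of which process is sending the mail is to capture `netstat -ano` and `tasklist /fo csv /nh` on the affected machine and group the outbound SMTP connections by owning PID. The sample output, addresses, image names and the `threshold` parameter below are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}  # SMTP, SMTPS, mail submission

# Constructed `netstat -ano` output; addresses are documentation ranges.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.1.10:1045      192.0.2.25:25          ESTABLISHED     1884
  TCP    192.168.1.10:1046      198.51.100.7:25        SYN_SENT        1884
  TCP    192.168.1.10:1047      203.0.113.9:25         ESTABLISHED     1884
  TCP    192.168.1.10:1048      203.0.113.40:25        SYN_SENT        1884
  TCP    192.168.1.10:1040      192.0.2.80:25          TIME_WAIT       0
  TCP    192.168.1.10:1100      198.51.100.50:587      ESTABLISHED     2300
  TCP    192.168.1.10:1101      198.51.100.60:80       ESTABLISHED     2300
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /fo csv /nh` output; image names are hypothetical.
TASKLIST_SAMPLE = '''\
"System Idle Process","0","Console","0","28 K"
"example_unknown.exe","1884","Console","0","9,412 K"
"example_mailclient.exe","2300","Console","0","31,004 K"
'''


def parse_netstat(text):
    """Yield (remote_host, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0].upper() != "TCP":
            continue  # header, UDP rows (no State column), blank lines
        host, _, port = f[2].rpartition(":")
        if port.isdigit() and f[4].isdigit():
            yield host.strip("[]"), int(port), f[3], int(f[4])


def parse_tasklist(text):
    """Map PID -> image name from CSV-formatted tasklist output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text))
            if len(r) >= 2 and r[1].isdigit()}


def smtp_senders(netstat_text, tasklist_text, threshold=3):
    """Group outbound mail connections by owning PID, busiest first."""
    names = parse_tasklist(tasklist_text)
    hosts = defaultdict(set)
    for host, port, state, pid in parse_netstat(netstat_text):
        if port in SMTP_PORTS and state != "LISTENING":
            hosts[pid].add(host)
    report = []
    for pid, remote in hosts.items():
        # Windows lists TIME_WAIT sockets under PID 0: the sender already closed them.
        image = "(closed, owner not recorded)" if pid == 0 else names.get(pid, "<unknown>")
        report.append({"pid": pid, "image": image, "smtp_hosts": sorted(remote),
                       "suspicious": pid != 0 and len(remote) >= threshold})
    return sorted(report, key=lambda r: len(r["smtp_hosts"]), reverse=True)


if __name__ == "__main__":
    for row in smtp_senders(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(row)
```

A process talking to many distinct mail servers at once stands out from a mail client that connects to a single submission host; the image path of the flagged PID is the next thing to inspect.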




