Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SPAM bot on my computer, need help


  • This topic is locked This topic is locked
6 replies to this topic

#1 tuvalo

tuvalo

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:58 PM

Posted 23 January 2010 - 05:11 AM

I have a spam bot on my computer.

I can tell this because using WIRESHARKi see alot of outgoing SMTP traffic to random/unknown email addresses.
using "netstat -a -b" i can tell that the origin is in "services.exe" but i don't know which service is causing this.

AVG, sophos, and SuperAntiSpyware all fail to detect something is wrong.
I'm attaching a HijackThis log created just now.

i would appreciate it if you can kindly help, as i'm running out of ideas.

-----------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:36, on 23/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\AVG\AVG9\avgchsvx.exe
I:\Program Files\AVG\AVG9\avgrsx.exe
I:\Program Files\AVG\AVG9\avgcsrvx.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\RTHDCPL.EXE
J:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
I:\WINDOWS\system32\RUNDLL32.EXE
I:\PROGRA~1\AVG\AVG9\avgtray.exe
J:\Temp\newutorrent\MyTorrent181-x11.exe
J:\Program Files\Microsoft ActiveSync\wcescomm.exe
I:\WINDOWS\system32\ctfmon.exe
J:\PROGRA~1\MICROS~2\rapimgr.exe
J:\Program Files\Launchy\Launchy.exe
J:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap.exe
J:\Program Files\Stardock\ObjectDock\ObjectDock.exe
J:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
J:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
I:\Program Files\AVG\AVG9\avgwdsvc.exe
J:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
J:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
I:\Program Files\AVG\AVG9\avgnsx.exe
J:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
J:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Google\Update\GoogleUpdate.exe
J:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap Service Controller.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\system32\vmnat.exe
I:\WINDOWS\system32\vmnetdhcp.exe
J:\Program Files\VMware\VMware Workstation\vmware-authd.exe
I:\WINDOWS\system32\wuauclt.exe
I:\WINDOWS\system32\cmd.exe
J:\Program Files\Wireshark\wireshark.exe
J:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap Blaster.exe
I:\WINDOWS\system32\msiexec.exe
J:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - J:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - j:\Program Files\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - I:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - J:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - I:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - j:\Program Files\FlashGet\getflash.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - J:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "J:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "J:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] I:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [nwiz] I:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG9_TRAY] I:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [uTorrent] "J:\Temp\newutorrent\MyTorrent181-x11.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "J:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "j:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Syncplicity] I:\Program Files\Syncplicity\Syncplicity.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] I:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = J:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = J:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Launchy.lnk = J:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: LM Remote KeyMap.lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - J:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - J:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://I:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://J:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - I:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - J:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - J:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - J:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - J:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - j:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - j:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - J:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: j:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: j:\program files\vmware\vmware workstation\vsocklib.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - I:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/36.21/uploader2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - J:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - I:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - I:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - I:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - I:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - J:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Update Service (gupdate1c9981b51ed4354) (gupdate1c9981b51ed4354) - Google Inc. - I:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LM Remote KeyMap Blaster (LM Remote KeyMap Blaster Service) - LM Gestion - J:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap Blaster.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - I:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SageTV - SageTV, LLC - J:\Program Files\SageTV\SageTV\SageTVService.exe
O23 - Service: ServiceLayer - Nokia. - I:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - J:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - J:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - I:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - I:\WINDOWS\system32\vmnat.exe

--
End of file - 10859 bytes


BC AdBot (Login to Remove)

 


#2 tuvalo

tuvalo
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:58 PM

Posted 23 January 2010 - 12:13 PM

Managed to defeat this one by myself. (I'm kinda proud).

i found a file called yxtxa.sys which looked unbelieveable (size 0, can't access some relevant registry keys, other contained the GUID of my capture card driver).
deleted it using microsoft recover console.

no more viagra spam!


#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 PM

Posted 29 January 2010 - 02:24 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log or RootRepeal log please refer to this page and in step #6 and Step #7 for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 PM

Posted 01 February 2010 - 12:36 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 tuvalo

tuvalo
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:58 PM

Posted 01 February 2010 - 01:10 PM

Hi extremeboy,

thank you very much.
I managed to find that trojan and remove it, as i indicated in my reply to the original post.
I'm all clean now :-)


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 PM

Posted 01 February 2010 - 01:19 PM

Okay. Below are some prevention tips and I'll close off this topic.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
Some of the main things you should consider to perform/read are:
  • Having ONE Anti-Virus installed and running with real-time protection
  • Disabling Autorun/Play on Flash-Drive/Removable Drives
  • Avoid gaming sites, underground web pages, pirated software sites, and Peer to Peer Programs
  • Keep Windows Updated through going to Windows Updates
  • Updating Non-Microsoft Programs
  • Keeping Security softwares updated
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Edited by extremeboy, 01 February 2010 - 01:19 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:58 PM

Posted 01 February 2010 - 01:20 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users