Is This a Part of a Virus?



#1 Badnick24

Posted 26 April 2012 - 07:04 PM

Mod Edit: Moved from XP to Am I infected ~ Hamluis.

Hello Bleeping Computer. This is my first post on your site. So a couple months ago I had a virus on my computer called XP Antivirus 2012 or something. Anyways, I removed the virus, but today I found this .zip file called attachments. It contained a text file that looked like an email log or something. It's basically a very long text file containing the message, sender, recipients, and thousands of letters (probably a script or something). I'm going to post the text file below. However, what's even more interesting is that it contained the sender's IP address, which I used to find his house on Google Maps. :wink: I'm posting it because I'm just wondering if this was part of the virus.

Here is the text of the file:
EDIT: email addresses were removed. Sorry, I should have done that when I posted this :mellow:

Return-Path: <email removed>
Received: from imta23.westchester.pa.mail.comcast.net (LHLO
imta23.westchester.pa.mail.comcast.net) (76.96.62.47) by
sz0113.ev.mail.comcast.net with LMTP; Fri, 11 Mar 2011 00:47:02 +0000 (UTC)
Received: from imr-mb02.mx.aol.com ([64.12.207.163])
by imta23.westchester.pa.mail.comcast.net with comcast
id Hcn21g0153Y3QEw0Pcn2ca; Fri, 11 Mar 2011 00:47:02 +0000
X-CAA-SPAM: 00000
Received: from mtaomg-mb02.r1000.mx.aol.com (mtaomg-mb02.r1000.mx.aol.com [172.29.41.73])
by imr-mb02.mx.aol.com (8.14.1/8.14.1) with ESMTP id p2B0keDe002413;
Thu, 10 Mar 2011 19:46:40 -0500
Received: from core-mod005a.r1000.mail.aol.com (core-mod005.r1000.mail.aol.com [172.29.196.17])
by mtaomg-mb02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id AD2BAE000081;
Thu, 10 Mar 2011 19:46:39 -0500 (EST)
References: <BLU0-SMTP187DCE2040A73CC120F760DCFC80@phx.gbl>
To: <emails removed>
Subject: Fwd: What is This Made Of?
X-AOL-IP: 24.192.186.245
In-Reply-To: <BLU0-SMTP187DCE2040A73CC120F760DCFC80@phx.gbl>
X-MB-Message-Source: WebUI
MIME-Version: 1.0
From: <email removed>
X-MB-Message-Type: User
Content-Type: multipart/alternative;
boundary="--------MB_8CDAD9CEA77E3E7_694_74DB_webmail-d036.sysops.aol.com"
X-Mailer: AOL Webmail 33356-STANDARD
Received: from 24.192.186.245 by webmail-d036.sysops.aol.com (205.188.181.89) with HTTP (WebMailUI); Thu, 10 Mar 2011 19:46:38 -0500
Message-Id: <8CDAD9CEA2223C7-694-30AC@webmail-d036.sysops.aol.com>
X-Originating-IP: [24.192.186.245]
Date: Thu, 10 Mar 2011 19:46:39 -0500 (EST)
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/69179
X-AOL-VSS-CODE: clean
X-AOL-SCOLL-SCORE: 1:2:264362752:93952408
X-AOL-SCOLL-URL_COUNT: 4
x-aol-sid: 3039ac1d29494d7970ef25a1

This is a multi-part message in MIME format.
----------MB_8CDAD9CEA77E3E7_694_74DB_webmail-d036.sysops.aol.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"

-----Original Message-----
From: B.Sloboda <email removed>
To: Undisclosed-Recipient:;
Sent: Thu, Mar 10, 2011 5:08 pm
Subject: Fw: What is This Made Of?

Somebody has waaaaay too much time on their hands!!!

Try to guess in the first few frames what this is made from . . . before y=
ou can see at the end! : )

!

Flip flops!! =20

I am using the Free version of SPAMfighter.
SPAMfighter has removed 235 of my spam emails to date.

Do you have a slow PC? Try free scan!=20

----------MB_8CDAD9CEA77E3E7_694_74DB_webmail-d036.sysops.aol.com
Content-Type: multipart/related;
boundary="--------MB_8CDAD9CEA77E3E7_694_74DC_webmail-d036.sysops.aol.com"

----------MB_8CDAD9CEA77E3E7_694_74DC_webmail-d036.sysops.aol.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"

<font color=3D'black' size=3D'2' face=3D'arial'><br>
<br>


<div style=3D"CLEAR: both"></div>
<br>
<br>


Edited by Badnick24, 27 April 2012 - 02:38 PM.
Email addresses removed for security reasons ~Elise



#2 dev00790

Posted 28 April 2012 - 09:51 AM

Hello,

I will be helping you with your problems. Please do the following:

Step 1

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Step 2

Please download Farbar Service Scanner to your Desktop and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Step 3

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Step 4

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 Badnick24

Posted 03 May 2012 - 02:50 PM

Edit: removed unnecessary quote. ~~ boopme

I think you might be mistaken. I removed the virus on the computer a couple months ago. However, just now I found this file that I suspect was used to send the virus to me. I believe the file is harmless now. It contains the sender's IP address, though, which, if he sent the virus, is awesome. Now I know where he lives and can have a "chat" with him (jk).

What I'm here for is to find out whether this was used to send that virus or not. Thank you! :thumbup2:

Edited by boopme, 04 May 2012 - 12:24 PM.


#4 dev00790

Posted 05 May 2012 - 06:30 AM

Hi Badnick24,

It's highly unlikely that this is the IP address for the person who made the virus.

More likely: it's faked, or it's another victim who has (through no fault of their own) unknowingly distributed it after being infected themselves.

Regards, dev00790

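An added example, not from the thread or from BleepingComputer, that makes dev00790's point concrete by walking the Received chain from the first post: only the hops written by the recipient's own provider (comcast.net here) are verifiable, while the earliest "from" address and X-Originating-IP are written by the sending side and at best describe the AOL webmail account that clicked Forward. The sample headers are copied from the post with continuation lines re-indented; the domain check is an assumption of this example.

```python
import re

# Constructed sample: the Received chain quoted in the first post (addresses
# already removed there), continuation lines re-indented as RFC 5322 folding.
RAW_HEADERS = """\
Received: from imta23.westchester.pa.mail.comcast.net (LHLO
 imta23.westchester.pa.mail.comcast.net) (76.96.62.47) by
 sz0113.ev.mail.comcast.net with LMTP; Fri, 11 Mar 2011 00:47:02 +0000 (UTC)
Received: from imr-mb02.mx.aol.com ([64.12.207.163])
 by imta23.westchester.pa.mail.comcast.net with comcast
 id Hcn21g0153Y3QEw0Pcn2ca; Fri, 11 Mar 2011 00:47:02 +0000
Received: from mtaomg-mb02.r1000.mx.aol.com (mtaomg-mb02.r1000.mx.aol.com [172.29.41.73])
 by imr-mb02.mx.aol.com (8.14.1/8.14.1) with ESMTP id p2B0keDe002413;
 Thu, 10 Mar 2011 19:46:40 -0500
Received: from core-mod005a.r1000.mail.aol.com (core-mod005.r1000.mail.aol.com [172.29.196.17])
 by mtaomg-mb02.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id AD2BAE000081;
 Thu, 10 Mar 2011 19:46:39 -0500 (EST)
Received: from 24.192.186.245 by webmail-d036.sysops.aol.com (205.188.181.89) with HTTP (WebMailUI); Thu, 10 Mar 2011 19:46:38 -0500
X-Originating-IP: [24.192.186.245]
"""
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOP = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)")

def unfold(raw):
    """Join folded continuation lines; return (name, value) pairs in order."""
    text = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [tuple(p.strip() for p in ln.split(":", 1)) for ln in text.splitlines() if ":" in ln]

def received_hops(headers):
    """Parse Received headers in header order (most recent hop first)."""
    hops = []
    for name, value in headers:
        m = HOP.search(value) if name.lower() == "received" else None
        if m:
            src, extra, dst = m.groups()
            ip = IPV4.search(extra) or IPV4.search(src)
            hops.append({"from": src, "ip": ip.group(0) if ip else None, "by": dst})
    return hops

def analyze(raw, own_domain):
    """Hops whose 'by' host is the recipient's own provider were written by that
    provider; hops below them and X-Originating-IP are the sending side's claims."""
    headers = unfold(raw)
    hops = received_hops(headers)
    own = [h for h in hops if h["by"].endswith(own_domain)]
    return {"handoff_ip": own[-1]["ip"] if own else None,  # seen by our provider
            "claimed_client_ip": hops[-1]["ip"], "claimed_by": hops[-1]["by"],
            "x_originating_ip": dict(headers).get("X-Originating-IP", "").strip("[]"),
            "unverifiable_hops": len(hops) - len(own)}
```

For this message the hand-off IP the recipient's provider actually saw is AOL's outbound server, while 24.192.186.245 is whatever AOL webmail recorded for the account that forwarded the chain letter, which says nothing about who wrote any malware.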




