Spam is being sent from computer


I work at a computer repair shop and have a great deal of experience
removing spyware and viruses, however I am stumped.

I have a machine in here that sends a great deal of spam when it is
connected to the internet.  I have done extensive cleanup with many
spyware removal programs (Ad-aware, Spybot, Ewido, Windows Defender,
Hijack This, Blacklight) and several antivirus programs (Norton both on
the computer itself  and with the hard drive hooked up as a secondary
drive, as well as housecall and panda anti-virus).  I also have dug
through just about every file on the computer manually looking for
suspicious files.  Most recently, I have done a repair on Windows.

only typical windows services are accessing the internet, and nothing
else, when this occurs.  The e-mails being sent are to completely
random addresses (not from address book) and send regardless of
settings in outlook and outlook express.  From opening tmp files
created in the temp directory I was able to see that these e-mails were
urging people to purchase a specific stock (a common scam).
I have tried running LSPfix and it looks clean, as well as running
winsockfix for the hell of it.

This is a business computer and if it is at all possible I would like
to avoid reformatting.

Although Hijack This looks clean to me, I will post a log (I have read
enough posts on message boards to know that some people are anal about
this before they will help).  I appreciate any help anyone can give me
in advance.  Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 10:30:41 AM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\User\Desktop\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: Comcast Toolbar - - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Comcast Toolbar - - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Norton AntiVirus - - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Re: Spam is being sent from computer

On 11 Jul 2006 07:33:30 -0700, guzinsk3@gmail.com wrote:


Hijack This logs aren't welcome here. There are forums for that
purpose.

One thing I notice is that Windows Messenger Service seems to
be enabled. Why haven't you disabled it? And when you do, does
the problem disappear?

http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx

Art
http://home.epix.net/~artnpeg

Re: Spam is being sent from computer



That's fine, even if you said it very rudely (I have not spent any
time on this forum, I am just looking for help, and I have spent a good
deal of time on other forums where people will demand just as rudely
for hijack this logs before they will even consider the problem).
Secondly, Windows Messenger Service is disabled.  MSN Messenger is not,
but that would not have anything to do with this.


Re: Spam is being sent from computer

On 11 Jul 2006 09:34:58 -0700, guzinsk3@gmail.com wrote:



Since when is stating a fact rude?

Art
http://home.epix.net/~artnpeg

Re: Spam is being sent from computer

Art wrote:


Art, thank you for not being more rude and advising him this is not a
"forum" nor asking him why he didn't post his HiJackThis in one of those
"other forums where people will demand just as rudely for hijack this
logs".

Appreciate your restraint!  ;-)

--
   -bts
   -Warning: I brake for lawn deer

Re: Spam is being sent from computer

I was never asking for help with hijack this.  I posted it, because as
I previously mentioned, some people will demand it before they will
help you.  Also, as I previously stated, I am unfamiliar with this
forum.  However, I don't see how that matters, if the hijack this
log is useful in demonstrating that it isn't just something simple.  If
I was wrong and this forum does not have people with experience with
viruses who would possibly have encountered such a virus before and know of
a program or method that could remove it, then I apologize again.


Re: Spam is being sent from computer

On that special day, , (guzinsk3@gmail.com) said...


This is not a "forum", this is usenet. This is a giant collection of
blackboards, following a protocol, that is older than the WWW.

You just can't see it, because you had accessed it via a mirror, called
"Google Groups".

If you want to know, what Usenet is, read
http://en.wikipedia.org/wiki/Usenet


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A property, too valuable these days, to give it away,
just so, at no cost.

Re: Spam is being sent from computer



"Forum" is a generic term that includes newsgroups.

(Just to be pedantic.)

Steve

Re: Spam is being sent from computer

Steve Pope wrote:

And in the meantime, the computer in question continues to spew spam.

(Just to be pragmatic.)

rl
--
Rhonda Lea Kirk

If you ever need some proof that time can heal your wounds,
just step inside my heart and walk around these rooms;
where the shadows used to be....     Mary Chapin Carpenter



Re: Spam is being sent from computer

Sorry for barging in here, I happened to find this group (Usenet) by
searching Google as well.  I empathize with the guy's problem, as I just
went through the same problems.  I can't see why you folks don't get
past the Hack this issue and help the guy!
Rhonda Lea Kirk wrote:


Re: Spam is being sent from computer

<snip>

First off, there is some long-standing protocol related to posting
procedures in Usenet Newsgroups.

Second, there are a lot of experienced folks who regularly contribute
their knowledge and experience to help others solve problems. Attacking
the group is no way to solicit FREE help!

Third, this group's main focus is on computer viruses but in the last
few years there has been a lot of overlap with malware caused problems
so quite a few messages also deal with trojans, worms and other issues.

I would venture that many of the regulars have glanced at this thread
and moved on.

You will catch more flies with honey than vinegar!

Chas.



Re: Spam is being sent from computer

On Tue, 11 Jul 2006 17:27:30 GMT, "Beauregard T. Shagnasty"


Or for mentioning that it's rude to post logs without first asking if
it's permissible.


I'm softening up in my old age.

Art
http://home.epix.net/~artnpeg

Re: Spam is being sent from computer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

guzinsk3@gmail.com wrote:

Have you tried RootkitRevealer from http://www.sysinternals.com/ ?
You might also get somewhere looking for the most recently created/modified
.dll's in %windir% and %windir%\system32 if you can't find any suspect .exe's.



Something must have hooked into one of the services - unless the virus is
running using the same name as something commonly found on a Windows PC. Or
it's been root-kitted.

I see you've run quite a few AV engines against the machine - and not
wanting to overkill - I still think it's worth you running Eset's NOD32
Threat Protection on the machine. They offer a fully-functional 30-day
trial on their web site http://www.eset.com/
The only drawback is that you must uninstall any other AV first, which may mess
with your subscription if your AV is badly written.

NOD32's malware detection is superior to Symantec (which is unacceptable in
my opinion), Trend Micro and Panda in my experience. I had a client with
very similar problems who was using a functional and up-to-date install of
Norton Antivirus.
You should block outgoing port 25 before hooking it up to the Internet
again; at least this will stem the tide and stop you being relay
blacklisted and/or kicked off your ISP. :-)



Interesting - you should try seeing which process is creating these files
with Filemon http://www.sysinternals.com/



Excuse the pedants.



I'm not an HJT expert but it looks mostly clean to me. Looking at the other
replies I might be the only help you get ;-)



I'm pretty sure this process doesn't normally stay running (on NT-based
Windows) unless the PC is downloading updates or is notifying you that
updates are available. Right-click the file and see if it's got a "Digital
Signature" tab and is signed by Microsoft. Might be worth uploading it to
VirusTotal http://www.virustotal.com/

HTH

Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFEtB707uRVdtPsXDkRAuF2AJ48YsEcYnkaJL4NhpSyahxCfhM3qACgggJw
CBKGVrQWTr65FnyshdHHv4A=
=C6D/
-----END PGP SIGNATURE-----
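Adam's suggestion to look at the most recently created or modified .dll and .exe files in %windir% and %windir%\system32 is easy to do in Explorer, but it is also worth having as a script when the suspect drive is attached as a secondary disk. The following is an added example written for this thread, not code from any poster or from Sysinternals; it assumes Python 3 and only reads timestamps, never touching the files. The directory names, the 30-day window and the extension list are choices made for the example.

```python
"""List the most recently modified binaries in the Windows directories.

Added example for the "recently created/modified .dll's in %windir% and
%windir%\\system32" check; read-only, no files are changed.
"""
import os
import sys
import time
from typing import Iterable, List, Optional, Tuple

# Extensions worth looking at first; adjust to taste.
BINARY_EXTS = (".dll", ".exe", ".sys", ".ocx")


def recent_binaries(roots: Iterable[str],
                    limit: int = 20,
                    max_age_days: Optional[float] = None,
                    exts: Tuple[str, ...] = BINARY_EXTS) -> List[Tuple[float, str]]:
    """Return up to `limit` (timestamp, path) pairs, newest first.

    Only the directories named in `roots` are listed (no recursion), which
    matches the advice in the thread and keeps the output short. On Windows
    the creation time (st_ctime) is considered as well as the modification
    time, because a dropped file may carry an old mtime copied from its
    source; elsewhere st_ctime means "inode change time", so only mtime is
    used there. Missing or unreadable directories are skipped.
    """
    cutoff = None
    if max_age_days is not None:
        cutoff = time.time() - max_age_days * 86400
    hits: List[Tuple[float, str]] = []
    for root in roots:
        try:
            entries = os.scandir(root)
        except OSError:
            continue
        with entries:
            for entry in entries:
                if not entry.is_file(follow_symlinks=False):
                    continue
                if not entry.name.lower().endswith(exts):
                    continue
                try:
                    st = entry.stat(follow_symlinks=False)
                except OSError:
                    continue
                ts = st.st_mtime
                if os.name == "nt":
                    ts = max(ts, st.st_ctime)
                if cutoff is not None and ts < cutoff:
                    continue
                hits.append((ts, entry.path))
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits[:limit]


def format_report(hits: List[Tuple[float, str]]) -> str:
    """One line per file, newest first: local timestamp and full path."""
    lines = []
    for ts, path in hits:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts))
        lines.append("%s  %s" % (stamp, path))
    return "\n".join(lines)


if __name__ == "__main__":
    # Default to the live Windows directory; pass other directories as
    # arguments when the suspect drive is mounted as a secondary disk,
    # e.g.  python recent_binaries.py E:\WINDOWS E:\WINDOWS\system32
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    roots = sys.argv[1:] or [windir, os.path.join(windir, "system32")]
    print(format_report(recent_binaries(roots, limit=30, max_age_days=30)))
```

Anything that shows up near the top of the list and is not explained by a patch, a driver install or the cleanup tools already run is a candidate for the digital-signature check and the VirusTotal upload Adam mentions.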

Re: Spam is being sent from computer

Thank you Adam, I will try your suggestions.  I already looked at
recently created/modified files in the windows and system directories,
and I have already tried a rootkit removal tool (which did remove
several files), but I will give the Sysinternals one a shot.  Thanks
for suggesting the anti-virus program as well, I am not familiar with
it.

It's nice to get someone that actually wants to help!


Re: Spam is being sent from computer

On 12 Jul 2006 06:40:15 -0700, guzinsk3@gmail.com wrote:


Better yet is a "no-install" scanner with top notch detection. See my
web site for the KAVDOSNT kit. After using one of the UIs it contains
to "Update" (download data bases), do the scan in Safe mode. Let us
know what it finds.

Art
http://home.epix.net/~artnpeg

Re: Spam is being sent from computer

guzinsk3@gmail.com says...
************* REPLY SEPARATOR **************
It sounds very much like whatever you have is running as a service. To narrow
it down, you can use 2 very common Microsoft command line utilities; Netstat &
Tasklist. By using netstat -ano, you can identify the process ID that is using
port 25. Then by using Tasklist, you should be able to identify the process
using that ID. Shut down the process, and the IP connection should disappear.

Once you have identified the process, now you have to determine if it is the
legitimate one. Backdoors often use one of the common system names to hide
themselves, but usually the file date/file size will tell you if it is the
proper one. Sometimes they will even use a boot file name, such as kernel32.

J.A. Coutts
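The netstat/tasklist correlation J.A. Coutts describes can be done by eye, but on a box with dozens of connections it is quicker to save both outputs and let a script join them on the PID. Below is an added example written for this thread, not code from any poster or from Microsoft: it parses saved `netstat -ano` and `tasklist /fo csv` output, reports every process with a TCP connection to remote port 25, and names the image so the file on disk can then be checked the way the reply describes. The two samples embedded in the script are constructed for the example (RFC 5737 documentation addresses, made-up PIDs); a real run reads the two files given on the command line.

```python
"""Join `netstat -ano` with `tasklist /fo csv` to find what is talking to port 25.

Added example: parses saved output of the two Microsoft utilities named in
the thread. The samples below are constructed, not captured from the
poster's machine.
"""
import csv
import io
import sys
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample of `netstat -ano` output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    192.168.1.20:1045      203.0.113.10:25        ESTABLISHED     1488
  TCP    192.168.1.20:1046      198.51.100.7:25        SYN_SENT        1488
  TCP    192.168.1.20:1050      203.0.113.44:80        ESTABLISHED     2104
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","932","Console","0","4,212 K"
"svchost.exe","1488","Console","0","9,876 K"
"iexplore.exe","2104","Console","0","21,440 K"
"""


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """One dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:      # UDP rows have no State column
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def remote_port(addr: str) -> Optional[int]:
    """Port of 'host:port' or '[v6addr]:port'; None for '*:*'."""
    _host, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from the CSV form of tasklist."""
    images: Dict[int, str] = {}
    for row in csv.DictReader(io.StringIO(text)):
        try:
            images[int(row["PID"])] = row["Image Name"]
        except (KeyError, TypeError, ValueError):
            continue
    return images


def find_port_talkers(netstat_text: str, tasklist_text: str, port: int = 25) -> List[Dict[str, object]]:
    """Processes with at least one TCP connection whose foreign port is `port`, by PID."""
    images = parse_tasklist(tasklist_text)
    by_pid: Dict[int, List[str]] = defaultdict(list)
    for row in parse_netstat(netstat_text):
        if row["proto"] == "TCP" and remote_port(row["remote"]) == port:
            by_pid[row["pid"]].append(row["remote"])
    return [{"pid": pid, "image": images.get(pid, "<not in tasklist>"), "remotes": remotes}
            for pid, remotes in sorted(by_pid.items())]


def main(argv: List[str]) -> None:
    if len(argv) == 3:                      # python smtp_talkers.py netstat.txt tasks.txt
        with open(argv[1]) as f:
            netstat_text = f.read()
        with open(argv[2]) as f:
            tasklist_text = f.read()
    else:
        netstat_text, tasklist_text = SAMPLE_NETSTAT, SAMPLE_TASKLIST
    talkers = find_port_talkers(netstat_text, tasklist_text)
    if not talkers:
        print("no TCP connections to remote port 25")
    for t in talkers:
        print("PID %d (%s): %d connection(s) to port 25: %s"
              % (t["pid"], t["image"], len(t["remotes"]), ", ".join(t["remotes"])))
        print("  next: check the path, size and date of %s against a known-good copy" % t["image"])


if __name__ == "__main__":
    main(sys.argv)
```

Save the two outputs with `netstat -ano > netstat.txt` and `tasklist /fo csv > tasks.txt` while the spam is flowing, then run the script on them. When the image turns out to be svchost.exe, as in the constructed sample, `tasklist /svc` shows which services each svchost.exe instance is hosting, which narrows the search to a service, the place Coutts expects the culprit to be.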

