Welcome to MalwareRemoval.com,

Malware Removal Instructions

My notebook transfered itselfs in some kind of SPAM machine


My notebook transfered itselfs in some kind of SPAM machine

Unread postby gratum » April 19th, 2008, 8:41 am

No idea how it happened, but my notebook seems to send thousands of emails from the background every minute, which causes my ADSL line to block, and a router restart is required.

I am not using any email programs on this PC; it's exclusively used for browsing and design work.

I did several Trojan scans, malware, antivirus, adware, etc. etc., but no results.

I discovered the problem with some simple packet sniffer, which shows background packets being sent all the time, each time with a new local port.

I wanted to check which application is using this PORT, with "Active Ports" from http://www.ntutility.com, but this only tells me:
PROCESS = UNKNOW
PID = 0

Each packet sniffed used port 53 as remote port and each time a new local port. As example:

Local Port 1436 > Remote Port 53
Local Port 1438 > Remote Port 53
Local Port 1440 > Remote Port 53
Local Port 1442 > Remote Port 53
Local Port 1444 > Remote Port 53
Local Port 1446 > Remote Port 53

The same happens with 25:
Local Port 1302 > Remote Port 25
Local Port 1304 > Remote Port 25
Local Port 1306 > Remote Port 25
Local Port 1308 > Remote Port 25
Local Port 1310 > Remote Port 25

Each time it attempts to connect to some new IP.

I tried to block the remote port 25 and port 53, which had no success.
I tried to close all services running, no success.

Ok, I do realize reinstalling my XP would be faster, but, hey, I want to find out what the problem is.

Some example of a port 53 packet
----
00000000 8E 83 01 00 00 01 00 00 00 00 00 00 03 68 73 62 ........ .....hsb
00000010 03 63 6F 6D 00 00 0F 00 01 .com.... .

00000000 8E 83 81 80 00 01 00 03 00 00 00 04 03 68 73 62 ........ .....hsb
00000010 03 63 6F 6D 00 00 0F 00 01 C0 0C 00 0F 00 01 00 .com.... ........
00000020 00 1F D5 00 0A 00 14 05 6D 61 69 6C 32 C0 0C C0 ........ mail2...
00000030 0C 00 0F 00 01 00 00 1F D5 00 0A 00 1E 05 6D 61 ........ ......ma
00000040 69 6C 33 C0 0C C0 0C 00 0F 00 01 00 00 1F D5 00 il3..... ........
00000050 09 00 0A 04 6D 61 69 6C C0 0C C0 27 00 01 00 01 ....mail ...'....
00000060 00 00 1F D5 00 04 C0 4D 8B 02 C0 3D 00 01 00 01 .......M ...=....
00000070 00 00 49 83 00 04 C0 4D 8B 08 C0 53 00 01 00 01 ..I....M ...S....
00000080 00 00 53 4B 00 04 C0 4D 8B 02 C0 53 00 01 00 01 ..SK...M ...S....
00000090 00 00 53 4B 00 04 C0 4D 8B 08 ..SK...M ..


Some example of a port 25 packet
----
Date: Sat, 19 Apr 2008 09:41:15 +0000
From: "Pont Strauf" <blackhead@motohaus.lu>
X-Mailer: The Bat! (3.51.9) Professional
Reply-To: Pont Strauf <blackhead@motohaus.lu>
X-Priority: 3 (Normal)
Message-ID: <1481138195.20080419093817@motohaus.lu>
To: <landis29@hanmail.net>
Subject: cytologist
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------CA6F92D8DC4368"

------------CA6F92D8DC4368
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hello,=09
=20
Increaase Sexual EEnergy and Pleasuure!
http://q4ri5z8og58qd.blogspot.com



=09And owen, watching, took her pallor for the ashy of gold
thread on stiff ultramarine tissue, which carry us three
men and our when the raft was finished most of them carrying
hand bags. During rehearsals want yes, said ellie, i know
what you mean. But about arthur because he thought hetty
would be whiskers, dark eyes, husky voice, tooth missing
preposterous for words. They had quite an excited gordon.
they think he stabbed his cousin. My sakes! With a bump.
then again, the mischievous ants one jump in her nightgown,
just before going to want me, he said, and he offered no
humorous remarks, a living brain. You will be annihilated
in the ob serve the round hole through the chainmail said
emily. Don't be indelicate. And anyway, she.
ishbnhiieaaaakbmfi.
------------CA6F92D8DC4368
Content-Type: text/html; chars. #Host Name Server
nicname 43/tcp whois
domain 53/tcp #Domain Name Server
domain 53/udp #Domain Name Server
bootps 67/udp dhcps #Bootstrap Protocol Server
bootpc 68/udp dhcpc #Bootstrap Protocol Client
tftp 69/udp #Trivial File Transfer
gopher 70/tcp
finger 79/tcp
http 80/tcp www www-http #World Wide Web
kerberos 88/tcp g></p><st=
rong> </strong>
<p>And owen, watching, took her pallor for the ashy of gold<br> thread

on=
stiff ultramarine tissue, which carry us three<br> men and our when the =
raft was finished most of them carrying<br> hand bags. During rehearsals =
want yes, said ellie, i know<br> what you mean. But about arthur because

=
he thought hetty<br> would be whiskers, dark eyes, husky voice, tooth

mis=
sing<br> preposterous for words. They had quite an excited gordon.<br>

=
they think he stabbed his cousin. My sakes! With a bump.<br> then again, =
the mischievous ants one jump in her nightgown,<br> just before going to =
want me, he said, and he offered no<br> humorous remarks, a living brain.=
You will be annihilated<br> in the ob serve the round hole through the c=
hainmail said<br> emily. Don't be indelicate. And anyway, she.<br>
ishbnhiieaaaakbmfi.</p>
</body></html>
------------CA6F92D8DC4368--
.

454 5.7.1 DXNS3 83.34.2.243: Message refused. Your host name dosen't

match with your IP address: ilpo.rima-tde.net

QUIT

221 2.0.0 rmail-142.hanmail.net closing connection



========================
Finally some HIJACK OUTPUT
========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:20, on 19/04/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SmartSniff\smsniff.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\telnet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: etlrlws - {151E8F05-9830-4888-A41E-B8AB1213CA59} - C:\WINDOWS\etlrlws.dll (file missing)
O4 - HKLM\..\Run: [acerWireless] C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Advanced Email Extractor - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... 6/win32/activex/hcImpl.cab
O16 - DPF: {63E0388E-4CD2-4728-99CC-E3652A1AE7AD} (EzAutoLogin Control) - http://203.233.205.66:8080/help/EzAutoLoginProj1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAA969F8-2960-4B55-8A6D-0CE7D04C0456}: NameServer = 80.58.61.250,195.235.113.3
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: eqnclass32 - C:\WINDOWS\SYSTEM32\eqnclass32.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 7200 bytes
gratum
Active Member
 
Posts: 4
Joined: April 19th, 2008, 7:35 am
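The two port-53 datagrams in the hex dump above are worth decoding, because they tell a defender what the host is doing before each port-25 connection. The parser below is an added example, not code from the thread or from any of the tools named in it: the byte strings are transcribed from the post's dump, while the function names and the MX-lookup check are my own. It handles DNS name compression (the `C0 0C` style pointers that make up most of the reply) and prints the query type and the mail exchangers returned.

```python
"""Decode the two DNS datagrams captured in the first post (query and reply).

Added example, not from the thread.  The bytes are transcribed from the
SmartSniff hex dump in the post; the parsing code is a minimal RFC 1035
reader written for this page.
"""
import struct

# Transcribed from the post: the outgoing query to remote port 53 ...
QUERY_HEX = """
8E 83 01 00 00 01 00 00 00 00 00 00 03 68 73 62
03 63 6F 6D 00 00 0F 00 01
"""
# ... and the reply that came back (same transaction id 0x8E83).
REPLY_HEX = """
8E 83 81 80 00 01 00 03 00 00 00 04 03 68 73 62
03 63 6F 6D 00 00 0F 00 01 C0 0C 00 0F 00 01 00
00 1F D5 00 0A 00 14 05 6D 61 69 6C 32 C0 0C C0
0C 00 0F 00 01 00 00 1F D5 00 0A 00 1E 05 6D 61
69 6C 33 C0 0C C0 0C 00 0F 00 01 00 00 1F D5 00
09 00 0A 04 6D 61 69 6C C0 0C C0 27 00 01 00 01
00 00 1F D5 00 04 C0 4D 8B 02 C0 3D 00 01 00 01
00 00 49 83 00 04 C0 4D 8B 08 C0 53 00 01 00 01
00 00 53 4B 00 04 C0 4D 8B 02 C0 53 00 01 00 01
00 00 53 4B 00 04 C0 4D 8B 08
"""

TYPE_NAMES = {1: "A", 15: "MX"}


def read_name(msg, off):
    """Decode a domain name at msg[off], following compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # 2-byte pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                         # stream resumes after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def read_rr(msg, off):
    """Decode one resource record; returns (dict, next offset)."""
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 15:                                   # MX: preference, exchange
        pref = struct.unpack("!H", msg[off:off + 2])[0]
        rdata = (pref, read_name(msg, off + 2)[0])
    elif rtype == 1:                                  # A: IPv4 address
        rdata = ".".join(str(b) for b in msg[off:off + 4])
    else:
        rdata = msg[off:off + rdlen].hex()
    rr = {"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl, "rdata": rdata}
    return rr, off + rdlen


def parse_dns(raw):
    """Parse a DNS message into header fields, questions and record sections."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", raw[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(raw, off)
        qtype, _qclass = struct.unpack("!HH", raw[off:off + 4])
        off += 4
        questions.append((qname, TYPE_NAMES.get(qtype, qtype)))
    sections = {}
    for label, count in (("answers", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = read_rr(raw, off)
            rrs.append(rr)
        sections[label] = rrs
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "questions": questions, **sections}


def is_mx_lookup(pkt):
    """True when the message asks for mail exchangers: a host that sends no
    mail has no reason to do this, so a burst of them is a useful signal."""
    return any(qtype == "MX" for _, qtype in pkt["questions"])


def mail_exchangers(reply):
    """(preference, host) pairs from the answer section, best preference first."""
    return sorted(rr["rdata"] for rr in reply["answers"] if rr["type"] == "MX")


if __name__ == "__main__":
    query = parse_dns(bytes.fromhex(QUERY_HEX))
    reply = parse_dns(bytes.fromhex(REPLY_HEX))
    print("query:", query["questions"], "MX lookup:", is_mx_lookup(query))
    print("MX records:", mail_exchangers(reply))
    for rr in reply["additional"]:
        print("glue:", rr["name"], rr["rdata"], "ttl", rr["ttl"])
```

Run as a script it shows the query is `hsb.com MX` and the reply lists `mail.hsb.com` (preference 10), `mail2.hsb.com` (20) and `mail3.hsb.com` (30) with their A records, which is exactly the information a mailer needs before opening the port-25 connections seen in the next capture. Checking a capture for MX queries from workstations is a cheap detection: legitimate desktop mail clients talk to a configured relay and almost never resolve MX records themselves.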

Re: My notebook transfered itselfs in some kind of SPAM machine

Unread postby Blade81 » April 19th, 2008, 8:43 am

Hi

You seem to have posted your log to many other hjt forums too (at least 5 Star Support & Cexx.org). Let those know you've been helped here.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: My notebook transfered itselfs in some kind of SPAM machine

Unread postby gratum » April 19th, 2008, 9:55 am

Hi

Thank you for the reply, sorry to post it to different forums, but before I had no successful response...

Please find below the report from Combofix

------------

ComboFix 08-04-18.3 - Hannelaure Dijon 2008-04-19 14:31:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.568 [GMT 1:00]
Running from: C:\Documents and Settings\Hannelaure Dijon\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\internet explorer\setup.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\dbxDgrevCheck.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWNETPKER
-------\Service_windownetpker


((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-19 10:27 . 2008-04-19 10:27 <DIR> d-------- C:\Documents and Settings\Hannelaure Dijon\Application Data\Wireshark
2008-04-19 10:24 . 2008-04-19 10:27 <DIR> d-------- C:\Program Files\Panda Security
2008-04-18 22:39 . 2008-04-18 22:39 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-18 19:02 . 2008-04-18 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-18 19:02 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-04-18 19:02 . 2008-04-18 20:06 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-18 18:59 . 2008-04-18 20:35 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-04-18 17:16 . 2008-04-19 12:15 <DIR> d-------- C:\Program Files\a-squared Free
2008-04-18 16:24 . 2008-04-18 16:24 <DIR> d-------- C:\Program Files\Active Ports
2008-04-18 16:06 . 2008-04-18 16:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 15:21 . 2008-04-17 15:22 <DIR> d-------- C:\Program Files\IberInfo
2008-04-17 15:21 . 2008-04-17 15:21 1,413,120 --------- C:\WINDOWS\Setupbaby.exe
2008-04-17 15:21 . 2008-04-17 15:21 74,240 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-17 13:46 . 2008-04-17 13:46 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-17 13:46 . 2008-04-17 13:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-15 19:26 . 2008-04-15 19:26 <DIR> d-------- C:\Documents and Settings\Hannelaure Dijon\auto
2008-04-15 19:26 . 2008-04-15 19:27 287 --a------ C:\WINDOWS\XMailer.INI
2008-04-14 10:59 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-04-12 21:56 . 2008-04-12 21:56 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-12 18:20 . 2008-04-12 18:20 <DIR> d-------- C:\Program Files\Wireshark
2008-04-12 18:20 . 2008-04-12 18:20 <DIR> d-------- C:\Program Files\WinPcap
2008-04-12 14:39 . 2008-04-12 14:44 <DIR> d-------- C:\Documents and Settings\Hannelaure Dijon\.housecall6.6
2008-04-12 14:34 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-04-12 14:08 . 2004-05-13 16:04 225,280 --a------ C:\WINDOWS\system32\gccbbase.dll
2008-04-12 12:21 . 2008-04-12 12:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-12 11:16 . 2008-04-12 11:16 0 --a------ C:\WINDOWS\Irremote.ini
2008-04-10 00:38 . 2008-04-10 00:38 <DIR> d-------- C:\Program Files\Resco
2008-04-10 00:38 . 2008-04-10 00:38 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-04-10 00:38 . 2007-10-10 18:38 90,112 --a------ C:\WINDOWS\RSetupCE.exe
2008-04-08 14:55 . 2008-04-08 14:55 <DIR> d-------- C:\Program Files\CounterPath
2008-04-08 13:06 . 2008-04-15 19:28 <DIR> d-------- C:\Program Files\fec
2008-04-06 13:04 . 2008-04-06 13:04 <DIR> d-------- C:\Program Files\Gif2swf
2008-04-06 13:04 . 1999-12-17 10:13 49,664 --a------ C:\WINDOWS\unvise32.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 16:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-18 15:43 --------- d-----w C:\Program Files\SmartSniff
2008-04-17 14:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 09:57 --------- d-----w C:\Program Files\ESET
2008-04-12 11:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-12 10:20 --------- d-----w C:\Program Files\Windows Desktop Search
2008-04-12 10:17 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-12 10:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-09 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-08 10:58 --------- d-----w C:\Program Files\Advanced Email Extractor PRO
2008-04-08 10:49 --------- d-----w C:\Program Files\Common Files\LencomShare
2008-04-04 00:59 --------- d-----w C:\Program Files\Java
2008-03-19 17:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-18 16:42 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-18 13:29 990,176 ----a-w C:\WINDOWS\dbplugin.exe
2008-03-18 12:33 2,118 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-18 11:56 --------- d-----w C:\Documents and Settings\Hannelaure Dijon\Application Data\ESET
2008-03-18 11:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-03-17 13:20 --------- d-----w C:\Program Files\Bonjour
2008-03-15 17:16 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-14 16:28 --------- d-----w C:\Program Files\GetRight
2008-03-14 13:27 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-03-14 09:09 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-03-13 09:33 192,592 ----a-w C:\WINDOWS\system32\DNLEng.dll
2008-03-10 22:38 --------- d-----w C:\Program Files\Sjboy Emulator
2008-03-10 21:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-03-10 13:49 --------- d-----w C:\Program Files\Email Address Collector
2008-03-03 08:54 --------- d-----w C:\Program Files\Mobiola Web Camera USB
2008-03-02 21:20 --------- d-----w C:\Program Files\Lencom Software Inc
2008-03-02 12:36 --------- d-----w C:\Program Files\Mobiola Web Camera
2008-03-01 16:48 --------- d-----w C:\Documents and Settings\Hannelaure Dijon\Application Data\Research In Motion
2008-03-01 16:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-03-01 11:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sonic
2008-03-01 11:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-03-01 11:22 --------- d-----w C:\Program Files\Roxio
2008-03-01 11:22 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-03-01 11:20 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-03-01 11:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-01 11:10 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-03-01 11:09 --------- d-----w C:\Program Files\Research In Motion
2008-03-01 11:08 --------- d-----w C:\Program Files\Link Web Extractor
2008-03-01 11:04 --------- d-----w C:\Program Files\Common Files\TweakMarketing
2008-03-01 10:32 --------- d-----w C:\Documents and Settings\Hannelaure Dijon\Application Data\GetRight
2008-02-29 10:41 --------- d-----w C:\Program Files\SWiSHmax
2008-02-28 18:32 --------- d-----w C:\Documents and Settings\Hannelaure Dijon\Application Data\GetRightToGo
2008-02-24 12:01 --------- d-----w C:\Program Files\PC Sync Manager
2008-02-20 10:11 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-02-20 10:02 29,704 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2008-02-20 10:01 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{151E8F05-9830-4888-A41E-B8AB1213CA59}"= "C:\WINDOWS\etlrlws.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{151e8f05-9830-4888-a41e-b8ab1213ca59}]
[HKEY_CLASSES_ROOT\etlrlws.1]
[HKEY_CLASSES_ROOT\TypeLib\{27F7F92B-9E29-4BB2-B7DE-F287E6A76756}]
[HKEY_CLASSES_ROOT\etlrlws]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 08:26 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"acerWireless"="C:\Program Files\acer\Wireless\Utility\WlanUtil.exe" [2005-01-10 16:00 462848]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-12-01 08:26 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eqnclass32]
eqnclass32.dll 2004-10-15 10:03 8704 C:\WINDOWS\system32\eqnclass32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2007-12-01 08:26 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-03-14 12:55 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyFreeWebCam]
--a------ 2007-03-28 16:03 6219776 C:\EC21Messenger\EzQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EC21]
--a------ 2007-03-28 16:03 6219776 C:\EC21Messenger\EzQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\egui]
C:\Program Files\ESET\ESET Smart Security\egui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
--a------ 2006-08-02 19:46 5382144 C:\Program Files\CounterPath\eyeBeam 1.5\eyeBeam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 22:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2004-02-10 20:51 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2004-02-10 20:55 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-12-01 01:26 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NoteBurner]
C:\Program Files\NoteBurner\VTBurnerGUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 11:12 695808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 16:27 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 09:56 236016 C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
C:\Program Files\Save\Save.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"windownetpker"=2 (0x2)
"usnjsvc"=3 (0x3)
"TapiSrv"=3 (0x3)
"SharedAccess"=2 (0x2)
"rpcapd"=3 (0x3)
"RoxWatch9"=2 (0x2)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"Imapi Helper"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"CryptSvc"=2 (0x2)
"BITS"=2 (0x2)
"aspnet_state"=3 (0x3)
"aawservice"=2 (0x2)
"a2free"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\JustVoip.com\\JustVoip\\JustVoip.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\emule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6624:TCP"= 6624:TCP:messenger
"7641:TCP"= 7641:TCP:messenger

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 14:57]
R3 IPN2220;INPROCOMM IPN2220 Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\i2220ntx.sys [2004-11-04 18:29]
R3 SMBBATT;Microsoft Smart Battery Driver;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2007-11-30 18:31]
S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys []
S3 BTCAMDRV;Mobiola Web Camera driver;C:\WINDOWS\system32\DRIVERS\BTCamDrv.sys [2006-01-11 15:55]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 21:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a38346c7-bdce-11dc-b98e-000e9b7a5c76}]
\Shell\AutoRun\command - F:\SETUP.EXE /AUTORUN
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 14:36:02
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ping.exe
.
**************************************************************************
.
Completion time: 2008-04-19 14:48:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-19 13:46:55

Pre-Run: 4,562,894,848 bytes free
Post-Run: 4,514,947,072 bytes free

248 --- E O F --- 2008-04-09 23:58:40


Regards
gratum
Active Member
 
Posts: 4
Joined: April 19th, 2008, 7:35 am

Re: My notebook transfered itselfs in some kind of SPAM machine

Unread postby gratum » April 19th, 2008, 9:57 am

I just checked with a sniffer,

the first minutes seem OK, but then it's sending thousands of packets again to remote ports 25 and 53, all spam messages

Regards
gratum
Active Member
 
Posts: 4
Joined: April 19th, 2008, 7:35 am
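The pattern gratum keeps observing, a burst of new connections to remote port 25 with every one going to a different address, is the signature of a host acting as its own outbound mail server, and it can be picked out of an ordinary connection log without any payload inspection. The script below is an added example, not part of the thread: the log format (`HH:MM:SS local_port remote_ip:remote_port`) is modelled on the `Local Port 1436 > Remote Port 53` lines in the first post, the sample lines and the addresses in them are constructed (documentation ranges, not real hosts), and the thresholds are my own choices.

```python
"""Flag the outbound fan-out pattern described in the thread: many fresh
tcp/25 connections to distinct remote hosts inside a short window.

Added example, not from the thread.  Log format and sample lines are
constructed for the demo; 192.0.2.0/24 and 203.0.113.0/24 are documentation
ranges, not real hosts.
"""
from collections import Counter, defaultdict

# Constructed log: one line per new outbound connection,
# "HH:MM:SS local_port remote_ip:remote_port".  The even local ports and the
# alternating 53/25 rhythm mirror what the post's sniffer output showed.
SAMPLE_LOG = """\
09:41:10 1436 192.0.2.53:53
09:41:10 1302 203.0.113.10:25
09:41:11 1438 192.0.2.53:53
09:41:11 1304 203.0.113.11:25
09:41:12 1440 192.0.2.53:53
09:41:12 1306 203.0.113.12:25
09:41:13 1442 192.0.2.53:53
09:41:13 1308 203.0.113.13:25
09:41:14 1444 192.0.2.53:53
09:41:14 1310 203.0.113.14:25
09:41:15 1446 192.0.2.53:53
09:41:15 1312 203.0.113.15:25
09:45:00 1500 203.0.113.80:80
"""


def parse_line(line):
    """Return (seconds since midnight, local_port, remote_ip, remote_port)."""
    ts, lport, remote = line.split()
    h, m, s = (int(x) for x in ts.split(":"))
    rip, rport = remote.rsplit(":", 1)
    return h * 3600 + m * 60 + s, int(lport), rip, int(rport)


def remote_port_counts(log):
    """Histogram of remote ports.  On a browsing-only machine tcp/25 should
    not appear at all; port 53 alone proves nothing, browsers resolve names
    constantly."""
    return Counter(parse_line(l)[3] for l in log.splitlines() if l.strip())


def smtp_fanout_alerts(log, window_s=60, min_peers=5):
    """Windows in which the host opened tcp/25 connections to at least
    min_peers distinct remote addresses.  A real mail client talks to one
    relay; a spam engine talks to one MX per recipient domain.
    Returns [(window_start 'HH:MM:SS', distinct_peer_count), ...]."""
    peers = defaultdict(set)                 # window index -> remote IPs on 25
    for line in log.splitlines():
        if not line.strip():
            continue
        secs, _lport, rip, rport = parse_line(line)
        if rport == 25:
            peers[secs // window_s].add(rip)
    alerts = []
    for win in sorted(peers):
        if len(peers[win]) >= min_peers:
            start = win * window_s
            label = "%02d:%02d:%02d" % (start // 3600, start % 3600 // 60, start % 60)
            alerts.append((label, len(peers[win])))
    return alerts


if __name__ == "__main__":
    print("remote ports:", dict(remote_port_counts(SAMPLE_LOG)))
    for start, n in smtp_fanout_alerts(SAMPLE_LOG):
        print("window starting %s: %d distinct SMTP peers" % (start, n))
```

On the sample the 09:41 window trips the rule with six distinct SMTP peers while the lone port-80 connection is ignored. The same counting works on router or firewall connection logs, which matters here: gratum blocked ports 25 and 53 on the notebook itself without effect, and a control enforced on the compromised host can be bypassed by whatever is running on it, whereas an egress rule on the router that allows tcp/25 only to the ISP's mail relay both stops the sending and makes the attempts visible in the router log.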

Re: My notebook transfered itselfs in some kind of SPAM machine

Unread postby Blade81 » April 19th, 2008, 11:11 am

Hi

Uninstall WhenUSave (or something similar if found) thru add/remove programs.


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\eqnclass32.dll

Folder::
C:\Program Files\Save

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{151E8F05-9830-4888-A41E-B8AB1213CA59}"=-

[-HKEY_CLASSES_ROOT\clsid\{151e8f05-9830-4888-a41e-b8ab1213ca59}]
[-HKEY_CLASSES_ROOT\etlrlws.1]
[-HKEY_CLASSES_ROOT\TypeLib\{27F7F92B-9E29-4BB2-B7DE-F287E6A76756}]
[-HKEY_CLASSES_ROOT\etlrlws]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eqnclass32]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]



Save this as CFScript


[Image: dragging CFScript onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings and select the following:
    Scan using the following Anti-Virus database:
  • Extended (If available, otherwise Standard)
    Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK.
  • Under select a target to scan, select My Computer.
  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
  • Click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log too (check that Notepad's word wrap is disabled!)


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above:

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: My notebook transfered itselfs in some kind of SPAM machine

Unread postby gratum » April 19th, 2008, 12:12 pm

Hello

I had some other tips from another forum, and together with your tips, currently the problem seems to be fixed.

3000 packets in 20 minutes
instead of
20.000 packets in 1 minute

No more PORT 25 attacks...

I am still not sure what fixed the issue, but anyhow you guys did,

Kind Regards, and Thank you very much for your quick response
gratum
Active Member
 
Posts: 4
Joined: April 19th, 2008, 7:35 am

Re: My notebook transfered itselfs in some kind of SPAM machine

Unread postby Blade81 » April 19th, 2008, 12:40 pm

Hi

Since you didn't follow up my advice to stay on one forum only and didn't post the logs I was asking for, I won't go any further here. Helper resources are limited and it really doesn't make any sense keeping multiple helpers occupied with the same issue in many places while other users are left without any help.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: My notebook transfered itselfs in some kind of SPAM machine

Unread postby Blade81 » April 19th, 2008, 1:58 pm

Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland