My notebook transformed itself into some kind of SPAM machine.

  #1 gratum (Newbie)

    No idea how it happened, but my notebook seems to send thousands of emails in the background every minute, which causes my ADSL line to block, and a router restart is required.

    I am not using any email programs on this PC; it's used exclusively for browsing and design work.

    I did several Trojan scans, malware, antivirus, adware, etc. etc., but no results.

    I discovered the problem with some simple packet sniffer, which shows background packets being sent all the time, each time with a new local port.

    I wanted to check which application is using this port, with "Active Ports" from www.ntutility.com, but this only tells me:
    PROCESS = UNKNOW
    PID = 0

    Each packet sniffed used port 53 as the remote port and each time a new local port. As an example:

    Local Port 1436 > Remote Port 53
    Local Port 1438 > Remote Port 53
    Local Port 1440 > Remote Port 53
    Local Port 1442 > Remote Port 53
    Local Port 1444 > Remote Port 53
    Local Port 1446 > Remote Port 53

    The same happens with port 25:
    Local Port 1302 > Remote Port 25
    Local Port 1304 > Remote Port 25
    Local Port 1306 > Remote Port 25
    Local Port 1308 > Remote Port 25
    Local Port 1310 > Remote Port 25

    Each time it attempts to connect to some new IP.

    I tried to block remote ports 25 and 53, with no success.
    I tried to close all running services, no success.

    OK, I do realize reinstalling my XP would be faster, but, hey, I want to find out what the problem is.

    Some example of a port 53 packet
    ----
    00000000 8E 83 01 00 00 01 00 00 00 00 00 00 03 68 73 62 ........ .....hsb
    00000010 03 63 6F 6D 00 00 0F 00 01 .com.... .

    00000000 8E 83 81 80 00 01 00 03 00 00 00 04 03 68 73 62 ........ .....hsb
    00000010 03 63 6F 6D 00 00 0F 00 01 C0 0C 00 0F 00 01 00 .com.... ........
    00000020 00 1F D5 00 0A 00 14 05 6D 61 69 6C 32 C0 0C C0 ........ mail2...
    00000030 0C 00 0F 00 01 00 00 1F D5 00 0A 00 1E 05 6D 61 ........ ......ma
    00000040 69 6C 33 C0 0C C0 0C 00 0F 00 01 00 00 1F D5 00 il3..... ........
    00000050 09 00 0A 04 6D 61 69 6C C0 0C C0 27 00 01 00 01 ....mail ...'....
    00000060 00 00 1F D5 00 04 C0 4D 8B 02 C0 3D 00 01 00 01 .......M ...=....
    00000070 00 00 49 83 00 04 C0 4D 8B 08 C0 53 00 01 00 01 ..I....M ...S....
    00000080 00 00 53 4B 00 04 C0 4D 8B 02 C0 53 00 01 00 01 ..SK...M ...S....
    00000090 00 00 53 4B 00 04 C0 4D 8B 08 ..SK...M ..


    Some example of a port 25 packet
    ----
    Date: Sat, 19 Apr 2008 09:41:15 +0000
    From: "Pont Strauf" <blackhead@motohaus.lu>
    X-Mailer: The Bat! (3.51.9) Professional
    Reply-To: Pont Strauf <blackhead@motohaus.lu>
    X-Priority: 3 (Normal)
    Message-ID: <1481138195.20080419093817@motohaus.lu>
    To: <landis29@hanmail.net>
    Subject: cytologist
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----------CA6F92D8DC4368"

    ------------CA6F92D8DC4368
    Content-Type: text/plain; charset=iso-8859-1
    Content-Transfer-Encoding: quoted-printable

    Hello,=09
    =20
    Increaase Sexual EEnergy and Pleasuure!
    http://q4ri5z8og58qd.blogspot.com



    =09And owen, watching, took her pallor for the ashy of gold
    thread on stiff ultramarine tissue, which carry us three
    men and our when the raft was finished most of them carrying
    hand bags. During rehearsals want yes, said ellie, i know
    what you mean. But about arthur because he thought hetty
    would be whiskers, dark eyes, husky voice, tooth missing
    preposterous for words. They had quite an excited gordon.
    they think he stabbed his cousin. My sakes! With a bump.
    then again, the mischievous ants one jump in her nightgown,
    just before going to want me, he said, and he offered no
    humorous remarks, a living brain. You will be annihilated
    in the ob serve the round hole through the chainmail said
    emily. Don't be indelicate. And anyway, she.
    ishbnhiieaaaakbmfi.
    ------------CA6F92D8DC4368
    Content-Type: text/html; chars. #Host Name Server
    nicname 43/tcp whois
    domain 53/tcp #Domain Name Server
    domain 53/udp #Domain Name Server
    bootps 67/udp dhcps #Bootstrap Protocol Server
    bootpc 68/udp dhcpc #Bootstrap Protocol Client
    tftp 69/udp #Trivial File Transfer
    gopher 70/tcp
    finger 79/tcp
    http 80/tcp www www-http #World Wide Web
    kerberos 88/tcp g></p><st=
    rong> </strong>
    <p>And owen, watching, took her pallor for the ashy of gold<br> thread

    on=
    stiff ultramarine tissue, which carry us three<br> men and our when the =
    raft was finished most of them carrying<br> hand bags. During rehearsals =
    want yes, said ellie, i know<br> what you mean. But about arthur because

    =
    he thought hetty<br> would be whiskers, dark eyes, husky voice, tooth

    mis=
    sing<br> preposterous for words. They had quite an excited gordon.<br>

    =
    they think he stabbed his cousin. My sakes! With a bump.<br> then again, =
    the mischievous ants one jump in her nightgown,<br> just before going to =
    want me, he said, and he offered no<br> humorous remarks, a living brain.=
    You will be annihilated<br> in the ob serve the round hole through the c=
    hainmail said<br> emily. Don't be indelicate. And anyway, she.<br>
    ishbnhiieaaaakbmfi.</p>
    </body></html>
    ------------CA6F92D8DC4368--
    .

    454 5.7.1 DXNS3 83.34.2.243: Message refused. Your host name dosen't match with your IP address: ilpo.rima-tde.net

    QUIT

    221 2.0.0 rmail-142.hanmail.net closing connection



    ========================
    Finally some HIJACK OUTPUT
    ========================
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:41:20, on 19/04/2008
    Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\SmartSniff\smsniff.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\telnet.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: etlrlws - {151E8F05-9830-4888-A41E-B8AB1213CA59} - C:\WINDOWS\etlrlws.dll (file missing)
    O4 - HKLM\..\Run: [acerWireless] C:\Program Files\acer\Wireless\Utility\WlanUtil.exe
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Advanced Email Extractor - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Scan link with AEE - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/link.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: (no name) - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\Program%20Files\Advanced%20Email%20Extractor%20PRO\AeePMsie.dll/page.html (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...e/x86/win32/activex/hcImpl.cab
    O16 - DPF: {63E0388E-4CD2-4728-99CC-E3652A1AE7AD} (EzAutoLogin Control) - http://203.233.205.66:8080/help/EzAutoLoginProj1.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FAA969F8-2960-4B55-8A6D-0CE7D04C0456}: NameServer = 80.58.61.250,195.235.113.3
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: eqnclass32 - C:\WINDOWS\SYSTEM32\eqnclass32.dll
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    --
    End of file - 7200 bytes



    Hopefully you guys know what happened.
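The port-53 dump in the post is worth decoding rather than eyeballing, because it explains the port-25 traffic that follows it: the first packet is a DNS query of type 0x000F (MX) for the domain of an address the malware wants to deliver to, and the reply lists that domain's mail exchangers with their IP addresses, which is exactly what a spam engine needs to connect straight to the victim's MX on port 25 without any local mail client. The following is an added example, not code from the original post: a small Python DNS message parser that handles RFC 1035 label compression (the `C0 xx` pointers visible in the dump) and is fed the exact bytes from the two hex dumps above (re-typed with the offset column and ASCII gutter dropped). `mail_hosts_to_expect` then lists, lowest preference first, the hosts a direct-to-MX sender would try next; the record-type table is deliberately partial.

```python
import struct
from ipaddress import IPv4Address

# The two port-53 packets from the post, re-typed from the hex dump
# (offset column and ASCII gutter dropped). Packet 1 is the query the
# notebook sent, packet 2 the resolver's reply.
QUERY_HEX = """
8E 83 01 00 00 01 00 00 00 00 00 00 03 68 73 62
03 63 6F 6D 00 00 0F 00 01
"""
RESPONSE_HEX = """
8E 83 81 80 00 01 00 03 00 00 00 04 03 68 73 62
03 63 6F 6D 00 00 0F 00 01 C0 0C 00 0F 00 01 00
00 1F D5 00 0A 00 14 05 6D 61 69 6C 32 C0 0C C0
0C 00 0F 00 01 00 00 1F D5 00 0A 00 1E 05 6D 61
69 6C 33 C0 0C C0 0C 00 0F 00 01 00 00 1F D5 00
09 00 0A 04 6D 61 69 6C C0 0C C0 27 00 01 00 01
00 00 1F D5 00 04 C0 4D 8B 02 C0 3D 00 01 00 01
00 00 49 83 00 04 C0 4D 8B 08 C0 53 00 01 00 01
00 00 53 4B 00 04 C0 4D 8B 02 C0 53 00 01 00 01
00 00 53 4B 00 04 C0 4D 8B 08
"""

# Partial record-type table; unknown types are reported by number.
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def hex_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))


def read_name(msg, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers
    (two bytes starting with bits 11). Returns (dotted name, offset just past
    the name as it appears at the original position: 2 bytes for a bare pointer)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:                       # first pointer fixes the end
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:                           # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def read_rr(msg, off):
    """Decode one resource record; MX and A rdata are interpreted, the rest is hex."""
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if rtype == 15:                               # MX: preference + exchange name
        pref = struct.unpack_from("!H", msg, off)[0]
        exchange, _ = read_name(msg, off + 2)     # exchange may itself be compressed
        rdata = (pref, exchange)
    elif rtype == 1 and rdlen == 4:               # A: packed IPv4 address
        rdata = str(IPv4Address(msg[off:off + 4]))
    else:
        rdata = msg[off:off + rdlen].hex()
    record = {"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl, "rdata": rdata}
    return record, off + rdlen


def parse_dns(msg):
    """Parse a DNS message (query or response) into a dict of its sections."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    questions = []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((qname, TYPE_NAMES.get(qtype, qtype)))
    sections = {}
    for key, count in (("answers", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            rrs.append(rr)
        sections[key] = rrs
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "questions": questions, **sections}


def mail_hosts_to_expect(resp):
    """From a parsed MX reply, list (preference, host, ips) lowest preference
    first: the hosts a direct-to-MX sender will try on port 25 next."""
    glue = {}
    for rr in resp["additional"]:
        if rr["type"] == "A":
            glue.setdefault(rr["name"], []).append(rr["rdata"])
    mx = sorted(rr["rdata"] for rr in resp["answers"] if rr["type"] == "MX")
    return [(pref, host, tuple(glue.get(host, ()))) for pref, host in mx]


if __name__ == "__main__":
    query = parse_dns(hex_to_bytes(QUERY_HEX))
    reply = parse_dns(hex_to_bytes(RESPONSE_HEX))
    print("query:", query["questions"])
    for pref, host, ips in mail_hosts_to_expect(reply):
        print(f"MX {pref:3d} {host:15s} -> {', '.join(ips) or '(no glue)'}")
```

Run against the captured bytes, the query decodes as `hsb.com MX` and the reply as three MX records (preferences 10, 20 and 30) plus four glue A records, so the very next thing the sniffer would show is a connection to one of those addresses on port 25. For a defender the takeaway is the pattern, not this one domain: a workstation with no mail client should essentially never issue MX queries, so a steady stream of them from a single host (each with a fresh ephemeral source port, as listed in the post) is a reliable indicator of direct-to-MX spamming even when the process that does it hides from process listings, and it can be caught at the resolver or the router rather than on the infected machine.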


  #2 VopThis (Senior Member, Canada)
    Please download Malwarebytes' Anti-Malware from HERE or HERE.

    • Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
    • A run log is automatically saved by MBAM and can be viewed by clicking the Logs TAB in MBAM.
    • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

    Please also provide any new current observations.
