Spam is being sent from computer

guzinsk3

I work at a computer repair shop and have a great deal of experience
removing spyware and viruses, however I am stumped.

I have a machine in here that sends a great deal of spam when it is
connected to the internet. I have done extensive cleanup with many
spyware removal programs (Ad-aware, Spybot, Ewido, Windows Defender,
Hijack This, Blacklight) and several antivirus programs (Norton both on
the computer itself and with the hard drive hooked up as a secondary
drive, as well as housecall and panda anti-virus). I also have dug
through just about every file on the computer manually looking for
suspicious files. Most recently, I have done a repair on windows.
From temporarily installing a firewall on the pc, it looks as though
only typical windows services are accessing the internet, and nothing
else, when this occurs. The e-mails being sent are to completely
random addresses (not from address book) and send regardless of
settings in outlook and outlook express. From opening tmp files
created in the temp directory I was able to see that these e-mails were
urging people to purchase a specific stock (a common scam).
I have tried running LSPfix and it looks clean, as well as running
winsockfix for the hell of it.

This is a business computer and if it is at all possible I would like
to avoid reformatting.

Although Hijack This looks clean to me, I will post a log (I have read
enough posts on message boards to know that some people are anal about
this before they will help). I appreciate any help anyone can give me
in advance. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 10:30:41 AM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security
Console\NSCSRVCE.EXE
C:\Documents and Settings\User\Desktop\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://msn.com/
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} -
C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29}
- C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B}
- C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX
Scan Agent 6.5) -
http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation
- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) -
Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) -
Symantec Corporation - C:\Program Files\Norton
AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\Security
Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation -
C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
Art

I work at a computer repair shop and have a great deal of experience
removing spyware and viruses, however I am stumped.

I have a machine in here that sends a great deal of spam when it is
connected to the internet. I have done extensive cleanup with many
spyware removal programs (Ad-aware, Spybot, Ewido, Windows Defender,
Hijack This, Blacklight) and several antivirus programs (Norton both on
the computer itself and with the hard drive hooked up as a secondary
drive, as well as housecall and panda anti-virus). I also have dug
through just about every file on the computer manually looking for
suspicious files. Most recently, I have done a repair on windows.

only typical windows services are accessing the internet, and nothing
else, when this occurs. The e-mails being sent are to completely
random addresses (not from address book) and send regardless of
settings in outlook and outlook express. From opening tmp files
created in the temp directory I was able to see that these e-mails were
urging people to purchase a specific stock (a common scam).
I have tried running LSPfix and it looks clean, as well as running
winsockfix for the hell of it.

This is a business computer and if it is at all possible I would like
to avoid reformatting.

Although Hijack This looks clean to me, I will post a log (I have read
enough posts on message boards to know that some people are anal about
this before they will help). I appreciate any help anyone can give me
in advance. Thanks.

Hijack This logs aren't welcome here. There are forums for that
purpose.

One thing I notice is that Windows Messenger Service seems to
be enabled. Why haven't you disabled it? And when you do, does
the problem disappear?

http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx

Art
http://home.epix.net/~artnpeg
 
guzinsk3

Hijack This logs aren't welcome here. There are forums for that
purpose.

One thing I notice is that Windows Messenger Service seems to
be enabled. Why haven't you disabled it? And when you do, does
the problem disappear?

http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx

Art
http://home.epix.net/~artnpeg

That's fine, even if you said it very rudely (I have not spent any
time on this forum, I am just looking for help, and I have spent good
deals of time on other forums where people will demand just as rudely
for hijack this logs before they will even consider the problem).
Secondly, Windows Messenger Service is disabled. MSN Messenger is not,
but that would not have anything to do with this.
 
Beauregard T. Shagnasty

Art said:
On 11 Jul 2006 09:34:58 -0700, (e-mail address removed) wrote:
[Art wrote:]
That's fine, even if you said it very rudely

Since when is stating a fact rude?

Art, thank you for not being more rude and advising him this is not a
"forum" nor asking him why he didn't post his HiJackThis in one of those
"other forums where people will demand just as rudely for hijack this
logs".

Appreciate your restraint! ;-)
 
guzinsk3

I was never asking for help with hijack this. I posted it because, as
I previously mentioned, some people will demand it before they will
help you. Also, as I previously stated, I am unfamiliar with this
forum. However, I don't see how that detracts from the fact that the
hijack this log is useful in demonstrating that it isn't just something
simple. If I was wrong and this forum does not have people with
experience with viruses who would possibly have encountered such a
virus before and know of a program or method that could remove it, then
I apologize again.
 
Art

Art said:
On 11 Jul 2006 09:34:58 -0700, (e-mail address removed) wrote:
[Art wrote:]
Hijack This logs aren't welcome here. There are forums for that
purpose.
That's fine, even if you said it very rudely

Since when is stating a fact rude?

Art, thank you for not being more rude and advising him this is not a
"forum" nor asking him why he didn't post his HiJackThis in one of those
"other forums where people will demand just as rudely for hijack this
logs".

Or for mentioning that it's rude to post logs without first asking if
it's permissible.
Appreciate your restraint! ;-)

I'm softening up in my old age.

Art
http://home.epix.net/~artnpeg
 
Gabriele Neukam

On that special day, (e-mail address removed) said...
If
i was wrong and this forum

This is not a "forum", this is usenet. This is a giant collection of
blackboards, following a protocol, that is older than the WWW.

You just can't see it, because you had accessed it via a mirror, called
"Google Groups".

If you want to know, what Usenet is, read
http://en.wikipedia.org/wiki/Usenet


Gabriele Neukam

(e-mail address removed)
 
Steve Pope

Gabriele Neukam said:
This is not a "forum", this is usenet. This is a giant collection of
blackboards, following a protocol, that is older than the WWW.

"Forum" is a generic term that includes newsgroups.

(Just to be pedantic.)

Steve
 
Rhonda Lea Kirk

Steve said:
"Forum" is a generic term that includes newsgroups.

(Just to be pedantic.)

Steve

And in the meantime, the computer in question continues to spew spam.

(Just to be pragmatic.)

rl
--
Rhonda Lea Kirk

If you ever need some proof that time can heal your wounds,
just step inside my heart and walk around these rooms;
where the shadows used to be.... Mary Chapin Carpenter
 
davidkir

Sorry for barging in here. I happened to find this group (Usenet) by
searching Google as well. I empathize with the guy's problem as I just
went through the same problems. I can't see why you folks don't get
past the Hijack This issue and help the guy!
 
Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I work at a computer repair shop and have a great deal of experience
removing spyware and viruses, however I am stumped.

I have a machine in here that sends a great deal of spam when it is
connected to the internet. I have done extensive cleanup with many
spyware removal programs (Ad-aware, Spybot, Ewido, Windows Defender,
Hijack This, Blacklight) and several antivirus programs (Norton both on
the computer itself and with the hard drive hooked up as a secondary
drive, as well as housecall and panda anti-virus). I also have dug
through just about every file on the computer manually looking for
suspicious files. Most recently, I have done a repair on windows.

Have you tried RootkitRevealer from http://www.sysinternals.com/ ?
You might also get somewhere looking for the most recently created/modified
.dll's in %windir% and %windir%\system32 if you can't find any suspect .exe's.

only typical windows services are accessing the internet, and nothing
else, when this occurs.

Something must have hooked into one of the services - unless the virus is
running using the same name as something commonly found on a Windows PC. Or
it's been root-kitted.

I see you've run quite a few AV engines against the machine - and not
wanting to overkill - I still think it's worth you running Eset's NOD32
Threat Protection on the machine. They offer a fully-functional 30-day
trial on their web site http://www.eset.com/
Only drawback is that you must uninstall any other AV first, which may mess
with your subscription if your AV is badly written.

NOD32's malware detection is superior to Symantec (which is unacceptable in
my opinion), Trend Micro and Panda in my experience. I had a client with
very similar problems who was using a functional and up-to-date install of
Norton Antivirus.
You should block outgoing port 25 before hooking it up to the Internet
again; at least this will stem the tide and stop you being relay
blacklisted and/or kicked off your ISP. :)

The e-mails being sent are to completely
random addresses (not from address book) and send regardless of
settings in outlook and outlook express. From opening tmp files
created in the temp directory I was able to see that these e-mails were
urging people to purchase a specific stock (a common scam).

Interesting - you should try seeing which process is creating these files
with Filemon http://www.sysinternals.com/

Although Hijack This looks clean to me, I will post a log (I have read
enough posts on message boards to know that some people are anal about
this before they will help). I appreciate any help anyone can give me
in advance.

Excuse the pedants.

Logfile of HijackThis v1.99.1

I'm not an HJT expert but it looks mostly clean to me. Looking at the other
replies I might be the only help you get ;-)

C:\WINDOWS\system32\wuauclt.exe

I'm pretty sure this process doesn't normally stay running (on NT-based
Windows) unless the PC is downloading updates or is notifying you that
updates are available. Right-click the file and see if it's got a "Digital
Signature" tab and is signed by Microsoft. Might be worth uploading it to
VirusTotal http://www.virustotal.com/

HTH

Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFEtB707uRVdtPsXDkRAuF2AJ48YsEcYnkaJL4NhpSyahxCfhM3qACgggJw
CBKGVrQWTr65FnyshdHHv4A=
=C6D/
-----END PGP SIGNATURE-----
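The "most recently created/modified .dll's" check from the reply above, written out as an added example that is not code from the post or from Sysinternals: it walks a directory tree, keeps the .dll/.exe files whose modification time falls inside a chosen window, and lists them newest first with their sizes, which also gives you the file date / file size comparison suggested later in the thread. So that it runs anywhere, it builds a constructed temporary tree standing in for %windir%\system32 (the file names, ages and sizes are made up, and `suspect_sample.dll` is a placeholder); on the affected machine you would point `recent_files` at `%WINDIR%` and `%WINDIR%\system32` instead.

```python
"""Triage helper: list the most recently modified DLL/EXE files under a tree.

Added example; the sample tree built by build_sample_tree() is constructed
and stands in for %windir%\\system32 on the affected machine.
"""
import os
import tempfile
import time
from datetime import datetime


def recent_files(root, exts=(".dll", ".exe"), days=7, now=None):
    """Return [(path, size_bytes, mtime_epoch)] for files under `root` whose
    extension is in `exts` and whose modification time is within the last
    `days`, newest first.  Only st_mtime is used so the result is the same on
    every platform (on Windows st_ctime is the creation time and could be
    checked as well)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    wanted = tuple(e.lower() for e in exts)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(wanted):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or locked: skip rather than abort the scan
            if st.st_mtime >= cutoff:
                hits.append((path, st.st_size, st.st_mtime))
    hits.sort(key=lambda h: h[2], reverse=True)
    return hits


def build_sample_tree():
    """Create a constructed directory tree: two long-standing system files and
    one freshly written DLL.  Returns (root, now) so callers can evaluate the
    age window against the same clock used for the timestamps."""
    root = tempfile.mkdtemp(prefix="triage_")
    now = time.time()
    os.makedirs(os.path.join(root, "system32"))
    samples = [  # (relative path, age in days, size in bytes) -- all made up
        ("system32/kernel32.dll", 400, 98304),
        ("system32/wuauclt.exe", 120, 16384),
        ("system32/suspect_sample.dll", 2, 24576),  # placeholder 'dropped' file
        ("system32/readme.txt", 1, 100),            # wrong extension, ignored
    ]
    for rel, age, size in samples:
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        stamp = now - age * 86400
        os.utime(path, (stamp, stamp))  # back-date atime/mtime to the chosen age
    return root, now


def report(hits):
    """Render the hit list as 'date  size  path' lines."""
    lines = []
    for path, size, mtime in hits:
        when = datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M")
        lines.append(f"{when}  {size:>10,d}  {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    root, now = build_sample_tree()
    print(report(recent_files(root, days=7, now=now)))
    # Real use on the affected XP box (assumption: run as an administrator):
    # print(report(recent_files(os.environ["WINDIR"], days=14)))
```

An empty list is not a clean bill: a dropper can back-date the modification time of what it writes, so a file that looks old still deserves the digital-signature check the post describes. The size column is there for the same reason; a system file name with the wrong size is as suspicious as a new one.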
 
guzinsk3

Thank you Adam, I will try your suggestions. I already looked at
recently created/modified files in the windows and system directories,
and I have already tried a rootkit removal tool (which did remove
several files), but I will give the Sysinternals one a shot. Thanks
for suggesting the anti-virus program as well, I am not familiar with
it.

It's nice to get someone that actually wants to help!
 
Art

Thank you Adam, I will try your suggestions. I already looked at
recently created/modified files in the windows and system directories,
and I have already tried a rootkit removal tool (which did remove
several files), but I will give the Sysinternals one a shot. Thanks
for suggesting the anti-virus program as well, I am not familiar with
it.

Better yet is a "no-install" scanner with top notch detection. See my
web site for the KAVDOSNT kit. After using one of the UIs it contains
to "Update" (download data bases), do the scan in Safe mode. Let us
know what it finds.

Art
http://home.epix.net/~artnpeg
 
John Coutts

I work at a computer repair shop and have a great deal of experience
removing spyware and viruses, however I am stumped.

I have a machine in here that sends a great deal of spam when it is
connected to the internet. I have done extensive cleanup with many
spyware removal programs (Ad-aware, Spybot, Ewido, Windows Defender,
Hijack This, Blacklight) and several antivirus programs (Norton both on
the computer itself and with the hard drive hooked up as a secondary
drive, as well as housecall and panda anti-virus). I also have dug
through just about every file on the computer manually looking for
suspicious files. Most recently, I have done a repair on windows.

only typical windows services are accessing the internet, and nothing
else, when this occurs. The e-mails being sent are to completely
random addresses (not from address book) and send regardless of
settings in outlook and outlook express. From opening tmp files
created in the temp directory I was able to see that these e-mails were
urging people to purchase a specific stock (a common scam).
I have tried running LSPfix and it looks clean, as well as running
winsockfix for the hell of it.

This is a business computer and if it is at all possible I would like
to avoid reformatting.

Although Hijack This looks clean to me, I will post a log (I have read
enough posts on message boards to know that some people are anal about
this before they will help). I appreciate any help anyone can give me
in advance. Thanks.
************* REPLY SEPARATOR **************
It sounds very much like whatever you have is running as a service. To narrow
it down, you can use 2 very common Microsoft command line utilities; Netstat &
Tasklist. By using netstat -ano, you can identify the process ID that is using
port 25. Then by using Tasklist, you should be able to identify the process
using that ID. Shut down the process, and the IP connection should disappear.

Once you have identified the process, now you have to determine if it is the
legitimate one. Backdoors often use one of the common system names to hide
themselves, but usually the file date /file size will tell you if it is the
proper one. Sometimes they will even use a boot file name, such as kernel32.

J.A. Coutts
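The netstat/tasklist correlation described above, worked through as an added example that is not code from the thread: it parses the text output of `netstat -ano` and `tasklist`, and reports every process holding a TCP connection whose remote port is 25 together with the destinations it is talking to. The two command outputs embedded below are constructed samples in the Windows XP column layout (the PIDs, addresses and process names are made up); `live_snapshot()` feeds the same functions real output on a Windows host, and the column layout of both commands plus the `subprocess` calls are the only assumptions.

```python
"""Find which process owns outbound SMTP (TCP/25) connections by joining the
output of `netstat -ano` (PID per connection) with `tasklist` (name per PID).

Added example; NETSTAT_SAMPLE and TASKLIST_SAMPLE are constructed, not captured.
"""
import subprocess
from collections import defaultdict

SMTP_PORT = 25

# Constructed sample of `netstat -ano` (Windows XP layout).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    192.168.1.5:1034       203.0.113.25:25        ESTABLISHED     1184
  TCP    192.168.1.5:1035       198.51.100.7:25        SYN_SENT        1184
  TCP    192.168.1.5:1036       198.51.100.9:80        ESTABLISHED     1452
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist`.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    940 Console                    0      4,256 K
svchost.exe                   1184 Console                    0     11,904 K
iexplore.exe                  1452 Console                    0     23,112 K
"""


def parse_netstat(text):
    """Return [(proto, local, foreign, state, pid)] for each connection line.
    UDP lines have no State column, so the PID is always the last field and
    the state is read from the fourth field only for TCP."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # blank lines, 'Active Connections' and the header
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        rows.append((proto, local, foreign, state, int(parts[-1])))
    return rows


def remote_port(addr):
    """Port number of 'host:port' (also '[v6addr]:port'); '*:*' gives None."""
    _host, _sep, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_tasklist(text):
    """Map PID -> image name.  The image name may contain spaces ('System Idle
    Process'), so the fixed columns are taken from the right: the last five
    tokens are PID, session name, session number and the two-token memory
    figure ('4,256 K')."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[-5].isdigit():
            continue  # header and the '=====' rule
        procs[int(parts[-5])] = " ".join(parts[:-5])
    return procs


def smtp_talkers(netstat_text, tasklist_text, port=SMTP_PORT):
    """Return {pid: (image_name, [foreign addresses])} for every process with
    a TCP connection whose remote port is `port`."""
    procs = parse_tasklist(tasklist_text)
    found = defaultdict(list)
    for proto, _local, foreign, _state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and remote_port(foreign) == port:
            found[pid].append(foreign)
    return {pid: (procs.get(pid, "<not in tasklist>"), sorted(dests))
            for pid, dests in found.items()}


def live_snapshot():
    """Run the two real commands on a Windows host and correlate them
    (assumption: both commands are on PATH, as they are on XP and later)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist"], capture_output=True, text=True).stdout
    return smtp_talkers(ns, tl)


if __name__ == "__main__":
    for pid, (name, dests) in smtp_talkers(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"PID {pid} ({name}) -> {', '.join(dests)}")
```

In the constructed sample the hit is an svchost.exe PID, which is exactly the "only typical windows services are accessing the internet" picture from the original post: svchost.exe hosts many services under one PID, so the next step is `tasklist /svc`, which lists the services living in that PID and narrows the search to whatever has hooked into one of them.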
 
* * Chas

<snip>
Sorry for barging in here. I happened to find this group (Usenet) by
searching Google as well. I empathize with the guy's problem as I just
went through the same problems. I can't see why you folks don't get
past the Hijack This issue and help the guy!

First off, there is some long standing protocol related to posting
procedures in Usenet Newsgroups.

Second, there are a lot of experienced folks who regularly contribute
their knowledge and experience to help others solve problems. Attacking
the group is no way to solicit FREE help!

Third, this group's main focus is on computer viruses but in the last
few years there has been a lot of overlap with malware caused problems
so quite a few messages also deal with trojans, worms and other issues.

I would venture that many of the regulars have glanced at this thread
and moved on.

You will catch more flies with honey than vinegar!

Chas.
 
Virus Guy

I have a machine in here that sends a great deal of spam when
it is connected to the internet.

Hmmm. How useful would it be to get that PC into the hands of experts
who could monitor how exactly it gets its spam payload and
destination address list???

In any case, why haven't you removed the drive and connected it as a
slave to a trusted computer and then scan it for viruses/trojans etc?

You work at a computer repair shop. It should be trivial for you to
do this.
 
Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Virus said:
In any case, why haven't you removed the drive and connected it as a
slave to a trusted computer and then scan it for viruses/trojans etc?

"Norton both on the computer itself and with the hard drive hooked up as a
secondary drive, as well as housecall and panda anti-virus"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFEtlVO7uRVdtPsXDkRAj1pAKCMh5WvxlMH0tY/hT52Dmlmiy4OdQCfVGUW
psWeC6YomHgz3E0vNO14Oo0=
=lmbX
-----END PGP SIGNATURE-----
 
Gaz

Adam said:
"Norton both on the computer itself and with the hard drive hooked up as a
secondary drive, as well as housecall and panda anti-virus"

Uhm, I would certainly be a bit concerned about a repair shop that used
norton and panda for their anti-virus....

I think in situations like this, it might be worth using an excellent tool
such as multi-av to make sure the system really is clean.
http://www.ik-cs.com/got-a-virus.htm

Gaz
 