
Spam


mara-


Hi,

I need urgent help. I was just disconnected from my ISP for almost two days because they detected spam from my computer. This was really strange to me. I did a full scan with NAV 2010 and MBAM, and nothing. Does anyone have a suggestion on how to check whether I have some spam virus that is spamming from my computer? They said if this happens again, they'll disconnect me permanently, and this would be bad for me since it's the only ADSL provider I can use. Also, what do you think, can uTorrent cause this, because I'm seeding over 100 torrents for the pretome tracker? And what about mIRC? Can it cause spam, because I'm idling on pretome?

Cheers ;)



  • Administrator

It can be a spamming bot. I don't think it would be because of torrents. But I'm not too sure whether mIRC can cause that.

If it's a spamming bot: did you do a full MBAM scan or a quick scan? Because you have to do a full system scan. Viruses and worms hide in the Windows folder, but trojans etc. don't, and do their job sitting in just one place. That's why a full scan is important.

But if you have not found anything with a full scan, then the Microsoft Malicious Software Removal Tool would surely help here. Run > MRT > Full scan.

I would also suggest a hijackthis log being posted here. ;)



Sl@pSh0ck™

@mara

Are you sharing your internet connection with anybody like a home LAN maybe? If yes, I would suggest scanning (AV and Antimalware) every PC on your home network as well.



A HijackThis log and a screenshot of (ALL, so check the 'Show all users' box) your running processes would be nice ;)

You should also check with your ISP who reported your IP for spamming and ask them for proof.

Edit: And as nivrid said you should ensure that any other PC linked to your home network is clean as well.



Yes, I'm sharing an Internet connection. But I personally scanned all computers, all full scans. I'll post the log and screenshots in a few minutes. And nobody reported me; they told me it was automatically detected by them. I'll also check with the Microsoft Malicious Software Removal Tool.

Cheers ;)



I think they are mistaken somehow; you are one person I am confident knows enough about PC security to avoid being infected by spam bots like this. If it is the torrents, try forcing protocol encryption and change the port used by uTorrent to a high value, perhaps between 50000 and 65000.

Did anyone hack your wireless though? :blink:

Possibly you could call them and explain that you have scanned all machines with the top 5 scanners and picked up nothing so you need more details such as what port the spam was detected on etc.



Tell them to provide you with what evidence they got, it might not even be spam but just some dumb-ass mistake (by them)...



Well, I have wireless, but just Ad-Hoc for a laptop with a USB adapter, and I'm sure no one hacked it because in my neighborhood nobody knows how to do it; they mostly call me to check their computers. As a matter of fact, I'm the only one with wireless in my area.

OK, I'll see what will happen in next few days, and if they disconnect me by chance, I'll ask for proof and more details.

@LeetPirate

Yes, I really care for my security, and it was really strange to me when they said it was spam. Now I configured Eset Smart Security on all computers to individual mode and I'll check every application that tries to go to Internet.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 16:52:01, on 5.1.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\ASUS\EPU-6 Engine\SixEngine.exe
D:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
D:\Program Files (x86)\Lavalys\EVEREST Ultimate Edition\everest.exe
C:\Program Files (x86)\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Common Files\Nokia\NoA\nokiaaserver.exe
C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files (x86)\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files (x86)\DAEMON Tools Pro\DTProShellHlp.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
I:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files (x86)\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\17.1.0.19\IPSBHO.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - D:\Program Files (x86)\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files (x86)\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [PowerPanel Personal Edition User Interaction] C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\pppeuser.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files (x86)\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NokiaOviSuite2] C:\Program Files (x86)\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe -tray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - D:\Program Files (x86)\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: d:\program files (x86)\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: d:\program files (x86)\vmware\vmware workstation\vsocklib.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5038A40-94EE-4055-93F9-E01E0FAAD58E}: NameServer = 81.93.64.1,81.93.64.9
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files (x86)\Common Files\BinarySense\hlAPP.dll" (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - D:\Program Files (x86)\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\Dfsdks.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: HDD & SSD access service - Unknown owner - C:\Program Files (x86)\Common Files\BinarySense\disksvc.exe (file missing)
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files (x86)\Common Files\BinarySense\hldasvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files (x86)\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PowerPanel Personal Edition Service (ppped) - Cyber Power Systems, Inc. - C:\Program Files (x86)\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: RelevantKnowledge - Unknown owner - C:\Program Files (x86)\RelevantKnowledge\rlservice.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ServiceLayer - Nokia - C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: SureThing Labelflash service - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: SystemUp HardDisk Service (SysUpHDService) - zoneLink - C:\Program Files (x86)\Common Files\SystemUp Harddisk\hdservice.exe
O23 - Service: @D:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - D:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - D:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - D:\Program Files (x86)\VMWare\VMWare Workstation\vmware-ufad.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files (x86)\VMWare\VMWare Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Windows7FirewallService - Sphinx Software - C:\Program Files\Windows7FirewallControl\Windows7FirewallService.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 12133 bytes

Screen Shots:

2r70yh1.png

hw07ef.png

Cheers ;)



Log looks clean.

The only process I'd like you to check out is 'nokiaaserver.exe'. The filename looks fishy, the description looks fishy, but it might be legit though... Upload it to VirusTotal.com maybe, or uninstall the Nokia stuff, remove the folders, download the installation again (don't use the old one, if you even still have it), install it again and check whether the file is there again.



  • Administrator

Yea looks fully clean to me.

After you have completed MRT scan, you can find the log here - Run > notepad c:\windows\debug\mrt.log . ;)



Nice catch. It really looks suspicious. Checking it on VirusTotal now. Thanks for pointing this out.

@DKT

OK. Scan is really slow, it'll take time.

Cheers ;)



Just checked; only one suspects it is a virus:

McAfee-GW-Edition	6.8.5	2010.01.05	Heuristic.BehavesLike.Win32.Suspicious.I

But I did a further check, and it seems that this is part of Nokia Ovi Suite, which I'm removing now, just in case.

Thanks to everybody for the help; I hope I won't get more problems.

If anyone has additional suggestions, please post.

Cheers ;)



  • Administrator

The MRT scan takes more than 6-7 hours. Plus, as far as I know, it's the only software that can also scan image files (ISO, etc.). That's just an example of how useful it is.

For the Nokia file, if you want, send it to me; I'll hex it to see if I can find something more suspicious.



I have one suspicion that I think you should look into if you have time. This has been quite common with IRC-based items, and it can start from the simplest of installations. Your registry needs to be scanned (I know everyone hates it) with SpyBot Search and Destroy. It ALWAYS picks up IRC/Virtumonde-based registry entries that are otherwise undetectable. I can't remember if it was you or Box that hates SpyBot, but I think in this instance you should at least give it an update and a scan. And BTW, I hope you have all the power you need to run all of that stuff. BIG list... LOL. Anyway, that's what I have to suggest: at minimum give it a full scan (takes a while), maybe see what all shows up in other areas when it's finished, and make sure to enable all areas to be scanned.

EDIT: You might try switching it over to OpenDNS and see if the service picks anything up, or blocks it... (May help with your ISP from detecting it as well, maybe)



  • Administrator

Well now I remember something. Mara-, have you downloaded invision + mIRC bundle? I've tested many of the mIRCs and their cracks found on torrent sites. Most of them are unsafe.



Spybot S&D is generally a good program, it really, really, still is.



Yes, I don't like Spybot, but I'll check it anyway.

@DKT

I disabled mIRC. I can't remember which version of mIRC I got; I think I used something from pretome, but I'm not 100% sure.

Thanks again for suggestions, to you and heath28m and shought.

Cheers ;)



  • Administrator

It's not only mIRC running. Tell me, are you using the normal mIRC or the Invision one?



  • Administrator

Well, I'm not sure, I think it's normal. How can I check?

Cheers ;)

Invision one looks like this -

And the normal one is quite ugly or whatever you may call it.



Well, it's definitely the normal mIRC then.

Guys, check this out. I have cFosSpeed installed. With this tool I checked all the connections happening. Obviously uTorrent creates the most connections, but I saw that there are some unknown connections. That unknown connection uses the port which I opened in my router so that uTorrent works OK. Now, I changed the port in uTorrent and in my router. Now just uTorrent uses the new port, and this unknown connection still tries to use the old port. What is also strange is that the unknown connection disappears when I exit uTorrent. Here is the screenshot (the old port is 52795 and the new one is 5600):

206n9g8.png

Check the column Program. BTW, I removed my IP address in column Local, I just left port number.

Any ideas?

Cheers ;)
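One way to reproduce the cFosSpeed check without cFosSpeed, and at the same time answer the earlier question of which port the ISP saw spam on, is to map every socket to its owning process with `netstat -ano` and flag two things: a process other than uTorrent bound to the forwarded port, and any process talking to a remote SMTP port. This is an added example, not code from the thread; it assumes an elevated PowerShell on Windows, and the forwarded port (52795 here), the expected owner name and the SMTP port list are my parameters.

```powershell
# Added example: flag a second process on the forwarded port and any outbound SMTP.
# Assumptions: run elevated; $ForwardedPort/$ExpectedOwner/$SmtpPorts are illustrative.
param(
    [int]$ForwardedPort = 52795,          # port opened in the router (from the thread)
    [string]$ExpectedOwner = 'uTorrent',  # the only process that should hold it
    [int[]]$SmtpPorts = @(25, 465, 587)   # outbound mail ports an ISP spam detector watches
)

# Turn one "netstat -ano" row into an object; header and blank rows return $null.
function ConvertFrom-NetstatLine {
    param([string]$Line)
    $parts = $Line.Trim() -split '\s+'
    if ($parts.Count -lt 4 -or @('TCP', 'UDP') -notcontains $parts[0]) { return $null }
    # UDP rows have no State column, so the owning PID is always the last field.
    $state = if ($parts[0] -eq 'TCP' -and $parts.Count -ge 5) { $parts[3] } else { '' }
    # The port is whatever follows the last colon, which also handles [::]:52795.
    $localPort  = [int]($parts[1] -replace '^.*:', '')
    $remotePort = if ($parts[2] -match ':\d+$') { [int]($parts[2] -replace '^.*:', '') } else { 0 }
    New-Object PSObject -Property @{
        Proto = $parts[0]; Local = $parts[1]; LocalPort = $localPort
        Remote = $parts[2]; RemotePort = $remotePort; State = $state; PID = [int]$parts[-1]
    }
}

# PID -> process name, so each socket can be attributed like the cFosSpeed "Program" column.
$procNames = @{}
Get-Process | ForEach-Object { $procNames[$_.Id] = $_.ProcessName }

$sockets  = netstat -ano | ForEach-Object { ConvertFrom-NetstatLine $_ } | Where-Object { $_ }
$findings = @()
foreach ($s in $sockets) {
    $name = $procNames[$s.PID]
    # 1. Something other than the expected owner is using the router-forwarded port.
    if ($s.LocalPort -eq $ForwardedPort -and $name -ne $ExpectedOwner) {
        $findings += "$($s.Proto) port $ForwardedPort held by '$name' (PID $($s.PID)), expected $ExpectedOwner"
    }
    # 2. Any TCP session to a remote mail port: this is what the ISP would see as spam traffic.
    if ($s.Proto -eq 'TCP' -and $SmtpPorts -contains $s.RemotePort) {
        $findings += "Outbound SMTP from '$name' (PID $($s.PID)) to $($s.Remote) [$($s.State)]"
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No unexpected owner of port $ForwardedPort and no outbound SMTP sessions."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it once with uTorrent open and once after exiting it; a socket on the old port that survives, or any SMTP session from a process that is not a mail client, is the one to upload to VirusTotal.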



@mara

You can use UnHackMe... just to be sure, I think.



  • Administrator

Hmm. See, it's UDP. So if we think that it's with uTorrent, see the priority: it's set to normal, whereas uTorrent is set to lowest by default. So indeed there's something wrong there.



Well, I don't know what else to do. It seems that UnHackMe does not officially support 64-bit Windows, but I'll try it anyway. It's also strange that if I exit uTorrent I still see some new connections created from uTorrent in cFosSpeed. Any other tool I can check this with?

Cheers ;)



Archived

This topic is now archived and is closed to further replies.
