Author Topic: Help! Mysterious virus sending thousands of spam e-mails from my PC :(  (Read 64035 times)

bitoclass

  • Guest
Hi,

My PC has somehow picked up a virus, which has been sending out tonnes of spam for some time :(

I am so careful, virus-scanning all downloads, keeping Windows up-to-date etc., I'm the first person friends and family turn to when they get their PCs in a mess, and in nearly a decade online I've never previously had so much as a spyware infection, let alone a spambot!

This has really shocked me and I have no idea how it got onto my PC, still less how to track it down and remove it. (I only know it's here because the Avast On-Access Scanner window was showing a new outgoing message every few seconds (under 'Last scanned') with awful Subjects like "Important security information for your bank account" and so forth.)

Since discovering it I have been blocking traffic carefully so I'm no longer spamming, and have tried System Restore to one and two months ago but it didn't work, so then I disabled System Restore in case the virus was hiding in the restore files.

A Thorough Scan with Avast didn't find anything, and nor has Kaspersky's Online Scanner. Windows Defender also failed to find anything, as did Spybot - Search and Destroy.

Finally, through a complicated chain of investigation I have determined the following:

1. The process making the connections to send the spam is svchost.exe.
2. It tries to connect from ports in the 3000 range on my PC to HTTP ports on a range of remote servers such as stormpay.com, leapcash.com and missoula.servershost.net. I guess these are compromised web servers or something.
3. If I disable the "DCOM Server Process Launcher" (path: "C:\WINDOWS\system32\svchost -k DcomLaunch") in the Windows Services list, on the next reboot the connection attempts are no longer made. This is an important system service, though, so I can't just leave this disabled to work around the problem!

Can anyone help me identify what's behind this problem, why Avast (and other scanners) are not picking up on it, and most importantly what I can do to stop this happening and thoroughly clean my computer of this malware?

Thanks in advance everyone!
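The original post narrows the spam traffic down to svchost.exe and then, by elimination, to the svchost instance started with `-k DcomLaunch`. Because several svchost.exe processes run at once, the useful step is to join the connection table with the service-to-process table on PID, so each outbound connection can be attributed to the service group hosting it. The script below is an added example for this thread, not code from the original post or from any tool named in it. It parses constructed samples of the output of two stock Windows XP commands, `netstat -ano` and `tasklist /svc`; every address, PID and service grouping in the samples is invented.

```python
"""Attribute outbound connections to the service group that hosts them.

Added example: joins `netstat -ano` and `tasklist /svc` output on PID so that a
connection made by svchost.exe can be traced back to the `-k` service group of
that particular svchost instance. Sample data below is constructed.
"""
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (addresses and PIDs invented).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.5:3021       203.0.113.10:80        SYN_SENT        1044
  TCP    192.168.1.5:3022       203.0.113.11:80        SYN_SENT        1044
  TCP    192.168.1.5:3023       198.51.100.7:25        ESTABLISHED     1044
  TCP    192.168.1.5:1420       192.168.1.9:5900       ESTABLISHED     1812
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /svc` output for the same invented PIDs.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                   1044 DcomLaunch, TermService
svchost.exe                   1104 RpcSs
WinVNC.exe                    1812 winvnc
"""

# One netstat row; the State column is absent for UDP sockets.
NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")
# One tasklist row: image name, PID, comma-separated services (or N/A).
TASKLIST_LINE = re.compile(r"^(?P<image>\S+)\s+(?P<pid>\d+)\s+(?P<services>.*?)\s*$")


def parse_tasklist(text):
    """Map PID -> (image name, list of services hosted in that process)."""
    owners = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if not m:
            continue  # header and separator rows do not match
        svc = m["services"]
        services = [] if svc == "N/A" else [s.strip() for s in svc.split(",")]
        owners[int(m["pid"])] = (m["image"], services)
    return owners


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def attribute_connections(netstat_text, tasklist_text):
    """Return outbound (non-listening) connections with their owning process/services."""
    owners = parse_tasklist(tasklist_text)
    records = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or m["state"] == "LISTENING":
            continue
        rhost, rport = split_endpoint(m["remote"])
        if rport in (None, 0):
            continue  # unconnected socket, nothing to attribute
        _, lport = split_endpoint(m["local"])
        image, services = owners.get(int(m["pid"]), ("<unknown>", []))
        records.append({"pid": int(m["pid"]), "image": image, "services": services,
                        "local_port": lport, "remote_host": rhost,
                        "remote_port": rport, "state": m["state"] or ""})
    return records


def service_hosts_talking_to(records, ports=frozenset({25, 80})):
    """svchost.exe connections to SMTP/HTTP ports: worth reviewing, since the
    group they belong to tells you which services to inspect or isolate."""
    return [r for r in records
            if r["image"].lower() == "svchost.exe" and r["remote_port"] in ports]


def count_by_service_group(records):
    """How many outbound connections each service group (or plain image) owns."""
    return Counter(", ".join(r["services"]) or r["image"] for r in records)


if __name__ == "__main__":
    recs = attribute_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for r in service_hosts_talking_to(recs):
        print(f"PID {r['pid']} [{', '.join(r['services'])}] "
              f":{r['local_port']} -> {r['remote_host']}:{r['remote_port']} {r['state']}")
    print(count_by_service_group(recs))
```

A service host reaching port 80 is not proof of anything by itself (Automatic Updates runs inside an svchost too), so the output is a review list keyed by service group rather than a verdict; the point is that once the group is known, the services in it can be examined or stopped one at a time instead of disabling a whole host as the poster had to.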

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • Posts: 1062
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #1 on: August 19, 2007, 02:09:02 PM »
You should post a ComboFix report. You can find a guide here:
http://forum.avast.com/index.php?topic=29972.msg246988#msg246988
Only ComboFix, not the BFU mentioned there!
Regards, Ralf

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #2 on: August 19, 2007, 03:00:48 PM »
Sometimes it could be good to download, install, update and run AVG Antispyware. Some users recommend SUPERAntiSpyware, Spyware Terminator and/or a-squared (take care about false positives). Other tools that could help are scans of the machine with anti-rootkit applications; I suggest AVG, Panda and/or F-Secure BlackLight.

Maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.
The best things in life are free.

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #3 on: August 19, 2007, 03:29:39 PM »
Quote
Maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.
I tried HijackThis soon after I found the problem and posted the log here:

http://forums.spywareinfo.com/index.php?showtopic=104414&st=0&p=571430

There didn't look anything amiss in it, and no-one replied, so I guess it didn't reveal anything, but you're welcome to have a look and see if you can see anything of course!

I've just tried F-Secure Blacklight and it failed to find anything wrong at all.

I'm running ComboFix but it has been going for much longer than the '10 minutes' it says it should take and it doesn't show any progress bar or anything so it's hard to know when it will finish, if ever! Hopefully it being so slow is a sign it is finding something!

Do you know where it will save a log of its findings or anything? I saved it to and ran it from my desktop - will the log appear there?

Hmm, does anyone know how long I should leave it running without it saying anything before I decide it's hung or something? ??? It's been going for a good half-hour or more now.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #4 on: August 19, 2007, 03:42:08 PM »
Quote
I tried HijackThis soon after I found the problem and posted the log here:
http://forums.spywareinfo.com/index.php?showtopic=104414&st=0&p=571430
There didn't look anything amiss in it, and no-one replied, so I guess it didn't reveal anything, but you're welcome to have a look and see if you can see anything of course!
Are you sure?
What about...
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

Quote
Do you know where it will save a log of its findings or anything? I saved it to and ran it from my desktop - will the log appear there? Hmm, does anyone know how long I should leave it running without it saying anything before I decide it's hung or something? ??? It's been going for a good half-hour or more now.
Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
The best things in life are free.

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #5 on: August 19, 2007, 03:58:27 PM »
Quote
What about...
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

That file is digitally signed by Microsoft and dated 2004 so unfortunately I don't think it's at fault, but I can't find anything out about it on the internet - the only Google result for rasrad32.dll is my Hijack This forum post!

Quote
Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

OK, I've tried closing ComboFix and starting it again - I assume that's what you were suggesting I should do. It's running at the moment so I'm going to leave it going and come back when it's finished. In the meantime here's my Hijack This log again - I just ran it again to get an up-to-date one.

Quote
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:52, on 2007-08-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Service.exe
C:\WINDOWS\system32\3007WFP\LcdOsd.exe
C:\WINDOWS\system32\3007WFP\LcdOsd.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BBC Alerts\BBC_Alerts.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\findstr.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
(I'll continue this in another post - it was too long for the forum to allow in a single post unfortunately.)

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #6 on: August 19, 2007, 04:00:12 PM »
Hijack This log continued...

Quote
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BBC Alerts] "C:\Program Files\BBC Alerts\BBC_Alerts.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all (User '?')
O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User '?')
O4 - HKUS\S-1-5-21-507921405-1965331169-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.EXE
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Oh dear, out of room again - a third post follows!

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #7 on: August 19, 2007, 04:00:55 PM »
Hijack This log, part three:

Quote
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172765515765
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172938035906
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0D940FA-FF03-4B3B-950A-2B22E03A2A18}: NameServer = 192.168.1.1
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Dell 3007WFP (Service) - Unknown owner - C:\WINDOWS\system32\Service.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 12909 bytes
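The HijackThis log above is what the helpers are reading by eye: the O20 Winlogon Notify entry Lisandro picked out, the O23 services listed with "Unknown owner", and O9 entries whose target is "(file missing)". The script below is an added example for this thread, not code from the original post or from HijackThis itself. It parses HijackThis-style lines into (code, body) pairs and applies three triage rules to produce a review list: a Winlogon Notify DLL whose subkey name is not on an assumed baseline of stock XP SP2 names, a service with no publisher, and any entry whose target file is missing. The baseline set and the sample lines (a constructed subset modelled on the log above) are assumptions of the example; a name not on the baseline means "check the file's signature and hash against a clean machine", which is exactly what the poster went on to do, not that the file is malicious.

```python
"""Triage a HijackThis log into a review list.

Added example: a small parser for HijackThis 'Oxx - ...' lines plus three
defender-side rules. The Winlogon Notify baseline below is an assumption
(illustrative stock XP SP2 subkey names); confirm it against a clean reference
machine before relying on it.
"""
import re

# Constructed sample modelled on the log in this thread (subset of lines).
HJT_SAMPLE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BBC Alerts] "C:\Program Files\BBC Alerts\BBC_Alerts.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Dell 3007WFP (Service) - Unknown owner - C:\WINDOWS\system32\Service.exe
"""

# Assumed baseline of Winlogon\Notify subkeys on a stock XP SP2 install (lower-case).
WINLOGON_NOTIFY_BASELINE = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

HJT_LINE = re.compile(r"^(?P<code>[OR]\d{1,2})\s+-\s+(?P<body>.*)$")


def parse_hjt(text):
    """Return [(code, body), ...] for every 'Oxx - body' / 'Rx - body' line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def _name_after_label(body):
    """'Winlogon Notify: rasrad32 - C:\\...' -> 'rasrad32'; same shape for O23."""
    return body.split(":", 1)[1].split(" - ")[0].strip()


def triage(entries):
    """Apply review rules; returns [(code, reason), ...] in log order."""
    findings = []
    for code, body in entries:
        if code == "O20" and body.startswith("Winlogon Notify:"):
            name = _name_after_label(body)
            if name.lower() not in WINLOGON_NOTIFY_BASELINE:
                findings.append((code, f"Winlogon Notify DLL not in baseline: {name}"
                                       " (loads into winlogon.exe; verify signature/hash)"))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, f"service without publisher: {_name_after_label(body)}"))
        if body.endswith("(file missing)"):
            findings.append((code, f"dangling entry, target missing: {body}"))
    return findings


if __name__ == "__main__":
    for code, reason in triage(parse_hjt(HJT_SAMPLE)):
        print(f"{code}: {reason}")
```

Entries in the review list are starting points for the manual checks the thread describes (signature, vendor, a search for the file name, comparison with a clean machine), not a verdict; a baseline like this only tells you what deserves a closer look.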

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #8 on: August 19, 2007, 04:16:55 PM »
Can I hitch onto this thread and try out a new program? It doesn't make any changes to the system; it is purely analysis only.

Please download http://www.runscanner.net/download.aspx and install it.
When the first page comes up, select Beginner Mode.
On the next page, select Save a binary .Run file (optional).
Then click Start full computer scan at the bottom.
At this time Runscanner.exe may request access to the Internet; please allow it to do so.
It will then run for 2 or 3 minutes.
On completion it will ask for a location to save the file and a name.
It will do this for both the .run file and the log.
Call the file test and save it to your desktop.
You will see the .run file on your desktop. Please zip that file by right-clicking and selecting send to Zip file.
Then upload that as an attachment to your next post,
along with the log file produced.
« Last Edit: August 19, 2007, 04:27:21 PM by essexboy »

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #9 on: August 19, 2007, 04:27:35 PM »
Quote
Then upload that as an attachment to your next post,
along with the log file produced.
I can't actually see any Attachment option on this forum - am I overlooking a button somewhere?
I'll paste the log in in the meantime:
Quote
Runscanner logfile http://www.runscanner.net

000 General info
----------------
Computer name : BITOCLASS
Type of scan : Full scan
RunScanner Version : 1.0.1.0
Creation time : 2007-08-19 15:21:27
User rights : Administrator
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
User Language : English (United Kingdom)
IE version : 7.0.5730.11
Windows folder : C:\WINDOWS
Hosts file location : %SystemRoot%\System32\drivers\etc
Hosts <> 127.0.0.1 : 3

001 Running processes
---------------------
* c:\program files\avast4\aswupdsv.exe (ALWIL Software)
* c:\program files\avast4\ashserv.exe (ALWIL Software)
c:\program files\nvidia corporation\ntune\ntuneservice.exe (NVIDIA)
* c:\windows\system32\nvsvc32.exe (NVIDIA Corporation)
c:\windows\system32\service.exe
c:\windows\system32\3007wfp\lcdosd.exe
c:\windows\system32\3007wfp\lcdosd.exe
* c:\program files\sunbelt software\personal firewall\kpf4ss.exe (Sunbelt Software)
c:\program files\belkin bulldog plus\upsd.exe (Delta)
c:\program files\ultravnc\winvnc.exe (UltraVNC)
* c:\program files\sunbelt software\personal firewall\kpf4gui.exe (Sunbelt Software)
* c:\program files\avast4\ashmaisv.exe (ALWIL Software)
* c:\program files\avast4\ashwebsv.exe (ALWIL Software)
* c:\program files\sunbelt software\personal firewall\kpf4gui.exe (Sunbelt Software)
* c:\program files\analog devices\core\smax4pnp.exe (Analog Devices, Inc.)
* c:\progra~1\avast4\ashdisp.exe (ALWIL Software)
* c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe (Adobe Systems Inc.)
* c:\program files\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
c:\program files\bbc alerts\bbc_alerts.exe (Skinkers Communications)
* c:\program files\kontiki\kservice.exe
* c:\program files\spybot - search & destroy\teatimer.exe (Safer Networking Limited)
c:\program files\belkin bulldog plus\mups.exe
c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe (Macrovision Europe Ltd.)
* c:\documents and settings\paul\desktop\runscanner.exe (Runscanner.net)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\program files\analog devices\core\smax4pnp.exe (Analog Devices, Inc.)
c:\program files\analog devices\soundmax\smax4.exe (Analog Devices, Inc.)
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation)
C:\WINDOWS\system32\nwiz.exe
c:\program files\ultravnc\winvnc.exe (UltraVNC)
* c:\progra~1\avast4\ashdisp.exe (ALWIL Software)
* c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe (Adobe Systems Inc.)
c:\program files\nvidia corporation\ntune\ntunecmd.exe (NVIDIA)
* c:\program files\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
* c:\program files\kontiki\khost.exe (Kontiki Inc.)
* c:\windows\system32\nvmctray.dll (NVIDIA Corporation)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\program files\bbc alerts\bbc_alerts.exe (Skinkers Communications)
* c:\program files\kontiki\khost.exe (Kontiki Inc.)
* c:\program files\spybot - search & destroy\teatimer.exe (Safer Networking Limited)

005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup
-------------------------------------------------------------------
* c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe (Adobe Systems Incorporated)
* c:\progra~1\adobe\acroba~1.0\acrobat\adobec~1.exe
c:\progra~1\common~1\adobe\calibr~1\adobeg~1.exe (Adobe Systems, Inc.)
c:\progra~1\belkin~1\mups.exe

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
c:\program files\common files\adobe systems shared\service\adobelmsvc.exe (Adobe LM Service)
* c:\program files\avast4\aswupdsv.exe (avast! iAVS4 Control Service)
* c:\program files\avast4\ashserv.exe (avast! Antivirus)
* c:\program files\avast4\ashmaisv.exe (avast! Mail Scanner)
* c:\program files\avast4\ashwebsv.exe (avast! Web Scanner)
c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe (FLEXnet Licensing Service)
c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe (Windows CardSpace)
* c:\program files\kontiki\kservice.exe (KService)
c:\program files\common files\macromedia shared\service\macromedia licensing.exe (Macromedia Licensing Service)
c:\windows\microsoft.net\framework\v3.0\windows communication foundation\smsvchost.exe (Net.Tcp Port Sharing Service)
c:\program files\nvidia corporation\ntune\ntuneservice.exe (nTune Service)
* C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Display Driver Service)
c:\windows\system32\service.exe (Dell 3007WFP)
* c:\program files\sunbelt software\personal firewall\kpf4ss.exe (Sunbelt Personal Firewall 4)
c:\program files\belkin bulldog plus\upsd.exe (UPS - UPSentry Service)
c:\program files\ultravnc\winvnc.exe (VNC Server)

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
* C:\WINDOWS\system32\drivers\adihdaud.sys (ADI UAA Function Driver for High Definition Audio Service)
* C:\WINDOWS\system32\drivers\aeaudio.sys (AE Audio Service)
C:\WINDOWS\system32\drivers\asio.sys (AsIO)
c:\windows\system32\drivers\entech.sys (ENTECH)
* c:\windows\system32\drivers\fwdrv.sys (Firewall Driver)
C:\WINDOWS\system32\drivers\gmer.sys (Base)
* C:\WINDOWS\system32\drivers\hdaudbus.sys (Microsoft UAA Bus Driver for High Definition Audio)
* c:\windows\system32\drivers\khips.sys (Kerio HIPS Driver)
* C:\WINDOWS\system32\drivers\asacpi.sys (ATK0110 ACPI UTILITY)
* C:\WINDOWS\system32\drivers\nv4_mini.sys (Video)
c:\windows\nvoclock.sys (NVR0Dev)
C:\WINDOWS\system32\drivers\pfc.sys (Padus ASPI Shell)
* C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
* C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
* C:\WINDOWS\system32\drivers\rtenicxp.sys (Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver)
c:\windows\system32\drivers\sbkupnt.sys (SBKUPNT)
* C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* C:\WINDOWS\system32\drivers\senfilt.sys (SenFilt Service)
C:\WINDOWS\system32\drivers\sfdrv01.sys (StarForce Protection Environment Driver (version 1.x))
* C:\WINDOWS\system32\drivers\sfdrv01a.sys (StarForce Protection Environment Driver (version 1.x.a))
* C:\WINDOWS\system32\drivers\sfhlp02.sys (StarForce Protection Helper Driver (version 2.x))
* C:\WINDOWS\system32\drivers\sfsync04.sys (StarForce Protection Synchronization Driver (version 4.x))
* C:\WINDOWS\system32\drivers\sfvfs02.sys (StarForce Protection VFS Driver (version 2.x))
C:\WINDOWS\system32\drivers\sonypvs1.sys (Sony Digital Imaging Video2)
* C:\WINDOWS\system32\drivers\ultra.sys (SCSI miniport)

Continued in next post...

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #10 on: August 19, 2007, 04:28:12 PM »
Runscanner log continued:

Quote
030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\program files\common files\microsoft shared\web folders\pkmcdo.dll (Microsoft Corporation) {CD00020A-8B95-11D1-82DB-00C04FB1625D}

035 HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
-------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
* c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {47833539-D0C5-4125-9FA8-0819E2EAAC93}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
----------------------------------------------------------------
* c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {47833539-D0C5-4125-9FA8-0819E2EAAC93}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
c:\program files\orbitdownloader\orbitcth.dll (Orbitdownloader.com) {000123B4-9B42-4900-B3F7-F4B073EFC214}
* c:\program files\java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
* c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {AE7CD045-E861-484f-8273-0445EE161910}
c:\program files\free download manager\iefdmcks.dll {CC59E0F9-7E43-44FA-9FAA-8377850BF205}

061 HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
----------------------------------------------------------------------------
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {A70C977A-BF00-412C-90B7-034C51DA2439}
c:\windows\system32\nvshell.dll {1CDB2949-8F65-4355-8456-263E7C208A5D}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {e82a2d71-5b2f-43a0-97b8-81be15854de8}
c:\windows\system32\dfshim.dll (Microsoft Corporation) {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}
c:\windows\system32\phototoys.dll (Microsoft Corporation) {1530F7EE-5128-43BD-9977-84A4B0FAD7DF}
* c:\program files\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
* c:\program files\adobe\acrobat 8.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
* c:\program files\serif\pageplus\12.0\program\thumbnailprovider.dll (Serif (Europe) Ltd) {2170E0A4-42F2-4EB5-911F-ABC2717F6563}
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {FFB699E0-306A-11d3-8BD1-00104B6F7516}

062 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
-------------------------------------------------------
c:\program files\common files\adobe\acrobat\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
C:\WINDOWS\system32\rasrad32.dll (Microsoft Corporation)

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
* c:\windows\system32\adobepdf.dll (Adobe Systems Incorporated.)
* C:\WINDOWS\system32\ebpmon24.dll (SEIKO EPSON CORPORATION)

073 %windir%\Tasks
------------------
AboutTime.job : c:\progra~1\aboutt~1\aboutt~1.exe

100 Internet Explorer settings
------------------------------
Start Page HKCU : about:blank
Start Page HKLM : about:blank
Search Page HKCU : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
Default_Page_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=54896
SearchAssistant HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

102 HKLM - HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
------------------------------------------------------------------
* c:\program files\adobe\acrobat 8.0\acrobat\acroiefavclient.dll (Adobe Systems Incorporated) {182EC0BE-5110-49C8-A062-BEB1D02A220B}

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
GUID / CLSID not found {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8}
* c:\windows\system32\macromed\director\swdir.dll (Adobe Systems, Inc.) {166B1BCA-3F9C-11CF-8075-444553540000}
c:\windows\downloaded program files\housecall_activex.dll (Trend Micro Inc.) {215B8138-A3CF-44C5-803F-8226143CFC0A}
c:\windows\downloaded program files\accounttracking.dll (eWise Systems Pty Ltd) {4E62C4DE-627D-4604-B157-4B7D6B09F02E}
* c:\windows\downloaded program files\sysreqlab2.dll (Husdawg, LLC) {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE}
* c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
* c:\windows\downloaded program files\asinst.dll (Panda Software) {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
* c:\program files\java\jre1.5.0_11\bin\npjpi150_11.dll (Sun Microsystems, Inc.) {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}
* c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
* c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
* c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

120 Domain/DNS hijacking
------------------------
NameServer {F0D940FA-FF03-4B3B-950A-2B22E03A2A18} : 192.168.1.1

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
* c:\program files\adobe\acrobat 8.0\acrobat elements\contextmenu.dll (Adobe Systems Inc.) {D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
* c:\program files\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
GUID / CLSID not found
* c:\program files\trillian\buddy.dll (Cerulean Studios) {6F1DC701-9891-11d5-B8C6-444553540001}
c:\progra~1\tugzip\tzshell.dll {B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}

ComboFix is still running without seeming to be doing anything again btw - been going for about half an hour again now.

DavidR
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #11 on: August 19, 2007, 04:30:12 PM »
What about...
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

That file is digitally signed by Microsoft and dated 2004 so unfortunately I don't think it's at fault, but I can't find anything out about it on the internet - the only Google result for rasrad32.dll is my Hijack This forum post!

I did a Google search on that file and the only hit that it returns is your topic in spywareinfo, and that is because it is in your HJT log, so if it were an MS-signed file I would have thought there would be some hits on Google. What does it say in the file properties about what it is/does?

It may be worthwhile scanning it:
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners here detect them it is less likely to be a false positive.
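The checks DavidR suggests (look at the file's properties, then hash-check it on a multi-engine scanner) can be done systematically for every DLL the RunScanner log above lists under Winlogon\Notify, Shell Extensions\Approved and Print\Monitors. The PowerShell audit below is an added example, not code from this thread or from RunScanner, HijackThis or any other tool discussed here. It resolves each registry entry to a file on disk, verifies the Authenticode signature with Get-AuthenticodeSignature rather than trusting the "Company" string shown in the Properties dialog (that string comes from the file's version resource and can say anything), and prints the SHA-256 to look up on VirusTotal. Winlogon Notify DLLs are loaded into winlogon.exe at logon, so an unverified entry there deserves the closest look. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt; the registry paths are the ones from the log.

```powershell
# Added example (not from the thread): audit autostart DLLs listed by RunScanner under
# Winlogon\Notify, Shell Extensions\Approved and Print\Monitors, verify each file's
# Authenticode signature and emit SHA-256 hashes for a VirusTotal / Jotti lookup.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) in an elevated session.

function Resolve-ClsidPath {
    # Shell Extensions\Approved stores CLSIDs; the DLL lives under CLSID\{guid}\InProcServer32
    param([string]$Clsid)
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $hive "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

function Test-AsepDll {
    param([string]$Source, [string]$Path)
    # Winlogon Notify DLLName and print monitor Driver values are often bare file names
    # that the loader resolves from System32
    if ($Path -and -not [IO.Path]::IsPathRooted($Path)) {
        $Path = Join-Path $env:SystemRoot "System32\$Path"
    }
    $row = [ordered]@{ Source = $Source; Path = $Path; Exists = $false
                       Signature = 'missing'; Signer = ''; CompanyName = ''; Sha256 = '' }
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $row.Exists = $true
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        # Status is Valid only when the signature verifies AND chains to a trusted root.
        # NotSigned / HashMismatch / UnknownError all mean "not proven to be the vendor's".
        $row.Signature = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
        # CompanyName is version-resource text (what Explorer's Properties tab shows).
        # It is attacker-controlled and is not evidence of a signature.
        $row.CompanyName = (Get-Item -LiteralPath $Path).VersionInfo.CompanyName
        $row.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    [pscustomobject]$row
}

$findings = New-Object System.Collections.Generic.List[object]

# Winlogon Notify: every subkey's DLLName is loaded into winlogon.exe (SYSTEM) at logon
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -LiteralPath $notify) {
    foreach ($sub in Get-ChildItem -LiteralPath $notify) {
        $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).DLLName
        $findings.Add((Test-AsepDll -Source "Winlogon\Notify\$($sub.PSChildName)" -Path $dll))
    }
}

# Approved shell extensions: value names are CLSIDs, loaded into explorer.exe
$approved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
if (Test-Path -LiteralPath $approved) {
    foreach ($clsid in (Get-Item -LiteralPath $approved).GetValueNames()) {
        if ($clsid -like '{*}') {
            $findings.Add((Test-AsepDll -Source "ShellExt $clsid" -Path (Resolve-ClsidPath $clsid)))
        }
    }
}

# Print monitors: each subkey's Driver DLL is loaded into the spooler service
$monitors = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
if (Test-Path -LiteralPath $monitors) {
    foreach ($sub in Get-ChildItem -LiteralPath $monitors) {
        $drv = (Get-ItemProperty -LiteralPath $sub.PSPath).Driver
        if ($drv) { $findings.Add((Test-AsepDll -Source "PrintMonitor\$($sub.PSChildName)" -Path $drv)) }
    }
}

$findings | Sort-Object Signature, Source |
    Format-Table Source, Signature, CompanyName, Sha256, Path -AutoSize

# Anything without a Valid signature is what to hash-check on VirusTotal / Jotti next
$findings | Where-Object { $_.Signature -ne 'Valid' } | ForEach-Object {
    Write-Warning ("Unverified {0}: {1} [{2}] SHA-256 {3}" -f $_.Source, $_.Path, $_.Signature, $_.Sha256)
}
```

Read the Signature column together with CompanyName: a row that says "Microsoft Corporation" but NotSigned is exactly the case a renamed or planted DLL produces. One caveat: many of Windows' own System32 files carry catalog signatures rather than embedded ones; current Windows versions of Get-AuthenticodeSignature honour catalogs, but on older systems such files report NotSigned, so confirm with Sysinternals sigcheck before treating NotSigned alone as proof of tampering. The SHA-256 is what you paste into VirusTotal's search box when you would rather not upload the file itself.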

bitoclass
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #12 on: August 19, 2007, 04:38:54 PM »
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners here detect them it is less likely to be a false positive.

Wow, those sites are brilliant - I will use those whenever I have any suspicions in future, what a great idea they are - thanks!

I'm afraid that both those sites found nothing wrong with rasrad32.dll so it looks like it's probably OK.

In my Googling I found rasrad.dll came up a bit so maybe this is just a 32-bit update which no-one uses any more or something. Not that I even understood exactly what it was anyway!

45 minutes and counting with ComboFix now, and still no sign of it using any CPU or seeming to do anything :(

bitoclass
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #13 on: August 19, 2007, 04:43:45 PM »
You will see the .run file on your desktop. Please zip that file by right-clicking and selecting Send to Zip file.
Then upload that as an attachment to your next post,
along with the log file produced.

I've just put the run file through the advanced mode and got it up online for you to look at instead:
http://www.runscanner.net/report.aspx?report=54bd4472-80c9-4e01-8b1e-15df2874ee91

Nothing shows up as definitely bad and I think I can account for the blue things so I'm not sure if this is going to help :( But if you can see anything for me to look at further please let me know!

Thanks!

essexboy
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #14 on: August 19, 2007, 04:58:30 PM »
Looks good to me; the run file would also have given me the running processes.

O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

I can find no info on this at all, including the Microsoft dll list, which in itself is suspicious. If ComboFix is not running then you could try WinPFind.

This is a deep analysis tool.

Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
      Reg - BotCheck
      Reg - Disabled MS Config Items
      Reg - IE CmdMapping

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.