#1
I have a system that is sending SPAM but I cannot find what process is doing so.
I have run several anti-virus and anti-spyware programs and found nothing. I have cleared up the startup and run Hijack this and everything looks OK. But when I run Wireshark I can see the damned SMTP packets going out! It bypasses TDImon, and Kerio personal firewall. I can't see anything with Procexp. I have run Rootkit Revealer and found nothing. Has anyone any suggestions for finding the damned thing??!!! Thanks
#2
You don't say what OP system you are using, but if it is XP, why don't you try System Restore to a day/time prior to the infection.
__________________
All electrons used in the creation of this message were recycled. No electrons were harmed or mistreated in any manner.
#3
Quote:
What if it can't successfully restore the system to an earlier day and time? Now that's my fear. Were your antivirus and antispyware programs up to date when you scanned? From my perspective your system appears to be a spambot.

Download SecCheck from here: http://www.mynetwatchman.com/tools/sc/

SecCheck is a Windows forensic tool which aids in the detection and removal of malicious applications, backdoors, trojans, worms, and viruses that may be unknowingly installed on your computer. Please post the results back here for further analysis. Save the results as a text-file and upload here as an attachment.

Last edited by nadirah : November 1st, 2006 at 12:10 PM.
#4
Quote:
Good point. XP Pro, but I have recently removed all checkpoints as various anti-virus / anti-spam software I have run turned up several things in the system restore area. Thanks.
#5
Quote:
I would agree!
Quote:
Thanks. Impressive piece of software. Log attached. BTW, the system is XP Pro, on a dial-up connection.
#6
Let's get down to work, baby.
I inspect every line of text and pick out suspicious items:

Other services registered on local machine (55)
M = "M" [Stopped/Disabled] / "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\M.exe"

Why is a service running from the temp files? What I would suggest is you look for this file on your system, and visit here: http://www.virustotal.com/en/indexf.html and upload the file to the site for scanning and post the results.

iAimFP0 = "iAimFP0" [Stopped/Manual] / "System32\DRIVERS\wADV01nt.sys"
iAimFP1 = "iAimFP1" [Stopped/Manual] / "System32\DRIVERS\wADV02NT.sys"
iAimFP2 = "iAimFP2" [Stopped/Manual] / "System32\DRIVERS\wADV05NT.sys"
iAimFP3 = "iAimFP3" [Stopped/Manual] / "System32\DRIVERS\wSiINTxx.sys"
iAimFP4 = "iAimFP4" [Stopped/Manual] / "System32\DRIVERS\wVchNTxx.sys"
iAimTV0 = "iAimTV0" [Stopped/Manual] / "System32\DRIVERS\wATV01nt.sys"
iAimTV1 = "iAimTV1" [Stopped/Manual] / "System32\DRIVERS\wATV02NT.sys"
iAimTV2 = "iAimTV2" [Stopped/Manual] / "System32\DRIVERS\wATV03nt.sys"
iAimTV3 = "iAimTV3" [Stopped/Manual] / "System32\DRIVERS\wATV04nt.sys"
iAimTV4 = "iAimTV4" [Stopped/Manual] / "System32\DRIVERS\wCh7xxNT.sys"

Verify that these files are in the locations mentioned. Might as well submit them to the site for scanning too just for safety.

lbrtfdc = "lbrtfdc" [Stopped/System] / ""

Any clues as to what this lbrtfdc system driver is? Googled it and others' results return n/a descriptions of lbrtfdc.

PDCOMP = "PDCOMP" [Stopped/Manual] / ""
PDFRAME = "PDFRAME" [Stopped/Manual] / ""
PDRELI = "PDRELI" [Stopped/Manual] / ""
PDRFRAME = "PDRFRAME" [Stopped/Manual] / ""

Do these four guys exist? If so, what are they?

Threads in PID 520 (PPID 776): "iexplore.exe" / CmdLine: '"C:\Program Files\Internet Explorer\iexplore.exe" -nohome'

Is your Internet Explorer home page/home page settings ok?

Threads in PID 520 (PPID 776): "iexplore.exe" / CmdLine: '"C:\Program Files\Internet Explorer\iexplore.exe" -nohome'
TID = 332 / 0x0000014C, StartEIP = 0x7C810856 StartAddr = 0x771D3E0F --> 'wininet.dll+0x00023E0F'

Can you do a search for wininet.dll on your computer to make sure that it's not located in any other place other than system32?
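The triage nadirah does by eye above (a service whose binary lives in a Temp directory, a service with an empty image path, a driver whose path should be verified on disk) can be written down as rules. The script below is an added example, not part of this thread or of SecCheck; it assumes the service-line layout shown in the quoted log and the sample excerpt is constructed.

```python
import re
from typing import Dict, Optional

# One "Other services registered" entry in the layout SecCheck prints, for example:
#   M = "M" [Stopped/Disabled] / "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\M.exe"
SERVICE_RE = re.compile(
    r'^(?P<key>\S+) = "(?P<name>[^"]*)" '
    r'\[(?P<state>[^/\]]+)/(?P<start>[^\]]+)\] / "(?P<path>[^"]*)"$'
)

def parse_service_line(line: str) -> Optional[Dict[str, str]]:
    """Split one SecCheck service line into its fields; None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(entry: Dict[str, str]) -> Optional[str]:
    """Say why an entry deserves a closer look, or None if it looks routine.
    The rules mirror the manual inspection in the thread: a binary launched from
    a Temp directory, no image path at all, or a relative driver path."""
    path = entry["path"].lower().replace("/", "\\")
    if not path:
        return "no image path recorded: check whether the service exists at all"
    if "temp" in path.split("\\") or "tmp" in path.split("\\"):
        return "image runs from a temporary directory"
    if path.startswith("system32\\drivers\\"):
        return "relative driver path: verify the file really is in System32\\DRIVERS"
    return None

def review_log(text: str) -> Dict[str, str]:
    """Map each service key in a SecCheck excerpt to its triage reason."""
    findings = {}
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None:
            reason = triage(entry)
            if reason:
                findings[entry["key"]] = reason
    return findings

# Constructed excerpt in SecCheck's layout: the first three entries are the ones
# quoted in this thread, the last is an ordinary service added for contrast.
SAMPLE_LOG = '''Other services registered on local machine (55)
M = "M" [Stopped/Disabled] / "C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\M.exe"
iAimFP0 = "iAimFP0" [Stopped/Manual] / "System32\\DRIVERS\\wADV01nt.sys"
lbrtfdc = "lbrtfdc" [Stopped/System] / ""
Spooler = "Spooler" [Running/Auto] / "C:\\WINDOWS\\system32\\spoolsv.exe"
'''
```

Running `review_log(SAMPLE_LOG)` flags M, iAimFP0 and lbrtfdc with their reasons and leaves the Spooler entry out.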
#7
@ nadirah
Excellent diagnosis !!! SecCheck should be more widely promoted by everyone, as it's capable of some very good probing.

@ ninereeds

I think the wADV01nt.sys etc files may be ok? It sounds as if you could have a trojan in there.

local settings\temp\M.exe
http://www.spywareinfoforum.com/lofi...hp/t38994.html

As that thread is from some time ago, it might be a new variant/version. I would scan online with these:
http://www.bitdefender.com/scan8/ie.html
http://www.kaspersky.com/kos/english/kavwebscan.html
http://support.f-secure.com/enu/home/ols.shtml

Also try some free antirootkit tools such as these: Rootkit Unhooker Beta 2, IceSword 1.20 English Version, Process Walker 1.02 Beta 1, GMER v1.0.12.11867 etc.
http://forum.sysinternals.com/forum_...62&PN=1&TPN=13

StevieO
#8
A few random remarks.
iexplore.exe -nohome
The -nohome switch will open an Internet Explorer window without loading any page in the browser.
Quote:
That usually means something/someone has already taken care of it. But what is this scu.exe?
Quote:
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#9
Thanks everyone, especially nadirah and StevieO.
Problem fixed. It was Backdoor.Rustock.B aka Troj/RKRustok-B. (see http://www.geocities.jp/kiskzo/lzx32.sys.html )

It was Rootkit Unhooker that gave the clue, it turned up this in the Code Hooks Detector section:

Hook: SYSENTER/Int 2E, Type: System Call at address 0xEF773395 hook handler located in [unknown module]

Someone in the Sysinternals forum kindly identified this. To fix it I had to get Rootkit Unhooker to unhook it, then I was able to see its service entry in regedit and get rid of it.

I had run Avast and AVG anti-virus; ad-aware, spybot s&d, PrevX, and AVG anti-spam; also Trojan Hunter. None of these picked it up. A very nasty thing.......

Thanks again all.
#10
Quote:
http://www.mynetwatchman.com/tools/sc/
Nadirah suggested I use it. It's worth a look!
#11
Aha. The processname for that tool is scu.exe
I should have realized. Good to hear you found the nasty.
#12
Wow.. -- nice job.
__________________
Ubuntu 12.10 AX64 Time Machine, Comodo FW & Defence Plus,
#13
Hi, I just thought it's better to post VirusTotal results here locally from a link above.
~Attachment removed - not necessary - Ron~
Last edited by ronjor : November 3rd, 2006 at 09:14 AM. Reason: Remove attachment
#14
nine,
I happen to notice your Seccheck submission to my system...we just released v2.1 of SecCheck and are having some intermittent submission problem...I see that your SCU version that you tried failed and you failed back to the standalone version (which you posted here). You might want to try running the full Seccheck scan again as it will likely give you more info to find the malware on the box. Be advised that the Standalone version of Seccheck can also be run from a BartPE boot disk, enabling you to find even the most clever rootkits.

Some comments on your submission:

You are running totally exploitable versions of the Sun JRE:

Registered Sun JRE Versions:
Version: '1.4', Path: 'C:\Program Files\Java\j2re1.4.2\bin\client\jvm.dll'
Version: '1.4.2', Path: 'C:\Program Files\Java\j2re1.4.2\bin\client\jvm.dll'

Do not surf the web from this system until uninstalling above and installing latest JRE from http://java.sun.com

This file looks interesting:

[0319] [20061031 03:32:40]: "C:\Documents and Settings\Administrator\Local Settings\Temp\M.exe" = BD05AF36FEEA4639D3D37C65D9AF080A129D06A0

There is a service entry pointing at it...I presume you already found this and disabled it:

Other services registered on local machine (55):
M = "M" [Stopped/Disabled] / "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\M.exe"

For more details on SCU see this DSLR post: http://www.dslreports.com/forum/remark,18090758

Lawrence Baldwin
__________________
----- http://www.mynetwatchman.com The Internet "Neighborhood Watch"