something is sending spam but I can't find it!

Discussion in 'malware problems & news' started by ninereeds, Nov 1, 2006.

Thread Status:
Not open for further replies.
  1. ninereeds

    ninereeds Registered Member

    Joined:
    Oct 31, 2006
    Posts:
    5
    I have a system that is sending SPAM but I cannot find what process is doing so.

    I have run several anti-virus and anti-spyware programs and found nothing. I have cleared up the startup and run Hijack this and everything looks OK.

    But when I run Wireshark I can see the damned SMTP packets going out!

    It bypasses TDImon, and Kerio personal firewall. I can't see anything with Procexp.

    I have run Rootkit Revealer and found nothing.

    Has anyone any suggestions for finding the damned thing??!!!

    Thanks
     
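The symptom in the post above (SMTP traffic visible on the wire while every process-level tool on the box sees nothing) is the classic spambot signature: one host opening mail connections to many different destination servers in a short span, where a normal mail client only ever talks to its own provider's relay. The script below is an added example, not part of the original thread or any tool it mentions; it runs a fan-out check over a constructed, simplified capture summary (one line per connection attempt: time, source, destination, destination port) so that the rule can be seen working offline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample capture summary (not from the original post). One line
# per connection attempt in a simplified "time src dst dport" form modelled
# on a sniffer's summary view. 192.168.1.10 plays the suspected spambot,
# 192.168.1.20 a normal client talking to a single relay.
SAMPLE_CAPTURE = """\
2006-11-01 10:00:01 192.168.1.10 203.0.113.5 25
2006-11-01 10:00:02 192.168.1.10 198.51.100.7 25
2006-11-01 10:00:02 192.168.1.10 198.51.100.9 25
2006-11-01 10:00:03 192.168.1.10 203.0.113.77 25
2006-11-01 10:00:05 192.168.1.10 198.51.100.12 25
2006-11-01 10:00:06 192.168.1.10 203.0.113.200 25
2006-11-01 10:00:09 192.168.1.20 192.0.2.10 25
2006-11-01 10:05:00 192.168.1.20 192.0.2.10 25
2006-11-01 10:00:10 192.168.1.10 192.0.2.50 80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+)$"
)


def parse_capture(text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (
            datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["src"],
            m["dst"],
            int(m["dport"]),
        )


def smtp_fanout(text, window=timedelta(seconds=60), min_distinct=5):
    """Return {src: sorted distinct SMTP destinations} for every source that
    contacted at least min_distinct different hosts on TCP/25 within any
    sliding window of the given length. A single relay never trips this."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_capture(text):
        if dport == 25:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so events[i:] is everything at/after i
        for i, (start, _) in enumerate(events):
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                flagged[src] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for src, dsts in smtp_fanout(SAMPLE_CAPTURE).items():
        print(f"{src}: {len(dsts)} distinct SMTP destinations in 60s -> {dsts}")
```

Because the poster's firewall and TDI monitor were bypassed on the infected host, a capture taken on the gateway or on a second machine spanning the same link is the more trustworthy input for this kind of check: it does not depend on the compromised TCP/IP stack reporting honestly.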
  2. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    You don't say what operating system you are using, but if it is XP, why don't you try System Restore to a day/time prior to the infection.
     
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    What if it can't successfully restore the system to an earlier day and time? Now that's my fear.

    Were your antivirus and antispyware programs up to date when you scanned?
    From my perspective your system appears to be a spambot.

    Download SecCheck from here:
    http://www.mynetwatchman.com/tools/sc/

    SecCheck is a Windows forensic tool which aids in the detection and removal of malicious applications, backdoors, trojans, worms, and viruses that may be unknowingly installed on your computer.


    Please post the results back here for further analysis. Save the results as a text-file and upload here as an attachment.
     
    Last edited: Nov 1, 2006
  4. ninereeds

    ninereeds Registered Member

    Joined:
    Oct 31, 2006
    Posts:
    5
    Good point. XP Pro, but I have recently removed all checkpoints as various anti-virus / anti-spam software I have run turned up several things in the system restore area.

    Thanks.
     
  5. ninereeds

    ninereeds Registered Member

    Joined:
    Oct 31, 2006
    Posts:
    5
    I would agree!

    Thanks. Impressive piece of software. Log attached.

    BTW, the system is XP Pro, on a dial-up connection.
     

    Attached Files:

  6. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Let's get down to work, baby. :D

    I inspect every line of text and pick out suspicious items:
    Other services registered on local machine (55)
    M = "M" [Stopped/Disabled] / "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\M.exe"
    Why is a service running from the temp files? What I would suggest is you look for this file on your system, and visit here: http://www.virustotal.com/en/indexf.html
    and upload the file to the site for scanning and post the results.
    iAimFP0 = "iAimFP0" [Stopped/Manual] / "System32\DRIVERS\wADV01nt.sys"
    iAimFP1 = "iAimFP1" [Stopped/Manual] / "System32\DRIVERS\wADV02NT.sys"
    iAimFP2 = "iAimFP2" [Stopped/Manual] / "System32\DRIVERS\wADV05NT.sys"
    iAimFP3 = "iAimFP3" [Stopped/Manual] / "System32\DRIVERS\wSiINTxx.sys"
    iAimFP4 = "iAimFP4" [Stopped/Manual] / "System32\DRIVERS\wVchNTxx.sys"
    iAimTV0 = "iAimTV0" [Stopped/Manual] / "System32\DRIVERS\wATV01nt.sys"
    iAimTV1 = "iAimTV1" [Stopped/Manual] / "System32\DRIVERS\wATV02NT.sys"
    iAimTV2 = "iAimTV2" [Stopped/Manual] / "System32\DRIVERS\wATV03nt.sys"
    iAimTV3 = "iAimTV3" [Stopped/Manual] / "System32\DRIVERS\wATV04nt.sys"
    iAimTV4 = "iAimTV4" [Stopped/Manual] / "System32\DRIVERS\wCh7xxNT.sys"
    Verify that these files are in the locations mentioned. Might as well submit them to the site for scanning too just for safety.

    lbrtfdc = "lbrtfdc" [Stopped/System] / ""
    Any clues as to what this lbrtfdc system driver is? Googled it and others' results return n/a descriptions of lbrtfdc.

    PDCOMP = "PDCOMP" [Stopped/Manual] / ""
    PDFRAME = "PDFRAME" [Stopped/Manual] / ""
    PDRELI = "PDRELI" [Stopped/Manual] / ""
    PDRFRAME = "PDRFRAME" [Stopped/Manual] / ""
    Do these four guys exist? If so, what are they? :doubt:
    Threads in PID 520 (PPID 776): "iexplore.exe" / CmdLine: '"C:\Program Files\Internet Explorer\iexplore.exe" -nohome'
    Is your Internet Explorer home page/home page settings ok?
    Threads in PID 520 (PPID 776): "iexplore.exe" / CmdLine: '"C:\Program Files\Internet Explorer\iexplore.exe" -nohome' TID = 332 / 0x0000014C, StartEIP = 0x7C810856
    StartAddr = 0x771D3E0F --> 'wininet.dll+0x00023E0F'
    Can you do a search for wininet.dll on your computer to make sure that its not located in any other place other than system32?
     
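The triage nadirah does by eye above (a service whose image lives in a user's Temp directory, services with no image path at all, drivers that are not where drivers belong) is mechanical enough to script. The following is an added example, not part of the original thread and not SecCheck's own code: it parses lines in the `NAME = "Display" [State/Start] / "path"` format of the listing above and returns the entries a responder should check first. The sample input reuses the M, iAimFP0, lbrtfdc and PDCOMP lines quoted in the post and adds two constructed benign entries for contrast.

```python
import re

# One SecCheck-style service line: NAME = "Display" [State/Start] / "path"
SERVICE_RE = re.compile(
    r'^(?P<name>\S+) = "(?P<display>[^"]*)" '
    r'\[(?P<state>[^/\]]+)/(?P<start>[^\]]+)\] / "(?P<path>[^"]*)"$'
)

# Sample listing. The first four lines are copied from the post above; the
# Spooler and Tcpip lines are constructed benign entries for contrast.
SAMPLE_SERVICES = r'''
M = "M" [Stopped/Disabled] / "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\M.exe"
iAimFP0 = "iAimFP0" [Stopped/Manual] / "System32\DRIVERS\wADV01nt.sys"
lbrtfdc = "lbrtfdc" [Stopped/System] / ""
PDCOMP = "PDCOMP" [Stopped/Manual] / ""
Spooler = "Print Spooler" [Running/Auto] / "C:\WINDOWS\system32\spoolsv.exe"
Tcpip = "TCP/IP Protocol Driver" [Running/System] / "System32\DRIVERS\tcpip.sys"
'''

# Substrings (lower-cased, 8.3 and long forms) that place a path under a
# per-user temporary directory, where no legitimate service should live.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


def parse_services(text):
    """Return one dict per well-formed service line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage_services(text):
    """Return [(service name, reason)] for entries worth a closer look, in
    listing order. Reasons mirror the questions a human reviewer asks:
    where does it run from, does it exist at all, is a driver misplaced."""
    findings = []
    for svc in parse_services(text):
        path = svc["path"]
        low = path.lower()
        if path == "":
            findings.append((svc["name"], "no image path recorded"))
        elif any(marker in low for marker in TEMP_MARKERS):
            findings.append((svc["name"], "image runs from a user temp directory"))
        elif low.endswith(".sys") and "system32\\drivers\\" not in low:
            findings.append((svc["name"], "driver outside System32\\DRIVERS"))
    return findings


if __name__ == "__main__":
    for name, reason in triage_services(SAMPLE_SERVICES):
        print(f"{name}: {reason}")
```

An entry flagged "no image path recorded" is exactly the "do these exist?" case: the next step is to confirm whether the binary is present on disk and, if it is, to submit it for scanning as the post suggests. A stopped/disabled entry is still worth recording, since the service definition persists after the binary has been quarantined.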
  7. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    @ nadirah

    Excellent diagnosis !!! SecCheck should be more widely promoted by everyone, as It's capable of some very good probing.

    @ ninereeds

    I think the wADV01nt.sys etc files may be ok ?

    It sounds as if you could have a trojan in there.

    local settings\temp\M.exe

    http://www.spywareinfoforum.com/lofiversion/index.php/t38994.html

    As that thread Is from some time ago, It might be a new variant/version. I would scan online with these

    http://www.bitdefender.com/scan8/ie.html

    http://www.kaspersky.com/kos/english/kavwebscan.html

    http://support.f-secure.com/enu/home/ols.shtml

    Also try some free antirootkit tools such as these.

    Rootkit Unhooker Beta 2, IceSword 1.20 English Version, Process Walker 1.02 Beta 1, GMER v1.0.12.11867 etc.

    http://forum.sysinternals.com/forum_posts.asp?TID=962&PN=1&TPN=13


    StevieO
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    A few random remarks.

    iexplore.exe -nohome
    The -nohome switch will open an Internet Explorer window without loading any page in the browser.


    The service has been stopped and its startup is set to disabled.
    That usually means something/someone has already taken care of it.

    But what is this scu.exe?
     
  9. ninereeds

    ninereeds Registered Member

    Joined:
    Oct 31, 2006
    Posts:
    5
    Fixed!!!

    Thanks everyone, especially nadirah and StevieO.

    Problem fixed. It was Backdoor.Rustock.B aka Troj/RKRustok-B. (see http://www.geocities.jp/kiskzo/lzx32.sys.html )

    It was Rootkit Unhooker that gave the clue, it turned up this in the Code Hooks Detector section:

    Hook: SYSENTER/Int 2E, Type: System Call at address 0xEF773395 hook handler located in [unknown module]

    Someone in the Sysinternals forum kindly identified this. To fix it I had to get Rootkit Unhooker to unhook it, then I was able to see its service entry in regedit and get rid of it.

    I had run Avast and AVG anti-virus; ad-aware, spybot s&d, PrevX, and AVG anti-spam; also Trojan Hunter. None of these picked it up.

    A very nasty thing.......

    Thanks again all.
     
  10. ninereeds

    ninereeds Registered Member

    Joined:
    Oct 31, 2006
    Posts:
    5
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Aha. The processname for that tool is scu.exe
    I should have realized.

    Good to hear you found the nasty. :thumb:
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Wow.. -- nice job.:thumb: :thumb: :thumb:
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, I just thought it's better to post the VirusTotal results here locally from a link above.

    ~Attachment removed - not necessary - Ron~
     
    Last edited by a moderator: Nov 3, 2006
  14. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    nine,

    I happened to notice your SecCheck submission to my system... we just released v2.1 of SecCheck and are having some intermittent submission problems... I see that the SCU version you tried failed and you fell back to the standalone version (which you posted here).

    You might want to try running the full SecCheck scan again as it will likely give you more info to find the malware on the box. Be advised that the Standalone version of SecCheck can also be run from a BartPE boot disk, enabling you to find even the most clever rootkits.

    Some comments on your submission:

    You are running totally exploitable versions of the Sun JRE:
    Registered Sun JRE Versions:
    Version: '1.4', Path: 'C:\Program Files\Java\j2re1.4.2\bin\client\jvm.dll'
    Version: '1.4.2', Path: 'C:\Program Files\Java\j2re1.4.2\bin\client\jvm.dll'

    Do not surf the web from this system until uninstalling above and installing latest JRE from http://java.sun.com


    This file looks interesting:

    [0319] [20061031 03:32:40]: "C:\Documents and Settings\Administrator\Local Settings\Temp\M.exe" = BD05AF36FEEA4639D3D37C65D9AF080A129D06A0

    There is a service entry pointing at it...I presume you already found this and disabled it:

    Other services registered on local machine (55):

    M = "M" [Stopped/Disabled] / "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\M.exe"

    For more details on SCU see this DSLR post:
    http://www.dslreports.com/forum/remark,18090758


    Lawrence Baldwin
     