something is sending spam but I can't find it!

I have a system that is sending SPAM but I cannot find what process is doing so.

I have run several anti-virus and anti-spyware programs and found nothing. I have cleared up the startup and run Hijack this and everything looks OK.

But when I run Wireshark I can see the damned SMTP packets going out!

It bypasses TDImon, and Kerio personal firewall. I can't see anything with Procexp.

I have run Rootkit Revealer and found nothing.

Has anyone any suggestions for finding the damned thing??!!!

Thanks

 

You don't say what OP sysytem you are using, but if it it XP, why don't you try System Restore to a day/time prior to the infection.

 

What if it can't successfully restore the system to an earlier day and time? Now that's my fear.

Were your antivirus and antispyware programs up to date when you scanned?
From my perspective your system appears to be a spambot.

Download SecCheck from here:
http://www.mynetwatchman.com/tools/sc/

SecCheck is a Windows forensic tool which aids in the detection and removal of malicious applications, backdoors, trojans, worms, and viruses that may be unknowningly installed on your computer.

Please post the results back here for further analysis. Save the results as a text-file and upload here as an attachment.

 

Good point. XP Pro, but I have recently removed all checkpoints as various anti-virus / anti-spam software I have run turned up several things in the system restore area.

Thanks.

 

I would agree!

Thanks. Impressive piece of software. Log attached.

BTW, the system is XP Pro, on a dial-up connection.

 

Let's get down to work, baby.

I inspect every line of text and pick out suspicious items:
Other services registered on local machine (55)
M = "M" [Stopped/Disabled] / "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\M.exe"
Why is a service running from the temp files? What I would suggest is you look for this file on your system, and visit here: http://www.virustotal.com/en/indexf.html
and upload the file to the site for scanning and post the results.
[FONT=&quot][/FONT] iAimFP0 = "iAimFP0" [Stopped/Manual] / "System32\DRIVERS\wADV01nt.sys"
iAimFP1 = "iAimFP1" [Stopped/Manual] / "System32\DRIVERS\wADV02NT.sys"
iAimFP2 = "iAimFP2" [Stopped/Manual] / "System32\DRIVERS\wADV05NT.sys"
iAimFP3 = "iAimFP3" [Stopped/Manual] / "System32\DRIVERS\wSiINTxx.sys"
iAimFP4 = "iAimFP4" [Stopped/Manual] / "System32\DRIVERS\wVchNTxx.sys"
iAimTV0 = "iAimTV0" [Stopped/Manual] / "System32\DRIVERS\wATV01nt.sys"
iAimTV1 = "iAimTV1" [Stopped/Manual] / "System32\DRIVERS\wATV02NT.sys"
iAimTV2 = "iAimTV2" [Stopped/Manual] / "System32\DRIVERS\wATV03nt.sys"
iAimTV3 = "iAimTV3" [Stopped/Manual] / "System32\DRIVERS\wATV04nt.sys"
iAimTV4 = "iAimTV4" [Stopped/Manual] / "System32\DRIVERS\wCh7xxNT.sys"
Verify that these files are in the locations mentioned. Might as well submit them to the site for scanning too just for safety.

lbrtfdc = "lbrtfdc" [Stopped/System] / ""
Any clues as to what this lbrtfdc system driver is? Googled it and others' results return n/a descriptions of lbrtfdc.

PDCOMP = "PDCOMP" [Stopped/Manual] / ""
PDFRAME = "PDFRAME" [Stopped/Manual] / ""
PDRELI = "PDRELI" [Stopped/Manual] / ""
PDRFRAME = "PDRFRAME" [Stopped/Manual] / ""
Do these four guys exist? If so, what are they?
[FONT=&quot][/FONT][FONT=&quot]Threads in PID 520 (PPID 776): "iexplore.exe" / CmdLine: '"C:\Program Files\Internet Explorer\iexplore.exe" -nohome'
[/FONT][FONT=&quot]Is your Internet Explorer home page/home page settings ok?
[/FONT][FONT=&quot]Threads in PID 520 (PPID 776): "iexplore.exe" / CmdLine: '"C:\Program Files\Internet Explorer\iexplore.exe" -nohome' [/FONT] TID = 332 / 0x0000014C, StartEIP = 0x7C810856
StartAddr = 0x771D3E0F --> 'wininet.dll+0x00023E0F'
Can you do a search for wininet.dll on your computer to make sure that its not located in any other place other than system32?






[FONT=&quot]
[/FONT]




[FONT=&quot][/FONT][FONT=&quot]
[/FONT]

 

@ nadirah

Excellent diagnosis !!! SecCheck should be more widely promoted by everyone, as It's capable of some very good probing.

@ ninereeds

I think the wADV01nt.sys etc files may be ok ?

It sounds as if you could have a trojan in there.

local settings\temp\M.exe

http://www.spywareinfoforum.com/lofiversion/index.php/t38994.html

As that thread Is from some time ago, It might be a new variant/version. I would scan online with these

http://www.bitdefender.com/scan8/ie.html

http://www.kaspersky.com/kos/english/kavwebscan.html

http://support.f-secure.com/enu/home/ols.shtml

Also try some free antirootkit tools such as these.

Rootkit Unhooker Beta 2, IceSword 1.20 English Version, Process Walker 1.02 Beta 1, GMER v1.0.12.11867 etc.

http://forum.sysinternals.com/forum_posts.asp?TID=962&PN=1&TPN=13


StevieO

 

A few random remarks.

iexplore.exe -nohome
The -nohome switch will open a internet explorer window without loading any page in the browser.

The service has been stopped and its startup is set to disabled.
That usually means something/someone has already taken care of it.

But what is this scu.exe?

 

Fixed!!!

Thanks everyone, especially nadirah and StevieO.

Problem fixed. It was Backdoor.Rustock.B aka Troj/RKRustok-B. (see http://www.geocities.jp/kiskzo/lzx32.sys.html )

It was Rootkit Unhooker that gave the clue, it turned up this in the Code Hooks Detector section:

Hook: SYSENTER/Int 2E, Type: System Call at address 0xEF773395 hook handler located in [unknown module]

Someone in the Sysinternals forum kindly identified this. To fix it I had to get Rootkit Unhooker to unhook it, then I was able to see it's service entry in regedit and get rid of it.

I had run Avast and AVG anti-virus; ad-aware, spybot s&d, PrevX, and AVG anti-spam; also Trojan Hunter. None of these picked it up.

A very nasty thing.......

Thanks again all.

 

http://www.mynetwatchman.com/tools/sc/

Nadirah suggested I use it. It's worth a look!

 

Aha. The processname for that tool is scu.exe
I should have realized.

Good to hear you found the nasty.

 

Wow.. -- nice job.

 

Hi I just though it,s better to post Virus total results here locally from a link above.

~Attachment removed - not necessary - Ron~

 

nine,

I happen to notice your Seccheck submission to my system...we just released v2.1 of SecCheck and are having some intermittent submission problem...I see that your SCU version that you tried failed and you failed back to the standalone version (which you posted here).

You might want to try running the full Seccheck scan again as it will likely give you more info to find the malware on the box. Be advised that the Standalone version of Seccheck can be also be run from a BartPE boot disk, enabling you to find even the most clever rootkits.

Some comments on your submission:

You are running totally exploitable versions of the Sun JRE:
Registered Sun JRE Versions:
Version: '1.4', Path: 'C:\Program Files\Java\j2re1.4.2\bin\client\jvm.dll'
Version: '1.4.2', Path: 'C:\Program Files\Java\j2re1.4.2\bin\client\jvm.dll'

Do not surf the web from this system until uninstalling above and installing latest JRE from http://java.sun.com


This file looks interesting:

[0319] [20061031 03:32:40]: "C:\Documents and Settings\Administrator\Local Settings\Temp\M.exe" = BD05AF36FEEA4639D3D37C65D9AF080A129D06A0

There is a service entry pointing at it...I presume you already found this and disabled it:

Other services registered on local machine (55):

M = "M" [Stopped/Disabled] / "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\M.exe"

For more details on SCU see this DSLR post:
http://www.dslreports.com/forum/remark,18090758


Lawrence Baldwin