swiftlink
asked on
A spam virus, can't get rid of it?
Hi Guys
I have a laptop running Windows XP Pro, with Trend Micro virus scanner.
There is a virus or something that is sending out mass spam from the computer. I can tell because
1. When the laptop is connected to the internet it sucks the bandwidth completely.
2. Trend Micro keeps popping up scanning outgoing messages even though the email client isn't even open.
I've also tried scanning with NOD32 and it picks up nothing.
any ideas?
Scan with SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE) and send us your HijackThis (http://www.majorgeeks.com/download3155.html) log.
ASKER
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:27 PM, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\CAP4RSK.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP4SWK.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Peter\Desktop\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C31C7A4F-BC8F-E275-F1D8-C2DECFC65FC6} - C:\WINDOWS\system32\fyiglgyl.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Policies\Explorer\Run: [{B8CD40E0-0256-1033-0303-03030131003d}] "C:\Program Files\Common Files\{B8CD40E0-0256-1033-0303-03030131003d}\Update.exe" mc-110-12-0001411
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185785189811
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownload Control Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCE3247A-9F2D-4DB9-9616-EF898FE7123C}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O20 - Winlogon Notify: efcyy - C:\WINDOWS\system32\efcyy.dll (file missing)
O20 - Winlogon Notify: rqrropp - rqrropp.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O24 - Desktop Component 0: (no name) - http://www.met-art.com/met-art_covers/061014-WICKY-TIM-FOX-107-4491-tn.jpg
--
End of file - 8610 bytes
From what I see, it appears that your computer is clean. You should just remove any item that says "(file missing)" next to it. TuneUp Utilities (http://tuneup.swmirror.com/TU2007TrialEN.exe) should be able to remove most of those items. I believe the only items it doesn't remove would be the "O20 - Winlogon Notify:" registry keys, which can be found in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Actually, there appears to be one suspicious item which is:
O4 - HKCU\..\Policies\Explorer\Run: [{B8CD40E0-0256-1033-0303-03030131003d}] "C:\Program Files\Common Files\{B8CD40E0-0256-1033-0303-03030131003d}\Update.exe" mc-110-12-0001411
Maybe rpggamergirl will be here to find more suspicious items.
Also, I would recommend scanning with a previous version of HijackThis (http://www.majorgeeks.com/download3155.html) and sending us that log.
First thing which I noticed: you are running Symantec and Trend Micro together!
Any specific reason? Because this can be heavy on system resources.
Second, you can fix the following lines in HJT:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C31C7A4F-BC8F-E275-F1D8-C2DECFC65FC6} - C:\WINDOWS\system32\fyiglgyl.dll (file missing)
O4 - HKCU\..\Policies\Explorer\Run: [{B8CD40E0-0256-1033-0303-03030131003d}] "C:\Program Files\Common Files\{B8CD40E0-0256-1033-0303-03030131003d}\Update.exe" mc-110-12-0001411
O20 - Winlogon Notify: efcyy - C:\WINDOWS\system32\efcyy.dll (file missing)
O20 - Winlogon Notify: rqrropp - rqrropp.dll (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE (file missing)
fix them and restart in safemode, scan with an updated SuperAntiSpyware and make sure it comes as clean.
run Disk Cleanup to get rid of the temp files present on the hard drive
restart back in normal mode and post the results :)
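The two replies above apply the same rules of thumb to the log: entries marked "(file missing)" or "(no file)" are dead hooks, O20 Winlogon Notify entries and the O4 Policies\Explorer\Run autostart deserve a closer look. As an added example (not code from any poster or from HijackThis itself), here is a small Python triage script that applies those rules to log lines; the sample log is constructed from a few entries of the posted log plus benign ones for contrast.

```python
import re

# Constructed sample: entries in HijackThis v2 log format, mixing real lines
# from the log posted above with benign entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C31C7A4F-BC8F-E275-F1D8-C2DECFC65FC6} - C:\WINDOWS\system32\fyiglgyl.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Policies\Explorer\Run: [{B8CD40E0-0256-1033-0303-03030131003d}] "C:\Program Files\Common Files\{B8CD40E0-0256-1033-0303-03030131003d}\Update.exe" mc-110-12-0001411
O20 - Winlogon Notify: efcyy - C:\WINDOWS\system32\efcyy.dll (file missing)
O20 - Winlogon Notify: rqrropp - rqrropp.dll (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


def triage_entry(line):
    """Return the reasons one HijackThis entry deserves attention (empty list if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons = []
    # Rule from the thread: anything whose target no longer exists is a dead hook.
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        reasons.append("dead reference, target file is gone: safe to fix")
    # Winlogon Notify DLLs are loaded by winlogon.exe at every logon
    # (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify).
    if section == "O20":
        reasons.append("Winlogon Notify hook loaded by winlogon.exe at logon")
    # Policies\Explorer\Run is a rarely used autostart key; a GUID-style value
    # name there is the item the thread singles out as suspicious.
    if section == "O4" and r"\Policies\Explorer\Run" in body:
        reasons.append("autostart via Policies\\Explorer\\Run with a GUID-style name")
    # A BHO that does not even report a name is worth checking.
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO")
    return reasons


def triage_log(text):
    """Map each suspicious entry of a log to its reasons; benign entries are left out."""
    findings = {}
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```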
ASKER
Hi guys, I've removed the above files but the spam message is still coming up. Also I can't enable the firewall on Trend Micro Internet Security? Possible this virus has the ability to stop the firewall??
What kind of account and email client are you using?
And do you get any error message while enabling the firewall?
Maybe its worth trying this:
When you first turn on your comp (so that as few connections as possible are created), open a cmd prompt and type "netstat /anb" without the quotations. Look for strange connections, and the process that's created them. If there's nothing there, you can also put a number at the end to have it refresh every x seconds, i.e. "netstat /anb 1". Especially keep an eye out for a process using destination port 23.
Crude but effective.
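As an added example (not code from the poster above), here is a Python parser for the netstat /anb output that post describes, with the check it suggests (any connection to destination port 23) plus a count of distinct SMTP (port 25) peers per process, which is what a spam engine on the box would look like. The sample output and the process name upd.exe are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of "netstat /anb" output in the Windows XP layout: each
# connection line is followed by the owning executable in square brackets
# (module lines that -b sometimes prints in between are simply ignored).
# The process name "upd.exe" is made up for this example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  [svchost.exe]
  TCP    10.0.0.5:1038          198.51.100.10:80       ESTABLISHED     1512
  [iexplore.exe]
  TCP    10.0.0.5:1044          203.0.113.7:25         ESTABLISHED     1340
  [upd.exe]
  TCP    10.0.0.5:1045          203.0.113.21:25        SYN_SENT        1340
  [upd.exe]
  TCP    10.0.0.5:1046          203.0.113.44:25        ESTABLISHED     1340
  [upd.exe]
  TCP    10.0.0.5:1047          203.0.113.90:25        SYN_SENT        1340
  [upd.exe]
  TCP    10.0.0.5:1048          192.0.2.15:23          ESTABLISHED     1340
  [upd.exe]
  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

# TCP lines carry a State column, UDP lines do not, hence the optional group.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat(text):
    """Turn netstat /anb output into a list of connection records."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            host, _, port = foreign.rpartition(":")
            conns.append({
                "proto": proto, "local": local, "host": host,
                "port": int(port) if port.isdigit() else None,
                "state": state or "", "pid": int(pid), "image": None,
            })
            continue
        m = PROC_RE.match(line)
        if m and conns and conns[-1]["image"] is None:
            conns[-1]["image"] = m.group(1)  # bracketed exe belongs to the last connection
    return conns


def find_spam_suspects(conns, smtp_peer_threshold=3):
    """Flag processes with many outbound SMTP peers, or any connection to port 23."""
    smtp_peers = defaultdict(set)
    findings = []
    for c in conns:
        if c["proto"] != "TCP" or c["state"] == "LISTENING" or c["port"] is None:
            continue
        owner = (c["pid"], c["image"] or "<unknown image>")
        if c["port"] == 25:
            smtp_peers[owner].add(c["host"])
        elif c["port"] == 23:
            findings.append((owner, "outbound telnet connection to %s:23" % c["host"]))
    for owner, hosts in smtp_peers.items():
        if len(hosts) >= smtp_peer_threshold:
            findings.append((owner, "%d distinct SMTP peers: mail client or spam engine?" % len(hosts)))
    return findings


if __name__ == "__main__":
    for (pid, image), why in find_spam_suspects(parse_netstat(SAMPLE_NETSTAT)):
        print("PID %d %-14s %s" % (pid, image, why))
```

A real mail client talks to one or two SMTP servers, so a single process fanning out to many port 25 peers is the tell; on a box with a hooked netstat the listing may be incomplete, which is the rootkit caveat raised later in the thread.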
ASKER
Anyone know of the lzx32.sys trojan?
I've removed it with SuperAntiSpyware many times and it keeps showing up.
Also the firewall is enabled, so it wasn't the virus that caused it.
ASKER
Looks like that virus is a rootkit, no wonder it keeps showing up.
ASKER CERTIFIED SOLUTION
ASKER
Thanks, I found that number 2 worked. I know it's worked because my Trend Micro isn't popping up "scanning outgoing messages" anymore.
Wonder why Trend Micro didn't pick it up, does it have rootkit detection?
@ rpggamergirl:
(sigh...)
>>Wonder why trend micro didnt pick it up, does it have rootkit detection?<<
Most antivirus doesn't detect rootkits, so I guess TrendMicro doesn't either.
Did you also try ComboFix before? Usually ComboFix detects the Rustock rootkit and runs the Gmer app included to remove it.
Glad to know the issue is resolved.
Thanks!
@orangutang:
Hey doc? not happy to see me? lol.
I'm soooo jealous... you always steal my points doctor's assistant...
>> I'm soooo jealous
And I'm soooo inspired by her!
especially when she kicks away every little nasty with just a single comment :)
>>Most antivirus doesn't detect rootkits, so I guess TrendMicro doesn't either.<<
TrendMicro OfficeScan 8.x has an anti-rootkit component. PC-cillin 2007 suite is supposed to as well. Perhaps the PC-cillin version the Asker has does not.
Just sayin' ...
Hey, rpggamergirl, I'm just curious, do you know how the rootkit that swiftlink got works? Is it a hidden process or a hidden DLL?
Good info there from ShineOn.
>>do you know how the rootkit that swiftlink got works? Is it a hidden process or a hidden DLL?<<
No, but a hidden service/driver and ADS
Check Symantec's description of it:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99&tabid=2
Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66432
Total size: 66432 bytes.
ADS ...
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!
C:\WINDOWS\system32\xpdx.sys <-- ROOTKIT !!!
Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
Variants of rustock rootkit:
Rootkit driver pe386 is present.
Rootkit driver msguard is present
Rootkit driver lzx32 is found
Rootkit driver xpdx is found
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\msguard
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\xpdx
Have you ever heard of a time when ADS was used for a good purpose?
ADS was created for a very good purpose, and that's for Windows to be compatible with the Macintosh file system, but of course virus writers/hackers also love this NTFS feature; hidden files that are attached to the visible ones are exactly what they wanted, :)
Oh, do you know if it's possible to disable the use of ADS?
You want to change NTFS file capabilities?
That's a good question, I suggest you post your own question allocating 500 pts, I'm sure many experts will reply to that, :)
Programmers/developers spent a lot of time making tools that detect and remove ADS; if they could change the NTFS file capabilities maybe they would've done that instead, but I don't know.
We are spamming everyone who are still subscribed to this thread, you know :)
:) Oh, sorry everyone. This is my last post for this thread. Orangutang, over and out...
"... do you know if it's possible to disable the use of ADS?"
Yeah, don't use NTFS... ;)
There are plenty of alternatives "out there," but then again, they don't run on Windows - and wouldn't keep rpggamergirl so busy hunting down and killing malware... ;)
Try this:
Release your "Windows Restore" files. Right click on the My Computer icon, then the System Restore tab. Check the box to turn off System Restore. Reboot, and usually that will cure the alerts. The virus scan can see the file in the restore files, but cannot remove it.