[Last Call] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 749
  • Last Modified:

A Spam virus, cant get rid of it?

Hi Guys

I have laptop running windows xp pro. With trend micro virus scanner..

There is a virus or something that is sending out mass spam from the computer. I can tell becuase

1. When the laptop is connected to the internet it sucks the bandwidth completely.
2. Trend micro keeps poping up scanning outgoing messages even though the email client isnt even open.

Ive also tried scanning with nod32 and it picks up nothing

any ideas?
  • 10
  • 5
  • 5
  • +4
1 Solution
swiftlinkAuthor Commented:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:27 PM, on 12/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Peter\Desktop\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C31C7A4F-BC8F-E275-F1D8-C2DECFC65FC6} - C:\WINDOWS\system32\fyiglgyl.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Policies\Explorer\Run: [{B8CD40E0-0256-1033-0303-03030131003d}] "C:\Program Files\Common Files\{B8CD40E0-0256-1033-0303-03030131003d}\Update.exe" mc-110-12-0001411
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185785189811
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCE3247A-9F2D-4DB9-9616-EF898FE7123C}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O20 - Winlogon Notify: efcyy - C:\WINDOWS\system32\efcyy.dll (file missing)
O20 - Winlogon Notify: rqrropp - rqrropp.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware  (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O24 - Desktop Component 0: (no name) - http://www.met-art.com/met-art_covers/061014-WICKY-TIM-FOX-107-4491-tn.jpg

End of file - 8610 bytes
From what I see, it appears that your computer is clean. You should just remove any item next that says "(file missing)" next to it. TuneUp Utilities (http://tuneup.swmirror.com/TU2007TrialEN.exe) should be able to remove most of those items. I believe the only items it doesn't remove would be the "O20 - Winlogon Notify: " registry keys which can be found in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Actually, there appears to be one suspicious item which is:
O4 - HKCU\..\Policies\Explorer\Run: [{B8CD40E0-0256-1033-0303-03030131003d}] "C:\Program Files\Common Files\{B8CD40E0-0256-1033-0303-03030131003d}\Update.exe" mc-110-12-0001411
Maybe rpggamergirl will be here to find more suspicious items.
Also, I would recommend scanning with a previous version of HijackThis (http://www.majorgeeks.com/download3155.html) and send us that log.
first thing which i noticed, you are running Symantec and Trend Micro together!
any specific reason? because this can be heavy on system resources.

second, you can fix the following line in hjt;

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C31C7A4F-BC8F-E275-F1D8-C2DECFC65FC6} - C:\WINDOWS\system32\fyiglgyl.dll (file missing)
O4 - HKCU\..\Policies\Explorer\Run: [{B8CD40E0-0256-1033-0303-03030131003d}] "C:\Program Files\Common Files\{B8CD40E0-0256-1033-0303-03030131003d}\Update.exe" mc-110-12-0001411
O20 - Winlogon Notify: efcyy - C:\WINDOWS\system32\efcyy.dll (file missing)
O20 - Winlogon Notify: rqrropp - rqrropp.dll (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE (file missing)

fix them and restart in safemode, scan with an updated SuperAntiSpyware and make sure it comes as clean.
run Disk Cleanup to get rid of the temp files present on the hard drive
restart back in normal mode and post the results :)
swiftlinkAuthor Commented:
hi guys, ive removed the above files but the spam message is still coming up, also i cant enable the firewall on trend micro internet security? possible this virus has the ablirty to stop the firewall??
what kind of account and email client you are using?
and do you get any error message while enabling the firewall?
Maybe its worth trying this:
When you first turn on your comp (so that as little connections as possible are created) open cmd prompt and type "netstat /anb" without the quotations. Look for strange connections, and the process thats created it. If there's nothing there, you can also put a number at the end to have it refresh every x seconds, i.e. "netstat /anb 1". Especially keep an eye out for a process using destination port 23.

Crude but effective.
swiftlinkAuthor Commented:
anyone know of the lzx32.sys tojan

Ive removed it with super antispyware many times and it keeps showing up.

Also the firewall is enabled, so it wasnt the virus that caused it.
swiftlinkAuthor Commented:
looks like that virus is a rootkit, no wonder it keep showing up.

>>anyone know of the lzx32.sys tojan <<
That's a Rustock.B rootkit, Combofix and SDFix are able to handle that one.

1.  Download ComboFix to your Desktop, from either of these locations:

Double click "combofix.exe" and follow the prompts.
When finished, it shall produce a log for you.
Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

2.  OR:
Download Rustbfix from one of these locations:
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
swiftlinkAuthor Commented:
thanks i found that number 2. worked. I know its worked coz my trend micro isnt poping up "scanning outgoing messages" anymore.

Wonder why trend micro didnt pick it up, does it have rootkit detection?
@ rpggamergirl:
>>Wonder why trend micro didnt pick it up, does it have rootkit detection?<<
Most antivirus doesn't detect rootkits, so I guess TrendMicro doesn't either.

Did you also try combofix before? usually combofix detects rustock rootkit and runs the Gmer app included to remove it.

Glad to know the issue is resolved.

Hey doc? not happy to see me? lol.
I'm soooo jealous... you always steal my points doctor's assistant...
>> I'm soooo jealous
and im soooo inspired by her!
especially when she kicks away every little nasty with just a single comment :)
>>Most antivirus doesn't detect rootkits, so I guess TrendMicro doesn't either.<<

TrendMicro OfficeScan 8.x has an anti-rootkit component. PC-cillin 2007 suite is supposed to as well.  Perhaps the PC-cillin version the Asker has does not.

Just sayin' ...
Hey, rpggamergirl, I'm just curious, do you know how the rootkit that swiftlink got works? Is it a hidden process or a hidden DLL?
Good info there from ShineOn.

>>do you know how the rootkit that swiftlink got works? Is it a hidden process or a hidden DLL?<<
No, but a hidden service/driver and ADS
Check Symantec's description of it:

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 66432
Total size: 66432 bytes.
ADS ...
File C:\WINDOWS\system32\lzx32.sys <-- ROOTKIT !!!
      C:\WINDOWS\system32\xpdx.sys <-- ROOTKIT !!!

Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

Variants of rustock rootkit:
Rootkit driver pe386 is present.
Rootkit driver msguard is present
Rootkit driver lzx32 is found
Rootkit driver xpdx is found

Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\lzx32
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\msguard
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\xpdx
Have you ever heard of a time when ADS was used for a good purpose?
ADS was created for a very good purpose, and that's for Windows to be compatible with MacIntosh file system, but of course virus writers/hackers also love this NTFS feature, a hidden files that are attached to the visible ones are exactly what they wanted, :)

Oh, do you know if it's possible to disable the use of ADS?
You want to change NTFS file capabilities?

That's a good question, I suggest you post your own question allocating 500 pts, I'm sure many experts will reply to that, :)
Programmers/developers spent a lot of time making tools that detects and remove ADS, if they could change the NTFS file capabilities maybe they would've done that instead, but I don't know.

We are spamming everyone who are still subscribed to this thread, you know :)
:) Oh, sorry everyone. This is my last post for this thread. Orangutang, over and out...
"... do you know if it's possible to disable the use of ADS?"

Yeah, don't use NTFS... ;)  

There are plenty of alternatives "out there," but then again, they don't run on Windows - and wouldn't keep rpggamergirl so busy hunting down and killing malware...  ;)
Try this:
Releast your "Windows Restore" files. Right click on the My Computer Icon, then the system restore tab. Check the box to turn off system restore. Reboot, and usually that will cure the alerts. The virus scan can see the fil in the restore files, but cannot remove it.

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 10
  • 5
  • 5
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now