• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 328

Reoccurring instances (9) of DropSpam in Windows 2000 Server

I am finding 9 instances of DropSpam when running Spybot S&D each week. These instances coincide with a slowdown of internet-related services and IE 6 locking up. It seems that there may be a resident file that is reloading this spyware on boot. Two of the keys that Spybot is finding are:
 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ANSMTO.MassSender
 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ANSMTO.MassSender1
My latest HiJack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:01 AM, on 2/16/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\System32\termsrv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\drivers\CDAC11BA.EXE
D:\WINNT\system32\crypserv.exe
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
D:\WINNT\system32\hidserv.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
D:\WINNT\System32\llssrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
D:\WINNT\system32\ntfrs.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\lserver.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\wins.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Dfssvc.exe
D:\WINNT\System32\dns.exe
D:\WINNT\System32\msdtc.exe
D:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\Explorer.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\WINNT\system32\VTTimer.exe
D:\WINNT\system32\VTtrayp.exe
D:\Program Files\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINNT\system32\ctfmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\HAWKING\Hawking Technologies HWP54G Wireless-G PCI Card\Installer\WIN2K\ConfigUtility.exe
D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\SpamButcher\spambutcher.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\WINNT\system32\WISPTIS.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dallasprecision.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpamButcher.lnk = D:\Program Files\SpamButcher\spambutcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ConfigUtility.lnk = D:\Program Files\HAWKING\Hawking Technologies HWP54G Wireless-G PCI Card\Installer\WIN2K\ConfigUtility.exe
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231263151625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232229444937
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AVTA-US.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4544E16-81DA-4595-A021-29CF0D10EE73}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{DABB1127-D581-4BC6-8AB9-DAF940F8E72A}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AVTA-US.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AVTA-US.local
O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - D:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 7454 bytes

How do I rid myself of this pest?
0
Asked by Big_Harry1

1 Solution
 
David-Howard commented:
This entry can be removed if you are uncertain as to its purpose.
D:\Program Files\SpamButcher\spambutcher.exe
This entry should be removed.
R3 - URLSearchHook: (no name) - - (no file)
Another instance of spambutcher that can be removed if you do not know its origin.
O4 - Startup: SpamButcher.lnk = D:\Program Files\SpamButcher\spambutcher.exe
Other than that your log file is clean.
I suggest that you download and update Malwarebytes from
www.malwarebytes.org
Reboot into Safe Mode and scan.
0
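A small triage helper for the HijackThis log format quoted in the question, added here as an example (it is not code from the thread, from HijackThis or from Spybot): it parses the Rn/Onn entry lines and flags the kinds of entries David-Howard points at, the orphaned "(no file)" URLSearchHook and any O4 autostart whose target is not a fully qualified path. The sample lines are copied from the log in the question; the regexes and the "unqualified path" rule are my own assumptions about the log layout.

```python
import re

# Constructed sample: lines copied from the HijackThis v2.0.2 log in the question.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
D:\WINNT\System32\smss.exe
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SpamButcher.lnk = D:\Program Files\SpamButcher\spambutcher.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")         # "O4 - ..." entry lines
RUN_RE = re.compile(r"^HK\S*?\\\.\.\\Run\w*: \[[^\]]*\] (?P<target>.*)$")  # Run/RunOnce values
STARTUP_RE = re.compile(r"^(?:Global )?Startup: .*? = (?P<target>.*)$")    # Startup-folder .lnk
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                                      # fully qualified path

def parse_entries(log_text):
    """Yield (code, body, line) for each Rn/Fn/Onn entry; header and process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body"), raw.strip()

def o4_target(body):
    """Return the program an O4 autostart entry launches, or None for an unknown layout."""
    m = RUN_RE.match(body) or STARTUP_RE.match(body)
    if not m:
        return None
    raw = m.group("target").strip()
    if raw.startswith('"'):                 # quoted path: arguments follow the closing quote
        return raw[1:raw.find('"', 1)]
    idx = raw.lower().find(".exe")          # unquoted: the path ends at the executable name
    return raw[: idx + 4] if idx >= 0 else raw.split()[0]

def triage(log_text):
    """Return (code, reason, line) tuples for entries worth a second look."""
    findings = []
    for code, body, line in parse_entries(log_text):
        if "(no file)" in body:             # the R3 hook David-Howard says to remove
            findings.append((code, "orphaned: registry references a file that is gone", line))
        elif "(no name)" in body and code in ("R3", "O2", "O3"):
            findings.append((code, "unnamed hook/BHO/toolbar", line))
        if code == "O4":
            target = o4_target(body)
            if target is not None and not DRIVE_RE.match(target):
                findings.append((code, f"autostart '{target}' has no full path (resolved via search path)", line))
    return findings
```

Entries such as `VTTimer.exe` or `ctfmon.exe` are not malicious in themselves; they are flagged because a bare file name is resolved through the search path at logon, so the real file should be confirmed on disk before the entry is trusted.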
 
David-Howard commented:
Spambutcher is listed as a legitimate product. I just want to make sure that you are aware of it and that it is something you installed.
Prior to running Malwarebytes (or any other anti-virus/malware suite), disable System Restore. Directions can be found here:
http://support.microsoft.com/kb/310405
If the above steps fail to remove the threat, you may need to download and run Combofix. The free download and directions can be located here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
As noted in the directions, prior to running Combofix or any other anti-malware/anti-virus application please stop your anti-virus and anti-malware programs. Combofix should be saved to and run from your desktop.
You should rename the anti-malware suites to a different name prior to downloading as some threats can prevent them from running with their default names.
When you have finished running your scans and the threats have been removed enable System Restore.
There is also a trusted and free utility that shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. This is handy if you are receiving rundll errors or pop ups when you log on.
AutoRuns for Windows
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
0
 
Big_Harry1 (Author) commented:
The Spambutcher program is my email checker and the problem did not become visible until at least a year after that one was loaded. I will run the combofix program and post the results.
0
David-Howard commented:
Okay great. Please don't forget to run Malwarebytes as well.
0
 
David-Howard commented:
I found some more information on this junk here.
http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453097437
0
 
Big_Harry1 (Author) commented:
I've used the Combofix and Malwarebytes and they cleaned the server up! Thanks for the additional links also, they will be helpful.
0
