Big_Harry1
asked on
Reoccurring instances (9) of DropSpam in Windows 2000 Server
I am finding 9 instances of DropSpam when running Spy-Bot S&D each week. These instances coincide with a slow down of internet related services and IE 6 locking up. It seems that there may be a file resident that is reloading this spyware on boot. Two of the keys that SPyBot is finding are:
HKEY_LOCAL_MACHINE\SOFTWAR E\Classes\ ANSMTO.Mas sSender
HKEY_LOCAL_MACHINE\SOFTWAR E\Classes\ ANSMTO.Mas sSender1
My latest HiJack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:01 AM, on 2/16/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon .exe
D:\WINNT\system32\services .exe
D:\WINNT\system32\lsass.ex e
D:\WINNT\System32\termsrv. exe
D:\WINNT\system32\svchost. exe
D:\WINNT\System32\svchost. exe
D:\WINNT\system32\spoolsv. exe
D:\WINNT\system32\drivers\ CDAC11BA.E XE
D:\WINNT\system32\crypserv .exe
D:\Program Files\Symantec_Client_Secu rity\Syman tec AntiVirus\DefWatch.exe
D:\WINNT\system32\hidserv. exe
D:\WINNT\System32\inetsrv\ inetinfo.e xe
D:\WINNT\System32\llssrv.e xe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Symantec_Client_Secu rity\Syman tec AntiVirus\Rtvscan.exe
D:\WINNT\system32\ntfrs.ex e
D:\WINNT\system32\regsvc.e xe
D:\WINNT\system32\MSTask.e xe
D:\WINNT\System32\tcpsvcs. exe
D:\WINNT\system32\stisvc.e xe
D:\WINNT\System32\lserver. exe
D:\WINNT\System32\WBEM\Win Mgmt.exe
D:\WINNT\System32\wins.exe
D:\WINNT\system32\svchost. exe
D:\WINNT\system32\Dfssvc.e xe
D:\WINNT\System32\dns.exe
D:\WINNT\System32\msdtc.ex e
D:\Program Files\Common Files\System\MSSearch\Bin\ mssearch.e xe
D:\WINNT\System32\svchost. exe
D:\WINNT\Explorer.EXE
D:\PROGRA~1\SYMANT~1\SYMAN T~1\vptray .exe
D:\WINNT\system32\VTTimer. exe
D:\WINNT\system32\VTtrayp. exe
D:\Program Files\VIAudioi\SBADeck\ADe ck.exe
D:\Program Files\iTunes\iTunesHelper. exe
D:\WINNT\system32\ctfmon.e xe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iPod\bin\iPodService .exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\HAWKING\Hawking Technologies HWP54G Wireless-G PCI Card\Installer\WIN2K\Confi gUtility.e xe
D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma ngr.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\SpamButcher\spambutc her.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex e
D:\WINNT\system32\ZoneLabs \vsmon.exe
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX E
D:\WINNT\system32\WISPTIS. EXE
D:\Program Files\Common Files\Real\Update_OB\reals ched.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EX E
D:\Program Files\Trend Micro\HijackThis\HijackThi s.exe
R0 - HKCU\Software\Microsoft\In ternet Explorer\Main,Start Page = http://www.dallasprecision.com/
R0 - HKLM\Software\Microsoft\In ternet Explorer\Search,SearchAssi stant =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7 84B7D6BE0B 3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIE Helper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2 06D7942484 F} - D:\PROGRA~1\SPYBOT~1\SDHel per.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0 445EE16191 0} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClien t.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0 0A0C908246 7} - D:\WINNT\system32\msdxm.oc x
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0 819E2EAAC9 3} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClien t.dll
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMAN T~1\vptray .exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADe ck.exe 1
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper. exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe " -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\dr ivers\w32x 86\3\hpzts b04.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\reals ched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex e"
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroChe ck.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpamButcher.lnk = D:\Program Files\SpamButcher\spambutc her.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Ad obe Gamma Loader.exe
O4 - Global Startup: ConfigUtility.lnk = D:\Program Files\HAWKING\Hawking Technologies HWP54G Wireless-G PCI Card\Installer\WIN2K\Confi gUtility.e xe
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma ngr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3 \OFFICE11\ EXCEL.EXE/ 3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3 C9C571A826 3} - D:\PROGRA~1\MICROS~3\OFFIC E11\REFIEB AR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5 8CAB36FD2A 2} - D:\PROGRA~1\SPYBOT~1\SDHel per.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5 8CAB36FD2A 2} - D:\PROGRA~1\SPYBOT~1\SDHel per.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0 E3A5CAA8CD 8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0CCA191D-13A6-4E29-B746-3 14DEE697D8 3} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-F CFDF33E833 C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231263151625
O16 - DPF: {6E32070A-766D-4EE6-879C-D C1FA91D2FC 3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232229444937
O17 - HKLM\System\CCS\Services\T cpip\Param eters: Domain = AVTA-US.local
O17 - HKLM\System\CCS\Services\T cpip\..\{B 4544E16-81 DA-4595-A0 21-29CF0D1 0EE73}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\T cpip\..\{D ABB1127-D5 81-4BC6-8A B9-DAF940F 8E72A}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\T cpip\Param eters: Domain = AVTA-US.local
O17 - HKLM\System\CS2\Services\T cpip\Param eters: Domain = AVTA-US.local
O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINNT\system32\drivers\ CDAC11BA.E XE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - D:\WINNT\SYSTEM32\crypserv .exe
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\Symantec_Client_Secu rity\Syman tec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin. exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver \11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService .exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\Symantec_Client_Secu rity\Syman tec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs \vsmon.exe
--
End of file - 7454 bytes
How do I rid myself of this pest?
HKEY_LOCAL_MACHINE\SOFTWAR
HKEY_LOCAL_MACHINE\SOFTWAR
My latest HiJack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:01 AM, on 2/16/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon
D:\WINNT\system32\services
D:\WINNT\system32\lsass.ex
D:\WINNT\System32\termsrv.
D:\WINNT\system32\svchost.
D:\WINNT\System32\svchost.
D:\WINNT\system32\spoolsv.
D:\WINNT\system32\drivers\
D:\WINNT\system32\crypserv
D:\Program Files\Symantec_Client_Secu
D:\WINNT\system32\hidserv.
D:\WINNT\System32\inetsrv\
D:\WINNT\System32\llssrv.e
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Symantec_Client_Secu
D:\WINNT\system32\ntfrs.ex
D:\WINNT\system32\regsvc.e
D:\WINNT\system32\MSTask.e
D:\WINNT\System32\tcpsvcs.
D:\WINNT\system32\stisvc.e
D:\WINNT\System32\lserver.
D:\WINNT\System32\WBEM\Win
D:\WINNT\System32\wins.exe
D:\WINNT\system32\svchost.
D:\WINNT\system32\Dfssvc.e
D:\WINNT\System32\dns.exe
D:\WINNT\System32\msdtc.ex
D:\Program Files\Common Files\System\MSSearch\Bin\
D:\WINNT\System32\svchost.
D:\WINNT\Explorer.EXE
D:\PROGRA~1\SYMANT~1\SYMAN
D:\WINNT\system32\VTTimer.
D:\WINNT\system32\VTtrayp.
D:\Program Files\VIAudioi\SBADeck\ADe
D:\Program Files\iTunes\iTunesHelper.
D:\WINNT\system32\ctfmon.e
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iPod\bin\iPodService
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\HAWKING\Hawking Technologies HWP54G Wireless-G PCI Card\Installer\WIN2K\Confi
D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\SpamButcher\spambutc
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
D:\WINNT\system32\ZoneLabs
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX
D:\WINNT\system32\WISPTIS.
D:\Program Files\Common Files\Real\Update_OB\reals
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EX
D:\Program Files\Trend Micro\HijackThis\HijackThi
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMAN
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIAudioi\SBADeck\ADe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINNT\system32\spool\dr
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroChe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: SpamButcher.lnk = D:\Program Files\SpamButcher\spambutc
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Ad
O4 - Global Startup: ConfigUtility.lnk = D:\Program Files\HAWKING\Hawking Technologies HWP54G Wireless-G PCI Card\Installer\WIN2K\Confi
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0
O16 - DPF: {0CCA191D-13A6-4E29-B746-3
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINNT\system32\drivers\
O23 - Service: Crypkey License - Kenonic Controls Ltd. - D:\WINNT\SYSTEM32\crypserv
O23 - Service: DefWatch - Symantec Corporation - D:\Program Files\Symantec_Client_Secu
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - D:\Program Files\Symantec_Client_Secu
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs
--
End of file - 7454 bytes
How do I rid myself of this pest?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The Spambutcher program is my email checker and the problem did not become visible until at least a year after that one was loaded. I will run the combofix program and post the results.
Okay great. Please don't forget to run Malwarebytes as well.
I found some more information on this junk here.
http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453097437
http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453097437
ASKER
I've used the Combofix and Malwarebytes and they cleaned the server up! Thanks for the additional links also, they will be helpful.
D:\Program Files\SpamButcher\spambutc
This entry should be removed.
R3 - URLSearchHook: (no name) - - (no file)
Another instance of spambutcher that can be removed if you do not know its origin.
O4 - Startup: SpamButcher.lnk = D:\Program Files\SpamButcher\spambutc
Other than that your log file is clean.
I suggest that you download and update Malwarebytes from
www.malwarebytes.org
Reboot into Safe Mode and scan.