
My ISP says I have posted spam

Discussion in 'Malware and Virus Removal Archive' started by Michael Hooker, 2007/09/15.

  1. 2007/09/15
    Michael Hooker

    Michael Hooker Inactive Thread Starter

    Joined:
    2007/09/15
    Messages:
    7
    Likes Received:
    0
    I have no doubt the answer to this is somewhere in a previously posted message, if not many, but I can't work out what to try first.

    My ISP security people rang to say that a spam message had been sent from my IP address, and suggested my PC had been hijacked. They threaten to cut me off if I don't fix my software. At the time they say it was sent, we had three machines running on the home network, one Win98SE, one XP SP2 and one Vista Home. We have two other XP SP2 machines both of which were switched off.

    All except the Win98 have AVG 7.5 Free edition, fully updated, virus checks have been run and nothing found. All except the Win98 have Windows Firewall on, though I find it very hard to work out if this is set up properly. There is also a Firewall built in to the LinkSys ADSL gateway modem/router. I'm going to fit up the Win98 machine with AV and Firewall after I finish this, but I feel it's unlikely to be the infected machine, and if the worst comes to the worst I can just disconnect it from the network and transfer data by floppy or USB stick - it never needs to go online.

    I have checked the Task Manager on all the machines and cannot see any processes running which don't belong there. I have done my best to check that smss.exe and similar files are located in the folders that various websites tell me they should be in, but frankly it's all a bit mind-blowing after the first couple of machines and I'm easily confused. I tried some online scans recommended by my ISP but despite them downloading all sorts of stuff to my PCs that I don't want, I couldn't get a single one to complete the scan for one reason or another. Very frustrating.

    So, basically I have two questions. (1) What's the most efficient way to track down this worm or whatever it is, if indeed I do have one? (I have my doubts actually...). (2) What can I do to make sure my Firewalls keep these things out? I've been under the impression that I was fully protected.

    Thanks in advance

    Michael Hooker
     
  2. 2007/09/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Michael :)

    I'm guessing your ISP has determined this by a large number of emails sent out from an email account belonging to you. Did they happen to tell you which account? Can you contact them to find out? Get as much information from them as you can.

    What online scans have they recommended? What happens when they fail?

    Let's get a HijackThis log from each of the 3 machines anyway. Post all three of them into this topic.

    Please download the HijackThis Installer from here, then run a scan and save the log. Post the contents of that log here.
     


  4. 2007/09/15
    Michael Hooker

    You would think so, but they only mentioned one, sent at a certain time, which they said had been reported to them by SpamCop or something similar, which is why I believe we can narrow the possibilities down to three machines. Apparently it pretended to come from Washington and advertises medication designed for masculine enhancement if you know what I mean. And isn't too subtle about it.

    No. Do you mean the thing would hijack a specific e-mail account? If so that would help narrow it down. The Vista machine doesn't have any personal e-mail accounts set up. The XP machine is my wife's, the Win98 machine used to be my wife's and probably still has her e-mail account set up on it, but I can simply erase that - not needed any more.

    I can contact them easily. Whether or not I get any useful information back is something else!

    The scans recommended were as follows:

    I'll try them again before reporting as to be perfectly honest I can't remember what combination of events happened with each of the four online scanners. But it was mainly timing out I think. One didn't appear to work with Vista. As it seems to take a very long time just to scan one machine, even with my own AVG, don't hold your breath.

    In the meantime I have installed AVG on the Win98 machine and checked it, with absolutely nothing found, as I rather expected. It sits there all day logging data through the RS232 and hopefully not doing anything else.

    OK, will do. Sounds a good start. May take a while though :)

    Thanks very much for the help.

    Michael Hooker
     
  5. 2007/09/15
    noahdfear

    Thanks for the details. There's a very good possibility that the email in question was sent with a 'from' address that corresponds to your ISP-provided email account, which could very easily have been harvested from someone else's address book. 1 email report, IMO, is not something your ISP should be threatening your service status over ..... just dumbfounds me :confused:

    Hold off on the Vista and 98 machines for now. Let's look at just the XP machine.

    You should also see if you can run a Kaspersky scan.

    Do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available, otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log.
     
  6. 2007/09/16
    Michael Hooker

    Oh dear. :eek: I spent all day yesterday getting Trend Homecall to run to completion on all 5 of our machines, and doing HijackThis logs, came here to post them and now see you're asking for something else...

    OK, I'll go off and do that, but I'll say now that HomeCall found absolutely no viruses or trojans on any machine. A few bits of adware (all deleted, except one that wouldn't delete) and a few Windows vulnerabilities (all related to Office 2000, or my reluctance to convert to IE7 on one particular machine, but now "fixed"). The Vista machine was totally clear, I just wish it hadn't taken 3 hours to prove it!

    I have asked the ISP for more info and await their answer. One development was that yesterday evening I received a whole bunch of returned "address not known" e-mails on the machine I use for e-mail (that was switched off when the message which started all this was apparently sent). I'm a bit reluctant to post an example header here in public and give away my details for yet another spambot to pick up, but if it helps I will. The messages being returned seemed to be advertising "personal enhancement" and indicated they were sent from x, y or z @mydomainname. My domain e-mail provider works on the system that you log in as root@mydomainname and get everything sent to the domain, you can't just get the stuff you want, in my case michael. hooker @ mydomainname. As I just moved my domain from 1&1 to Streamline.net I am left wondering if all this is just coincidence.

    Standard operating procedure I expect. They did mention my IP address though. I only very rarely use the e-mail account provided by them, as I have my own domain. Basically I just use their broadband service. But my wife uses their e-mail address. We shall see, when (if) they send me any further detail.

    I shall now go off and do the Kaspersky on all 3 XP machines, just to be certain, and get back to you.

    Thanks very much for your help, it's much appreciated. Before I retired I used to spend my days solving people's problems (and correcting their mistakes) in a completely different field so I know what it's like, and how frustrating it can be sometimes.

    Michael Hooker
     
  7. 2007/09/16
    noahdfear

    I'm sorry that you probably won't see this until after you've already taken the time to run the Kaspersky scan(s). It wasn't necessary since you were able to get the Trend scans done. I just wanted to make sure you were able. Post the logs if you have them anyway (if there's anything to report). :(

    I think you've certainly narrowed things down ....... it's something to do with the domain email. Whether it's due to the move or not ..... :confused:

    So, you log into the root domain and get all email for the domain? Do you download it to your computer, as in, using Outlook or Outlook Express? That would be the computer I would focus on at this point.

    Any chance your domain has been hacked? Not knowing myself what's on it, do you host something from which emails are sent?

    You may want to check with your domain host on this too. Whichever was hosting the site when the reported email(s) was sent.
     
  8. 2007/09/16
    Michael Hooker

    Thanks again.

    Done the Kasperskys now, apart from the files which were reported as locked, the results are interesting, and different from AVG and Trend HomeCall:

    My wife's XP laptop (the one that was under suspicion): totally clear.

    My XP laptop, the least likely offender: several bits of adware and malware found in installer files I'd downloaded and kept, and "Snooper", a sound recording application (not as scary as it sounds). I just deleted the entire folders, I no longer need them. Then I emptied the recycle bin and ran the scan again - Kaspersky then found everything again under...System Volume Information/_restore.... I presume they're safe in there but I'd appreciate knowing how to get totally rid of them anyway.

    My XP laptop: clearly Kaspersky is suspicious of LogMeIn/RemotelyAnywhere, finding 3 "not a virus's". I tend to trust the program.

    But it did find something under this heading:
    That sounds a nasty one, but again it wasn't noticed by AVG or HomeCall.

    So, where do we start? First I had a reply from my ISP (on a Sunday, too). They sent me the header from the offending e-mail. There's no mention of a particular e-mail account of mine but there's an IP address which relates to the local area - if they say it's me it must be.
    Interestingly I see a Sacramento CA IP address in there and an edd.ca.gov address: I know someone in Sacramento, who's attending college there and has my address in her address book. Coincidence?

    Also interestingly, this is nothing like the header I mentioned earlier. I tend to agree on that one with your theory about my domain and shall be putting this to my new hoster. I've had a lot of e-mail problems since transferring to them, AuthSMTP not recognising me and so on. I don't host anything from which e-mails can be sent, other than the usual "contact me" links but maybe their webmail system has been hacked?

    On with the HijackThis logs for the three XP machines, known as Mike XP, Rose XP and Desktop XP. You can work out which one is my wife's :)
    ==========================================================
    Mike XP - lot of stuff I don't recognise at all in here, mainly the junk that came pre-installed I suspect! It was switched off at the relevant time.

    ==========================================================

    Rose XP: obviously a tidier machine! But this is the one that was on at the relevant time.

    =========================================================

    CONTINUES IN NEXT POST AS TOTAL EXCEEDS FORUM LIMIT.... (But you asked for it! :D )
     
  9. 2007/09/16
    Michael Hooker

    SECOND PART OF POST...

    ==========================================================
    Desktop XP: a well-cluttered machine getting on in years. The Kaspersky scan took nearly 5 hours, but then it does have an unbelievable amount of photos stored on it. This is the one I do all my e-mailing from, but it was switched off at the time quoted in the e-mail header (I was in Madrid, actually).

    ==========================================================

    I hope you enjoy looking at this stuff, it gives me a headache. I'd rather have an Act of Parliament to analyse, and that's saying something.

    If there's anything else you want to see just let me know, I suspect that's more than enough to be going on with.

    Many thanks

    Michael Hooker
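    The header the ISP sent is the only hard evidence in this thread of which machine sent the message. The way to read it is to walk the Received: lines from the top (the ISP's own servers, whose lines can be trusted) downwards until the first hop that arrived from an address outside the ISP's relays; that address is the origin, and every Received: line below it was written by the sender and may be forged (which is how a message can appear to come from "Washington" or carry a Sacramento address). The following is an added example, not code posted in this thread; the message, hostnames and IP addresses are constructed from documentation ranges, and the trusted-relay list and the ISP customer block are assumptions.

```python
import email
import ipaddress
import re

# Constructed sample in the shape an ISP abuse desk might forward.
# Hostnames and addresses are made up (documentation ranges), not from the thread.
SAMPLE_MESSAGE = """\
Received: from mx2.example-isp.net (mx2.example-isp.net [198.51.100.7])
\tby mailbox.example-isp.net with ESMTP id q8F9CXab012345; Sat, 15 Sep 2007 10:12:33 +0100
Received: from smtp-out.example-isp.net ([198.51.100.25])
\tby mx2.example-isp.net with ESMTP; Sat, 15 Sep 2007 10:12:31 +0100
Received: from [203.0.113.77] (helo=localhost)
\tby smtp-out.example-isp.net with SMTP; Sat, 15 Sep 2007 10:12:30 +0100
Received: from mail.forged.example (mail.forged.example [192.0.2.44])
\tby localhost with ESMTP; Sat, 15 Sep 2007 02:12:00 -0700
From: "Washington Pharmacy" <promo@forged.example>
To: victim@example.org
Subject: constructed sample, not a real message

(body omitted)
"""

# Relays whose Received: lines we trust: assumed to be the ISP's own mail servers.
TRUSTED_RELAYS = {"198.51.100.7", "198.51.100.25"}

# Addresses that can never be an internet origin: RFC 1918 and loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hop_ip(received_value):
    """Return the bracketed IP in the 'from ...' clause of one Received header, or None."""
    from_clause = re.split(r"\s+by\s+", received_value, maxsplit=1)[0]
    m = IP_RE.search(from_clause)
    return m.group(1) if m else None


def hop_ips(raw_message):
    """All hop IPs, newest first (each relay prepends its own Received: line)."""
    msg = email.message_from_string(raw_message)
    # Continuation lines (leading tab) are joined back into one value.
    return [hop_ip(" ".join(v.split())) for v in msg.get_all("Received", [])]


def originating_ip(raw_message, trusted_relays=TRUSTED_RELAYS):
    """Walk down from our own server. The first hop that a trusted relay received
    from an untrusted, non-local address is the best evidence of the origin;
    everything below it was written by the sender and may be forged."""
    for ip in hop_ips(raw_message):
        if ip is None or ip in trusted_relays:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LOCAL_NETS):
            continue
        return ip
    return None


def in_range(ip, cidr):
    """True if an address falls inside a block, e.g. the ISP's customer pool (assumed CIDR)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    origin = originating_ip(SAMPLE_MESSAGE)
    print("hops, newest first:", hop_ips(SAMPLE_MESSAGE))
    print("origin:", origin, "in assumed customer pool:", in_range(origin, "203.0.113.0/24"))
```

    In the constructed sample the origin is 203.0.113.77, the address the ISP's submission server accepted the message from; the hop below it naming a forged mail server is exactly the kind of line a spam bot adds. Comparing the origin against the ISP's customer block (and, since the address changes often, against the router's WAN address at the time stamped in that hop) is how you confirm or rule out your own connection.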
     
  10. 2007/09/16
    noahdfear

    It might well be that your contact is the one that is infected, and the header information, including IP address, was harvested from an email sent there .... I just don't know.

    You can check your IP (though like most, it may change on occasion) just by clicking this link or this link. If you want to verify that, log into your router. ;)

    I'll look over them a bit closer in a bit, but at first scan, those logs look good. The one that concerns me at this point is the laptop that the infected ntkrnlpa.exe was found on. Let's concentrate our efforts on that one for now. I'd like for you to run another tool that will remove any other files associated with that infection if they're lurking about.

    Download ComboFix by sUBs from here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
     
  11. 2007/09/17
    Michael Hooker

    Thanks again, Dave. This is getting a bit bogged down with what are probably side-issues, so first let's clear up a couple of things:

    Yes, it beats me why they do it like that. The old domain provider had specific named accounts, and you had to log in to each to download e-mail for that account. I don't like it much at all, but the new provider has lots of advantages over the old one as far as hosting my website is concerned. Actually, I use MailWasher, and sort out the e-mail online; then I only download what I want to keep, to Outlook Express. As you can tell I'm not the sort of person who would open up an unknown attachment, and my wife has been well-trained to delete anything she does not fully understand. All this is done on the machine which I probably confused you by calling XP laptop when referring to the Kaspersky scan, it's actually XP desktop as correctly named when referring to the HijackThis log. And this is the PC we are concentrating on.

    I don't know what one can conclude but I've only ever had the one big batch of returned e-mails - no more have come in.

    Yes, it does change, quite often, that's why I couldn't be sure if the number quoted was mine at the relevant time. But it was in the right ISP series, and the right locality.

    OK, on with the ComboFix log and the new HijackThis log for XP desktop (the one with ntkrnlpa.exe Infected: Trojan-Dropper.Win32.Agent.bwf). Everything appeared to go smoothly.

    Phew. All those Symantec files are due to the fact that I used to have the full suite; I still use Norton Password Manager, and an old version of SystemWorks for the benefit of the Protected Recycle bin thingy.

    Once again, thanks.

    Michael Hooker
     
  12. 2007/09/17
    noahdfear

    Looks like ComboFix got the junk that was hiding. Suggest you delete that infected ntkrnlpa.exe file, then empty the recycle bin. No doubt that some of your system restore points are infected too, so you should clear those out.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


    Anything helpful from your domain host?

    It appears to me that you should be good to go. If you have any more problems, consider adding some network monitoring application, such as a packet sniffer or bandwidth monitor. Then see what's happening with whatever computer(s) is connected to the internet. :)
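    The monitoring idea above is worth making concrete: a spam bot on a home LAN connects directly to many mail servers on TCP port 25 in a short time, whereas normal mail use from Outlook Express talks to one server, the ISP's. The following is an added example, not a tool from this thread; the log lines are constructed in an iptables-style format (the LinkSys router's real log format is not shown on the page), and the allow-listed ISP SMTP server, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed router/firewall log in an iptables-like format (assumed, not the LinkSys format).
# 192.168.1.12 only talks to the ISP's mail server; 192.168.1.30 fans out to many MX hosts.
SAMPLE_LOG = """\
Sep 15 09:58:01 gateway kernel: FORWARD SRC=192.168.1.12 DST=198.51.100.25 PROTO=TCP DPT=25
Sep 15 09:58:04 gateway kernel: FORWARD SRC=192.168.1.12 DST=198.51.100.25 PROTO=TCP DPT=25
Sep 15 10:01:10 gateway kernel: FORWARD SRC=192.168.1.30 DST=203.0.113.9 PROTO=TCP DPT=25
Sep 15 10:01:11 gateway kernel: FORWARD SRC=192.168.1.30 DST=203.0.113.17 PROTO=TCP DPT=25
Sep 15 10:01:11 gateway kernel: FORWARD SRC=192.168.1.30 DST=192.0.2.80 PROTO=TCP DPT=80
Sep 15 10:01:12 gateway kernel: FORWARD SRC=192.168.1.30 DST=203.0.113.21 PROTO=TCP DPT=25
Sep 15 10:01:13 gateway kernel: FORWARD SRC=192.168.1.30 DST=203.0.113.44 PROTO=TCP DPT=25
Sep 15 10:01:15 gateway kernel: FORWARD SRC=192.168.1.30 DST=203.0.113.58 PROTO=TCP DPT=25
Sep 15 10:03:40 gateway kernel: FORWARD SRC=192.168.1.30 DST=203.0.113.61 PROTO=TCP DPT=25
Sep 15 12:30:00 gateway kernel: FORWARD SRC=192.168.1.12 DST=192.0.2.80 PROTO=TCP DPT=443
"""

# The ISP's outgoing mail server: the one port-25 destination a home PC should use (assumed).
ALLOWED_SMTP = {"198.51.100.25"}

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \S+ "
    r"SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\d+)")


def parse_log(text, year=2007):
    """Yield (timestamp, src, dst, proto, dport) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events


def flag_spam_senders(text, allowed_smtp=ALLOWED_SMTP,
                      window=timedelta(minutes=5), threshold=5):
    """Return {lan_host: max distinct port-25 destinations seen within any window}
    for hosts that reach `threshold` distinct non-allow-listed mail servers."""
    per_host = defaultdict(list)
    for ts, src, dst, proto, dport in parse_log(text):
        if proto == "TCP" and dport == 25 and dst not in allowed_smtp:
            per_host[src].append((ts, dst))

    flagged = {}
    for src, events in per_host.items():
        events.sort()
        in_window = defaultdict(int)   # destination -> count inside the sliding window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window ending at `ts`.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    for host, fanout in flag_spam_senders(SAMPLE_LOG).items():
        print(f"{host}: {fanout} distinct mail servers on port 25 within 5 minutes")
```

    Counting distinct destinations rather than raw connections keeps a retried delivery to the ISP's own server from looking suspicious, and the allow-list is the reason a legitimate Outlook Express client never trips the rule. Blocking outbound port 25 from every LAN host except to the ISP's server, a setting many home routers offer, turns the same observation into a mitigation.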
     
  13. 2007/09/18
    Michael Hooker

    OK thanks, done all that.

    One or two possibly unrelated snags: some of my file associations have reverted to default - I can easily fix those. Second, CDs/DVDs/CF cards etc no longer auto-run - I don't even get the auto-run dialogue. They are visible in Windows Explorer if you go look for them so it's not the end of the world, but obviously something isn't as it should be, which could be a symptom of something worse. And everything was OK yesterday. Any ideas, please?

    No response from domain provider, I have a feeling those particular e-mails were a form of spam directed at me, rather than genuine failure messages responding to spam supposedly from me, but we shall see. As far as my ISP is concerned, I suspect all they worry about is when spam coming from their system is reported to them so they are obliged to react. I doubt they actively monitor the number of e-mails I send. Certainly they haven't come back to me about any more reports.

    I've just downloaded "IP Sniffer" - if I get a year or two spare I'll try to work out what it all means!

    Just one other general question - I'm afraid I'm the sort of person who has to know what I'm doing and why I'm doing it. Yes, I deleted this particular file which Kaspersky said was infected (even though AVG and HomeCall didn't). But I have files of the same name in folders of similar names, in fact when I did a search I found over a dozen of them. They look to be connected with Windows updates, hence the KB numbers. So... if this file can just be deleted with no harm done, how many other zillion files and folders could just be zapped to free up space? They must be there for a purpose, surely? A file is either necessary or it isn't. Sometimes I wish we hadn't progressed past DOS 3.

    Thanks once again, in my case an afternoon nap is called for before I carry on editing the 1,200 photos I was taking in Madrid while my PC at home was apparently sending spam. I still don't really believe it.

    Michael Hooker
     
  14. 2007/09/18
    noahdfear

    Hi Michael,

    I wish I could give you an explanation as to why the autoplay stopped working, but in lieu of an explanation, I can offer a link to a tool to repair it.

    http://www.windowsbbs.com/showpost.php?p=362560&postcount=4

    We are much alike in regards to knowing the hows and whys of things. ;)
    The infected file you removed was most likely at home in the system32 folder when it became infected, and was placed in the C:\WINDOWS\$hf_mig$\KB890859\SP2QFE folder, along with a handful of others, after a Windows Update installation. Those files are now a backup, in the event that you would ever uninstall the update that placed them there. If that's a possibility, I recommend you grab one of those other copies, a recent one, and put back in that folder. At least then the system32 folder wouldn't be left without one in the event of a rollback.

    As for what other files/folders could be zapped without harm, all of those C:\WINDOWS\$hf_mig$ folders are backups of files replaced with an updated version, and could in reality be removed without ill effect. Just makes uninstalling those updates out of the question.
     
