I am paranoid... anything wrong? [HijackThis Log]

Discussion in 'Malware and Virus Removal Archive' started by Hill, 2006/08/24.

  1. 2006/08/24
    Hill

    Hill Inactive Thread Starter

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    A few weeks ago my ISP called and told me I was a spammer. :(

    At the time I didn't have any anti-spyware software. So, I went out and got Spy Sweeper and, from reading these boards, also have Ad-Aware SE Personal and Spybot S&D. Have ZoneAlarm Pro, PC-cillin, all updated.
    After scanning for spyware it came up with around 50 low-level threats, which I had all removed. Since then, I haven't had any spyware detected.

    I asked the guy if Mailwasher may have triggered flagging my account as a spammer and he said he didn't think so. At the time, I was bouncing all the spam back to their senders.

    Nothing strange happening with my browser, and I stopped bouncing emails with Mailwasher. And I reset my message filter with my ISP.

    Sorry, for being longwinded.

    Anyways, I've been getting, about every other day, emails saying message undeliverable, although I have no idea who these people are. Are these just spoof emails trying to get me to open them, or is my comp sending stuff?

    Thanks for the time
    Heath
     
    Hill,
    #1
  2. 2006/08/24
    Hill

    Hill Inactive Thread Starter

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    Ran HijackThis on account 1.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:07:15 PM, on 8/24/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    e:\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\KMaestro\KMaestro.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    E:\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\system32\devldr32.exe
    E:\Stickit\STICKIT.EXE
    E:\MailWasher\MailWasher.exe
    e:\Webroot\Spy Sweeper\SSU.EXE
    E:\Trend Micro\Antivirus\tmproxy.exe
    E:\Trend Micro\Antivirus\Tmntsrv.exe
    E:\Trend Micro\Antivirus\PCClient.EXE
    E:\Trend Micro\Antivirus\PCCGUIDE.EXE
    E:\Trend Micro\Antivirus\TMOAgent.exe
    F:\Heath\hijack this\HijackThis.exe

    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://e%3A%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Heath\Application Data\Mozilla\Profiles\default\rt8tnxgg.slt\prefs.js)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [PCClient.exe] "E:\Trend Micro\Antivirus\PCClient.exe "
    O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Trend Micro\Antivirus\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [USRpdA] "C:\WINDOWS\SYSTEM32\USRmlnkA.exe" RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [SpySweeper] "E:\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "E:\Trend Micro\Antivirus\pccguide.exe "
    O4 - Startup: StickIt Launcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Unknown owner - E:\Adobe Suite\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\iPod\bin\iPodService.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Trend Micro\Antivirus\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Trend Micro\Antivirus\tmproxy.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - e:\Webroot\Spy Sweeper\SpySweeper.exe
     
    Hill,
    #2

  4. 2006/08/30
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, Heath. I'm sorry you haven't heard from one of us sooner. :eek:

    Hopefully a HijackThis log expert will comment on your HJT log soon.


    It's hard to say what was/is causing your ISP to accuse you of spamming. You did very well with taking proactive steps to clean and protect your computer though! :)

    I have received "Mailer Daemon" type messages (with unfamiliar information) in the past (before my ISP changed their anti-spam software) and I am fairly certain my computer has never been used for sending spam. About a year ago, I even asked my ISP's tech support about one of those "Mailer Daemon" messages and he stated,
    On the other hand, I suppose it is possible your computer has malware that automatically sends/sent spam and you're now getting those bounced messages back. I'm not a HijackThis expert, but I will look over your HJT log to see if I can find any conclusive information. :) The N3 Netscape entry looks strange to my untrained eye.

    I know you said your browser doesn't act strangely. Does your computer behave strangely in any way?


    ZoneAlarm Pro has a master setting that allows you to "Block Internet servers". Enable it in ZAPro as follows:
    • Click on the Firewall item at the left side of your ZAPro screen.
    • Click on the Advanced button towards the lower right corner of the ZAPro window.
    • Place a check mark next to "Block Internet servers".
    • Click the OK button.
    Here's what ZAPro's help file says about the setting:

    Ideas for Investigating:

    • An application you might want to try for monitoring your computer's Internet communication ports is Sysinternals' TCPView. It's an easy-to-use, free stand-alone program (doesn't need to be installed) that might help you identify whether your computer is creating excessive connections, what processes are opening those connections, and what Remote Addresses they are connecting to. Look for the "Download TCPView and TCPVCon (81 KB)" link near the end of the web page.
    • Another handy free stand-alone utility that might be helpful is Sysinternals' Process Explorer. You can double-click on processes to get detailed information about them. You can right-click on entries in Process Viewer's main window and then select Google or MSN search engine to look for more details. Look for the appropriate "Download Process Explorer (x86 - 1.47 MB)" link at the end of the web page.

    Sysinternals has a very good reputation. Sysinternals has even been acquired by Microsoft. :)


    EDIT: BTW, if you have "Block Internet servers" enabled in ZAPro, then ZAPro should block any possible spamming programs you may have installed from opening ports to "listen" for Internet connections. Therefore, TCPView would not indicate any questionable activity. You might want to temporarily disable ZAPro's "Block Internet servers" option to see if you notice any differences in TCPView. I think doing so might be handy for quickly identifying any processes you may have running that attempt to send spam (or create other such unwanted connections).

    Keep in mind, malware might use legitimate processes as slaves for its dirty work so don't be too quick to "kill" processes. If you suspect malware activity or exploits, then you should seek guidance from a malware expert before proceeding. Often malware removal must be done in a very specific manner to completely remove malware.

    I assume you have all your critical Windows Updates up to date. :)


    EDIT #2:
    I have researched this HJT log item via Google and I did not find anything indicating it is bad (although there were VERY FEW results that contained 5CSBWeb_01.src).

    However, since you appear to be using Netscape 7, I am referring you to this link: ATTN: Netscape 7.xx Users. (I am guessing Netscape might be related to your outgoing spam issue.)

    Please consider upgrading to a more secure browser (and possibly e-mail program). Mozilla (the same organization that used to maintain Netscape) currently offers Firefox for web browsing and Thunderbird for e-mail. I was a devoted Netscape user and now I use Firefox, so I guess you could say I am biased toward Firefox. :)

    If you want to try a suite that is supposedly very similar to Netscape, here's a link for Mozilla's SeaMonkey suite.

    SeaMonkey:

    I hope this helps.

    Good luck! ...and please keep us posted.
     
    Last edited: 2006/08/31
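To show what the TCPView-style check described above looks like in script form, here is an added example (not from the thread and not a Sysinternals tool) that summarises Windows `netstat -ano` output: per PID it lists TCP ports left in LISTENING state and counts connections to remote port 25, the pattern a spam-sending process produces. The netstat lines are constructed sample input, and the threshold of two SMTP peers is an assumed tuning value.

```python
"""Added example (not from the thread): a TCPView-style summary of
'netstat -ano' output.  For each PID it reports TCP ports left in
LISTENING state and the number of connections to remote port 25, since
a process fanning out to many SMTP servers is the signature of a
spam-sending infection.  The netstat text below is a constructed sample."""
import re
from collections import defaultdict

# Constructed sample in the 'netstat -ano' column layout (Windows XP).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    192.0.2.10:1050        198.51.100.7:25        ESTABLISHED     3120
  TCP    192.0.2.10:1051        198.51.100.8:25        SYN_SENT        3120
  TCP    192.0.2.10:1052        198.51.100.9:25        ESTABLISHED     3120
  TCP    192.0.2.10:1060        203.0.113.5:80         ESTABLISHED     2240
  TCP    192.0.2.10:1061        203.0.113.20:25        ESTABLISHED     1780
  UDP    0.0.0.0:500            *:*                                    700
"""

# Proto, local, remote, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return a list of (proto, local, remote, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows

def port_of(addr):
    """Port number of 'host:port'; None for '*:*' style placeholders."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def report(text, smtp_threshold=2):
    """Per-PID summary with flags: 'listening' for an open TCP server
    socket and 'smtp-fanout' when connections to port 25 reach the
    assumed threshold.  Returns {pid: {'listening': [...], 'smtp': n,
    'flags': [...]}}."""
    summary = defaultdict(lambda: {"listening": [], "smtp": 0, "flags": []})
    for proto, local, remote, state, pid in parse_netstat(text):
        entry = summary[pid]
        if proto == "TCP" and state == "LISTENING":
            entry["listening"].append(port_of(local))
        elif proto == "TCP" and port_of(remote) == 25:
            entry["smtp"] += 1          # SYN_SENT counts too: it is an attempt
    for entry in summary.values():
        if entry["listening"]:
            entry["flags"].append("listening")
        if entry["smtp"] >= smtp_threshold:
            entry["flags"].append("smtp-fanout")
    return dict(summary)

if __name__ == "__main__":
    for pid, entry in sorted(report(SAMPLE_NETSTAT).items()):
        print(pid, entry)
```

A firewall that blocks server sockets (ZAPro's "Block Internet servers") hides the listening side of this picture, but outbound port-25 fan-out still shows up in the connection rows.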
  5. 2006/08/30
    Hill

    Hill Inactive Thread Starter

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    Thanks for reply mailman. I too was getting worried no one was looking at my post. Thought, maybe I did a bad!

    I too think now the "returned mail" thing was a spoof. I am hoping. They all say it was sent through Outlook. Is it at all possible Outlook could be sending things out without my intervention?

    Computer is behaving normally. Same with browser.

    Thanks for the rec. on the file DL. I'll probably get TCPView after I lay down the little ones tonight. And have some peace and quiet.

    I use Firefox, but have Explorer and Netscape on my comp for various reasons, but they are hardly used.

    For a mail program the family uses thunderbird.

    I have a total of 3 accounts on this comp. Do I need to run HijackThis logs for all accounts?

    Thanks for replying maybe temarc will stop by?
    Heath
     
    Hill,
    #4
  6. 2006/08/30
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, Heath. I'm glad to know you haven't given up on us. :)

    I certainly hope TeMerc will at least briefly comment that your HJT log looks clean. I suspect he (and others) looked at your HJT log and did not notice anything significant. Given that TeMerc is one of the very few people here capable of analyzing/helping with HJT logs and looking through this forum leads me to believe he works quickly through the numerous help requests, I expect he tends to comment only on HJT logs that implicate malware (simply because he is very busy with them).

    (BTW, I highlighted TeMerc's name to try to snag his attention rather than correct your spelling. :))

    If it's any consolation, I have researched a few entries in your HJT log with my untrained eye and I didn't notice anything significant. If we don't hear from TeMerc (or PeteC, Geri, or anyone else I have confidence in), then I will investigate every entry in your HJT log and report back to ease your conscience. I've been there. I feel your pain. :)

    Given that Outlook is a very popular e-mail client and it's closely tied with Windows/Internet Explorer, I'm inclined to say yes. Based on my readings over the years, I think malicious people tend to focus on applications that are the most popular because they offer the greatest return on their exploits. I would also guess there are such exploits being used that haven't been detected yet simply because so many malicious people focus on exploiting popular applications/operating systems.

    I suppose the downside of choosing a less popular program would be that the program would be more easily exploited because detection would occur much less often (simply because fewer savvy people are there to intercept such exploits and fewer people maintain the program). However, I tend to think one would be substantially at risk only if one has reason to be a selected target of exploits (perhaps as a celebrity, CEO, or subject of a criminal investigation, for example).

    I don't know for sure. I will investigate this later and see if I can give you a definitive answer. I tend to think running HJT from an account with Administrator privileges might be all that is necessary.

    Great! If you have any questions, feel free to ask. :) I'm looking forward to hearing from you about what you observe with TCPView if/when you get around to it.

    Good luck!
     
    Last edited: 2006/08/30
  7. 2006/08/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    I will echo mailman's sentiments when we say we're sorry for overlooking your log file for so long. And I was even looking at some of the back pages the other nite, and I still missed yours. My bad.:confused:

    Your log file looks clear of any malware indicators as mailman also commented.

    And yes, I'll also agree that OE can be used without your knowledge to be sending spam, but usually if you have a firewall you can find the culprit and snuff him out.

    Using the tools mailman mentioned is a great start for sure. Once you have done that, let us know what you find. Whereas I'm not familiar with TCPView, I just DLed it onto the test box to give it a whirl to see what it shows.

    And other accounts must also be scanned for nasties and then HJT log files run for analysis. Usually, there could be a couple of things in a heavily infected machine, but in your case I don't expect to find anything.

    Keep us abreast of your progress and as mailman said, drop a note if you have any questions.

    And our apologies again for making your wait as long as it was.
     
  8. 2006/08/31
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Thanks, TeMerc!

    Heath, I also thought of another idea. (Using TCPView might not be necessary...although it almost certainly won't hurt.)

    Idea:

    In your ZoneAlarm Pro Program Control > Programs tab, scroll through your list of programs and look for green checkmarks under the Server heading (Internet sub-heading). If you find any green checkmarks, click on each of the program names and then look at the pale yellow section at the bottom of your ZAPro window. The pale yellow section contains details about those programs. If you right-click on that pale yellow section, you will be presented with an option to Copy the contents to your clipboard. Then you can paste that information into Notepad or a forum message, for example.

    If any of those programs are suspicious, then you may want to disable their Server permission for the Internet zone and investigate further via Google, for example. Often simply entering a filename into the Google search field is sufficient for determining whether that filename is good or bad.

    • The "filename" is to the right of the last "\" in my examples below.
    • The "path" is everything to the left of the last "\" in my examples below.
      • The path is helpful for locating files in case you want to upload a suspicious file to http://virusscan.jotti.org/ for analysis, for example.
    Keep in mind that some malware uses filenames that match legitimate filenames but the path to those filenames may be different than the normal path to the legitimate ones though.

    Consider keeping track of your ZAPro setting changes and what the "Smart Defense" column originally contains for each of those programs in case you want to use that information when/if deciding what to re-enable server permissions for later.


    Here are portions of the pale yellow section for all of my programs that currently have "Server" permission in ZAPro (although I have ZAPro's global "Block Internet servers" enabled which supposedly overrides these individual permissions):

    My Examples:
    Code:
    Product name        Java(TM) 2 Platform Standard Edition 5.0 Update 8
    File name           C:\PROGRAM FILES\Java\JRE1.5.0_08\bin\javaw.exe
    
    Product name        Microsoft® Windows® Operating System
    File name           C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe
    
    Product name        Microsoft® Windows® Operating System
    File name           C:\WINDOWS\system32\mmc.exe
    
    Product name        Client and Host Security Platform
    File name           C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
    
    Product name        Client and Host Security Platform
    File name           C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
    
    Product name        WinPatrol Explorer
    File name           C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe
    
    Product name        WinPatrol Monitor
    File name           C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    I trust those applications so I don't feel a need to disable their server permissions. (EDIT: I think Java can be potentially dangerous to allow to act as a server but I have the global "Block Internet settings" enabled in ZAPro and I typically have Java disabled in my web browsers. Therefore I think I am safe with the server permission enabled for the individual Java program.)

    I have read recommendations in the ZoneAlarm forums to disable server permission for all applications unless doing so affects system performance in some way. I have also played around a little with "Expert Rules" settings in ZAPro but I am not confident about offering suggestions in that regard.


    Also, pay close attention to the alerts ZAPro may give you, especially the ones that inform you that a program wants to act as a server. If you're not sure about whether to grant permission or not, it's always safest to deny now, investigate, and then enable it later if necessary.

    Be sure you have ZAPro's Program Control > Main tab > Program Control slider set to Med. or High so ZAPro will intercept programs seeking server rights.

    Good luck! I hope to hear from you about how you progress in resolving your issue and I will help if I can. :)


    EDIT: Another tool that is helpful when Googling filenames is McAfee's SiteAdvisor, which is a browser extension available for Firefox and Internet Explorer. (Look for the "Download SiteAdvisor" button at SiteAdvisor.)

    SiteAdvisor gives you a quick view of whether Google search results links are likely to be dangerous or not. Often, when researching filenames via Google with the SiteAdvisor extension installed, all one has to do is look at the short descriptions on the first page of Google results. SiteAdvisor is not a fool-proof tool though, so don't rely on it as your sole determination of the reputability of a site.


    I apologize if the information in my messages is overwhelming. I tend to be long-winded in my replies. I just want to present all the information I can that may be helpful to you.
     
    Last edited: 2006/09/01
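The filename and path checks mailman describes above (a legitimate filename in the wrong directory, plus the "(file missing)" and bare-filename Run entries visible in HJT logs like Heath's) can be done mechanically. The following is an added example, not the thread's own tooling; the log lines and the allow-list of system binary locations are constructed samples for this example.

```python
"""Added example (not the thread's own tooling): mechanical checks on
HijackThis-style log lines that the thread discusses by hand: entries
HJT marks '(file missing)', Run entries that give only a bare filename
(resolved through the search path at logon), and executables that reuse
the name of a Windows system binary from an unexpected directory.  The
log text and the allow-list are constructed samples for this example."""
import ntpath
import re

# Assumed allow-list: where each system binary legitimately lives.
# Build the real list from a known-good machine, not from memory.
SYSTEM_BINARIES = {
    "svchost.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\User\svchost.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Vendor\update.exe" /silent
O23 - Service: Example Service - Unknown owner - E:\Example\svc.exe (file missing)
O23 - Service: Hidden Host - Unknown owner - C:\Temp\lsass.exe
"""

# A Windows path up to its .exe/.dll extension, inside or outside quotes.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)

def check_line(line):
    """Return a list of finding strings for one log line (empty if clean)."""
    findings = []
    if "(file missing)" in line:
        findings.append("target file missing from a registered entry")
    if line.startswith("O4 ") and "] " in line:
        target = line.split("] ", 1)[1]
        if not PATH_RE.search(target):
            findings.append("unqualified path: resolved via the search path at logon")
    for path in PATH_RE.findall(line):
        name = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        expected = SYSTEM_BINARIES.get(name)
        if expected and parent not in expected:
            findings.append(f"{name} outside its expected directory: {path}")
    return findings

def triage(text):
    """Return [(line, finding), ...] over every line of an HJT-style log."""
    results = []
    for line in text.splitlines():
        for finding in check_line(line.strip()):
            results.append((line.strip(), finding))
    return results

if __name__ == "__main__":
    for line, finding in triage(SAMPLE_LOG):
        print(f"{finding}\n    {line}")
```

A hit is a reason to look the file up (Google, Jotti), not proof of malware; the case-insensitive directory match is what keeps the two legitimate svchost.exe entries from being flagged.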
  9. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Just Dled TCPView and it's a little bit bare bones, but for free I guess it would be ok.

    If you want something a little more robust (even though it's a pay app, 30-day trial), DL Port Explorer.
    No, I'm not a shill, the free trial comes to mind in your case. You get 50 openings of the app or 30 days whichever comes first.

    I've used it on my test box and may purchase it too.
     
  10. 2006/08/31
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, TeMerc.

    I downloaded Port Explorer. :) You're right! TCPView is pretty bare-bones, especially when compared to Process Explorer. Port Explorer is definitely a "Cadillac" program. :)

    If Heath wants to investigate his network traffic in regards to possible malware spamming activity, I certainly think he should use Port Explorer instead of TCPView.


    Heath, there are two important features Port Explorer has for you that TCPView does not have.

    • Port Explorer displays hidden servers (a characteristic very rare in normal programs but very common in trojans, according to DiamondCS).
    • Port Explorer also supports logging (including logging of individual processes).
      • Port Explorer Page (with "Free Download" button)
      • Screenshots (Click on each image to view the enlarged screenshot.)
        Below the enlarged first screenshot, DiamondCS describes and briefly explains the color codes used for many of Port Explorer's displays.
     
  11. 2006/09/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    To be fair, they really are not the same. But the comparison with TCPView is indeed an obvious winner for PE.
     
  12. 2006/09/01
    Hill

    Hill Inactive Thread Starter

    Joined:
    2002/03/16
    Messages:
    130
    Likes Received:
    0
    Hey TeMerc, thanks for the info on Port Explorer. Sweet program.
    Had it running for about an hour and saw nothing strange/wrong. Will keep it running for the next few days and see if anything pops up.

    I was going to post my other account HijackThis logs but I think it's unnecessary.

    Thanks a bunch for helping me out mailman and TeMerc. I'll be out traweling.

    Heath
     
  13. 2006/09/02
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    You're very welcome, Heath. I am glad it appears you don't have any nasty processes running. :) I expect it gives you some peace of mind.

    If you do decide to post HijackThis (HJT) logs for your computer's other user accounts, I will look them over (probably next week or weekend) and see if I recognize anything that might be malware-related (unless TeMerc, PeteC, and/or Geri look them over and briefly comment).

    Posting the HJT logs for your computer's other user accounts would be helpful to further verify that your computer isn't being used as a spam relay.

    After doing so, if a reputable person with HJT log experience (not me) comments that ALL your HJT logs are clean, then you can point your ISP to this thread to show your ISP that you have done all you can (as far as I know anyway) to confirm your computer is NOT being used for spamming. :)

    The URL for this thread is http://www.windowsbbs.com/showthread.php?t=57120

    You can paste that URL into a message to your ISP's representative that accused you of spamming. :)

    Good luck!
     
