
Thread: Spammers exploiting my Computer

  1. #1
    Junior Member
    Join Date: Mar 2008
    Posts: 1

    Spammers exploiting my Computer

    Hi, I have been having trouble with my computer over the past two months. My email was blocked by some servers, based on the listing in some blacklists (see, e.g., http://cbl.abuseat.org/lookup.cgi?ip=80.188.41.127 or http://www.blacklistalert.org/?q=80.188.41.127).

    I did a scan with SpyBot and MWAV and nothing serious came up. Then I used KAV and some old viruses were detected. I deleted the "C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst" file, where all the viruses were present, but I am not sure if it is enough.

    I am sending the KAV log (I have deleted all the "Object is locked" objects) and the HJT log, asking for your assistance.

    Thanks.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, March 03, 2008 7:24:47 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 2/03/2008
    Kaspersky Anti-Virus database records: 593805
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 375552
    Number of viruses found: 8
    Number of infected objects: 13
    Number of suspicious objects: 2
    Duration of the scan process: 04:05:55

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Odstraněná pošta/19 Oct 2006 12:20 from sec@logoluso.com:Mail server report./Update-KB5473-x86.zip/Update-KB5473-x86.exe Infected: Email-Worm.Win32.Warezov.do skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Odstraněná pošta/19 Oct 2006 12:20 from sec@logoluso.com:Mail server report./Update-KB5473-x86.zip Infected: Email-Worm.Win32.Warezov.do skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Odstraněná pošta/19 Oct 2006 12:26 from brent:Status/test.msg.cmd Infected: Email-Worm.Win32.Warezov.do skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Doručená pošta/Odpovědět/05 Aug 2004 08:27 from MAILER-DAEMON@email.seznam.cz:failure not.eml/[From agas@seznam.cz][Date Thu, 5 Aug 2004 10:26:40 +0200]/UNNAMED/shower.rtf.pif Infected: Email-Worm.Win32.NetSky.c skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Doručená pošta/Odpovědět/05 Aug 2004 08:27 from MAILER-DAEMON@email.seznam.cz:failure not.eml/[From agas@seznam.cz][Date Thu, 5 Aug 2004 10:26:40 +0200]/UNNAMED Infected: Email-Worm.Win32.NetSky.c skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Doručená pošta/Odpovědět/05 Aug 2004 08:27 from MAILER-DAEMON@email.seznam.cz:failure not.eml Infected: Email-Worm.Win32.NetSky.c skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Archív/+ Pastorace/22 Sep 2003 17:01 from Petr Breindl (pldieceze@pandora.cz):Annou.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Archív/+ Počítače/19 Sep 2003 16:42 from Microsoft:Current Net Security Update/q719383.exe Infected: Email-Worm.Win32.Swen skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Archív/+ Počítače/16 Mar 2004 22:05 from MAILER-DAEMON@email.seznam.cz:failure not.eml/[From agas@seznam.cz][Date Tue, 16 Mar 2004 23:04:15 +0100]/UNNAMED/document_4351.pif Infected: Email-Worm.Win32.NetSky.d skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Archív/+ Počítače/16 Mar 2004 22:05 from MAILER-DAEMON@email.seznam.cz:failure not.eml/[From agas@seznam.cz][Date Tue, 16 Mar 2004 23:04:15 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.d skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Archív/+ Počítače/16 Mar 2004 22:05 from MAILER-DAEMON@email.seznam.cz:failure not.eml Infected: Email-Worm.Win32.NetSky.d skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Archív/+ KKK/28 Apr 2004 15:38 from Pavel Hofírek (pastorace@pandora.cz):Re: /Message.com Infected: Email-Worm.Win32.Bagle.z skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Nevyžádaná pošta/07 May 2004 12:47 from Adenov:Re: Msg reply.html Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst/Osobní složky/Nevyžádaná pošta/07 May 2004 12:47 from Adenov:Re: Msg reply/Details.zip Infected: Email-Worm.Win32.Bagle.gen skipped
    C:\Documents and Settings\PC1\Local Settings\Data aplikací\Microsoft\Outlook\Outlook_toshisba.pst Mail MS Mail: infected - 12, suspicious - 2 skipped

    Scan process completed.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:05:54, on 3.3.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
    C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\PROGRA~1\GENIUS~1\STouch.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\WINDOWS\system32\CAPM2RSK.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\PC1\Plocha\Zabezpečení\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.farnostcheb.cz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Crawler lišta - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
    O4 - Startup: Výřezy obrazovky a spuštění aplikace OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Místní vyhledávání.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O4 - Global Startup: Smart Touch -- Genius Scanner.lnk = ?
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1177176760390
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    --
    End of file - 9944 bytes

  2. #2
    pskelley (In Memoriam - Always in our heart)
    Join Date: Oct 2005
    Location: Clearwater, Florida
    Posts: 20,247

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    I notice this item onboard: C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
    Have you read this information? http://vil.mcafeesecurity.com/vil/content/v_137764.htm

    I see no "malware" in the HJT log and the infected items in the Kaspersky Online Scan are all infected email:

    You seem to know where they are, so delete them. Here are some of the email worms; you really need to be more careful about who you receive email from. You can bet these all came in as attachments to email. I personally never open an email attachment.

    Email-Worm.Win32.Warezov.do
    Email-Worm.Win32.NetSky.c
    Email-Worm.Win32.Bagle.mail
    Exploit.HTML.Iframe.FileDownload
    Email-Worm.Win32.Bagle.gen

    My advice would be to delete all email stored in your Outlook program, then scan again with KOS to make sure it is gone.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
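    An added triage helper, not written by either participant, that parses Kaspersky Online Scanner report lines like the ones posted above and records whether each detection sits inside a mail store (the Outlook PST) or is a file on disk, then cross-checks the on-disk files against the HijackThis running-process list. The two PST lines are taken from the report above; the on-disk detection and its matching process entry are constructed for contrast.

```python
# Triage helper for Kaspersky Online Scanner (KOS) report lines.
import re
from collections import Counter

# One detection per line:  <object> Infected|Suspicious: <signature> <last action>
# Objects inside a container (PST, ZIP, EML, ...) are appended to the on-disk
# file with '/' separators, while the on-disk path itself uses backslashes.
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?) (?P<kind>Infected|Suspicious): (?P<sig>\S+) (?P<action>\w+)$")
MAIL_STORE_EXTS = (".pst", ".ost", ".eml", ".msg", ".dbx")


def parse_detection(line):
    """Return a dict for a detection line, or None for header/summary lines."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["on_disk"] = d["obj"].split("/", 1)[0]      # the file that exists on the volume
    d["in_mail_store"] = d["on_disk"].lower().endswith(MAIL_STORE_EXTS)
    return d


def triage(report_lines, running_processes=()):
    """Summarise where detections live and whether any on-disk hit is running."""
    hits = [d for d in map(parse_detection, report_lines) if d]
    running = {p.strip().lower() for p in running_processes}
    return {
        "detections": len(hits),
        "in_mail_store": sum(d["in_mail_store"] for d in hits),
        "on_disk": sum(not d["in_mail_store"] for d in hits),
        "containers": Counter(d["on_disk"] for d in hits),
        "signatures": sorted({d["sig"] for d in hits}),
        "running_hits": sorted({d["on_disk"] for d in hits
                                if d["on_disk"].lower() in running}),
    }


PST = (r"C:\Documents and Settings\PC1\Local Settings\Data aplikací"
       r"\Microsoft\Outlook\Outlook_toshisba.pst")
# Two lines from the posted KOS report, the PST summary line (not a detection,
# so it is ignored), and one CONSTRUCTED on-disk detection for contrast.
SAMPLE_REPORT = [
    PST + "/Osobní složky/Odstraněná pošta/19 Oct 2006 12:26 from brent:Status/test.msg.cmd Infected: Email-Worm.Win32.Warezov.do skipped",
    PST + "/Osobní složky/Nevyžádaná pošta/07 May 2004 12:47 from Adenov:Re: Msg reply.html Suspicious: Email-Worm.Win32.Bagle.mail skipped",
    PST + " Mail MS Mail: infected - 12, suspicious - 2 skipped",
    r"C:\WINDOWS\system32\constructed_sample.exe Infected: Email-Worm.Win32.NetSky.c skipped",
]
# First entry is from the posted HJT log; the second is constructed.
SAMPLE_PROCESSES = [r"C:\WINDOWS\System32\smss.exe",
                    r"C:\WINDOWS\system32\constructed_sample.exe"]

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, SAMPLE_PROCESSES))
```

Detections whose container is a mail store are dormant attachments that go away with the mailbox; anything in running_hits is a live process and the item to investigate first.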
