
Solved: ISP says Sending Spam emails?

Discussion in 'General Security' started by Laurie52, Oct 11, 2007.

  1. Laurie52

    Laurie52 Thread Starter

    Joined:
    Jul 11, 2004
    Messages:
    171
    My ISP's support team sent me a notification that my computer has been sending out massive amounts of spam email. The notification had an "important-details.zip" attachment.

    I did not open the attachment. But will contact my provider's support team tomorrow, to find out what is going on.

    I am using a loaner, as my current business/personal computer has been down since early September. The loaner's owner kept it clean and secure, as do I. All anti-spyware and antivirus programs are kept up to date. We both only use Firefox as the browser of choice. He never enabled his "Outlook 6" and uses online email services instead. For any mail sent through my ISP, I use an online email service (Mail2Web.com) to access it (after all, it is not my computer). I pay extra to use my provider's "Postini" as a security filter, on top of my present antivirus program. All firewalls are up.

    I keep up to date on what new nasties pop up through this site and others like it. But I know the culprits making these are getting sneakier.
    -----------------------------------------------------

    In the meantime, here is the Hijack This log on the loaner:


    Logfile of HijackThis v1.99.1
    Scan saved at 12:52:46 AM, on 10/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\slmdmsr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\GetRight\getright.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\GetRight\getright.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runegame.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1324FA-AE25-4783-8308-3291CFAF4499}: NameServer = 66.185.224.15 66.185.224.16
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe
    --------------------------------------------------------------

    I prefer NOT to use Explorer to allow an online scan with Kaspersky, and it does not support Firefox. I am going through a HouseCall scan instead and will see if it finds anything to post here. But it will take a while, as I am on dialup with only a 24,000 connection speed (dang rural phone lines).
     
  2. Frank4d

    Frank4d Retired Trusted Advisor

    Joined:
    Sep 10, 2006
    Messages:
    9,126
  3. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    9,406
    Change your email account(s) password
    Since you use web mail client, block pop3 and smtp at the firewall and review the logs.
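The log-review half of that advice, as an added example that is not code from this thread or from any product named in it: a spam-sending worm speaks SMTP directly to many mail servers, and a user who only reads web mail should see no outbound TCP/25 from the PC at all. The script reads the column layout from the file's own "#Fields:" header, so it does not depend on a fixed column order. The log lines and the local address 192.168.1.5 are constructed for the example.

```python
"""Review a Windows Firewall log for outbound SMTP (TCP/25) connections.

Added example for this thread, not code from the thread or from Microsoft.
The lines in SAMPLE_LOG are constructed; they only follow the column layout
that the log file itself announces in its '#Fields:' header.
"""
from collections import Counter

# Constructed sample: a web-mail-only PC should never OPEN TCP/25 outbound.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-10-11 00:40:01 OPEN TCP 192.168.1.5 64.233.167.99 1045 80 - - - - - - - - -
2007-10-11 00:40:07 OPEN TCP 192.168.1.5 66.185.224.15 1046 25 - - - - - - - - -
2007-10-11 00:40:08 OPEN TCP 192.168.1.5 64.12.138.120 1047 25 - - - - - - - - -
2007-10-11 00:40:08 OPEN TCP 192.168.1.5 65.54.245.8 1048 25 - - - - - - - - -
2007-10-11 00:40:09 OPEN UDP 192.168.1.5 66.185.224.15 1049 53 - - - - - - - - -
2007-10-11 00:40:11 OPEN TCP 192.168.1.5 205.188.159.7 1050 25 - - - - - - - - -
2007-10-11 00:41:30 DROP TCP 192.168.1.5 64.12.138.120 1051 25 48 S 1234567 0 65535 - - - SEND
2007-10-11 00:41:30 DROP TCP 10.0.0.9 192.168.1.5 3389 25 48 S 7654321 0 65535 - - - RECEIVE
"""

LOCAL_IP = "192.168.1.5"  # assumed address of the PC being reviewed


def parse_firewall_log(text):
    """Return one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the file itself
            continue
        if not line.strip() or line.startswith("#"):
            continue                       # other comment lines and blank spacers
        if fields is None:
            raise ValueError("data line appears before the #Fields: header")
        records.append(dict(zip(fields, line.split())))
    return records


def outbound_smtp(records, local_ip):
    """Entries where this PC is the source and the destination port is 25."""
    return [r for r in records
            if r.get("protocol") == "TCP"
            and r.get("dst-port") == "25"
            and r.get("src-ip") == local_ip]


def summarize(records, local_ip):
    """Count outbound SMTP attempts, the distinct mail servers contacted,
    and how many got through (OPEN) versus were blocked (DROP)."""
    hits = outbound_smtp(records, local_ip)
    return {
        "count": len(hits),
        "servers": sorted({r["dst-ip"] for r in hits}),
        "by_action": dict(Counter(r["action"] for r in hits)),
    }


if __name__ == "__main__":
    report = summarize(parse_firewall_log(SAMPLE_LOG), LOCAL_IP)
    print(f"{report['count']} outbound SMTP attempts to "
          f"{len(report['servers'])} distinct servers: {report['by_action']}")
    for server in report["servers"]:
        print("  contacted", server)
```

Note that the Windows XP firewall does not filter outbound traffic itself, so the actual block has to go on a third-party firewall or the router; its log still records the outbound OPEN entries when logging of successful connections is turned on, which is what the script looks for. Several distinct mail servers contacted within seconds, from a machine that only uses web mail, is the pattern of a mass-mailing worm rather than of a user.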
     
  4. Laurie52

    Laurie52 Thread Starter

    Joined:
    Jul 11, 2004
    Messages:
    171
    Frank4d, thank you, and it could be. The descriptions seem to show this angle. I saw "important-details.zip" listed as what to watch for in this worm's possible "attachment" name list.

    Dang it. So it might not have been from my provider's support team after all. But because this possibly infected email is in an online email "holding pen" and not actually downloaded into the loaner's "Outlook" (as would happen normally if my own computer were working right), this worm is stuck in the "waiting queue" instead (I hope). Sooo.... I will go back and promptly delete it from the waiting list.

    But, just in case, I will contact my provider's support team, later, anyway to let them know.

    In the meantime, I will use your suggestions wk2000.
     
  5. Laurie52

    Laurie52 Thread Starter

    Joined:
    Jul 11, 2004
    Messages:
    171
    Because of my slow rural dialup connection (24,000 kbs), the TrendMicro HouseCall download and its scan took over five hours to complete. But it was well worth it. It found a worm, WORM_MYTOB.EP, plus information about a vulnerability issue. I do not know if this was in that attachment or not (although I did not open the zip, I did click on it at first.... stupid me).

    TrendMicro removed the worm and I took care of the vulnerability issue.

    I did call my provider's tech support to report this email, though. They were surprised it got through their filter to end up in my regular email queue.....but agreed these "things" are getting sneakier and told me they do get occasional inquiries from others getting similar emails. But I just bet others do not and open/unzip the attachments only to infect their computers.

    I guess this is solved then. Thank you for all your help.
     
  6. hewee

    hewee

    Joined:
    Oct 26, 2001
    Messages:
    57,791
    Better change all your passwords because that link says...

    Side effects

    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Modifies data on the computer
     
  7. Laurie52

    Laurie52 Thread Starter

    Joined:
    Jul 11, 2004
    Messages:
    171
    Thank you and had done that.

    Immediately after the email with the infected attachment arrived, all steps to remove it were done within the six hours it took for HouseCall to download and scan files over slow dialup. When I created this thread, I was already about 90 minutes into the HouseCall download.

    By the 10:45 am posting (that was about 8:45 am my time), HouseCall had fully downloaded, scanned and removed the worm completely. To make sure, I checked my Windows32, Registry and all points covered by both TrendMicro and Sophos to look for anything this worm may have installed or changed. Nothing was found. My AVG was automatically updated successfully (as normal) the day after, and its scan found nothing.
    If anything was still left behind, this would not have been possible.

    As I said, I had clicked on the attachment but did not unzip it.... That installed the worm, but, according to what TrendMicro and Sophos say, unzipping would have installed the rest. Like I said before, stupid of me in any case.

    Right after the 10:45 posting, I deleted the email and attachment out of my Mail2Web waiting queue. I called my provider's Tech Support to let them know what happened. They told me that if this appears again, I should forward the email/attachment to them. They can find the actual IP this came from and alert the sender's provider/user of the infection so that party can disinfect their computer(s).
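What the provider does with a forwarded message, as an added example that is not code from this thread or from any provider named in it: the "From:" line of a worm-sent notice is whatever the worm typed, and so is any Received: header the worm wrote itself, but the Received: header that the recipient's own provider added when the infected machine connected to it records the real source address. The script walks the Received: chain from the top, trusts only hops handled by the provider's own servers, and reports the address of the first outside machine that handed the mail to them. The message, hosts and addresses are constructed (documentation ranges), and the provider domain example-isp.net is an assumption.

```python
"""Find the originating IP of a mail from its Received: headers.

Added example for this thread, not code from the thread or from any
provider named in it.  SAMPLE_MESSAGE is constructed: the top two hops
were written by the (assumed) provider example-isp.net, the bottom hop and
the From: line were written by the sending worm and are not to be trusted.
"""
import email
import re

SAMPLE_MESSAGE = """\
Received: from mail2.example-isp.net (mail2.example-isp.net [192.0.2.11])
\tby mx.example-isp.net with ESMTP id 1Iftz3-0004Kd; Thu, 11 Oct 2007 00:12:03 -0400
Received: from support.example-isp.net (unknown [198.51.100.77])
\tby mail2.example-isp.net with SMTP id 9B1F; Thu, 11 Oct 2007 00:12:01 -0400
Received: from support.example-isp.net ([203.0.113.5])
\tby localhost with SMTP; Thu, 11 Oct 2007 00:11:58 -0400
From: "Support Team" <support@example-isp.net>
To: laurie@example-isp.net
Subject: Your account has been sending spam
Content-Type: text/plain

Your computer has been sending spam. See attached important-details.zip.
"""

TRUSTED_DOMAIN = "example-isp.net"  # assumed: the recipient's own provider

# "from <helo> (<rdns> [<ip>]) ... by <relay>"; the relay writes the part in
# parentheses from what it observed, the sender controls only the HELO name.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<paren>[^)]*)\))?"
    r"(?:\s+\[(?P<bare>[\d.]+)\])?"
    r".*?\bby\s+(?P<by>[^\s;,]+)",
    re.S,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def received_hops(raw):
    """Parse every Received: header, newest (top of message) first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            continue
        paren = m.group("paren") or ""
        found = IP_RE.search(paren)
        ip = m.group("bare") or (found.group(1) if found else None)
        rdns = paren.split("[")[0].strip() or None
        hops.append({"helo": m.group("helo"), "rdns": rdns,
                     "ip": ip, "by": m.group("by")})
    return hops


def origin_ip(raw, trusted_domain):
    """IP of the first outside machine that handed the mail to a trusted relay.

    Walk from the newest hop down.  Stop at the first relay we do not run:
    every hop below it is hearsay that the sender could have typed.
    Hand-offs between our own servers are skipped.
    """
    for hop in received_hops(raw):
        if not in_domain(hop["by"], trusted_domain):
            break
        if hop["rdns"] and in_domain(hop["rdns"], trusted_domain):
            continue                           # internal relay, keep descending
        return hop["ip"]
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(f"by {hop['by']:<25} from {hop['helo']} "
              f"(rdns={hop['rdns']}, ip={hop['ip']})")
    print("origin:", origin_ip(SAMPLE_MESSAGE, TRUSTED_DOMAIN))
```

In the sample the sending machine announced itself as support.example-isp.net, which is why the check relies on the reverse name and address the provider's relay recorded rather than on the HELO name. The bottom hop, with a second fake provider address, is exactly the kind of line a self-mailing worm prepends, and it is never consulted.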
     