AnimeSuki Forums

Old 2009-05-11, 11:59   Link #1
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Internet company warning me about so proclaimed porn spam I should be mailing

I got an email from Ziggo today; this is my internet hook-up company that provides me with this yummy internet hate machine, and they stated that they received a number of complaints that we were mailing about emails containing pornographic spam etc.

Now I was very confused by this; my mom was hysterical like the little tech caveman she is and she was telling me that it was something about child porn, so I went lol what?! (lost the game lol)

Anyway here's where it gets fishy: we have 2 computers in our house and as far as I know my PC is clean, but more on that later. Both PCs have Avast installed together with Comodo, and the only thing my mom/dad do on their PC is either play patience or World of Warcraft (my dad plays that and my mom the standard games); they both don't visit any other sites than the ones they know, and so this left me with the conclusion that it might be my PC that is causing the problem. (Also scanned it and it is clean of anything fishy.)

Now here is the thing: if you scroll back a page (or 4) you can see these topics. I had a horrible virus problem going on several weeks back, in late April I think it was. Something with CSRCS.EXE and several other suddenly spawned files that messed up my PC so badly that it generally thought the only device that was inserted was my DVD burner. This was all caused thanks to a virus on our school computers, and later that week at school we had some porn problems as well: you'd be following class and shazam, a random porn pop-up shows up (I didn't have this going on on my PC though). I reinstalled Windows several days after all this trouble started, but I would like to hear your opinion about this: could the so proclaimed porn emailing spam have happened when my computer was entirely infected beyond repair? It is after all less than a month ago when this happened and I don't know how long it takes before they decide to send you a warning. Also, for spam to be sent you'd get a trojan or virus on your computer right? Or be stupid enough to fill in your email address on some random website.. I have Avast on this PC including the website protection and email protection function and we also have this downstairs, so I should be protected right? I don't do anything stupid like open random emails from people I don't know or download random files from the web.

So Asuki, what do you think about this?
Old 2009-05-11, 12:32   Link #2
Jinto
Asuki-tan Kairin ↓
 
 
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
You either infected the 2nd PC with your old problem or this is the aftermath of your old problem. Those two scenarios are the more likely ones.
Old 2009-05-11, 13:03   Link #3
Vexx
Obey the Darkly Cute ...
*Author
 
 
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 66
Did they say it was emanating from your home network (actually your assigned IP address) or was it someone forging mail using your email address?

If it was the former, then as Jinto says, you've got (or had) a "bot in the house" and you need to exorcise both of your computers - take them off the internet til they're clean. It may be that all the complaints derive from that period when your computer was "pwn3d" and that your installations are fine *now* - but I'd recheck them both anyway.

If the problem is forged email though ... there's really not a damn thing you can do about someone else on the planet illegally forging your address. All you can do is dispute the complaint and suggest they analyze the offending mail headers more closely since the From: and Reply-to: are forged.

Avast is a good decent tool --- but no AVG out there is perfect protection. You might also want to run spybot periodically. http://www.safer-networking.org/index2.html

You should also write back to Ziggo and explain that you discovered your systems had become "bot infected" but you've cleaned up all the machines at your house. That mitigates the potential for the "think of the children" witchburning police to knock at your door.
Old 2009-05-11, 14:19   Link #4
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
I called Ziggo right after reading the email and told them that it could've been because of what happened; however the person I had on the phone was one of those dull call receivers. I told him that if he could check those dates he would probably see that the spamming has now stopped. He never mentioned anything about IP addresses (it blew my mind completely as well until after the call); he couldn't give me any information whatsoever except for what I've just written: that it was merely a warning, that in worse cases the connection will be cut, and that if I don't receive any more warnings the problem was solved. I asked him if this was about only spam email and he answered yes, it wasn't about malware or anything (it wasn't about child porn lol, I asked him about that).

I'm going to run Spybot on this computer first; tomorrow I'll do another full system scan with both Avast and Spybot on our other computer.

edit:

There is however one thing I have discovered with Firefox (the scan is still running, so far no hits):
on Google, sometimes when I go to one of the listed pages after searching I get redirected to some random ad page. I've had this several times before this weekend and right now it happened again: I searched "Avast email scanner" and pressed the first link to their FAQ on their website and I got redirected to some "win a BMW car!" website.
If I go back and press on the link I get redirected to a Google website, something about www.google.nl/undefined, and if I then go back again and click, it is able to load.

edit3:
Spybot indeed detected some bad entries; I deleted all of them. Afterwards however it started giving me the message that a registry key that was important had changed its value and asked if I would allow it or not. The files were command.com and cmd.exe (which is for DOS if I remember correctly); however the change name was so weird I ended up denying both. It was like letters, like 20 or 25, followed by dll old, which I found weird. Every time I would allow it, it would come back again anyway.

Last edited by -KarumA-; 2009-05-11 at 14:49.
Old 2009-05-11, 14:58   Link #5
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
After rebooting I found that I have 4 screens of command.exe opening and closing, something I normally wouldn't have. I checked the forums on Spybot but I am confused about their explanation, which was something going on and needing removal in the registry, which I do not want to do out of the blue without getting proper guidance as to whether or not this is the solution.
Old 2009-05-11, 16:08   Link #6
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
You need to stop trying to fix the problem via spyware removal and do a fresh installation of Windows on both machines. Or switch to something safer like Linux. Until you do this, you need to take both computers off the Internet.

My recollection is that you've been trying to fix this problem for weeks now. A complete reinstallation of Windows would have probably taken less time than you've spent trying to clean things up. To paraphrase Ms. Ripley, "Nuke the computer from orbit; it's the only way to be sure."

Like Vexx says, anyone can forge anyone's email address, but I'm guessing that's not what's happening here.
Old 2009-05-11, 16:32   Link #7
mechabao
Senior Member
 
Join Date: Sep 2008
I second SeijiSensei's recommendation to do a full reformat and Windows/Linux install since it looks like the malware's managed to gain a very strong foothold on your computer/s. I'd also like to add that if you're going to reinstall Windows, make sure to download all of the system updates available and then install and fully update your antivirus/antimalware software of choice before transferring all of your old data to the new Windows installation so you can see if any malicious programs are piggybacking on your personal files.
Old 2009-05-11, 16:53   Link #8
chikorita157
ひきこもりアイドル
*IT Support
 
 
Join Date: Feb 2009
Location: Pennsylvania , United States
Age: 34
Another thing you should consider after reinstalling is creating a limited user account so it can prevent malware installation on your computer due to the administrative privileges. Most of the time, administrative privileges are rarely used unless you change the system settings or install software.

Also, disabling Autoplay will prevent USB drive malware from installing on your computer. Autorun can be disabled in the control panel in Vista, but in XP, you need to follow this tutorial

If you really want to jump in and switch to Linux, I suggest familiarizing yourself with a livecd before installing on your computer. If you still feel the need for Windows and not planning on gaming, you can install VirtualBox on Linux and install Windows in a virtual machine.
Last edited by chikorita157; 2009-05-11 at 17:06.
Old 2009-05-11, 17:03   Link #9
Vexx
Obey the Darkly Cute ...
*Author
 
 
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 66
I'll third the recommendation to re-install after your cmd window popping remarks and the spybot registry warnings....
Old 2009-05-11, 18:15   Link #10
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Thing is, I did a complete reinstall less than 3 weeks ago (it was the only way to fix the problem I had then and it did). I didn't have any problems afterward (up until today when I decided to routinely check things).
Let alone I really hate fixing my computer for 5 days straight, reinstalling everything all over again like before. The Google problem is now gone and I removed a trojan with Avast after scanning. It is the command.exe that I am wondering about atm.

edit:

command.exe problem has been fixed.
Do not know how exactly; I had restored a part of my registry with Registry Booster, had Avast scanning which removed a trojan, and now it is all back to working business.
Will call Ziggo tomorrow though and see if I can get some more info as to when this spamming was happening etc.

Last edited by -KarumA-; 2009-05-11 at 18:26.
Old 2009-05-11, 19:02   Link #11
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 35
This is by no means a fix to your virus issues, but you can at the very least prevent malware from logging into SMTP servers by blocking outbound connections to port 25 (the default smtp port) on your router, if you have one (otherwise you're screwed--software firewalls on an infected computer can't be trusted).

Of course, this doesn't stop the botter if he or she has set up an SMTP server listening on a random port, but it's at least worth a try (though it's likely that if your ISP has already detected the spam they have already blocked it).

Otherwise, I fully support the idea of migrating to Linux.
Old 2009-05-11, 19:03   Link #12
Doughnuts
Senior Member
 
Join Date: Dec 2007
Location: England
Age: 37
Close any apps that would normally connect to the internet and wait a couple of minutes.

Open a command prompt and run netstat -bn 3, which will list any open connections as well as their originating app. You could also try TCPView if you'd prefer a nice GUI instead.

If there are any suspicious connections even with nothing running, then it'll be likely that you still have some kind of malware running. Otherwise, that email is probably something of the past.
Old 2009-05-11, 19:28   Link #13
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Quote:
Originally Posted by -KarumA-
Thing is I did a complete reinstall less than 3 weeks ago
On both computers? If not, then it's pretty easy for one to reinfect the other if they're both networked together behind a router.
Old 2009-05-11, 23:07   Link #14
Vexx
Obey the Darkly Cute ...
*Author
 
 
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 66
.... at least you only have two computers to deal with. Though that's small consolation at the moment.
Old 2009-05-12, 00:31   Link #15
IRJustman
Founder, Sprocket Hole
*Fansubber
 
 
Join Date: Apr 2004
Location: Fresno or Sacramento, CA
Age: 55
command.exe? That doesn't sound right. If you're talking about Windows' command processor, the right one is called "cmd.exe". If you are getting a file called "command.exe", I'd likely call "smoke" on that one, because where there's smoke, there's (usually) fire. At that point, it's a matter of which retardant to put on it.

--Ian.
Old 2009-05-12, 03:19   Link #16
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Quote:
Originally Posted by IRJustman
command.exe? That doesn't sound right. If you're talking about Windows' command processor, the right one is called "cmd.exe". If you are getting a file called "command.exe", I'd likely call "smoke" on that one, because where there's smoke, there's (usually) fire. At that point, it's a matter of which retardant to put on it.

--Ian.
I don't have any file concerning this though, and Avast seemed to have solved this.
Yesterday my entire system was fried again; going to run some tests today as well.
As for blocking port 25, how do I do this with Comodo?
I ran Ad-Aware yesterday but the entire program was buggered up: it asked if it could reboot, I said yes, then the darned thing ignores its given order and decides to update instead; the PC was not amused and rebooted instantly with a blue screen because the commands were clashing. After that Ad-Aware ran rampant and I reinstalled it, but services.exe kept on shutting itself down so I had a countdown going and everything. Tried to uninstall Ad-Aware but because the setup was cut short apparently it had to reinstall first; well, quickly done and rebooted automatically. Every time that follows, services.exe stopped and initiated the auto countdown, so I was in utter panic with the mission to kick-boot Ad-Aware for starting this mess. Eventually I had to reinstall in another language to get the uninstall going, otherwise it would keep on complaining that it had to reinstall first, so I installed the Dutch version and ran the Dutch uninstall, which did its job. Ran Registry Booster and recovered and replaced registry parts with some I had backed up from last week. Rebooted again and made a HijackThis log etc., posted it on their forums; still waiting for a reply from them with their analysis, could include it in this post as well. Anyway eventually I figured I couldn't do anything and went to bed (3AM, and had asked a friend if he could reformat it for me again) and this morning when I booted up things were normal again. Not sure for how long; I'm scared that if I reboot again services.exe will freeze up again.

Spoiler for log:


Quote:
Originally Posted by Doughnuts
Close any apps that would normally connect to the internet and wait a couple of minutes.

Open a command prompt and run netstat -bn 3, which will list any open connections as well as their originating app. You could also try TCPView if you'd prefer a nice GUI instead.

If there are any suspicious connections even with nothing running, then it'll be likely that you still have some kind of malware running. Otherwise, that email is probably something of the past.
Did what you asked; these were the other connections I had running next to Avast:

mswsock.dll
WS2_32.dll
svchost.exe
kerne132.dll

Checked them; all are Windows processes, nothing strange about them.

edit:

My friend came over and we decided to first uninstall everything one program at a time to see if perhaps something was clashing and was the cause of my trouble. It seems like it has worked and it seems to have found the possible spam spreader, but it is still an ass to delete:
Malwarebytes found it but it says it will delete it on boot-up; the only problem is the trojan comes back again afterwards.
The trojan I was talking about is the following: atmf.dll

Last edited by -KarumA-; 2009-05-12 at 06:31.
Old 2009-05-12, 06:52   Link #17
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Another update: I have found what caused services.exe to run rampant.
Apparently it was Comodo causing this services.exe fail followed by countdown and reboot. When I didn't have it installed it would boot up fine, but when I installed it just now I had another services.exe problem that caused a reboot; after several tries I uninstalled it and now it works fine again, so I have no idea what is wrong with it.

But does anyone know any other good firewall besides Comodo and ZoneAlarm?
Old 2009-05-12, 07:48   Link #18
Doughnuts
Senior Member
 
Join Date: Dec 2007
Location: England
Age: 37
ZoneAlarm is fine. Even the free version allows you to properly manage what applications access the internet. Provided you're not always clicking allow for everything, it should keep you secure. As a general rule, you should never let a program act as a server unless you specifically need to. I've never used Comodo, so can't comment on it.

As for your restarting problem: you can temporarily disable that feature while installing things if necessary. The service is "Remote procedure call", and you just need to change its settings to do nothing rather than restart the machine (although you shouldn't keep it that way after you have your software working).

Anyway, looking at your HijackThis log, I can't see anything that appears to be malware. However, that log doesn't take into account that applications may have been modified. ZoneAlarm will warn you when applications have been modified in future.

Quote:
Originally Posted by -KarumA-
kerne132.dll
I hope that's a typo made by you, and not copy pasted.

Just because an application is a Microsoft product, don't be too confident about it connecting to the internet. If you're the least bit concerned about data exfiltration, you should be jumping up at anything connecting to the internet without your explicit permission.

So, winsock and ws2_32 are required by any Windows application to connect to the internet, but they still shouldn't be sending anything unless told to. In your netstat -bn output, there should be no connections when you're not running anything (in TCPView, disable the "show unconnected endpoints" option). I'd assume the connections you say were still there were unconnected endpoints. If any are connected to a remote address, you should be wary.

svchost.exe is responsible for those services listed as O23 in your HJT log. They may not always be trustworthy, so just because svchost.exe itself is a Microsoft app, don't ignore it.
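The netstat -bn check that Doughnuts describes (post #12 and this reply), plus WanderingKnight's point that a spam bot needs outbound port 25, as an added example that is not from anyone in the thread: it parses the XP-style output, where each connection is followed by the DLL chain and the owning executable, and reports only what should not exist on an idle machine. The sample output is constructed, the name kerne132.dll is taken from the thread, and the list of known DLLs is an assumption.

```python
import ntpath
import re

# Constructed sample shaped like Windows XP "netstat -bn" output (not a real capture). With -b,
# each connection line is followed by the components that opened the socket and then the owning
# executable in square brackets, which is why the thread lists mswsock.dll and WS2_32.dll.
SAMPLE_NETSTAT = r"""
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  C:\WINDOWS\system32\WS2_32.dll
  [svchost.exe]
  TCP    192.168.1.12:1053      203.0.113.17:25        ESTABLISHED
  C:\WINDOWS\system32\mswsock.dll
  C:\WINDOWS\system32\kerne132.dll
  [svchost.exe]
  TCP    192.168.1.12:1061      198.51.100.8:80        ESTABLISHED
  C:\Program Files\Mozilla Firefox\firefox.exe
  [firefox.exe]
"""
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")
UNCONNECTED = {"0.0.0.0:0", "*:*"}  # no peer: a listening socket or an idle UDP endpoint
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "ws2_32.dll", "mswsock.dll", "wsock32.dll"}  # assumed list

def parse_netstat(text):
    """Return one dict per connection, with the component chain and owning executable attached."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "components": [], "owner": ""})
        elif conns and (o := OWNER_RE.match(line)):
            conns[-1]["owner"] = o.group(1)
        elif conns and line.strip():  # a DLL/EXE in the chain that created the socket
            conns[-1]["components"].append(ntpath.basename(line.strip()))
    return conns

def is_connected(c):
    """True for a socket with a real remote peer (TCPView's 'connected endpoints')."""
    return c["state"] != "LISTENING" and c["remote"] not in UNCONNECTED

def looks_like_system_dll(name):
    """Digit-for-letter imitation of a well-known DLL, e.g. kerne132.dll posing as kernel32.dll."""
    lowered = name.lower()
    return lowered not in KNOWN_SYSTEM_DLLS and lowered.replace("1", "l").replace("0", "o") in KNOWN_SYSTEM_DLLS

def find_suspicious(conns, expected_exes):
    """Findings for an idle machine: outbound SMTP, unexpected connected endpoints, lookalike DLLs."""
    findings = []
    for c in conns:
        where = f"{c['owner'] or '?'} {c['proto']} {c['local']} -> {c['remote']} {c['state']}"
        if is_connected(c) and c["remote"].endswith(":25"):
            findings.append(f"SMTP: outbound port 25 connection, the classic spam-bot sign: {where}")
        elif is_connected(c) and c["owner"].lower() not in expected_exes:
            findings.append(f"CONNECTED: unexpected process talking to a remote host: {where}")
        findings += [f"LOOKALIKE: {comp} imitates a system DLL: {where}"
                     for comp in c["components"] if looks_like_system_dll(comp)]
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(parse_netstat(SAMPLE_NETSTAT), {"firefox.exe"}):
        print(finding)
```

Run it against a real capture only from a machine you believe is idle; on an infected box netstat itself may be lying, which is the same caveat the thread raises about software firewalls.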
Old 2009-05-12, 08:43   Link #19
Vexx
Obey the Darkly Cute ...
*Author
 
 
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 66
If you delete a trojan at boot time and then it re-appears, that means some other legitimate Microsoft file has been hijacked but all its original interface left alone... it just has a parasite piggybacked within it whose sole task is to regenerate the malware if it vanishes. Those are messy to get rid of -- either you need to have some sort of hash check tool to verify all the OS files are 'legit' or have an AVG that can spot such parasites within the legitimate file, quarantine it and be able to replace it with a copy of the uninfected file.
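Vexx's "hash check tool to verify all the OS files are legit", as an added example that is not from the thread: a SHA-256 manifest taken while the machine is known clean, compared later to spot a patched system file or a freshly dropped one. The directory, file contents and the stand-in names are constructed; atmf.dll is the name reported earlier in the thread.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative, forward-slash path) to its hash. Take it while clean."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, manifest):
    """Diff the current tree against the manifest: a changed hash means the file was patched or replaced."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }

def demo_tamper_detection():
    """Constructed scenario: baseline a fake system32, then simulate a parasite patching one
    file and dropping a new one (the dropped name is the one reported in the thread)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"
        root.mkdir()
        (root / "cmd.exe").write_bytes(b"constructed stand-in for the command processor")
        (root / "services.exe").write_bytes(b"constructed stand-in for services.exe")
        manifest = build_manifest(root)  # keep this off the box; the manifest itself must be trusted
        (root / "services.exe").write_bytes(b"constructed stand-in for services.exe" + b"\x00parasite")
        (root / "atmf.dll").write_bytes(b"constructed dropped component")
        return verify(root, manifest)

if __name__ == "__main__":
    print(demo_tamper_detection())
```

A manifest captured on an already-infected machine proves nothing, so the baseline has to come from a fresh install or from the vendor's published hashes.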
Old 2009-05-12, 09:04   Link #20
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
I managed to get all viruses deleted, as far as I know.
I found a good step-by-step scanning list which I followed.

I ran the following programs: Malwarebytes, Combofix, CCleaner,
and put a log up on their site for them to check. Combofix managed to delete the trojan and had found a rootkit which it then deleted because it was infected. Could anyone tell me what a rootkit is?