AnimeSuki Forums

Register Forum Rules FAQ Members List Social Groups Search Today's Posts Mark Forums Read

Go Back   AnimeSuki Forum > AnimeSuki & Technology > Tech Support

Notices

Reply
 
Thread Tools
Old 2009-05-11, 11:59   Link #1
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 27
Question Internet company warning me about so proclaimed porn spam I should be mailing

I got an email from Ziggo today, this is my internet hook on company that provides me with this yummy internet hate machine and they stated that they received a number of complaints that we were mailing about emails containing pornographic spam etc.

Now I was very confused by this, my mom was hysterical like the little tech caveman she is and she was talking to me that it was something about child porn so I went lol what ?! (lost the game lol)

Anyway here's where it gets fishy, we have 2 computers in our house and for as far as I know my pc is clean but more on that later. Both pc's have Avast installed together with Comodo and the only thing my mom/dad do on their pc is either play patience or world of warcraft, my dad plays that and my mom the standard games, they both don't visit any other sites than the ones they know and so this left me with the conclusion that it might be my pc that is causing the problem. (also scanned it and it is clean of anythign fishy)

Now here is the thing, if you scroll back a page (or 4) you can see these topics, I had a horrible virus problem going on several weeks back, in late April I think it was. Something with CSRCS.EXE and several other suddenly spawned files that messed up my pc so badly that it generally thought the only device that was inserted was my DVD burner. This was all caused thanks to a virus on our school computers and later that week @ school we had some porn problems as well, you'd be following class and shazam random porn pop up shows up (I didn't have this going on on ym pc though), I re installed windows several days after all this trouble started, but I would like to hear your opinion about this, could the so proclaimed porn emailing spam have happened when my computer was entirely infected beyond repair? It is after all less than a month ago when this happens and I don't know how long it takes before they decide to send you a warning, also for spam to be send you'd get a trojan on virus on your computer right? or be stupid enough to fill your email address on some random website.. I have Avast in this pc including the website protection and email protection function and we also have this downstairs so I should be protected right? I don't do anything stupid like open random emails from people I don't know or download random files from the web.

So Asuki what do you think about this
-KarumA- is offline   Reply With Quote
Old 2009-05-11, 12:32   Link #2
Jinto
Asuki-tan Kairin ↓
 
 
Join Date: Feb 2004
Location: Fürth (GER)
Age: 34
You either infected the 2nd PC with your old problem or this is the aftermath of your old problem. Those two scenarios are the more likely ones.
Jinto is offline   Reply With Quote
Old 2009-05-11, 13:03   Link #3
Vexx
Obey the Darkly Cute ...
*Author
 
 
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 57
Did they say it was emanating from your home network (actually your assigned IP address) or was it someone forging mail using your email address?

If it was the former, then as Jinto says, you've got (or had) a "bot in the house" and you need to exorcise both of your computers - take them off the internet til they're clean. It may be that all the complaints derive from that period when your computer was "pwn3d" and that your installations are fine *now* - but I'd recheck them both anyway.

If the problem is forged email though ... there's really not a damn thing you can do about someone else on the planet illegally forging your address. All you can do is dispute the complaint and suggest they analyze the offending mail headers more closely since the From: and Reply-to: are forged.

Avast is a good decent tool --- but no AVG out there is perfect protection. You might also want to run spybot periodically. http://www.safer-networking.org/index2.html

You should also write back to Ziggo and explain that you discovered your systems had become "bot infected" but you've cleaned up all the machines at your house. That mitigates the potential for the "think of the children" witchburning police to knock at your door.
__________________
Vexx is offline   Reply With Quote
Old 2009-05-11, 14:19   Link #4
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 27
I called Ziggo right after reading the email and had told them that it could've been because of what happened, however the person I had on the phone was one of those dull call receivers, I told him that if he could check those dates that he would probably see that the spamming has now stopped, he never mentioned anything about IP addresses (it blew my mind completely as well until after the call), he couldn't give me any information whatever except for what I've just written: that it was merely a warning and that in worse cases the connection will be cut and that if I don't receive any more warnings that the problem was solved, I asked him if this was about only spam email and he answered yes, it wasn't about malware or anything (it wasn't about child porn lol I asked him about that)

I'm going to run spybot on this computer first, tommorow I'll do another full system scan with both Avast and Spybot on our other computer

edit:

there is however one thing I have discovered with firefox, the scan is still running so far no hits
but on google sometimes when I go to one of the listed pages after searching I get redirected to some random add page, I've had this several times before this weekend and right now it happened again I searched Avast email scanner and pressed the first link to their faq ont heir website and I got redirected to some "win a BMW car!" website
if I go back and press ont he link I get redirected to a google website something about www.google.nl/undefined and if I then go back again and click it is able to load

edit3:
Spybot indeed detected some bad entries, I deleted all of them afterwards however it started giving me the message that a registry key that was important has changed its value and if I would allow it or not, files were command.com and cmd.exe (which is for dos if I remember correctly) however the change name was so weird I ended up denying both was like letters like 20 or 25 followed by dll old which I found weird, every time I would allow it would come back again anyway

Last edited by -KarumA-; 2009-05-11 at 14:49.
-KarumA- is offline   Reply With Quote
Old 2009-05-11, 14:58   Link #5
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 27
After rebooting I found that I have 4 screens opening and closing of command.exe, something I normally wouldn't have. I checked the forums on spybot but I am confussed about their explanation which was something going on and needing removal in the registry which I do not want to do out of the blue without getting proper guidance to whether or not this is the solution
-KarumA- is offline   Reply With Quote
Old 2009-05-11, 16:08   Link #6
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Location: Plimoth
Age: 65
You need to stop trying to fix the problem via spyware removal and do a fresh installation of Windows on both machines. Or switch to something safer like Linux. Until you do this, you need to take both computers off the Internet.

My recollection is that you've been trying to fix this problem for weeks now. A complete reinstallation of Windows would have probably taken less time than you've spent trying to clean things up. To paraphrase Ms. Ripley, "Nuke the computer from orbit; it's the only way to be sure."

Like Vexx says, anyone can forge anyone's email address, but I'm guessing that's not what's happening here.
__________________
SeijiSensei is offline   Reply With Quote
Old 2009-05-11, 16:32   Link #7
mechabao
Senior Member
 
Join Date: Sep 2008
I second SeijiSensei's recommendation to do a full reformat and Windows/Linux install since it looks like the malware's managed to gain a very strong foothold on your computer/s. I'd also like to add that if you're going to reinstall Windows, make sure to download all of the system updates available and then install and fully update your antivirus/antimalware software of choice before transferring all of your old data to the new Windows installation so you can see if any malicious programs are piggybacking on your personal files.
mechabao is offline   Reply With Quote
Old 2009-05-11, 16:53   Link #8
chikorita157
ひきこもりアイドル
*IT Support
 
 
Join Date: Feb 2009
Location: New Jersey, United States
Age: 25
Send a message via Skype™ to chikorita157
Another thing you should consider after reinstalling is creating a limited user account so it can prevent malware installation on your computer due to the administrative privileges. Most of the time, administrative privileges are rarely used unless you change the system settings or install software.

Also, disabling Autoplay will prevent USB drive malware from installing on your computer. Autorun can be disabled in the control panel in Vista, but in XP, you need to follow this tutorial

If you really want to jump in and switch to Linux, I suggest familiarizing yourself with a livecd before installing on your computer. If you still feel the need for Windows and not planning on gaming, you can install VirtualBox on Linux and install Windows in a virtual machine.
__________________

Last edited by chikorita157; 2009-05-11 at 17:06.
chikorita157 is offline   Reply With Quote
Old 2009-05-11, 17:03   Link #9
Vexx
Obey the Darkly Cute ...
*Author
 
 
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 57
I'll third the recommendation to re-install after your cmd window popping remarks and the spybot registry warnings....
__________________
Vexx is offline   Reply With Quote
Old 2009-05-11, 18:15   Link #10
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 27
Thing is I did a complete reinstall less than 3 weeks ago (it was the only way to fix the problem I had then and it did), I didn't have any problems afterward (up until today when I decided to routinely check things)
Let alone I really hate fixing my computer for 5 days straight re installing everything all over again like before, the google problem is now gone and removed a trojan with avast after scanning. It is the command.exe that I am wondering about atm

edit:

command.exe problem has been fixed
do not know how exactly, I had restored a part of my registry with registry booster, had avast scanning which removed a trojan and now it is all back to working bussiness
will call Ziggo tomorow though and see if I can get some more info as to when this spamming was happening etc.

Last edited by -KarumA-; 2009-05-11 at 18:26.
-KarumA- is offline   Reply With Quote
Old 2009-05-11, 19:02   Link #11
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 25
Send a message via MSN to WanderingKnight
This is by no means a fix to your virus issues, but you can at the very least prevent malware from logging into SMTP servers by blocking outbound connections to port 25 (the default smtp port) on your router, if you have one (otherwise you're screwed--software firewalls on an infected computer can't be trusted).

Of course, this doesn't stop the botter if he or she has set up an SMTP server listening on a random port, but it's at least worth a try (though it's likely that if your ISP has already detected the spam they have already blocked it).

Otherwise, I fully support the idea of migrating to Linux
__________________


Place them in a box until a quieter time | Lights down, you up and die.
WanderingKnight is offline   Reply With Quote
Old 2009-05-11, 19:03   Link #12
Doughnuts
Senior Member
 
 
Join Date: Dec 2007
Location: England
Age: 28
Close any apps that would normally connect to the internet and wait a couple of minutes.

Open a command prompt and run netstat -bn 3, which will list any open connections aswell as their originating app. You could also try tcpview if you'd prefer a nice GUI instead.

If there are any suspicious connections even with nothing running, then it'll be likely that you still have some kind of malware running. Otherwise, that email is probably something of the past.
Doughnuts is offline   Reply With Quote
Old 2009-05-11, 19:28   Link #13
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Location: Plimoth
Age: 65
Quote:
Originally Posted by -KarumA- View Post
Thing is I did a complete reinstall less than 3 weeks ago
On both computers? If not, then it's pretty easy for one to reinfect the other if they're both networked together behind a router.
__________________
SeijiSensei is offline   Reply With Quote
Old 2009-05-11, 23:07   Link #14
Vexx
Obey the Darkly Cute ...
*Author
 
 
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 57
.... at least you only have two computers to deal with. Though that's small consolation at the moment.
__________________
Vexx is offline   Reply With Quote
Old 2009-05-12, 00:31   Link #15
IRJustman
Founder, Sprocket Hole
*Fansubber
 
 
Join Date: Apr 2004
Location: Fresno or Sacramento, CA
Age: 46
command.exe? That doesn't sound right. If you're talking about Windows' command processor, the right one is called "cmd.exe". If you are getting a file called "command.exe", I'd likely call "smoke" on that one, because where there's smoke, there's (usually) fire. At that point, it's a matter of which retardant to put on it.

--Ian.
IRJustman is offline   Reply With Quote
Old 2009-05-12, 03:19   Link #16
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 27
Quote:
Originally Posted by IRJustman View Post
command.exe? That doesn't sound right. If you're talking about Windows' command processor, the right one is called "cmd.exe". If you are getting a file called "command.exe", I'd likely call "smoke" on that one, because where there's smoke, there's (usually) fire. At that point, it's a matter of which retardant to put on it.

--Ian.
I don't have any file concerning this though and avast seemed to have solved this
yesterday my entire system was fried again, going to run some tests today as well
as for blocking port 25 how do I do this with comodo?
I ran ad aware yesterday but the entire program was buggered up, asked if it could reboot I said yes then the darned thing ignores its given order and decides to update instead, pc was not amused and rebooted instantly with blue screen because the commands were clashing. After that ad aware ran rampant and i reinstalled it but services.exe kept on shutting itself down so I had a count down going and everything, tried to uninstall ad aware but because the setup was cut short apparently it had to reinstall first, well quickly done and rebooted auto. Every time that follows services.exe stopped and initiated the auto countdown, so I was in utter panic with the mission to kick boot ad aware for starting this mess, eventually I had to reinstall in another language to get the uninstall going otherwise it would keep on complaining that it had to reinstall first, so installed the dutch version and ran the dutch uninstall which did its job, ran registry booster and recovered and replaced registry parts to some I had backed up from last week. Rebooted again and made a hijack this log etc. posted it on their forums, still waiting for reply from them with their analysis could include it in this post as well. Anyway eventually I figured I couldn't do anything and went to bed (3AM and had asked a friend if he could reformat it for me again) and this morning when I booted up things were normal again, not sure for how long I'm scared that if I reboot again that services.exe will freeze up again

Spoiler for log:


Quote:
Originally Posted by Doughnuts View Post
Close any apps that would normally connect to the internet and wait a couple of minutes.

Open a command prompt and run netstat -bn 3, which will list any open connections aswell as their originating app. You could also try tcpview if you'd prefer a nice GUI instead.

If there are any suspicious connections even with nothing running, then it'll be likely that you still have some kind of malware running. Otherwise, that email is probably something of the past.
Did what you asked these were the other connection I had running next to avast

mswsock.dll
WS2_32.dll
svchost.exe
kerne132.dll

checked them, all are windows processes, nothing strange about them

edit:

my friend came over and we decided to first uninstall everything one program at a time to see if perhaps something was clashing and was the cause of my trouble, it seems like it has worked and it seems to have found the possible spam spreader but it is still an ass to delete:
malwarebytes found it but it says it will delete it on boot up the only problem is the trojan comes back again afterwards
the trojan i wan talking about is the following: atmf.dll

Last edited by -KarumA-; 2009-05-12 at 06:31.
-KarumA- is offline   Reply With Quote
Old 2009-05-12, 06:52   Link #17
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 27
another update I have found what caused services.exe to run rampant
apperantly it was comodo causing this services.exe fail followed by countdown and reboot, when I didn't have it installed it would boot up fine but when I installed it just now I had another services.exe problem that caused a reboot, after several tries I uninstalled it and now it works fine again so I have no idea what is wrong with it

but does anyone know any other good firewall besides comodo and zonealarm
-KarumA- is offline   Reply With Quote
Old 2009-05-12, 07:48   Link #18
Doughnuts
Senior Member
 
 
Join Date: Dec 2007
Location: England
Age: 28
zonealarm is fine. Even the free version allows you to properly manage what applications access the internet. Provided you're not always clicking allow for everything, it should keep you secure. As a general rule, you should never let a program act a server unless you specifically need to. I've never used comodo, so can't comment on it.

As for your restarting problem. You can temporarily disable that feature while installing things if necessary. The service is "Remote procedure call", and you just need to change it's settings to do nothing rather than restart the machine. (although, you shouldn't keep it that way after you have your software working).

Anyway, looking at yout hijickthis log, I can't see anything that appears to be malware. However, that log doesn't take into account that applications may have been modified. zonealarm will warn you when applications have been modified in future.

Quote:
Originally Posted by -KarumA- View Post
kerne132.dll
I hope that's a typo made by you, and not copy pasted.

Just because an application is a microsoft product, don't be too confident about it connecting to the internet. If you're the least bit concerned about data exfiltration, you should be jumping up at anything connecting to the internet without your explicit permission.

So, winsock and ws2_32 are required by any windows application to connect to the internet, but they still shouldn't be sending anything unless told to. In your netstat -bn output, there should be no connections when you're not running anything. (in TCP view, disable the "show unconnected endpoints" option). I'd assume the connections you say were still there were unconnected endpoints. If any are connected to a remote address, you should be wary.

svchost.exe is responsible for those services listed as O23 in your HJT log. They may not always be trustworthy, so just because svchost.exe itself is a microsoft app, don't ignore it.
Doughnuts is offline   Reply With Quote
Old 2009-05-12, 08:43   Link #19
Vexx
Obey the Darkly Cute ...
*Author
 
 
Join Date: Dec 2005
Location: On the whole, I'd rather be in Kyoto ...
Age: 57
If you delete a trojan at boot time and then it re-appears, that means some other legitimate Microsoft file has been hijacked but all its original interface left alone... it just has a parasite piggybacked within it whose sole task is to regenerate the malware if it vanishes. Those are messy to get rid of -- either you need to have some sort of hash check tool to verify all the OS files are 'legit' or have an AVG that can spot such parasites within the legitimate file, quarantine it and be able to replace it with a copy of the uninfected file.
__________________
Vexx is offline   Reply With Quote
Old 2009-05-12, 09:04   Link #20
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 27
I managed to get all viruses deleted for so far as I know
I found a good step to step scanning list which I followed

I ran the following programs, malwarebytes, cobofix, cc cleaner
and pt a log up on their site for them to check, combofix managed to delete the trojan and had found a rootkit which it then deleted because it was infected, could anyone tell me what a rootkit is?
-KarumA- is offline   Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 03:25.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.
We use Silk.