PC is host for email spammers--Logs.part.1

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by twarren, Oct 4, 2007.

  1. twarren

    twarren Private E-2

    My PC has become a host/server for spammers. My ISP notified me of this and said they would have to discontinue my service if I did not get rid of the spammers. They are giving me additional time to try and correct the problem. Please help.

    Per my ISP's instructions, I ran A2Square, which supposedly found and deleted a lot of stuff. Unfortunately, the problem still exists. There is at least one program still listed in the msconf file that I know is a problem: gjvgpoqqpv.exe. I do not know what dnba and kvkwstbu are. There may be other problems as well.

    I have followed your instructions for malware removal and am posting the results.

    Thank you for helping me. I don't want to get shut down!
     

    Attached Files:

  2. twarren

    twarren Private E-2

    Re: PC is host for email spammers--Logs.part.2

    Here are more logs.

    I believe this is everything. If you need more, please let me know.

    Anxiously waiting to hear from you. Thank you for helping me.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    Viewpoint Media Player

    Turn off all active anti-virus and anti-spyware while we do the following:
    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to Print Spooler Service
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    * Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste iey5demluwe5o into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.
    * Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Now re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach new logs for:
    ShowNew
    GetRunKey
    HJT
    Avenger

    Be sure to re-enable your virus programs and tell me how things went.
     
  4. twarren

    twarren Private E-2

    Re: PC is host for email spammers--Logs-update

    I completed your instructions and have attached the files. There still seem to be a couple of suspicious files in the msconf.sys. (Could not resist looking.)

    Thank you! Standing by, waiting for further instructions!
     

    Attached Files:

  5. twarren

    twarren Private E-2

    Re: PC is host for email spammers--Logs--update

    The rest of the files are attached. Please let me know if you need additional information. Thank you again!
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What did you find when you went into the services? Did you find and stop the Print Spooler Service? Did HJT give you any error messages when you put in "iey5demluwe5o"?

    Now re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking fix, exit HJT.
    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach new logs for:
    ShowNew
    GetRunKey
    HJT
    Avenger
     
  7. twarren

    twarren Private E-2

    Re: PC is host for email spammers--Logs--update 2

    When I went into the services, it was already "stopped." I just had to change the setting to "disabled."

    There were no error messages (that I recall or noticed) from HJT.

    The new logs are attached.

    Thank you so much for helping me. Standing by for further instructions.
     

    Attached Files:

  8. twarren

    twarren Private E-2

    Re: PC is host for email spammers--Logs--update 2

    Here are the rest of the requested logs.

    Let me know if additional information is needed. Thank you so much. Standing by for further instructions.
     

    Attached Files:

  9. twarren

    twarren Private E-2

    Re: PC is host for email spammers--Logs--new info

    Right after I posted the last thread, I looked at the msconfig file. I was closing it when I received a warning from CounterSpy that a file was attempting to change my .ini files (or something like that). The file was grep.exe. I quarantined that file. Is it a legit file or another bad one?

    Again, I appreciate your help and I am standing by for further instructions.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    grep.exe --- a legit file (part of our tools)
    Please boot up with msconfig in normal startup!
    Uninstall Counterspy as we are finished with it and it is only a trial program!

    Open notepad and copy and paste the following text in the quote box into the window:
    Save this as fix.bat
    Choose to save as all files.
    Doubleclick fix.bat and let the program run.
    A small black dos window will flash, this is normal.

    Now:
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach a new log for:
    HJT
    Avenger
    ShowNew
     
  11. twarren

    twarren Private E-2

    Re: PC is host for email spammers--

    Hi

    I tried unsuccessfully to access your website last night. After about 5 hours, I gave up for the night. Very scary when your site goes down! Hope your server was just that busy and there were/are no problems.

    I unquarantined the grep.exe file previously mentioned from counterspy and then uninstalled counterspy. I didn't realize the file was one of your tools. I restarted the computer with MSCONFIG in normal mode.

    I ran the programs as indicated and am attaching the shownew, avenger, and hjt log files as requested.

    On a side note, I noticed yesterday a file aolupd.exe and girtysmt.exe. I did not see the aolupd.exe file today and McAfee stopped the girtysmt.exe file.

    If there are any files that will start and belong to you, please let me know so that I will not "stop" them when warned by McAfee. Also, should McAfee be turned off each time I apply the fixes?

    If you need additional information, please let me know. I definitely appreciate your help! I am standing by, waiting to hear from you.

    Thank you!
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I wasn't on last night so I don't know about the problem getting on to the site.

    Let's do two more things:
    Open notepad and copy and paste the following text in the quote box into the window:

    sc stop AOLHosts
    sc delete AOLHosts

    Save this as fix.bat
    Choose to save as all files.
    Doubleclick fix.bat and let the program run.
    A small black dos window will flash, this is normal.

    Now use windows explorer to find and delete:
    C:\WINDOWS\Fonts\aolupd.exe

    Attach a new HJT log.
     
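    The two service-removal steps in this thread (stopping and disabling the Print Spooler and deleting the iey5demluwe5o service in post 3, and the sc stop / sc delete of AOLHosts plus the deletion of C:\WINDOWS\Fonts\aolupd.exe above) can be combined into one batch file that also records what it actually found, so the result can be pasted back into the thread. The script below is an added example, not TimW's fix.bat and not a MajorGeeks tool; it assumes it is run from an administrator account on Windows XP, that the service name behind "Print Spooler" is Spooler, and it writes its log to C:\cleanup-log.txt (a path chosen for this example). The service names and the aolupd.exe path are the ones named in the thread.

```batch
@echo off
rem Added example cleanup script (not the fix.bat posted in the thread).
rem It disables the Print Spooler, removes the two services named in the
rem thread if they exist, deletes the dropped aolupd.exe, and logs each
rem result to C:\cleanup-log.txt (assumed path) for pasting into the thread.
setlocal
set LOG=C:\cleanup-log.txt
echo === cleanup run %DATE% %TIME% === >> "%LOG%"

rem 1. Stop and disable the Print Spooler (service name "Spooler"), which
rem    post 3 does by hand through services.msc.
sc query Spooler | find "RUNNING" >nul
if errorlevel 1 (
    echo Spooler was not running >> "%LOG%"
) else (
    echo Spooler was running; stopping it >> "%LOG%"
    sc stop Spooler >nul
)
rem The space after "start=" is required by sc.exe.
sc config Spooler start= disabled >> "%LOG%"

rem 2. Remove the services named in the thread. "sc query" returns a
rem    non-zero errorlevel (1060) when the service does not exist, so the
rem    script records "not present" instead of deleting blindly.
for %%S in (iey5demluwe5o AOLHosts) do (
    sc query %%S >nul 2>&1
    if errorlevel 1 (
        echo Service %%S not present >> "%LOG%"
    ) else (
        echo Service %%S present; stopping and deleting >> "%LOG%"
        sc stop %%S >nul 2>&1
        sc delete %%S >> "%LOG%"
    )
)

rem 3. Delete the executable the thread located in the Fonts folder.
rem    Clear read-only/system/hidden attributes first, then confirm the
rem    delete actually succeeded (a file that is still running will survive).
set BAD=C:\WINDOWS\Fonts\aolupd.exe
if exist "%BAD%" (
    echo Found %BAD%; deleting >> "%LOG%"
    attrib -r -s -h "%BAD%"
    del /f /q "%BAD%"
    if exist "%BAD%" (
        echo Delete FAILED for %BAD% - reboot and rerun >> "%LOG%"
    ) else (
        echo Deleted %BAD% >> "%LOG%"
    )
) else (
    echo %BAD% not present >> "%LOG%"
)

rem 4. Show the log so it can be attached or pasted into the thread.
type "%LOG%"
endlocal
```

    Save it the same way as fix.bat (Notepad, "Save as type" set to "all files") and double-click it; the black window stays open long enough to read the log because of the final `type`. A "Delete FAILED" line in the log means the file was still in use, which is the case where a reboot followed by a rerun (or the Avenger script the thread uses) is needed.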
  13. twarren

    twarren Private E-2

    Re: PC is host for email spammers--

    Hi,

    I have followed your instructions and have attached the new hjt log.

    As you know I disconnect from the computer after posting my logs. As I was going online tonight, I noticed McAfee blocking spammer and trojan files. After completing your instructions--I was curious--so I checked the McAfee log. Most of the files it blocked were associated with the aolupd file. There was one file/program located within the system restore points. I went ahead and turned off system restore. I figure it is probably best to leave it cut off until we get this resolved.

    Once again, I really do appreciate your help and I'm standing by, waiting for further instructions. Thanks again!
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet ....keep your virus definitions up to date...:)

    Your logs look clean. You may uninstall any programs we had you download (including CounterSpy, etc).

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  15. twarren

    twarren Private E-2

    Re: PC is host for email spammers--Whew! Thanks!

    Thanks for all of your help! I do keep my virus definitions up-to-date; however, it is possible that one of my kids "allowed" something McAfee was trying to stop. They say they now understand the reason to allow only things they are sure about instead of "allowing" everything that pops up. So far (since I've been working with you to fix the problems), they've been good about asking before allowing. I hope they continue this practice.

    I will be reviewing and enacting the steps to prevent malware as indicated in your link.

    Thank you again for all of your help!
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome ...let us know if you need further assistance. :)
     
