Something trying to mass email from my PC

Discussion in 'Malware Help (A Specialist Will Reply)' started by kbolin, Mar 10, 2008.

  1. kbolin

    kbolin Private E-2

    Hello,

    I have browsed through this board and tried to find a solution to the problem I'm having, but while I did find a couple of messages that sounded similar, I never saw a solution.

    Earlier today, my machine on my wife's side started attempting to mass mail random messages out to the world! Norton's was going nuts with pop-ups filling the screen scanning them. To my knowledge, nothing was being sent out though; error messages were also appearing, stating that it couldn't connect to my mail server.

    I've seen this once before on my son's machine and made a slight attempt to clean it, but opted for a format instead as his machine was due for one anyway.

    I recently formatted this one and while I know that is the easy way out (depends on how you look at it, wife has every title of Sims 2 grrrr) I'd rather not format if I don't need to.

    I left her logged on and logged into my name and attempted to find something, but it was too slow, so I rebooted to safe mode. I didn't find anything out of the ordinary, so went back to normal boot. I logged into my name this time instead of my wife's and it started doing it again.

    I had to kill my Norton's to do anything as it was slowing me down big time; I used the Norton's utility I found on here to totally remove it.

    I then followed the guide you have here, but instead of posting anything here, made the mistake of assuming that it was clean and reinstalled Norton's... it started going nuts again attempting to mail crap out again... grrrr...

    This is a last resort for me prior to a format. I'm fairly PC literate and don't hesitate digging into the registry if I need to, but that's only if I know what I'm looking for too... LOL


    So I've now repeated all the steps and have the log files you request, they are attached...

    Thanks for any help you can provide for me

    Keith

    PS. I haven't reinstalled Norton's yet...
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your MGlogs.zip file is incomplete. Did you forget to click Accept when the popup window from TrendMicro's HijackThis appeared? Please try again and make sure you accept the agreement. Also watch for any error messages.

    Did you have your Symantec Firewall disabled when you ran MGtools? It looks like it, based on the logs.

    Also did you notice at the end of the runkeys.txt log (see the MGlogs.zip file) there are a ton of TCP connections? Do any of these look valid?
    Or are these what Symantec was complaining about?
    Was it Symantec's firewall that was complaining or was it the AV?
    Did you tell it to block all of these attempts and to always take the same action?
    If you now open any browsers, do these attempts still occur?

    I see the below trying to load at startup. Do you know what this is?
    "zzzHPSETUP"="F:\\Setup.exe"

    Do you know what the below ini file is for? What about the below two folders?
    Code:
     D:\WINDOWS\system32\rncypfvq.ini
     
    2008-03-08 18:58 . 2008-03-08 18:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
    2008-03-08 18:56 . 2008-03-08 19:41 <DIR> d-------- D:\Documents and Settings\Dad\Application Data\GameHouse
    I also see a strange service that is saying the file is for some kind of cursor. Does the below seem familiar?
    Code:
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\werasqlp]
    "ImagePath"="\??\D:\WINDOWS\Cursors\werasqlp.cur"
     
  3. kbolin

    kbolin Private E-2

    Hello and thanks for getting back to me!

    I didn't get a window to accept the HijackThis program. I have it and use it occasionally; perhaps that is why?

    Don't know why it didn't run though; the only error message comes when I start MGtools. It starts and I get the following message before it starts.

    >>>>Microsoft Windows XP [Version 5.1.2600]
    updating: GetUnKey.txt (188 bytes security) (deflated 89%)
    The system cannot find the path specified.<<<<<<<<<<<<

    It then continues and tells me to hit any key to close the window, but never goes to the HijackThis program for some reason, so I have run it manually from the MGtools folder and added the log to the zip file.

    OK...let me try to answer some of your questions better now...

    I had Norton's Antivirus installed. Out of the blue, it started scanning email as though I was sending a mail to someone, but it was doing mass amounts at once. None of these went through though; my email server never allowed it to connect I guess, so I'd also get the same number of pop-up windows from Norton's telling me that too. I can open browsers fine.

    I haven't tried to reinstall Norton's yet; I'm afraid that it'll go nuts again, but I'll try here in a bit... Internet is very slow to do anything right now, so something still isn't right...

    WOW on the TCP connections!!! Didn't see them; there are a couple that appear to be normal. The insightbb is my mail of course, there are also a couple of IPs of my son's computers, but many of them are foreign to me...

    How do I remove them?

    That F:\\Setup.exe that was trying to load was connected to my wife's Sims 2 disk in the DVD drive... or so it says anyway...

    Very interesting .ini file though....

    I checked both folders and one was very strange and had another .ini file in it with the following in it.

    >>>>>>[netsock]
    netapi.dll-IB3V8KZEZXMDL-75b=4915989
    netapi.dll-HA2URTO1M2KC184-86a=8848169<<<<<

    The GameHouse folder had an icon in it related to a game on here...

    I removed both folders and the ini files as well...

    The cursor file is very strange too!!

    The date on it is the same day that I started having problems, I tried to delete it, but I'm going to have to go to safe mode to remove, it won't let me.

    I did notice a line in the HijackThis log that had "braviax" in it, but I didn't see the file on my system.

    Anyway, I've attached the file again, hope it's right this time.


    Thanks a bunch for your help!!

    Keith
     

    Attached Files:
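A defender-side triage helper, added here as an example and not part of this thread or of MGtools: it applies the two checks chaslang's questions above describe, counting how many different remote hosts a machine is trying to reach on TCP/25 from netstat-style lines (a home PC should only be talking SMTP to its own mail server) and flagging services whose ImagePath is not a normal service binary, like the werasqlp .cur entry. The netstat lines, the service table and the IP addresses are constructed sample data.

```python
import re
from collections import Counter

# Constructed netstat -n style lines (not taken from the MGlogs in this thread).
SAMPLE_CONNECTIONS = """\
TCP  192.168.1.10:1052  192.168.1.1:139     ESTABLISHED
TCP  192.168.1.10:1055  192.0.2.10:25       ESTABLISHED
TCP  192.168.1.10:1060  203.0.113.5:25      SYN_SENT
TCP  192.168.1.10:1061  203.0.113.77:25     SYN_SENT
TCP  192.168.1.10:1062  198.51.100.23:25    SYN_SENT
TCP  192.168.1.10:1063  198.51.100.200:25   SYN_SENT
TCP  192.168.1.10:1064  203.0.113.5:25      SYN_SENT
TCP  192.168.1.10:1070  192.0.2.44:80       ESTABLISHED
"""

# Constructed service entries in the shape of the registry excerpt above (name -> ImagePath).
SAMPLE_SERVICES = {
    "Spooler": r"D:\WINDOWS\system32\spoolsv.exe",
    "Dhcp": r"D:\WINDOWS\system32\svchost.exe -k netsvcs",
    "werasqlp": r"\??\D:\WINDOWS\Cursors\werasqlp.cur",
}

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")
SERVICE_EXTENSIONS = {".exe", ".sys", ".dll"}

def smtp_fanout(netstat_text, known_mail_hosts=(), threshold=3):
    """Count TCP/25 connections per remote host, ignoring the user's own mail server.
    A home PC normally talks SMTP to one host; returns {host: attempts} once the
    number of distinct unexpected hosts reaches threshold, else {} (nothing to flag)."""
    attempts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) == "TCP" and m.group(5) == "25" and m.group(4) not in known_mail_hosts:
            attempts[m.group(4)] += 1
    return dict(attempts) if len(attempts) >= threshold else {}

def odd_service_paths(services):
    """Flag services whose ImagePath binary lacks a normal service extension (e.g. a
    .cur in the Cursors folder). Strips the \\??\\ prefix and handles quoted paths."""
    flagged = {}
    for name, image_path in services.items():
        path = image_path[4:] if image_path.startswith("\\??\\") else image_path
        binary = path[1:].split('"', 1)[0] if path.startswith('"') else path.split(" ", 1)[0]
        ext = binary[binary.rfind("."):].lower() if "." in binary else ""
        if ext not in SERVICE_EXTENSIONS:
            flagged[name] = binary
    return flagged
```

Run `smtp_fanout(SAMPLE_CONNECTIONS, known_mail_hosts={"192.0.2.10"})` against real `netstat -n` output with your ISP's mail server in `known_mail_hosts`; an empty result means no fan-out was seen.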

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Per step 1 of the READ & RUN ME, you must put your system into Normal Startup mode with MSconfig. Then I will need a new MGlogs.zip file which you can get by doing the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log:
    • C:\MGlogs.zip
     
