Help! junkmail from my computer! UGRENT

Killa_ken · 15 Nov 2006 at 13:38

Hey,

had a call about 5 minutes ago to say that theres been junkmail/spam being sent from our Internet account, they said its being bounced back to tech support and its been causing them problems all night.

they say if i dont fix it then our account will be suspended

im currently running AVG 7 and spybot search and destroy as well as Zonealarm professional and Adaware

i dont really know how to use AVG7 so what else would you guys recomend?

help

The_KiD · 15 Nov 2006 at 13:43

What email account do you use?

Raumarik · 15 Nov 2006 at 13:50

Run mcafee's stinger, it'll get rid of any of the 40-50 most common viruses:

http://download.nai.com/products/mcafee-avert/stng260.exe

RUN IT, REBOOT, then RUN IT AGAIN!

Next get a decent AV software installed and up to date, I use mcafee although it does slow down systems quite a bit. NOD is meant to be fairly good as is kapernasky (can never spell it!)

modo77 · 15 Nov 2006 at 14:01

Kami said:
Snip..
kaspersky

The_KiD · 15 Nov 2006 at 14:02

Firstly, Stinger is good, but it is only for a specifuc set of viruses, if you have you AV up to date and windows up to date with latest patches, then it is unlikely to find anything.

Secondly AVG 7 is great AV product and you have no need to change it, especially when running it alongside spybot & zonealarm.

Thirdly, I am guessing that what be happening is that your email domain is being spammed with viruses, but they are being rejected by the mail server which is then sending back "mail undeliverable" messages which is being seen as large amounts of spam.

Killa_ken · 15 Nov 2006 at 14:04

The_KiD said:
Firstly, Stinger is good, but it is only for a specifuc set of viruses, if you have you AV up to date and windows up to date with latest patches, then it is unlikely to find anything.

Secondly AVG 7 is great AV product and you have no need to change it, especially when running it alongside spybot & zonealarm.

Thirdly, I am guessing that what be happening is that your email domain is being spammed with viruses, but they are being rejected by the mail server which is then sending back "mail undeliverable" messages which is being seen as large amounts of spam.

ok great post

so how do i stop this, we really cant afford to have our account suspended especially as we just paid the $80 joining fee!

bitslice · 15 Nov 2006 at 14:05

whose tech support are we talking about ?
your companies ? your ISP ?

are they sure they are not just seeing someone fake your domain name ?

more info please
.

Killa_ken · 15 Nov 2006 at 14:07

bitslice said:
whose tech support are we talking about ?
your companies ? your ISP ?

are they sure they are not just seeing someone fake your domain name ?

more info please
.

its our ISPs tech support, they said its coming from our account, i was a little shocked to be honest. they guy just said run a virus scan and get it sorted basically.

bitslice · 15 Nov 2006 at 14:10

if running some more AV scanners doesn't fix it, then post your "hijack this" log, and we'll see if we can spot anything
http://www.spywareinfo.com/~merijn/programs.php

Podfather · 15 Nov 2006 at 14:15

Kapersky anyone?

Killa_ken · 15 Nov 2006 at 14:16

this is what i have:

Code:

Logfile of HijackThis v1.99.1
Scan saved at 10:14:56, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\SYSTEM32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\spoolsv.exe
e:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
E:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
e:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\AGRSMMSG.exe
E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\TomTom HOME\TomTomHOME.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
E:\Program Files\Logitech\QuickCam10\QuickCam10.exe
E:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
E:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
E:\Program Files\Logitech\QuickCam10\COCIManager.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\system32\svchost.exe
E:\Documents and Settings\Nishil1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - E:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] E:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "E:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "E:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "E:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] E:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [TomTomHOME.exe] "E:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "E:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "E:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] "E:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "E:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - e:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - E:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - E:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - e:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - E:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

Uhtred · 15 Nov 2006 at 14:17

how many computers share the connection...could anyone be using your wireless network?

Killa_ken · 15 Nov 2006 at 14:24

theres only 5 of my room mates that share the connection 3 are girls and they rarely use their computers and i have set a scheduled virus and spyware scan every friday on their laptops. My other room mate always cleans his computer as i always see it running. i asked him and he's also virus scanning his computer etc.

our wireless network is Wep secured and only certain mac addresses can use it

bitslice · 15 Nov 2006 at 14:25

thanks for the log,
nothing is standing out as trojan (unless I'm blind) :confused:

get the date and times of the spam from the ISP, and see if you can match it with someone using a PC.

check the activity lights of the router when each PC is booted in turn, and see if one causes it to go mad

does your router have a syslog function that you can use to log port usage

.

Poolybit · 15 Nov 2006 at 14:26

Killa_ken said:
our wireless network is Wep secured and only certain mac addresses can use it

Doesn't rule it out at all, does your router have a list of DHCP clients in it?

Killa_ken · 15 Nov 2006 at 14:28

Poolybit said:
Doesn't rule it out at all, does your router have a list of DHCP clients in it?

just had a look and cant find any?

Poolybit · 15 Nov 2006 at 14:29

Some do, some don't. See if the tech at your ISP will give you any more information..

Killa_ken · 15 Nov 2006 at 14:46

ok thanks guuys, just about to give them a ring!

Uhtred · 15 Nov 2006 at 15:32

they won't be able to tell you anything other than there have been emails coming from your IP.

One of the computers on the network must have a virus, if you look at all of them can you see and processes that are taking up an abnormal amount of CPU time?