Zombie PC?
KilJaeden
USA
I am positive that there is something on my computer sending out emails. I have ran ad-aware and it found nothing.
What can I do?
Comments
also, why do you think this?
I think mine has been zombied because I have been receiving mailer demons and whatnot. I haven't sent an email from my main account for a long time.
Get the latest virus defs for your virus scanner and run a full system scan to see what it comes up with. Try doing it in safe mode if you can.
Scan saved at 9:51:30 PM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Casual Use\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pittsburghpenguins.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pittsburghpenguins.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.pittsburghpenguins.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7bea8f78-98b7-4de4-87a2-f72e5d72a5c8} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/172a57c7a5756cd3cc00/netzip/RdxIE601.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37898.9919212963
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
I am going to let norton finish now.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pittsburghpenguins.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pittsburghpenguins.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.pittsburghpenguins.com
You are definitely going to want to get rid of those and change them to the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detroitredwings.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.detroitredwings.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.detroitredwings.com
O2 - BHO: (no name) - {7bea8f78-98b7-4de4-87a2-f72e5d72a5c8} - (no file)
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
That second one looks fishy to me. I'd make sure there isn't a file on your C: drive called "install.cab" - if there is, get rid of it.
Like I said, HJT, SpyBot, and AdAware are not antivirus programs. I see you have norton. I would make sure to update it to the latest defs and run a full system scan in safe mode.
On an unrelated note, you CAN get rid of the following to help improve performance:
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
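The three kinds of entry Dexter singles out above (a BHO whose DLL is gone, a DPF control pulled from a local file:// path, and Run entries that name an executable with no full path) are exactly what you scan a HijackThis log for by hand. The script below is an added example for this thread, not part of HijackThis or of any post here; it reads log lines in the format printed above and flags those three cases. The sample lines are constructed from the log in this thread, and the heuristics (a bare executable name is resolved via the search path at boot, so it deserves a second look) are my own, not a HijackThis rule.

```python
"""Triage a HijackThis log for the entry types discussed in the thread.

Added example, not from the original posts or from HijackThis itself. Flags:
  * O2 BHO entries whose file is missing ("(no file)"),
  * O16 DPF entries loaded from a local file:// path instead of a vendor site,
  * O4 Run entries that name an executable without a full path.
"""
import re

# Constructed sample in the exact line format HijackThis prints (from this thread).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: (no name) - {7bea8f78-98b7-4de4-87a2-f72e5d72a5c8} - (no file)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\\install.cab
"""

# "O2 - <body>", "R0 - <body>", ...; process-list and header lines do not match.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: .* - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")


def _exe_token(cmd: str) -> str:
    """Return the program from a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list:
    """Return (kind, reason, line) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2":
            b = BHO_RE.match(body)
            if b and b.group("path").strip().lower() == "(no file)":
                findings.append((kind, "BHO is registered but its DLL is missing", line))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = _exe_token(r.group("cmd"))
                # No drive letter and no backslash: resolved via the search path at boot.
                if "\\" not in exe and ":" not in exe:
                    findings.append((kind, "Run entry names %r without a full path" % exe, line))
        elif kind == "O16":
            d = DPF_RE.match(body)
            if d and d.group("url").lower().startswith("file://"):
                findings.append((kind, "DPF control loaded from a local file, not a vendor site", line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(kind, "-", reason)
        print("   ", line)
```

Run it against a full saved log (`triage(open("hijackthis.log").read())`) and review the hits by hand; a bare executable name in a Run entry is common for legitimate vendor software, so that class is a prompt to check the file, not a verdict.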
ha ha ha I am a pens fan and proud of it.
Dexter...
Off the top of my head I didn't see anything too suspicious. Some things possibly could be hardened but you're NAT'd so it's not as big of a deal.
Also it looks like you use "Hotmail", is that correct? And you had at least a couple of browser windows open when you ran the "netstat"?
In the past I've seen some workstations have SMTP (port 25) opened up on them so they become SPAM relays. That doesn't appear to be the case here.
If you're looking to provide further information, you could look to run an FPORT (foundstone.com) to map the systems processes to ports.
One last thing... You mention that you KNOW the system is sending out mail. I'm sure you covered this already and I missed it but how do you know? Sorry to have to ask.
Somebody that you know (somebody that has your email address in their address book) is infected with a virus that has a remailer, such as Netsky. When they send out their hundreds of emails to everybody else on their address book, they spoof their own email address using other addresses from their book (such as yours)... So when a mailserver gets an email to a dead address, and it is spoofed to look as if it's coming from you, you will get the rejection notice. Sounds like that's what is happening here.
Prime is dead on with this one... Here at the college we get numerous calls from faculty and staff saying the exact same thing.... "I received an e-mail stating that I sent so-and-so a message that contained a virus when I know I didn't even send them anything." Despite numerous messages from myself explaining how "forged headers" work with mass-mailing worms, we still get quite a few calls.
If all you are receiving is NDRs or other related type mail, then I'll bet 10-1 that's the culprit.
You can find some great information on mass-mailing worms at symantec's web site.
Dexter...
(Image edited to remove your e-mail address - Dexter...)
There's no easy cure for this, unless you can figure out which friend / relative / stranger has your address and the virus
You could set up an e-mail filter to send anything with "w32.netsky" in it directly to your trash folder, so that you don't have to deal with them as much.
Dexter...
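Prime's explanation of forged headers and Dexter's filter suggestion can both be checked mechanically: the bounce (NDR) usually carries the original message, and the Received: header that the receiving mail server stamped on it records the host that actually injected the message, regardless of what the worm put in From:. The script below is an added example for this thread, not code from any poster or vendor. The domain, the outbound server address, and both sample NDRs are constructed; the verdict logic (compare the first-hop IP against your own mail server) and the "w32.netsky" tag check are my own illustration of the idea.

```python
"""Classify bounce (NDR) messages as mass-mailer backscatter or genuine bounces.

Added example, not from the original thread. A mass-mailing worm on someone
else's PC forges the From: address, so the bounce lands on the forged sender.
The Received: header stamped by the first server to accept the original message
still records who really injected it; we compare that with our own mail server.
Domain, addresses and both sample messages are constructed for the example.
"""
import email
import re
from email import policy

OUR_DOMAIN = "example.com"          # assumption: the mailbox owner's domain
OUR_EGRESS_IPS = {"198.51.100.5"}   # assumption: our outbound mail server's address

# "from <helo-name> (<reverse-dns> [<ip>]) by ..." as written by the receiving server.
RECEIVED_RE = re.compile(r"^\s*from\s+(?P<name>[^\s(]+)(?:[^\[]*\[(?P<ip>[0-9.]+)\])?", re.I)
WORM_TAG_RE = re.compile(r"w32[./]?netsky", re.I)   # the tag Dexter's filter keys on

# Constructed NDR: the attached original was injected from an unrelated dial-up host.
BACKSCATTER_NDR = """\
From: Mail Delivery System <MAILER-DAEMON@mx.other.example>
To: kiljaeden@example.com
Subject: Undelivered Mail Returned to Sender [Virus detected: W32.Netsky.B@mm]
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered to: nobody@dead.example
--b1
Content-Type: message/rfc822

Received: from oemcomputer (pc-12-34.dialup.isp.example [192.0.2.44])
    by mx.other.example with SMTP; Thu, 10 Jun 2004 21:40:00 -0400
From: kiljaeden@example.com
To: nobody@dead.example
Subject: Re: Hello

See the attached file for details.
--b1--
"""

# Constructed NDR for a message that really went out through our own server.
GENUINE_NDR = BACKSCATTER_NDR.replace(
    "from oemcomputer (pc-12-34.dialup.isp.example [192.0.2.44])",
    "from mail.example.com (mail.example.com [198.51.100.5])",
).replace(" [Virus detected: W32.Netsky.B@mm]", "")


def embedded_original(ndr):
    """Return the original message attached to the NDR (message/rfc822 part), or None."""
    for part in ndr.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()
            return payload[0] if payload else None
    return None


def first_hop(original):
    """(helo-name, ip) from the bottom-most Received: header, i.e. the first server
    to accept the message. The bracketed IP is that server's own view of the
    connection, so it is far harder to forge than the HELO name or the From: line."""
    received = original.get_all("Received", [])
    if not received:
        return None, None
    m = RECEIVED_RE.match(str(received[-1]))
    if not m:
        return None, None
    return m.group("name").lower(), m.group("ip")


def injected_by_us(name, ip):
    """Prefer the server-recorded IP; fall back to the claimed name only if there is none."""
    if ip is not None:
        return ip in OUR_EGRESS_IPS
    return name is not None and (name == OUR_DOMAIN or name.endswith("." + OUR_DOMAIN))


def classify_bounce(raw):
    """Verdict is 'backscatter', 'genuine-bounce', or 'unknown' (no original attached)."""
    ndr = email.message_from_string(raw, policy=policy.default)
    result = {"injected_at": None, "worm_tag": bool(WORM_TAG_RE.search(raw)), "verdict": "unknown"}
    original = embedded_original(ndr)
    if original is None:
        return result
    name, ip = first_hop(original)
    result["injected_at"] = ip or name
    if name is None and ip is None:
        return result
    result["verdict"] = "genuine-bounce" if injected_by_us(name, ip) else "backscatter"
    return result


def should_discard(raw):
    """Dexter's filter rule, plus the header check: drop the bounce when the
    original was injected elsewhere or when a scanner tagged it as Netsky."""
    r = classify_bounce(raw)
    return r["verdict"] == "backscatter" or r["worm_tag"]


if __name__ == "__main__":
    for label, sample in (("backscatter", BACKSCATTER_NDR), ("genuine", GENUINE_NDR)):
        print(label, classify_bounce(sample), "discard:", should_discard(sample))
```

Note that the bottom-most Received: line is only trustworthy when it was written by a server you trust; a sender can prepend fake Received: lines of its own, which is why the code prefers the bracketed IP over the HELO name and why an NDR with no attached original gets "unknown" rather than a guess.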
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b@mm.removal.tool.html Hoping that's the right one.
By the way. This thread is awesome, it's got the flaming red folder (Thread popularity icon) which is pretty cool. And if you run a virus scan on your system, it'll only be able to quarantine the viruses. But you can possibly get up to 200-1000 of these punks tracked by your virus scan. I don't know if this is how it usually works, but it's how it proceeded on my system.