Finding a possible SPAM sender

  • This topic is locked
11 replies to this topic

#1 Michanek



  • Full Member
  • 7 posts

Posted 16 September 2005 - 03:39 AM

This is my first post. I've read the FAQ.

I'm not sure where to post this, since it's not a browser hijack or spyware problem. I have received reports, both automated and private, that my computer may be sending out SPAM email without my knowledge, I guess due to an infection by some trojan or similar. I wish to know how to check for such an infection. I've already made a number of scans (see below).

The computer is an old PC with Windows NT 4.0 SP6a, Internet Explorer 5.5 SP1, Outlook Express 5.5. At this time, I don't wish to upgrade the OS or IE, since I also have a modern XP computer with good security that will eventually replace the old computer. I have run Windows Update to install all possible updates, but some of them just won't install.

I consider myself a "power user". I have the following software installed and updated, and have used them to scan the entire computer:
* F-Secure anti-virus
* Ad-Aware SE Professional 1.06
* Spyware Blaster 3.3
* Spybot Search & Destroy 1.3
I've also run HijackThis, but I'm not sure it'll be useful for finding SPAM-sending software?
I do not have a firewall to this computer (my XP machine has).

I understand that my old computer should be upgraded, but I first of all wish to know if you could help me find out *if* I in fact have been infected by a SPAM-sending virus. I would appreciate if you could respect this wish and don't tell me to "just upgrade" or "get a firewall".

Thanks in advance,

#2 Michanek



  • Full Member
  • 7 posts

Posted 18 September 2005 - 02:55 AM

Maybe a HJT log will help me get a reply:

Logfile of HijackThis v1.99.1
Scan saved at 13:03:20, on 2005-09-17
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\Program Files\F-Secure\Common\FSM32.EXE
D:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
F:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
F:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Outlook Express\msimn.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (disabled by BHODemon)
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [CreateCD50] "D:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [DLPSP] "f:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .exe: C:\Program Files\Netscape\Program\PLUGINS\npaudio.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {F5078F19-C551-11D3-89B9-0000F81FE221} (XML Parser) - http://www.bayes.co....lcab/msxml3.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = comhem.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = comhem.se
O23 - Service: Diskeeper - Unknown owner - c:\program files\Diskeeper\DKSERVICE.EXE
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - f:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - f:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: HPAlert - Hewlett-Packard Corp. - f:\PROGRA~1\DMI\Win32\Bin\HPALERT.EXE
O23 - Service: HPComponent - Hewlett-Packard Corp. - f:\PROGRA~1\DMI\Win32\Bin\HPAUTOM.EXE
O23 - Service: HPLaunch - Hewlett-Packard Corp. - f:\PROGRA~1\DMI\Win32\Bin\HPLaunch.exe
O23 - Service: QuickAccess - Unknown owner - D:\WINNT\system32\mgahk.exe
O23 - Service: WIN32SL - Unknown owner - f:\PROGRA~1\DMI\Win32\Bin\WIN32SL.EXE

#3 jw50


    Forum Deity

  • Retired Staff
  • 18,969 posts

Posted 21 September 2005 - 02:06 PM

Hi Michanek,

There isn't anything in your log that looks bad. NT does limit the tools that we can use to look for bad files that don't show in a HijackThis log.

Let's try a few tools and see what they find, assuming that they will run on your system.

Please download SilentRunners from here:
http://www.silentrun...ent Runners.vbs
Save it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

Please download this file:
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Copy and paste the log file here.

Download rkfiles.zip
Unzip the contents to a permanent folder.

Reboot in Safe mode.

Double-click rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply.

The quickest way to find out if you have something that is sending e-mails from your system is to download and install the free version of ZoneAlarm (you can uninstall it once it has told you what on your computer is trying to access the internet). You can download it from:


If you do have something that is sending spam then ZoneAlarm can block it until we are able to remove it.
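The firewall suggestion above boils down to one check: which local process is opening outbound SMTP connections, and to how many different servers. The script below is an added example (not from this thread, not part of ZoneAlarm or any other tool named here) that applies that check to a constructed connection log. The log format, every line in it, the process name `example_bot.exe`, and the fan-out threshold are assumptions made for the example; `msimn.exe` is the Outlook Express binary that appears in the HijackThis log above and is treated as the only process allowed to talk SMTP.

```python
"""Flag outbound SMTP connections made by anything other than the mail client.

Added example. A host firewall shows which local process opens which outbound
connection; this script applies the same reasoning to a text log of such
events. The log format and all of its lines are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed log, one connection per line: "<time> <process> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
13:03:20 msimn.exe 10.0.0.25:25
13:03:22 IEXPLORE.EXE 203.0.113.10:80
13:03:25 example_bot.exe 198.51.100.7:25
13:03:25 example_bot.exe 198.51.100.8:25
13:03:26 example_bot.exe 198.51.100.9:25
13:03:27 example_bot.exe 198.51.100.10:25
13:03:30 FSM32.EXE 192.0.2.50:443
"""

SMTP_PORTS = {25, 465, 587}            # SMTP, SMTPS, submission
MAIL_CLIENTS = {"msimn.exe"}           # Outlook Express; the only expected SMTP talker
FANOUT_THRESHOLD = 3                   # assumption: this many distinct SMTP servers is bot-like

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_line(line):
    """Return (time, process, dst_ip, dst_port) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, ip, port = m.groups()
    return ts, proc, ip, int(port)


def find_smtp_alerts(log_text, mail_clients=MAIL_CLIENTS, threshold=FANOUT_THRESHOLD):
    """Return (unexpected, fanout).

    unexpected: SMTP connections from processes that are not a known mail client.
    fanout: {process: sorted list of distinct SMTP destination IPs} for processes
            that contacted at least `threshold` different SMTP servers, which is
            how a spam bot looks and how a normal client (one smarthost) does not.
    """
    allowed = {c.lower() for c in mail_clients}
    unexpected = []
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proc, ip, port = rec
        if port not in SMTP_PORTS:
            continue
        destinations[proc].add(ip)
        if proc.lower() not in allowed:
            unexpected.append((ts, proc, ip, port))
    fanout = {p: sorted(ips) for p, ips in destinations.items() if len(ips) >= threshold}
    return unexpected, fanout


if __name__ == "__main__":
    unexpected, fanout = find_smtp_alerts(SAMPLE_LOG)
    for ts, proc, ip, port in unexpected:
        print(f"{ts} unexpected SMTP: {proc} -> {ip}:{port}")
    for proc, ips in fanout.items():
        print(f"{proc} contacted {len(ips)} distinct SMTP servers: {', '.join(ips)}")
```

The fan-out rule is the more useful of the two: a legitimate mail client sends everything through one or two configured servers, while a spam engine delivers directly to many recipients' MX hosts, so many distinct port-25 destinations from one process in a short window is the signal worth alerting on.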

#4 Michanek



  • Full Member
  • 7 posts

Posted 24 September 2005 - 08:30 AM

Thanks for your reply. My computer is old and has a peculiar setup in some regards, so I will give some extra info on the steps I performed, in case they could be significant. I normally work logged in with a user account without admin. privileges, and have to log in as admin. to perform certain installations etc. For some reason, I'm not able to give the user account admin. privileges...

Running SilentRunners prompted me to install WMI, Windows Management Instrumentation. I was transferred to the Microsoft download page for
WMI for Windows NT 4.0. I was told WMI was only available for "genuine Windows systems" and was forced to "validate" my Windows installation by allowing some Microsoft software to run (an ActiveX control I think). After that, I downloaded "wmint4.exe" and logged in as admin. to install WMI in
Winnt\system32\Vbem. I was prompted to reboot and did so.

I was then able to run SilentRunners. It gave a dialog asking if it should run supplementary searches, but then continued on its own. The created log file is included below.

I then ran RootkitRevealer (as admin.). During the scan, I received a message from SKUFZEQGQ.exe that a file is corrupt, please run Chkdsk (I did not do that).
When the scan was complete, I saved it, after which SKUFZEQGQ.exe crashed...
The log file seems to be saved OK, but it's no less than 4 Megabytes in size... It seems to list every single file, including all my personal documents, mail files, favorites, cookies, temporary internet files, etc. Do you really wish to go through this, or could I extract what lines may be of interest?

Regarding running rkfiles, I must admit I've never rebooted this computer into safe mode before. I tried using F8 during the entire boot process, but was never able to get into safe mode. I used F2 to enter BIOS setup, but found nothing about safe mode there. So I haven't run rkfiles.bat.

I also tried to install ZoneAlarm, but the installer told me that Windows NT was not a supported OS...

Thank you for any further advice.

#5 Michanek



  • Full Member
  • 7 posts

Posted 24 September 2005 - 08:33 AM

Sorry, forgot the SilentRunners log:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows NT 4.0
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"F-Secure Manager" = ""C:\Program Files\F-Secure\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"CreateCD50" = ""D:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"SystemTray" = "SysTray.Exe" [MS]
"DLPSP" = ""f:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"" ["Dell Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\(Default) = "Microsoft NetMeeting 2.1"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection D:\WINNT\INF\msnetmtg.inf,NetMtg.Remove.PerUser.NT" [MS]
{44BBA844-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Chat 2.1"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection D:\WINNT\INF\CChat21.inf,PerUserRemove" [MS]
{58A00AC3-777B-11CF-827D-0020AFF5FF72}\(Default) = "VDOLive Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection D:\WINNT\INF\vdolive.inf,PerUserRemove" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "__BHODemonDisabled" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINDOW~1\WINDOW~1\mlshext.dll" [file not found]
"{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "E:\Zip\WinZip\wzshlext.dll" [null data]
"{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "E:\Zip\WinZip\wzshlext.dll" [null data]
"{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "E:\Zip\WinZip\wzshlext.dll" [null data]
"{D76FDCA0-592A-11D0-B7FD-00C04FD706EC}" = "BMP Thumbnail Extractor"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\System32\thumbvw.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSOffice\Office\olkfstub.dll" [MS]
"{cd414060-282d-11d1-804c-0020af224e6e}" = "Profiles Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Eicon\DIVA Terminal Adapters\PRFSHELL.DLL" [file not found]
"{5e261720-22b3-11d1-804c-0020af224e6e}" = "ELM Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Eicon\DIVA Terminal Adapters\ELMSHELL.DLL" [file not found]
"{13709620-C279-11CE-A49E-444553540000}" = "Shell Automation Service"
-> {CLSID}\InProcServer32\(Default) = "shdocvw.dll" [MS]
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}" = "Shell Automation Folder View"
-> {CLSID}\InProcServer32\(Default) = "shdocvw.dll" [MS]
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}" = "Microsoft SendTo Service"
-> {CLSID}\InProcServer32\(Default) = "shdocvw.dll" [MS]
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}" = "Microsoft New Object Service"
-> {CLSID}\InProcServer32\(Default) = "shdocvw.dll" [MS]
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}" = "Start Menu DeskBar"
-> {CLSID}\InProcServer32\(Default) = "shdocvw.dll" [MS]
"{57651662-CE3E-11D0-8D77-00C04FC99D61}" = "CmdFileIcon"
-> {CLSID}\InProcServer32\(Default) = "shdocvw.dll" [MS]
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}" = "MIME File Types Hook"
-> {CLSID}\InProcServer32\(Default) = "url.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "F:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]

INFECTION WARNING! "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = "URL Exec Hook" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "url.dll" [MS]

WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "E:\Zip\WinZip\wzshlext.dll" [null data]

WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "E:\Zip\WinZip\wzshlext.dll" [null data]

WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "E:\Zip\WinZip\wzshlext.dll" [null data]

System Policies [Description]:

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
HIJACK WARNING! "HomePage"=dword:00000001
[disables the Home page field in Internet Options|General (tab)]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:

Startup items in "tmi" & "All Users" startup folders:

D:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "F:\Program Files\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
%SystemRoot%\system32\msafd.dll [MS], 1 - 9

Running Services (Display Name, Service Name, Path {Service DLL}):

Dell Printer Status Database, DLSDB, "f:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE" ["Dell Inc."]
Dell Printer Status Watcher, DLPWD, "f:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE" ["Dell Inc."]
Diskeeper, Diskeeper, ""c:\program files\Diskeeper\DKSERVICE.EXE"" [null data]
F-Secure Gatekeeper Handler Starter, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe"" ["F-Secure Corp."]
F-Secure Management Agent, FSMA, ""C:\Program Files\F-Secure\Common\FSMA32.EXE"" ["F-Secure Corporation"]
F-Secure Network Request Broker, F-Secure Network Request Broker, ""C:\Program Files\F-Secure\Common\FNRB32.EXE"" ["F-Secure Corporation"]
HPAlert, HPAlert, "f:\PROGRA~1\DMI\Win32\Bin\HPALERT.EXE" ["Hewlett-Packard Corp."]
HPComponent, HPComponent, "f:\PROGRA~1\DMI\Win32\Bin\HPAUTOM.EXE" ["Hewlett-Packard Corp."]
HPLaunch, HPLaunch, "f:\PROGRA~1\DMI\Win32\Bin\HPLaunch.exe" ["Hewlett-Packard Corp."]
QuickAccess, QuickAccess, "D:\WINNT\system32\mgahk.exe" [null data]
WIN32SL, WIN32SL, "f:\PROGRA~1\DMI\Win32\Bin\WIN32SL.EXE" [empty string]

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 160 seconds, including 18 seconds for message boxes)

#6 jw50


    Forum Deity

  • Retired Staff
  • 18,969 posts

Posted 24 September 2005 - 01:17 PM

Hi Michanek,

Go ahead and edit out the RootkitRevealer entries that you know are good entries.

Please do a search for SKUFZEQGQ.exe and see if you can find it. If you can would you please submit it to this online scanner?


And post the log from the online scan.

Apparently there is no "Safe mode" in NT4, it is called VGA mode.

Reboot the computer.

Choose Windows NT 4.00 [VGA mode] when you see the message Please select the operating system to start....

Press Enter.

#7 Michanek



  • Full Member
  • 7 posts

Posted 24 September 2005 - 04:20 PM

> Go ahead and edit out the RootkitRevealer entries that you know are good entries.

And what constitutes a "good entry"? There are literally thousands of files listed, all of them seemingly saying "Hidden from Windows API." Even if I were to delete all entries for my personal files, the log will still be megabytes.

Regarding SKUFZEQGQ.exe, it's apparently a temporary copy of RootkitRevealer.exe. The online scanner says:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

But it says the same for RootkitRevealer.exe.

I rebooted into VGA mode and ran rkfiles.bat. The log file contains only this:
ECHO is off.

Now what?

#8 jw50


    Forum Deity

  • Retired Staff
  • 18,969 posts

Posted 24 September 2005 - 05:02 PM

Hi Thomas,

Sygate Personal Firewall will run on NT 4.0, you can download it from here:


Don't worry about the RootkitRevealer log, it sounds like it doesn't like NT4.

Let's try some online scans and see if they find anything bad:

Housecall<<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan<<<Accept default settings
eTrust Antivirus Web Scan<<<'Cure' whatever is found, then delete if unsuccessful

Hopefully at least one of them will run on NT4.

#9 Michanek



  • Full Member
  • 7 posts

Posted 25 September 2005 - 10:56 AM

> Let's try some online scans and see if they find anything bad:
> Housecall<<<Put on 'Autoclean' and delete what it can't clean.

I couldn't find any Autoclean option, but selected a "Complete scan". During the scan, a Housecall message popped up all the time:
"Trend ActiveUpdate did not update succesfully. Error code: 24
ActiveUpdate was unable to unzip the downloaded patch packages. The zip file may be corrupted. Do you want to retry?"
The scan didn't progress past 99%, and when I finally Cancelled the message, IE with all open windows crashed hard! Housecall left a trainload of folders and files behind in the system folder, so I had to spend some time cleaning that mess up...

> Panda ActiveScan<<<Accept default settings

The ActiveScan requires an 8 MB ActiveX download, which takes forever and is aborted every time I try. (I have an 8 Mbit broadband connection)

> eTrust Antivirus Web Scan<<<'Cure' whatever is found, then delete if unsuccessful

Finally, this one ran without problems:
Scan Results: Scan Completed. 30224 files scanned. No viruses found.

BTW, what about that rkfiles log?

Any more ideas, or should I believe my system is "clean"?

#10 jw50


    Forum Deity

  • Retired Staff
  • 18,969 posts

Posted 25 September 2005 - 01:27 PM

Hi Thomas,

rkfiles didn't find anything.

The virus scans have a much better chance of finding anything that is sending spam than the other tools do, so I think that if F-Secure and eTrust both don't find anything then you are most likely clean. Especially if you install a software firewall and it doesn't report anything suspicious trying to access the internet.

#11 Michanek



  • Full Member
  • 7 posts

Posted 25 September 2005 - 01:47 PM

Thanks a lot for your help and time!

I suspect that the people who have contacted me about sending SPAM are simply looking at forged From or Received headers. But I will consider adding a firewall too.

I regard this thread as closed now :-)
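The forged-header suspicion in the post above is the usual explanation for spam complaints that name a machine which never sent anything, and there is a simple way to check it. Each mail server prepends its own Received: header, so the ones at the top were written by servers the recipient controls and can be trusted, while everything below the first hop written by an outside host was supplied by the sender and may be invented. The script below is an added example (not from this thread) that walks that chain; the sample message, the hostnames, the IP addresses and the set of trusted hops are all constructed for the example.

```python
"""Find the last verifiable source of a message by walking its Received: chain.

Added example. Received headers are read top-down (most recent hop first).
As long as the "by" host is one we operate, the "from [ip]" in that header
is a fact observed by our own server; the first header written by a host we
do not control marks the point past which everything can be forged.
The message and the trusted host list below are constructed for the example.
"""
import re
from email import message_from_string

# Constructed: the hosts the recipient's mail admin actually runs.
TRUSTED_HOSTS = {"mx.recipient.example", "relay.isp.example"}

# Constructed sample: the real sender (198.51.100.77) claims the mail came from
# an innocent third machine, "claimed-origin.example", in a header it wrote itself.
SAMPLE_MESSAGE = """\
Received: from relay.isp.example (relay.isp.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id A1; Sat, 17 Sep 2005 13:03:20 +0000
Received: from mail.example.net (unknown [198.51.100.77])
\tby relay.isp.example with SMTP id B2; Sat, 17 Sep 2005 13:03:10 +0000
Received: from claimed-origin.example (claimed-origin [10.0.0.5])
\tby mail.example.net with SMTP id C3; Sat, 17 Sep 2005 13:02:00 +0000
From: someone@example.net
To: you@recipient.example
Subject: test

body
"""

HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_message):
    """Return hops top-down as (claimed_from, connecting_ip, by_host) tuples."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received") or []:
        flat = " ".join(header.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        claimed, paren, by_host = m.groups()
        ip_match = IP_RE.search(paren or "")
        hops.append((claimed, ip_match.group(1) if ip_match else None, by_host.rstrip(";")))
    return hops


def last_verifiable_source(raw_message, trusted=TRUSTED_HOSTS):
    """Return (source_ip, unverifiable_hops).

    source_ip is the address that connected to the last trusted server, i.e.
    the furthest point back that can be attributed with confidence;
    unverifiable_hops are the remaining headers, which only the sender vouches for.
    """
    hops = parse_hops(raw_message)
    source = None
    for i, (claimed, ip, by_host) in enumerate(hops):
        if by_host.lower() not in trusted:
            return source, hops[i:]
        source = ip
    return source, []


if __name__ == "__main__":
    source, unverifiable = last_verifiable_source(SAMPLE_MESSAGE)
    print("last verifiable source:", source)
    for claimed, ip, by_host in unverifiable:
        print(f"unverifiable: claims from {claimed} [{ip}] by {by_host}")
```

Run on the sample, the attributable source is 198.51.100.77, the machine that actually connected to the ISP relay; the header naming `claimed-origin.example` was written by that same untrusted host and proves nothing about it. An abuse report should be aimed at the last verifiable IP, not at whatever name appears in the bottom header or in From:.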

#12 jw50


    Forum Deity

  • Retired Staff
  • 18,969 posts

Posted 25 September 2005 - 02:16 PM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Member of UNITE