Hijack This log help?

July 17, 2012 9:41:42 PM

My VM is sending the following fraudulent messages:

Received: by blacklist.woody.ch Spamtrap. Please stand by for parsing this Header
From info@maisontofani.com Tue Jul 10 22:36:27 2012
Return-Path:
Received: from Perfetto3 (unknown.ord.scnet.net [204.93.168.13] (may be forged) Port:27342) by gintonic.woody.ch (8.14.3/8.14.3/blacklist.woody.ch Spamtrap) with ESMTP id q6AKaNhh011774 for ; Tue, 10 Jul 2012 22:36:25 +0200
Received: from User (ip609.vpzzo.net [178.33.252.86]) by Perfetto3 with SMTP;
Tue, 10 Jul 2012 13:29:58 -0700
From: "Loteria"
Subject: Sie haben gewonnen
Date: Tue, 10 Jul 2012 20:30:03 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_007D_01C2A9A6.72D6814A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

==================== BODY =============================
http://blacklist.woody.ch/rblevidence.php?id=18309066
=======================================================

==================== HEADER ===========================
Received: by blacklist.woody.ch Spamtrap. Please stand by for parsing this Header
From info@maisontofani.com Tue Jul 10 22:36:26 2012
Return-Path:
Received: from Perfetto3 (unknown.ord.scnet.net [204.93.168.13] (may be forged) Port:27598) by gintonic.woody.ch (8.14.3/8.14.3/blacklist.woody.ch Spamtrap) with ESMTP id q6AKaN5N011775 for ; Tue, 10 Jul 2012 22:36:25 +0200
Received: from User (ip609.vpzzo.net [178.33.252.86]) by Perfetto3 with SMTP;
Tue, 10 Jul 2012 13:33:23 -0700
From: "Loteria"
Subject: Sie haben gewonnen
Date: Tue, 10 Jul 2012 20:33:27 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00B0_01C2A9A6.6AEE70A8"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

==================== BODY =============================
http://blacklist.woody.ch/rblevidence.php?id=18309065
=======================================================

==================== HEADER ===========================
Received: by blacklist.woody.ch Spamtrap. Please stand by for parsing this Header
From info@maisontofani.com Tue Jul 10 22:40:06 2012
Return-Path:
Received: from Perfetto3 (unknown.ord.scnet.net [204.93.168.13] (may be forged) Port:43475) by gintonic.woody.ch (8.14.3/8.14.3/blacklist.woody.ch Spamtrap) with ESMTP id q6AKe365011896 for ; Tue, 10 Jul 2012 22:40:04 +0200
Received: from User (ip609.vpzzo.net [178.33.252.86]) by Perfetto3 with SMTP;
Tue, 10 Jul 2012 13:35:14 -0700
From: "Loteria"
Subject: Sie haben gewonnen
Date: Tue, 10 Jul 2012 20:35:18 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_010C_01C2A9A6.71E895E8"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

==================== BODY =============================
http://blacklist.woody.ch/rblevidence.php?id=18309110
=======================================================

I don't know why.

Can anybody guide me with this log file?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:51:29 PM, on 7/17/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\SysWOW64\inetsrv\w3wp.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O4 - HKLM\..\RunOnce: [Zoom Downloader Uninstall] cmd /C rd /Q /S "C:\Program Files (x86)\Zoom Downloader"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://www.freetrialdownload.com
O15 - ESC Trusted Zone: http://partner.googleadservices.com
O15 - ESC Trusted Zone: http://download.hmailserver.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{802BA47D-C521-459F-ADE2-12B1D43B6EA9}: NameServer = 8.8.8.8
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: DotNetPanel Virtual Machine Configuration Service (DNPVmConfig) - SMB SAAS Systems Inc - C:\Program Files (x86)\Websitepanel\VmConfig\DNP.VmConfig.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SmarterMail Service (MailService) - Unknown owner - C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: SmarterMail Web Server (SMWebSvr) - SmarterTools Inc - C:\Program Files (x86)\SmarterTools\SmarterMail\Web Server\SMWebSvr.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-101 (vmicheartbeat) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-201 (vmickvpexchange) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-301 (vmicshutdown) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-401 (vmictimesync) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-501 (vmicvss) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-20001 (WMSvc) - Unknown owner - C:\Windows\system32\inetsrv\wmsvc.exe (file missing)

--
End of file - 4625 bytes
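The Received chain in the spamtrap report above, parsed as an added example (this code is not part of the thread): each relay prepends its own Received header, so the chain is read bottom-up, and the hop "from User [178.33.252.86] by Perfetto3 with SMTP" is the one showing the VM accepting the message from an outside address and forwarding it. The hostname Perfetto3 and the address 204.93.168.13 are assumed here to be the poster's own server, as the report attributes them.

```python
import re
from dataclasses import dataclass

# Sample input: the first spamtrap report quoted in the post above; the folded date
# line is re-indented as RFC 5322 requires (the forum extraction dropped the indent).
SAMPLE_HEADERS = """\
Received: by blacklist.woody.ch Spamtrap. Please stand by for parsing this Header
Received: from Perfetto3 (unknown.ord.scnet.net [204.93.168.13] (may be forged) Port:27342) by gintonic.woody.ch (8.14.3/8.14.3/blacklist.woody.ch Spamtrap) with ESMTP id q6AKaNhh011774 for ; Tue, 10 Jul 2012 22:36:25 +0200
Received: from User (ip609.vpzzo.net [178.33.252.86]) by Perfetto3 with SMTP;
    Tue, 10 Jul 2012 13:29:58 -0700
From: "Loteria"
Subject: Sie haben gewonnen
"""

@dataclass
class Hop:
    helo: str   # name the sender announced in HELO/EHLO; freely forgeable
    ip: str     # address the receiving server actually saw; not forgeable by the sender
    by: str     # server that wrote this Received line
    proto: str  # SMTP or ESMTP as recorded by that server

# One "from <helo> (<rdns> [<ip>] ...) by <host> ... with <proto>" clause.
HOP_RE = re.compile(
    r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\)\s+by\s+(\S+)"
    r"(?:.*?with\s+([A-Za-z]+))?", re.S)

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1].isspace() and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line)
    return lines

def relay_chain(raw):
    """Hops in delivery order, earliest first. Each relay prepends its own Received
    header, so the lowest one is the origin; the trap's own note has no 'from'."""
    hops = []
    for header in unfold(raw):
        m = HOP_RE.search(header) if header.lower().startswith("received:") else None
        if m:
            helo, ip, by, proto = m.groups()
            hops.append(Hop(helo, ip, by, proto or "?"))
    return hops[::-1]

def relayed_from_outside(chain, own_hosts, own_ips):
    """Hops where one of our servers accepted mail from an address that is not ours:
    evidence that the server relayed the message, not that its name was spoofed."""
    return [h for h in chain if h.by in own_hosts and h.ip not in own_ips]
```

Run `relay_chain(SAMPLE_HEADERS)` and pass the result to `relayed_from_outside` with your own hostnames and addresses; a non-empty result means your server accepted and forwarded the message, which is what the hosting company is reacting to.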

July 18, 2012 4:05:51 AM


Hello and welcome to Tom's Hardware Forums.

Doesn't look like a fake message to me - just advice that a Spam message from some German source has been blocked.

I've never seen an HJT log like yours with so many entries missing and I've analysed thousands. Run it again and this time, right click the .exe file and go to Run As Administrator. Post back the resulting log.


July 18, 2012 5:02:33 AM

I don't know whether the German source has been blocked or not, but my hosting company is assuming that I am sending these messages from my VM server, although I am not sending them.

There might be some malicious software doing this on my PC.

I recreated the following HJT log using the Run as Administrator option.

Waiting for your feedback.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:56:26 PM, on 7/17/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\SysWOW64\inetsrv\w3wp.exe
C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://www.freetrialdownload.com
O15 - ESC Trusted Zone: http://partner.googleadservices.com
O15 - ESC Trusted Zone: http://download.hmailserver.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{802BA47D-C521-459F-ADE2-12B1D43B6EA9}: NameServer = 8.8.8.8
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: DotNetPanel Virtual Machine Configuration Service (DNPVmConfig) - SMB SAAS Systems Inc - C:\Program Files (x86)\Websitepanel\VmConfig\DNP.VmConfig.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SmarterMail Service (MailService) - Unknown owner - C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: SmarterMail Web Server (SMWebSvr) - SmarterTools Inc - C:\Program Files (x86)\SmarterTools\SmarterMail\Web Server\SMWebSvr.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-101 (vmicheartbeat) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-201 (vmickvpexchange) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-301 (vmicshutdown) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-401 (vmictimesync) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-501 (vmicvss) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-20001 (WMSvc) - Unknown owner - C:\Windows\system32\inetsrv\wmsvc.exe (file missing)

--
End of file - 4586 bytes
July 18, 2012 7:12:08 AM



Again, I'm seeing only a fraction of what would normally appear in a log, even in a VM environment. You have only three Processes running, nothing automatically starting at StartUp and a Winsock entry I would expect to see in your circumstances is also missing.

I clicked on the third link in the O15 entries - the hmailserver one - and got a German language access denied message, so I suggest you tick to delete that one, then restart and scan again to see if that one is then missing.


July 18, 2012 3:49:23 PM

I have removed the following entries:

O15 entries - the hmailserver one
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing), as there was no program.exe file on my PC

Now let's see if it works.

Thanks for your help!