Hijack This log help?

My VM is sending the following fraudulent messages

Received: by blacklist.woody.ch Spamtrap. Please stand by for parsing this Header
From info@maisontofani.com Tue Jul 10 22:36:27 2012
Return-Path:
Received: from Perfetto3 (unknown.ord.scnet.net [204.93.168.13] (may be forged) Port:27342) by gintonic.woody.ch (8.14.3/8.14.3/blacklist.woody.ch Spamtrap) with ESMTP id q6AKaNhh011774 for ; Tue, 10 Jul 2012 22:36:25 +0200
Received: from User (ip609.vpzzo.net [178.33.252.86]) by Perfetto3 with SMTP;
Tue, 10 Jul 2012 13:29:58 -0700
From: "Loteria"
Subject: Sie haben gewonnen
Date: Tue, 10 Jul 2012 20:30:03 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_007D_01C2A9A6.72D6814A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

==================== BODY =============================
http://blacklist.woody.ch/rblevidence.php?id=18309066
=======================================================

==================== HEADER ===========================
Received: by blacklist.woody.ch Spamtrap. Please stand by for parsing this Header
From info@maisontofani.com Tue Jul 10 22:36:26 2012
Return-Path:
Received: from Perfetto3 (unknown.ord.scnet.net [204.93.168.13] (may be forged) Port:27598) by gintonic.woody.ch (8.14.3/8.14.3/blacklist.woody.ch Spamtrap) with ESMTP id q6AKaN5N011775 for ; Tue, 10 Jul 2012 22:36:25 +0200
Received: from User (ip609.vpzzo.net [178.33.252.86]) by Perfetto3 with SMTP;
Tue, 10 Jul 2012 13:33:23 -0700
From: "Loteria"
Subject: Sie haben gewonnen
Date: Tue, 10 Jul 2012 20:33:27 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00B0_01C2A9A6.6AEE70A8"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

==================== BODY =============================
http://blacklist.woody.ch/rblevidence.php?id=18309065
=======================================================

==================== HEADER ===========================
Received: by blacklist.woody.ch Spamtrap. Please stand by for parsing this Header
From info@maisontofani.com Tue Jul 10 22:40:06 2012
Return-Path:
Received: from Perfetto3 (unknown.ord.scnet.net [204.93.168.13] (may be forged) Port:43475) by gintonic.woody.ch (8.14.3/8.14.3/blacklist.woody.ch Spamtrap) with ESMTP id q6AKe365011896 for ; Tue, 10 Jul 2012 22:40:04 +0200
Received: from User (ip609.vpzzo.net [178.33.252.86]) by Perfetto3 with SMTP;
Tue, 10 Jul 2012 13:35:14 -0700
From: "Loteria"
Subject: Sie haben gewonnen
Date: Tue, 10 Jul 2012 20:35:18 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_010C_01C2A9A6.71E895E8"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

==================== BODY =============================
http://blacklist.woody.ch/rblevidence.php?id=18309110
=======================================================

I don't know why.

Can anybody guide me with this log file?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:51:29 PM, on 7/17/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\SysWOW64\inetsrv\w3wp.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O4 - HKLM\..\RunOnce: [Zoom Downloader Uninstall] cmd /C rd /Q /S "C:\Program Files (x86)\Zoom Downloader"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://www.freetrialdownload.com
O15 - ESC Trusted Zone: http://partner.googleadservices.com
O15 - ESC Trusted Zone: http://download.hmailserver.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{802BA47D-C521-459F-ADE2-12B1D43B6EA9}: NameServer = 8.8.8.8
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: DotNetPanel Virtual Machine Configuration Service (DNPVmConfig) - SMB SAAS Systems Inc - C:\Program Files (x86)\Websitepanel\VmConfig\DNP.VmConfig.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SmarterMail Service (MailService) - Unknown owner - C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: SmarterMail Web Server (SMWebSvr) - SmarterTools Inc - C:\Program Files (x86)\SmarterTools\SmarterMail\Web Server\SMWebSvr.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-101 (vmicheartbeat) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-201 (vmickvpexchange) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-301 (vmicshutdown) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-401 (vmictimesync) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vmicres.dll,-501 (vmicvss) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-20001 (WMSvc) - Unknown owner - C:\Windows\system32\inetsrv\wmsvc.exe (file missing)

--
End of file - 4625 bytes
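To see why the hosting company points at this VM, read the Received chain from the bottom up: the outermost hop shows Perfetto3 at 204.93.168.13 handing the message to the spamtrap, and the hop beneath it, written by Perfetto3 itself, says it accepted the message over plain SMTP from a client calling itself "User" at 178.33.252.86. The following Python, added here as an example and not part of the original post, parses the first quoted report into its hops and flags the details an abuse desk would look at: plain SMTP rather than ESMTP at the entry hop, a HELO that is not a hostname, the seven-hour gap between the Date header and the time the message was accepted, and the spamtrap's "(may be forged)" note, which sendmail adds when the connecting IP's reverse DNS name does not resolve back to that IP. The header block is taken from the report above, refolded so a mail parser accepts it; the framing lines the spamtrap prepended are dropped before parsing. Caveat: every hop below the topmost one is only as trustworthy as the server that wrote it.

```python
"""Trace the Received: chain of the first spamtrap report quoted above.

Added example, not part of the original post. The header block is the first
report from the thread, folded as a mail parser expects; the spamtrap's own
framing lines are dropped before parsing."""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

REPORT = """\
Received: by blacklist.woody.ch Spamtrap. Please stand by for parsing this Header
From info@maisontofani.com Tue Jul 10 22:36:27 2012
Return-Path:
Received: from Perfetto3 (unknown.ord.scnet.net [204.93.168.13] (may be forged) Port:27342) by gintonic.woody.ch (8.14.3/8.14.3/blacklist.woody.ch Spamtrap) with ESMTP id q6AKaNhh011774 for ; Tue, 10 Jul 2012 22:36:25 +0200
Received: from User (ip609.vpzzo.net [178.33.252.86]) by Perfetto3 with SMTP;
 Tue, 10 Jul 2012 13:29:58 -0700
From: "Loteria"
Subject: Sie haben gewonnen
Date: Tue, 10 Jul 2012 20:30:03 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_007D_01C2A9A6.72D6814A"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _clean(raw: str) -> str:
    """Drop the spamtrap's framing (its own Received line and the mbox From_ line)."""
    keep = [l for l in raw.splitlines()
            if not l.startswith("From ")
            and not l.startswith("Received: by blacklist.woody.ch Spamtrap")]
    return "\n".join(keep) + "\n"


def received_hops(raw: str) -> list[dict]:
    """Return the Received: chain, outermost hop first, one dict per hop."""
    msg = message_from_string(_clean(raw))
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())            # unfold continuation lines
        helo = re.match(r"from (\S+)", value)
        by = re.search(r" by (\S+)", value)
        with_ = re.search(r" with ([A-Za-z0-9]+)", value)
        ip = IP_RE.search(value)
        # The timestamp always follows the last ';' of a Received header.
        date = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append({
            "helo": helo.group(1) if helo else None,
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "with": with_.group(1) if with_ else None,
            "forged_note": "(may be forged)" in value,
            "date": date,
        })
    return hops


def analyse(raw: str) -> dict:
    """Name the relay and the entry point, and list what looks off about the entry hop."""
    msg = message_from_string(_clean(raw))
    hops = received_hops(raw)
    relay, entry = hops[0], hops[-1]   # hop into the spamtrap; earliest hop in the chain
    findings = []
    if entry["with"] == "SMTP":
        findings.append("entry hop spoke plain SMTP (HELO) rather than ESMTP")
    if entry["helo"] and "." not in entry["helo"]:
        findings.append(f"entry hop HELO '{entry['helo']}' is not a hostname")
    skew = abs(parsedate_to_datetime(msg["Date"]) - entry["date"])
    if skew > timedelta(hours=1):
        findings.append(f"Date header is {skew} away from when the entry hop accepted the message")
    if relay["forged_note"]:
        findings.append(f"spamtrap flagged reverse DNS of {relay['ip']} (HELO '{relay['helo']}') as 'may be forged'")
    return {
        "relay_ip": relay["ip"], "relay_helo": relay["helo"],
        "origin_ip": entry["ip"], "origin_helo": entry["helo"],
        "entry_server": entry["by"],
        "skew_hours": skew.total_seconds() / 3600,
        "findings": findings,
    }


if __name__ == "__main__":
    r = analyse(REPORT)
    print(f"handed to spamtrap by {r['relay_helo']} [{r['relay_ip']}]")
    print(f"accepted by {r['entry_server']} from {r['origin_helo']} [{r['origin_ip']}]")
    for f in r["findings"]:
        print(" -", f)
```

The two remaining reports differ only in timestamps, queue ids and boundary strings, so the same parser gives the same relay and origin for each; that repetition (same source IP, same HELO, minutes apart) is itself the pattern of a script submitting through the server rather than a user sending mail.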

  1. Hello and welcome to Tom's Hardware Forums.

    Doesn't look like a fake message to me - just advice that a Spam message from some German source has been blocked.

    I've never seen an HJT log like yours with so many entries missing and I've analysed thousands. Run it again and this time, right click the .exe file and go to Run as Administrator. Post back the resulting log.

  2. I don't know whether the German source has been blocked or not, but my hosting company is assuming that I am sending these messages from my VM server, although I am not sending these messages.

    There might be some malicious software doing this on my PC.

    I recreated the following HJT log using the Run as Administrator option.

    Waiting for your feedback.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:56:26 PM, on 7/17/2012
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v9.00 (9.00.8112.16447)
    Boot mode: Normal

    Running processes:
    C:\Windows\SysWOW64\inetsrv\w3wp.exe
    C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: ::1 localhost
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O15 - ESC Trusted Zone: http://www.freetrialdownload.com
    O15 - ESC Trusted Zone: http://partner.googleadservices.com
    O15 - ESC Trusted Zone: http://download.hmailserver.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{802BA47D-C521-459F-ADE2-12B1D43B6EA9}: NameServer = 8.8.8.8
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: DotNetPanel Virtual Machine Configuration Service (DNPVmConfig) - SMB SAAS Systems Inc - C:\Program Files (x86)\Websitepanel\VmConfig\DNP.VmConfig.exe
    O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - C:\Windows\system32\inetsrv\inetinfo.exe (file missing)
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: SmarterMail Service (MailService) - Unknown owner - C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @gpapi.dll,-114 (RSoPProv) - Unknown owner - C:\Windows\system32\RSoPProv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: SmarterMail Web Server (SMWebSvr) - SmarterTools Inc - C:\Program Files (x86)\SmarterTools\SmarterMail\Web Server\SMWebSvr.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vmicres.dll,-101 (vmicheartbeat) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vmicres.dll,-201 (vmickvpexchange) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vmicres.dll,-301 (vmicshutdown) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vmicres.dll,-401 (vmictimesync) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vmicres.dll,-501 (vmicvss) - Unknown owner - C:\Windows\system32\vmicsvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-20001 (WMSvc) - Unknown owner - C:\Windows\system32\inetsrv\wmsvc.exe (file missing)

    --
    End of file - 4586 bytes


  3. Again, I'm seeing only a fraction of what would normally appear in a log, even in a VM environment. You have only three Processes running, nothing automatically starting at StartUp and a Winsock entry I would expect to see in your circumstances is also missing.

    I clicked on the third link in the O15 entries - the hmailserver one - and got a German language access denied message so I suggest you tick to delete that one then restart and scan again to see if that one is then missing.

  4. I have removed the following entries:

    O15 entries - the hmailserver one
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing), as there was no program.exe file on my PC


    Now let's see if it works.

    Thanks for your help
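Two things about the posted log are worth knowing before ticking entries for removal. First, HijackThis 2.0.4 is a 32-bit program; on 64-bit Windows (the log shows SysWOW64 and "Program Files (x86)" paths) its file checks are redirected to SysWOW64, which is why nearly every built-in service is reported as "(file missing)" and why the log is so short. Second, HijackThis cuts an unquoted service ImagePath at its first space, so a MySQL service installed under "C:\Program Files\..." is displayed as "C:\Program.exe (file missing)"; that entry records a real service, and the thing to check is its actual ImagePath (`sc qc MySQL` from an elevated prompt), not whether C:\Program.exe exists. An unquoted path containing spaces is also worth fixing in its own right, because Windows tries C:\Program.exe first when starting such a service, so a writable file of that name would run as the service account. The script below, added here as an example and not part of the thread, parses the O23 lines of the posted log (a subset is embedded) and applies those two heuristics; the classification names are this example's own.

```python
"""Triage the O23 (service) lines of the HijackThis log quoted in the thread.

Added example, not part of the original thread. HJT_LOG is a subset of the
posted log; the classification rules are this example's own heuristics."""
import re

HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows Vista SP2 (WinNT 6.00.1906)

Running processes:
C:\Windows\SysWOW64\inetsrv\w3wp.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: DotNetPanel Virtual Machine Configuration Service (DNPVmConfig) - SMB SAAS Systems Inc - C:\Program Files (x86)\Websitepanel\VmConfig\DNP.VmConfig.exe
O23 - Service: SmarterMail Service (MailService) - Unknown owner - C:\Program Files (x86)\SmarterTools\SmarterMail\Service\MailService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: SmarterMail Web Server (SMWebSvr) - SmarterTools Inc - C:\Program Files (x86)\SmarterTools\SmarterMail\Web Server\SMWebSvr.exe
"""

# O23 - Service: <display name> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


def parse_services(log: str) -> list[dict]:
    """Turn each O23 line into a dict keyed by the service's short name."""
    services = []
    for line in log.splitlines():
        m = O23_RE.match(line)
        if not m:
            continue
        display = m["display"]
        # HJT appends the registry service name in parentheses when it has one.
        short = re.search(r"\(([^()]+)\)$", display)
        services.append({
            "name": short.group(1) if short else display,
            "owner": m["owner"],
            "path": m["path"],
            "missing": m["missing"] is not None,
        })
    return services


def is_64bit_log(log: str) -> bool:
    """The posted log shows SysWOW64 and 'Program Files (x86)' paths, i.e. an x64 OS."""
    return "SysWOW64" in log or "Program Files (x86)" in log


def classify(svc: dict, x64: bool) -> str:
    directory, _, _ = svc["path"].rpartition("\\")
    if svc["missing"] and re.fullmatch(r"[A-Za-z]:", directory):
        # HJT cuts an unquoted ImagePath at its first space, so
        # "C:\Program Files\..." is shown as "C:\Program.exe (file missing)".
        return "likely_truncated_unquoted_path"
    if svc["missing"] and x64 and "\\windows\\system32\\" in svc["path"].lower():
        # 32-bit HJT under WOW64 is redirected to SysWOW64, so genuine
        # System32 binaries are reported missing on 64-bit Windows.
        return "system32_hidden_by_wow64"
    if svc["missing"]:
        return "file_missing"
    if svc["owner"] == "Unknown owner":
        # HJT could not read a company name from the binary; verify, don't delete.
        return "unknown_owner"
    return "ok"


def triage(log: str) -> dict:
    x64 = is_64bit_log(log)
    services = parse_services(log)
    verdicts = {s["name"]: classify(s, x64) for s in services}
    # Commands to run from an elevated 64-bit prompt before removing anything:
    # 'sc qc' prints the real BINARY_PATH_NAME the service manager will execute.
    checks = [f'sc qc "{s["name"]}"' for s in services if verdicts[s["name"]] != "ok"]
    return {"is_x64": x64, "services": verdicts, "checks": checks}


if __name__ == "__main__":
    report = triage(HJT_LOG)
    print("64-bit Windows:", report["is_x64"])
    for name, verdict in report["services"].items():
        print(f"{name:12} {verdict}")
    print("verify with:", *report["checks"], sep="\n  ")
```

If `sc qc MySQL` shows an unquoted BINARY_PATH_NAME with spaces, the fix is to quote it (`sc config MySQL binPath= "\"C:\Program Files\...\mysqld.exe\" MySQL"`, keeping the service's original arguments), not to delete the service entry.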