can anyone help me please

Hi people

i have just joined as i am at a loss as to what to do next. yesterday i received a letter from my internet provider stating that they had noticed a large amount of spam/junk emails being sent from my internet connection and that i was probably infected with a virus. they included a step by step to hopefully resolving the problem, things like using windows update, disabling system restore, downloading trojan hunter and trying online virus scans, and after i had done this, installing anti virus software (avg, avast etc.). i tried what they had suggested and basically the following happened:

windows update: only 1 of the 4 updates was successful
i managed to disable system restore
downloaded trojan hunter (but i get a message trojanhunter is not a valid win32 application)
tried bit defender and trend micro and both programs just appeared to hang and report back nothing
avg is refusing to work same message as trojan hunter
avast is also giving the same message (avast is not a valid win32 application)

i phoned my isp security section (number was on the letter) and they told me i was number 5 in their top 100 in britain sending out junk mail and i should carry out the measures mentioned in the letter or i may be disconnected. once i have carried out the measures i should call them back.

i have tried running safe mode but get a blue screen and then go no further

can anyone help me please i have some computer knowledge but not in this field

i am running windows xp home with service pack 2

Thanks

“i was number 5 in their top 100 in britain sending out junk mail and i should carry out the measures mentioned in the letter or i may be disconnected.” :o lol…that is awful.

You most likely have an infection that turns ur computer into a “bot” or “zombie” that sends out tons of spam mails or infects other computers. You also most likely have other malware preventing security programs from running.

I would see if you could get Superantispyware to at least scan for you. Here is the link:
http://www.superantispyware.com/

You should also see if you can run a program from Trend Micro called Hijackthis. You can find it here:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

See if you can get either of these programs to run. If you can get SAS to run, run a full scan and tell us what it quarantines. If you can get Hijackthis to run, run a scan and post ur log (don’t fix anything yet)

hi philly thanks for the reply

i downloaded the super anti spy which worked until it started scanning the files, then i got a blue screen including the words srosa.sys followed by B0D9ec8D base at B0D9B000 date stamp 47a85d5a

i tried the other program hijack this but i got the same message that i get with avast

:slight_smile: Hi :

Based on your experience with both “SUPERAntiSpyware” & “HijackThis”, it
appears your computer is so “compromised” that the only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

i realise that may be my only option

can i do that and retain all my settings, email passwords etc

:cry:

I consider a reformat a last option.

Try this, after you have downloaded this program, rename combofix.exe to bugout.exe

Then run it from safe mode.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

thanks oldman

i managed to run combofix and hijack this by changing the names

enclosed are the logs

sorry here is the other log

Got em. Will look and post back after work.

Off to work now. >:( I will go over the logs and post back.

There’s a couple of things you can do in the meantime, that will have to be done later anyway.

  • Update your java

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to “Java Runtime Environment (JRE) 6 Update 4…allows end-users to run Java applications”.

Click the download button on the right.

If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

  • Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/

  • If you are using windows firewall, please note that it doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0


thanks oldman

i have done what you suggested regarding java and downloading clean up

Hi, just sneaking this in. Let me know how things are on your end. You still spamming?

Submit this file to www.virustotal.com and please post the results.

C:\WINDOWS\system32\2550DFAD0F.sys

Thanks

hi oldman
just tried that here is the result

also i don’t know whether i am still spamming as i have not rung my isp provider yet

Thanks

File 2550DFAD0F.sys received on 02.15.2008 02:30:35 (CET)

Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.2.15.10 2008.02.14 -
AntiVir 7.6.0.65 2008.02.14 -
Authentium 4.93.8 2008.02.14 -
Avast 4.7.1098.0 2008.02.14 -
AVG 7.5.0.516 2008.02.14 -
BitDefender 7.2 2008.02.15 -
CAT-QuickHeal None 2008.02.14 -
ClamAV 0.92.1 2008.02.15 -
DrWeb 4.44.0.09170 2008.02.14 -
eSafe 7.0.15.0 2008.02.14 -
eTrust-Vet 31.3.5538 2008.02.14 -
Ewido 4.0 2008.02.14 -
FileAdvisor 1 2008.02.15 -
Fortinet 3.14.0.0 2008.02.15 -
F-Prot 4.4.2.54 2008.02.14 -
F-Secure 6.70.13260.0 2008.02.14 -
Ikarus T3.1.1.20 2008.02.15 -
Kaspersky 7.0.0.125 2008.02.15 -
McAfee 5230 2008.02.14 -
Microsoft 1.3204 2008.02.14 -
NOD32v2 2876 2008.02.14 -
Norman 5.80.02 2008.02.14 -
Panda 9.0.0.4 2008.02.14 -
Prevx1 V2 2008.02.15 -
Rising 20.31.30.00 2008.02.14 -
Sophos 4.26.0 2008.02.14 -
Sunbelt 2.2.907.0 2008.02.14 -
Symantec 10 2008.02.15 -
TheHacker 6.2.9.220 2008.02.14 -
VBA32 3.12.6.1 2008.02.14 -
VirusBuster 4.3.26:9 2008.02.14 -
Webwasher-Gateway 6.6.2 2008.02.14 -
Additional information
File size: 56 bytes
MD5: cb7c701bfd94dccb47a500bbc13381b0
SHA1: 06de87022ce4bbbbb6b6c53d6ecdf23d4a148009
PEiD: -

I’m not really seeing anything right now. But we can look deeper.

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:

      Reg - BotCheck

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and attach the log. I will review it when it comes in.

Make the settings look like this except set the time to 60 Days and include the additional scans as indicated above.

http://forum.avast.com/index.php?topic=31261.msg260811#msg260811

hi oldman have just run the program here is the log

i am off to bed in a min it’s 4am here

thanks for all your help

Not much there.

One more for virustotal

C:\Windows\System32\0FADDF5025.sys

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 60 days]
YY -> sed.exe -> %SystemRoot%\System32\sed.exe
YY -> wrlzma.dll -> %SystemRoot%\System32\wrlzma.dll
[Files/Folders - Modified Within 60 days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
YY -> wrlzma.dll -> %SystemRoot%\System32\wrlzma.dll
YY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
YY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer

Hi oldman here is the result of the virustotal scan

File 0FADDF5025.sys received on 02.15.2008 11:56:23 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.15.11 2008.02.15 -
AntiVir 7.6.0.65 2008.02.15 -
Authentium 4.93.8 2008.02.15 -
Avast 4.7.1098.0 2008.02.14 -
AVG 7.5.0.516 2008.02.15 -
BitDefender 7.2 2008.02.15 -
CAT-QuickHeal None 2008.02.14 -
ClamAV 0.92.1 2008.02.15 -
DrWeb 4.44.0.09170 2008.02.15 -
eSafe 7.0.15.0 2008.02.14 -
eTrust-Vet 31.3.5539 2008.02.15 -
Ewido 4.0 2008.02.14 -
FileAdvisor 1 2008.02.15 -
Fortinet 3.14.0.0 2008.02.15 -
F-Prot 4.4.2.54 2008.02.14 -
F-Secure 6.70.13260.0 2008.02.15 -
Ikarus T3.1.1.20 2008.02.15 -
Kaspersky 7.0.0.125 2008.02.15 -
McAfee 5230 2008.02.14 -
Microsoft 1.3204 2008.02.14 -
NOD32v2 2878 2008.02.15 -
Norman 5.80.02 2008.02.14 -
Panda 9.0.0.4 2008.02.15 -
Prevx1 V2 2008.02.15 -
Rising 20.31.30.00 2008.02.14 -
Sophos 4.26.0 2008.02.15 -
Sunbelt 2.2.907.0 2008.02.14 -
Symantec 10 2008.02.15 -
TheHacker 6.2.9.220 2008.02.14 -
VBA32 3.12.6.1 2008.02.14 -
VirusBuster 4.3.26:9 2008.02.14 -
Webwasher-Gateway 6.6.2 2008.02.15 -

Additional information
File size: 248 bytes
MD5: 7f7797f06e81c1c2c74f77bd5e0fa1b9
SHA1: 0557f13e316a11b3c53904dca92cc7943c68d8d2
PEiD: -
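Both files oldman asked to have checked are tiny .sys files with all-hex names in System32 and came back 0/32 on VirusTotal, so a signature scan alone tells you nothing about them. As an added defender-side example (not from the thread or from any of the tools named in it), this Python script lists such files in a folder and prints the MD5 and SHA1 that VirusTotal reports, so each one can be matched against an existing VirusTotal result before anything is deleted. The hex-name pattern and the 4096-byte size cutoff are assumptions drawn from the two files posted (56 and 248 bytes), not a published indicator.

```python
import hashlib
import re
import sys
from pathlib import Path

# Filenames made only of hex digits, like 2550DFAD0F.sys and 0FADDF5025.sys
# in the thread. Assumed pattern: six or more hex characters, .sys extension.
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{6,}\.sys$")
# Assumed cutoff: both posted files were well under 4 KB; real drivers are far larger.
MAX_SUSPECT_SIZE = 4096


def file_hashes(path):
    """Return (md5, sha1) hex digests, the two hashes VirusTotal lists per file."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def find_suspect_sys(directory):
    """Return a sorted list of (name, size, md5, sha1) for hex-named .sys files
    in `directory` that are no larger than MAX_SUSPECT_SIZE (no recursion)."""
    hits = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file() or not HEX_NAME.match(entry.name):
            continue
        size = entry.stat().st_size
        if size > MAX_SUSPECT_SIZE:
            continue
        md5, sha1 = file_hashes(entry)
        hits.append((entry.name, size, md5, sha1))
    return hits


if __name__ == "__main__":
    # Default folder is the one named in the thread; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32"
    for name, size, md5, sha1 in find_suspect_sys(target):
        print(f"{name}  {size} bytes  MD5 {md5}  SHA1 {sha1}")
```

Compare the printed MD5/SHA1 with the values in a VirusTotal report before submitting; a matching hash means the file has already been scanned and the result above applies to it.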

Good, do the last fix and we’ll clean up the tools.

hi oldman ,

safe mode is now working so i tried reinstalling avast and managed to get that working. i have also downloaded and installed comodo firewall and that appears to be working fine.

i was also going to switch to opera as my browser

i now have the following installed webroot spysweeper , super antispyware , avast, do you think i should

uninstall webroot and super antispyware and just retain avast

also i did not understand your last post “do the last fix and we’ll clean up the tools”

thanks

you may want to get rid of webroot, but i would keep SAS (superantispyware). The “last fix” oldman is referring to is the fix he wrote out at the top of the second page (this page).