Cannot fix this virus?

I apologize to the moderator, this email also appears in the “General Topic”; I hadn’t seen this category for help early enough.

Hi
Every 2 or 3 seconds I have an Avast window opening with the message “Suspicious Message!” and the following text:

"There are too many identical e-mails in appointed time

Sender: “Tawfiq Dimmitt” taw@oh.com
Recipient: pamandchris@sympatico.ca
Subject: Re: Paruamcy news"

"There are too many identical e-mails in appointed time

Sender: “Brandi Hice” hiceebra@rymex.com
Recipient: pamandchris@sympatico.ca; pamandbutch@charter.net
Subject: Re: Paruamcy news"

The emails are different every time.

I have also many dialogue windows with:

Avasta: connection timeout
internet connection timeout elapsed. Continue waiting?
(49exmodulap.exe → *.mail9.psmtp.com:25)
YES NO

Here too the internet address is different from one window to the other, for example:

(49exmodulap.exe → *.mta-v20.mail.yahoo.com:25)
(49exmodulap.exe → *.smtp.ponte.com:25)
etc.

I’ve updated and run avast but it didn’t find anything.
Thanks for any help

Estyl

You appear to have an emailer-bot or spambot trojan installed on your system, ‘49exmodulap.exe’. As a temporary measure, ensure that your firewall blocks access to this program. Whatever you do, don’t answer YES.

The fact that Google doesn’t return any information on this program/file name only confirms my suspicion.

What is your OS?
What is your firewall?

Get the program that matches your OS, install it, update it and run it from safe mode: Ewido Security Suite if using WinXP, or a-Squared Free if using Win98/ME.

If you haven’t already got this software (freeware), download, install, update and run it.

  1. Ad-Aware
  2. Spybot Search and Destroy
  3. Spywareblaster (don’t install this until you are clean).

You can modify your original thread in the General forum: just delete the text and replace it with “intentional deletion” or something like that. This will stop anyone responding to it; unfortunately you can’t delete the topic, only modify the text.

Thanks,

My OS is XP Home Edition and it’s running its own firewall (the firewall is now activated).

XP’s firewall is better than none at all but it doesn’t provide outbound protection and it can’t block this connection. I would advise you get a firewall that provides this protection, Zone Alarm free (zonelabs.com) works fine with avast and it has a relatively friendly user interface.

First get Ewido, which is fine with XP, and run it as I mentioned above; then schedule a boot-time scan from within avast.
Then you should consider the ZA firewall, otherwise you could be fighting an uphill battle, as any undetected malware could download more of the same.

Then download and run the other programs I mentioned.

I’ve just run Ewido; here is the report. Ad-Aware found just a few cookies and Spybot is still updating, but so far the emailer continues to appear.

ewido anti-malware - Scan report

  • Created on: 9:36:49 PM, 3/8/2006

  • Report-Checksum: 8166B930

  • Scan result:

    [1024] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [1272] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [1900] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [2316] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [2380] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [2772] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [2784] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    [3460] C:\WINDOWS\system32\netf.dll → Backdoor.IRCBot.nw : Error during cleaning
    C:\WINDOWS\system32\__delete_on_reboot__netf.dll → Backdoor.IRCBot.nw : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@adtech[2].txt → TrackingCookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt → TrackingCookie.Doubleclick : Cleaned with backup

::Report End

Spybot didn’t find any problem :-\

Here is the Spybot report:

— Report generated: 2006-03-08 22:01 —

Congratulations!: No immediate threats were found. ()

— Spybot - Search & Destroy version: 1.4 (build: 20050523) —

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-03-08 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-03-03 Includes\Cookies.sbi
2006-03-03 Includes\Dialer.sbi
2006-03-03 Includes\Hijackers.sbi
2006-03-03 Includes\Keyloggers.sbi
2006-03-03 Includes\Malware.sbi
2006-03-03 Includes\PUPS.sbi
2006-03-03 Includes\Revision.sbi
2006-03-03 Includes\Security.sbi
2006-03-03 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-03-03 Includes\Trojans.sbi

OK, I have just installed ZoneAlarm, and it’s working :wink:

“93exmodulap.exe”, which seems to be the emailer-bot, is blocked and cannot send anything anymore (see ZA’s report).
But it’s still here; do I have any chance to kick it out?
Why, when I search for “93exmodulap.exe”, doesn’t Windows find it?

(part of ZA’s report)

ACCESS,2006/03/08,22:49:48 +1:00 GMT,93exmodulap.exe was temporarily blocked from connecting to the Internet (66.98.252.36:DNS).,N/A,N/A
ACCESS,2006/03/08,22:49:48 +1:00 GMT,93exmodulap.exe was temporarily blocked from connecting to the Internet (195.34.133.22:DNS).,N/A,N/A
ACCESS,2006/03/08,22:49:48 +1:00 GMT,93exmodulap.exe was temporarily blocked from sending data to the Internet (195.34.133.22:DNS).,N/A,N/A
ACCESS,2006/03/08,22:49:50 +1:00 GMT,93exmodulap.exe was temporarily blocked from connecting to the Internet (195.34.133.21:DNS).,N/A,N/A
ACCESS,2006/03/08,22:49:52 +1:00 GMT,93exmodulap.exe was temporarily blocked from sending data to the Internet (195.34.133.21:DNS).,N/A,N/A
FWIN,2006/03/08,22:50:04 +1:00 GMT,221.208.208.3:58020,84.115.153.146:1027,UDP
FWIN,2006/03/08,22:50:34 +1:00 GMT,84.115.65.60:4318,84.115.153.146:445,TCP (flags:S)
ACCESS,2006/03/08,22:50:48 +1:00 GMT,93exmodulap.exe was temporarily blocked from sending data to the Internet (195.34.133.22:DNS).,N/A,N/A
ACCESS,2006/03/08,22:50:50 +1:00 GMT,93exmodulap.exe was temporarily blocked from connecting to the Internet (195.34.133.21:DNS).,N/A,N/A
FWIN,2006/03/08,22:50:50 +1:00 GMT,88.218.13.47:56686,84.115.153.146:47308,UDP
ACCESS,2006/03/08,22:50:52 +1:00 GMT,93exmodulap.exe was temporarily blocked from connecting to the Internet (195.34.133.22:DNS).,N/A,N/A

Thanks
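An added example, not from the poster or from ZoneAlarm, that triages ZA log lines of the format pasted above: it counts how often each process was blocked per destination and tallies unsolicited inbound hits by local port, so a process that keeps getting blocked stands out as the one to deny permanently. The sample lines are a subset of those in the post, unchanged.

```python
import csv
import re
from collections import Counter
from io import StringIO

# A subset of the ZoneAlarm lines pasted in the post above, unchanged.
SAMPLE_LOG = """\
ACCESS,2006/03/08,22:49:48 +1:00 GMT,93exmodulap.exe was temporarily blocked from connecting to the Internet (66.98.252.36:DNS).,N/A,N/A
ACCESS,2006/03/08,22:49:48 +1:00 GMT,93exmodulap.exe was temporarily blocked from sending data to the Internet (195.34.133.22:DNS).,N/A,N/A
ACCESS,2006/03/08,22:49:50 +1:00 GMT,93exmodulap.exe was temporarily blocked from connecting to the Internet (195.34.133.21:DNS).,N/A,N/A
FWIN,2006/03/08,22:50:04 +1:00 GMT,221.208.208.3:58020,84.115.153.146:1027,UDP
FWIN,2006/03/08,22:50:34 +1:00 GMT,84.115.65.60:4318,84.115.153.146:445,TCP (flags:S)
ACCESS,2006/03/08,22:50:48 +1:00 GMT,93exmodulap.exe was temporarily blocked from sending data to the Internet (195.34.133.22:DNS).,N/A,N/A
"""

# ACCESS rows carry a free-text message; pull the process, action and destination out of it.
ACCESS_RE = re.compile(
    r"^(?P<proc>\S+) was \w+ blocked from (?P<action>connecting to|sending data to) "
    r"the Internet \((?P<dest>[^)]+)\)\.$"
)

def parse_za_log(text):
    """Return (outbound, inbound): blocked (process, destination) counts and (local port, proto) counts."""
    outbound, inbound = Counter(), Counter()
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if row[0] == "ACCESS":
            m = ACCESS_RE.match(row[3])
            if m:
                outbound[(m["proc"], m["dest"])] += 1
        elif row[0] == "FWIN":
            # row[4] is the local addr:port that was hit, row[5] the protocol (e.g. "TCP (flags:S)")
            inbound[(row[4].rsplit(":", 1)[1], row[5].split()[0])] += 1
    return outbound, inbound

def repeat_offenders(outbound, threshold=3):
    """Processes blocked at least `threshold` times: candidates for a permanent deny rule."""
    per_proc = Counter()
    for (proc, _dest), n in outbound.items():
        per_proc[proc] += n
    return sorted(p for p, n in per_proc.items() if n >= threshold)

if __name__ == "__main__":
    out, inb = parse_za_log(SAMPLE_LOG)
    for (proc, dest), n in out.most_common():
        print(f"{n:3d}  {proc} -> {dest}")
    print("inbound hits by port:", dict(inb))
    print("make permanent:", repeat_offenders(out))
```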

[1024] C:\WINDOWS\system32\netf.dll -> Backdoor.IRCBot.nw : Error during cleaning
Re. this error, try running ewido from safe mode: reboot and keep pecking away at the F8 key whilst the system boots; you should get the option to boot into safe mode. Running ewido from safe mode may get past those errors. In safe mode your monitor resolution may well revert to 800x600.
ACCESS,2006/03/08,22:50:48 +1:00 GMT,93exmodulap.exe was temporarily blocked from sending data to the Internet (195.34.133.22:DNS).,N/A,N/A
Rather than temporarily blocking this, make it permanent in Zone Alarm by ticking “remember this” (not sure of the terminology, I haven’t used ZA in many years).

If running ewido from safe mode doesn’t get this bot, there is another tool in the armoury, also useful as a diagnostic tool: Download HiJackThis.zip. HJT information: HiJackThis Tutorial 1 or HiJackThis Tutorial 2.
For an on-line analysis: HiJackThis Log file - On-line Analysis or HiJackThis Log file - On-line Analysis 2.
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the “missing file” entry for avast). If you need any help with any of the analysis, let us know.

Or you can paste the contents of the log file here, but try to see what the on-line analysis shows and check any nasty, possibly nasty or unknown entries: either google the filenames or upload the file for scanning using the paper-clip icon in the analysis.

I’m just about to call it a night, 1:15 a.m here, goodnight.