Hi there, I am posting this on behalf of a friend. The problem is this: as soon as his WinXP Home box is connected to the internet it starts sending emails non-stop and continuously. He has Norton Antivirus and it tries to scan every outgoing email. Eventually Norton starts giving alerts that the messages could not be sent. This is obviously a virus or trojan and I have dealt with it before, but I cannot remember the name of the virus, or how I fixed it. Scanning with an up-to-date Norton Antivirus and Kaspersky Antivirus, Spyware Doctor and Ad-Aware detects nothing. I've tried looking for weird processes running or unknown programs starting up in the registry. Looked for suspect files in windows and windows/system32 but cannot find anything suspicious. He was infected with the Spy Sheriff spyware, but that has been removed. Please, if anyone has any helpful advice I'm all ears. I seem to remember that I maybe had to format and reload the PC to get rid of this virus/trojan. Thx.
The easiest and thus the first thing you should try: see if you can access an earlier restore point prior to when the problems arose. The restore only takes a simple restart and I find it very helpful for removing simple viruses/trojans so that I don't need to get down and dirty if I don't have to.
Yeah, sounds like his IP address has been hijacked and the PC is a dummy mailer for some hacker out there. It will spam continually till your friend contacts his ISP and gets a new IP address. After he gets the new IP address, show him how to protect it with multiple firewalls.
I've had a trojan/virus that could not be removed whatever you did: safe mode, restore (Windows doesn't run the trojan, it just can't be deleted, grrrr), multiple adware programs and good antivirus, it just refuses to delete. Best idea sometimes is just to format.
Thanks guys, just wish I had a name for this virus. Something called Hacktool.Nuker was detected during the scans but it said that it removed it. It's amazing that not one program we have tried can detect it even when it's doing its mass mailing. I will try and see if he can get another IP address, but I think he's already on a dynamic IP. Thx.
Ok, what scan tools have you tried so far?? If you haven't done these scans, then just do them again (download from a separate PC if you have problems downloading from your friend's PC):
1. Download the latest versions of Spyware Blaster, Ad-Aware, and SpyBot S&D.
2. Also update the software with their latest definitions.
3. Disable System Restore.
4. Enable "All Protection" in Spyware Blaster, and click on the Immunize button in SpyBot S&D, and Immunize all.
5. Reboot in safe mode and run full system scans in Ad-Aware and SpyBot S&D.
6. Clean any infections found.
7. Reboot in normal mode, and if you still have problems post a HijackThis log file.
And, btw, Norton isn't a great AV IMO.
You can also try some online AV checks:
http://www.hackfix.org/software/oavirus.html (contains a list of free online scanners)
http://www.ewido.net/en/onlinescan/
Online malware scan: http://virusscan.jotti.org/
Online trojan scan: http://www.windowsecurity.com/trojanscan/
More info on Hacktool.Nuker: http://www.symantec.com/avcenter/venc/data/winnuke.trojan.html
Open regedit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the value LoadPowerProfile.
And try to get your friend another AV other than Norton. NOD32 is a very good AV, and so is Kaspersky!!
Scanned with Spyware Doctor and Ad-Aware. Symantec Antivirus and Kaspersky Antivirus all updated. System Restore is disabled. All temp files and temporary internet files have been cleared. He is busy running those online scans but so far they haven't detected anything. He does not have that registry value in his registry. Someone out there must have experienced this mass mailing problem and knows a fix. Myself, I would just back up and reload, but it's not that easy for other people to do that.
I removed a trojan virus last month using AVG. Norton couldn't even locate the virus that was on my PC, so I had to download AVG, update it with the latest updates, run a full system scan and it deleted/removed the virus. Heard many people saying HijackThis was an excellent anti-virus prog. So can someone provide me with a link to download this prog.... Please reply as soon as possible..... Tks.
Not to HijackThis thread... lol, but. Just to make it clear to all, HijackThis is not an AV. It's a tool used for manual clean-up (i.e. the user decides what is to be removed) of start/run commands and browser-related settings etc. It started out as a homepage hijack detector but its capabilities have been expanded and it is very useful to those who know how to investigate the logs. But it's not very helpful if you don't know how to interpret the log. However, some nice people have made log checkers which can help experienced hijack log checkers cut down on the time spent looking at logs, and for people new to HijackThis they can also be a big help... NOTE however you should NEVER blindly trust the auto checks and ALWAYS double check; best is using threads found on the net where other experienced hijack log checkers are removing the same stuff. But again they too can make mistakes and will very often remove things not spyware related such as unneeded run commands and ActiveX components, QuickTime's boot check being a classic example.
Auto log checkers:
http://hjt.networktechs.com/
http://www.hijackthis.de/
HijackThis log tutorials:
http://www.merijn.org/htlogtutorial.html
http://aumha.org/a/hjttutor.php
http://tomcoyote.com/hjt/
(in case you did not find it) Sticky has HijackThis: http://forums.guru3d.com/showthread.php?p=1449607#post1449607
To the original poster. A HijackThis log may indeed help, so please post one if possible.
----
There are a few things to look at.
1. The mail client. Is it Outlook?
2. The mail service. Web-mail and/or mail service provided by the ISP? (Remember he may also be receiving infested mail.)
3. How is he connected and who is the provider? Mass-mailer worms are becoming a thing of the past as email security has been beefed up a lot.
4. The AV. Something is not OK with his scanner if it did not protect against the infestation of WinNuke.Trojan, as that thing is old as hell (1998). Did it protect against the infestation or just pick it up in a scan? Do you know where it was found? Use the logging. WinNuke.Trojan is used to crash systems but will not work if the system has the appropriate security patches: http://www.symantec.com/avcenter/venc/data/winnuke.trojan.html
Did you install Kaspersky? (What version? If 5, try 6 instead.) If NO active protection or scans are finding anything, including from an installed Kaspersky, I'd suspect something may have crept in and compromised the system. Maybe even Norton, possibly giving elevated privileges and access. Symantec Client Security and Symantec AntiVirus Elevation of Privilege: http://securityresponse.symantec.com/avcenter/security/Content/2006.05.25.html
5. The lack of a firewall. Install one!
6. P2P and IRC programs installed. Many P2P and IRC worms, trojans, use mails.
7. Solutions. Make sure XP is 100% updated. Install a new mail client like Thunderbird and make it the default client; start by keeping it empty, i.e. no mail services or contacts. If it still launches the "old" mail client, clean it out of contacts, or remove the mail service, or rename the .exe of the "old" mail client. Then I would install a firewall and possibly some HIPS/IDS as well. Then I would uninstall Norton and install either NOD32, Kaspersky 6 or BitDefender 9 (update and scan using the strongest settings they have).
Then I'd look for rootkits (often hard to tell).
Firewall: Comodo is good at stopping leaks and is still pretty user-friendly, but you will need a clean PC as you have to use an e-mail to get the activation code. http://www.personalfirewall.comodo.com/
Software firewalls should stop mass-mailer worms.
http://www.firewallleaktester.com/software.htm
http://www.wilderssecurity.com/showthread.php?t=57655
Rootkits:
http://www.pcsupportadvisor.com/rootkits.htm
http://www.viruslist.com/en/analysis?pubid=168740859
Sticky malware info: http://forums.guru3d.com/showthread.php?p=1449607#post1449607
Information: search "mass-mailer worms":
http://search.symantec.com/custom/u...s&nh=10&hitsceil=100&st=1&context=gbh&x=6&y=3
http://www.viruslist.com/en/virusesdescribed?chapter=153311664
Latest Email-Worm "Email-Worm.Win32.Bagle.fy": http://www.viruslist.com/en/viruses/alerts?alertid=189337140
This was the first time I've scanned my PC using HijackThis and I'm not sure about deleting the following files from the PC since a warning message, "this might cause some problems in the future....", popped up. So I just wanted to ask some experts to look at whether I could delete the following stuff..... Here's the log: [EDIT]: The log has been moved to the Slow boot topic. Please reply as soon as possible.... Tks......
2Pac, please make a new thread and post the log again (you might want to remove your log from this thread; it's just to avoid clutter and confusion). But for one it looks like you have a worm, W32.Alcra.B:
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
W32.Alcra.B worm: http://www.symantec.com/avcenter/venc/data/w32.alcra.b.html
Your log file: http://www.hijackthis.de/logfiles/e4caa7eb2229de376ae486ed62d420cc.html
Virus and Spyware Help (get tools and follow the removal guides): http://forums.guru3d.com/showthread.php?p=1449607#post1449607
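Added example (not from the thread and not HijackThis's own code): a small Python checker that parses O4 autorun lines in the format quoted above and flags entries missing from a known-good list, roughly what the auto log checkers linked earlier do against their known-entry databases. The allowlist, the sample log and the Windows-like-name heuristic are constructed assumptions.

```python
"""Parse HijackThis O4 (autorun) entries and flag those not on a known-good list.

Added example, not from the thread and not HijackThis's own code; the allowlist,
sample log and name heuristic are constructed stand-ins for what the online
log checkers do with their known-entry databases.
"""
import re
from pathlib import PureWindowsPath

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Command line: a quoted path, or an unquoted path up to an executable extension, then args.
CMD_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|scr|com|bat|cmd)))(?:\s+(?P<args>.*))?$', re.I)

KNOWN_GOOD = {"ctfmon.exe", "msmsgs.exe"}   # constructed: executable file names considered benign
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\")

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

def parse_o4(line):
    """Return a dict for one O4 line, or None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    c = CMD_RE.match(m["cmd"])
    exe = (c["q"] or c["u"]) if c else m["cmd"]
    return {"hive": m["hive"], "key": m["key"], "name": m["name"],
            "exe": exe, "args": (c["args"] or "") if c else ""}

def review_o4(log):
    """Return [(value name, exe path, reason)] for autoruns a log checker should examine."""
    findings = []
    for entry in filter(None, map(parse_o4, log.splitlines())):
        exe_lower = entry["exe"].lower()
        if PureWindowsPath(exe_lower).name in KNOWN_GOOD:
            continue
        reason = "not in known-good list"
        # Constructed heuristic: a Windows-sounding value name launched from outside the system dir.
        looks_windows = any(w in entry["name"].lower() for w in ("update", "windows", "system"))
        if looks_windows and not exe_lower.startswith(SYSTEM_DIRS):
            reason += "; Windows-like name outside the system directory"
        findings.append((entry["name"], entry["exe"], reason))
    return findings
```

Running `review_o4(SAMPLE_LOG)` returns only the winupdates entry, with both reasons attached; the two allowlisted autoruns are skipped.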
Thx for all the replies guys. I am not impressed with Symantec/Norton's detection rate. Gonna switch to Kaspersky. I lost contact with my friend who I was trying to help online due to this virus rendering his PC unusable, but he has just come back online today. He is following the tips in a link I sent him (http://forums.majorgeeks.com/showthread.php?t=35407) and so far has removed a whole lot of trojans and viruses that were not detected in initial scans. Btw, the virus that was causing the mass mailing is called Trojan Mailbot (SpamTool.Win32.Mailbot.ap (Kaspersky), SPR/Spam.Mailbot.AP). Thanks for the welcome ultimate360 and to everyone else for their helpful tips.
O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.exe -r:4 -x:1
What's this? Looks suspect???
As I suspected, it's using rootkit functionality and its own SMTP engine. Nasty. Make sure it did not install this: a-squared has detection for it as well. http://www.emsisoft.com/en/software/download/ Just as info, it should/would likely have shown up on a HijackThis log.
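Added example (not from the thread): a mailbot with its own SMTP engine connects directly to many mail servers instead of the one or two relays a real mail client uses, so a software firewall's outbound-connection log is where it shows up even when AV scans find nothing. This Python script flags any process opening TCP/25 connections to many distinct hosts within a short window; the log format and the sample lines are constructed.

```python
"""Flag a process that behaves like a mailbot with its own SMTP engine.

Added example, not from the thread; the log format and sample lines are
constructed (adapt the parser to your firewall's outbound-connection export).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: date, time, process, destination IP, destination port.
SAMPLE_LOG = """
2006-06-01 10:00:01 OUTLOOK.EXE 192.0.2.10 25
2006-06-01 10:00:05 svchost.exe 198.51.100.7 25
2006-06-01 10:00:06 svchost.exe 198.51.100.8 25
2006-06-01 10:00:06 svchost.exe 198.51.100.9 25
2006-06-01 10:00:07 svchost.exe 203.0.113.4 25
2006-06-01 10:00:07 svchost.exe 203.0.113.5 25
2006-06-01 10:00:08 svchost.exe 203.0.113.6 25
2006-06-01 10:00:09 iexplore.exe 192.0.2.20 80
"""

def parse(log):
    """Yield (timestamp, process, dest_ip, dest_port) tuples from the log text."""
    for line in log.splitlines():
        if line.strip():
            date, time, proc, ip, port = line.split()
            yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), proc, ip, int(port)

def find_mailbots(log, window=timedelta(seconds=60), min_hosts=5):
    """Return {process: peak distinct SMTP hosts} for processes over the threshold."""
    smtp = defaultdict(list)  # process -> [(timestamp, dest_ip)] for port-25 connections
    for ts, proc, ip, port in parse(log):
        if port == 25:
            smtp[proc].append((ts, ip))
    flagged = {}
    for proc, conns in smtp.items():
        conns.sort()
        start = 0
        for end, (ts, _) in enumerate(conns):
            # Slide the window start forward until every connection in it is recent enough.
            while ts - conns[start][0] > window:
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) >= min_hosts:
                flagged[proc] = max(len(distinct), flagged.get(proc, 0))
    return flagged

if __name__ == "__main__":
    for proc, hosts in find_mailbots(SAMPLE_LOG).items():
        print(f"{proc}: {hosts} distinct SMTP servers within 60s, likely mailbot")
```

On the sample, OUTLOOK.EXE (one relay) and iexplore.exe (port 80) stay quiet while svchost.exe is flagged with six distinct SMTP destinations in four seconds.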
I had this exact trojan (if that's what it is). It infected my restore files so I could use System Restore. The only way I ended up getting rid of it was to do a format, which really sucked (and yes, I tried every AV software I could find).