Help I've been infected!!!

Discussion in 'Operating Systems' started by Slapdash, Jul 8, 2006.

  1. Slapdash

    Slapdash Member

    Messages:
    18
    Likes Received:
    0
    GPU:
    XFX 7900GT 256MB@560MHz-1612MHz
    Hi there

    I am posting this on behalf of a friend.
    The problem is this as soon as his winxp home box is connected to the internet it starts sending emails non stop and continuously. He has norton antivirus and it trys to scan every outgoing email. Eventually norton start giving alerts that the messages could not be sent. This is obviously a virus or trojan and i have dealt with it before, but i cannot remember the name of the virus, or how i fixed it. Scanning with an upto date norton anti-virus and kaspersky antivirus, spyware doctor and ad-aware detects nothing.

    I've tryed looking for wierd processes running or unknown program starting up in the registry. Looked for suspect files in windiws and windows/system32 but cannot find anything suspicious. He was infected with the spy sherrif spyware, but that has been removed.

    Please if anyone has any helpfull advice i'm all ears.
    I seem to remember that i maybe had to format and reload the pc to get rid of this virus/trojan.

    Thx.
     
  2. Loki91

    Loki91 Maha Guru

    Messages:
    1,474
    Likes Received:
    0
    GPU:
    nVIDIA 8800GTS 512MB @670
    the easiest and thus the first thing u should try: see if u can access an earlier restore point prior to when it the problems arose. the restore only takes a simple restart and i find it very helpful for removing simple viruses/trojans so that i dont need to get down and dirty if i dont have to.
     
  3. dominant1

    dominant1 Ancient Guru

    Messages:
    2,625
    Likes Received:
    4
    GPU:
    Evga Gtx1070 Superclocked
    yeah sounds like his ip address has been hijacked and the pc is a dummy mailer for some hacker out there. It will spam continually till your friend contacts his isp and gets a new ip address....after he gets the new ip address show him how to protect it....with multiple firewalls..
     
  4. Luvabud

    Luvabud Master Guru

    Messages:
    918
    Likes Received:
    0
    GPU:
    1060 6GB
    I've had a trojan/virus that can not be removed what ever you do, safe mode, restore windows doesn't run the trojan it just can't be deleted grrrr, multiple adware programs and good antivirus it just refuses to delete, best idea sometimes is just to format
     

  5. Slapdash

    Slapdash Member

    Messages:
    18
    Likes Received:
    0
    GPU:
    XFX 7900GT 256MB@560MHz-1612MHz
    Thanks guys just wish i had a name for this virus. Something called hacktool.nuker was detected during th scans but it said that it removed it. It amazing not one program that we have tried can detect it even when its doing its mass mailing. I will try and see if he can get another ip address, but i think he's already on dynamic ip. Thx.
     
  6. bakuryu

    bakuryu Ancient Guru

    Messages:
    3,270
    Likes Received:
    1
    GPU:
    XFX GeForce 6600LE @ 430/490
    Ok, what scan tools have you tried so far ??

    If you haven't done these scans, then just do them again : downlaod from a separate PC, if you have problems downloading from your friends PC

    1. Download the latest versions of Spyware Blaster, Adware, and SpyBot S&D.
    2. Also update the software with their latest definations.
    3. Disable System Restore
    4. Enable "All Protection" in Spyware Blaster, and click on the Immunize button in SpyBot S&D, and Immunize all.
    5. Re boot in safe mode and run full system scans in Adware, and SpyBot S&D
    6. Clean any infections found.
    7. Reboot in normal mode, and if you still have problems post a HijackThis log file.

    And .. btw .. Norton isn't a great AV IMO :p

    You can also try with some online AV checks :
    http://www.hackfix.org/software/oavirus.html (contains a list of free online scanners)
    http://www.ewido.net/en/onlinescan/

    Online Malware scan : http://virusscan.jotti.org/
    Online Trojan Scan : http://www.windowsecurity.com/trojanscan/

    More info on hacktool.nuker : http://www.symantec.com/avcenter/venc/data/winnuke.trojan.html

    Open regedit, go to : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    delete the value
    LoadPowerProfile


    And try to get your friend another AV other than Norton. NOD32 is a very good AV, and so is Kaspersky !!
     
  7. Slapdash

    Slapdash Member

    Messages:
    18
    Likes Received:
    0
    GPU:
    XFX 7900GT 256MB@560MHz-1612MHz
    Scanned with spyware doctor and adaware.
    Symantec antivirus and kaspersky antivirus all updated.
    System restore is disabled.
    All temp files and temporary interent files have been cleared.

    He is busy running those online scans but so far they haven't detected anything.

    He does not have that registry value in his registry.

    Someone out there must have experienced this mass mailing problem, and knows a fix. Me myself i would just backup and reload, but its not that easy for other ppl to do that.
     
  8. bakuryu

    bakuryu Ancient Guru

    Messages:
    3,270
    Likes Received:
    1
    GPU:
    XFX GeForce 6600LE @ 430/490
    Post a HijackThis log file.
     
  9. ultimate360

    ultimate360 Master Guru

    Messages:
    871
    Likes Received:
    0
    GPU:
    eVGA 7900GT KO 256MB
    A fresh reinstall of the OS will work.

    Oh. And welcome to Guru3d forums! Slapdash
     
    Last edited: Jul 9, 2006
  10. SL-spirit

    SL-spirit Master Guru

    Messages:
    256
    Likes Received:
    0
    GPU:
    1GB Sparkle 9800GT
    I removed a trojan virus last month using AVG. Norton couldn't even locate the virus that was on my PC, so I had to download AVG, update it with the latest updates, run a full system scan and it deleted/removed the virus. Heard many peopl saying HijackThis was an excellent anti-virus prog. So can someone provide me with a link to downloading this prog.... Please reply as soon as possible..... Tks.
     

  11. kenace0

    kenace0 Master Guru

    Messages:
    399
    Likes Received:
    0
    GPU:
    xfx geforce 9600 gt
  12. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,842
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
    Not to HijackThis thread...lol but.
    Just to make it clear to all, HijackThis is not a AV.

    It's a tool used for manual clean up (i.e. the user decides what is to be removed) of start/run commands and browser related settings etc. It started out as a homepage hijack detector but it's capabilities has been expanded and is very useful to those who know how to investigate the logs. But it's not very helpful if you don't know how to interpret the log. However some nice people has made log checkers which can help both experienced hijack log checkers cut down on the time spend looking at logs. And for people new to HijackThis it can also be a big help...NOTE however you should NEVER blindly trust the auto checks and ALWAYS double check, best is using threads found on the net where other experienced hijack log checkers are removing the same stuff. But again they to can make mistakes and will very often remove things not spyware related such as unneeded run commands and Activex components. Quick times boot check being a classic example.
    Auto log checkers
    http://hjt.networktechs.com/
    http://www.hijackthis.de/

    HijackThis Log Tutorials
    http://www.merijn.org/htlogtutorial.html
    http://aumha.org/a/hjttutor.php
    http://tomcoyote.com/hjt/ (in case you did not find it ;))

    Sticky has HijackThis
    http://forums.guru3d.com/showthread.php?p=1449607#post1449607
     
  13. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,842
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
    To the original poster. An HijackThis log may indeed help so please post one if possible.

    ----

    There is a few things to look at.

    1. The mail client. Is it Outlook ?

    2. The mail service. Web-mail and/or mail service provided by the ISP ?

    (Remember he may also be receiving infested mail.)


    3. How is he connected and who is the provider ?

    Mass-mailer worms are becoming a thing of the past as the email security has been beefed up a lot.


    4. The AV.

    Something is not OK with his scanner if it did not protect against the infestation of WinNuke.Trojan, as that thing is old as hell (1998).

    Did it protect against the infestation or just pick it up in a scan ?
    Do you know where it was found, use the logging.

    WinNuke.Trojan is used to crash systems but will not work if the system have the appropriate security patches http://www.symantec.com/avcenter/venc/data/winnuke.trojan.html


    Did you install Kaspersky ? (what version if 5 try 6 instead).

    If NO active protection or scans are finding anything, including from a installed Kaspersky, i'd suspect something may have creped in and compromised the system. Maybe even Norton, possibly giving elevated privileges and access.

    Symantec Client Security and Symantec AntiVirus Elevation of Privilege
    http://securityresponse.symantec.com/avcenter/security/Content/2006.05.25.html


    5. The lack of a firewall.

    Install one !


    6. P2P and IRC programs installed.

    Many P2P and IRC worms, trojans, use mails.



    7. Solutions.


    Make sure XP is 100% updated.

    Installing a new mail client like Thunderbird and making it the default client, start by keeping it empty i.e. no mail services or contacts. If it still launches the "old" mail client clean it out of contacts, or remove the mail service, or rename the .exe of the "old" mail client.

    Then i would install a firewall and possibly some HIPS/IDS as well.

    Then i would uninstall Norton and install either NOD32, Kaspersky 6 or Bitdefender 9 (update and scan using the strongest settings they have).

    Then i'd look for rootkits (often hard to tell).



    Firewall:

    Comodo is good at stoping leaks and is still pretty user friendly but you will need a clean PC as you have to use an e-mail to get the activation code. http://www.personalfirewall.comodo.com/

    Software firewalls should stop a Mass-mailer worms.
    http://www.firewallleaktester.com/software.htm
    http://www.wilderssecurity.com/showthread.php?t=57655


    Rootkits:

    http://www.pcsupportadvisor.com/rootkits.htm
    http://www.viruslist.com/en/analysis?pubid=168740859

    Sticky malware info
    http://forums.guru3d.com/showthread.php?p=1449607#post1449607


    Infomations:

    search: mass-mailer worms
    http://search.symantec.com/custom/u...s&nh=10&hitsceil=100&st=1&context=gbh&x=6&y=3
    http://www.viruslist.com/en/virusesdescribed?chapter=153311664

    Latest Email-Worm "Email-Worm.Win32.Bagle.fy"
    http://www.viruslist.com/en/viruses/alerts?alertid=189337140
     
  14. SL-spirit

    SL-spirit Master Guru

    Messages:
    256
    Likes Received:
    0
    GPU:
    1GB Sparkle 9800GT
    This was the first time i've scaned my PC using HijackThis and I'm not sure about deleting the following files from the PC since a warning message, "this might cause some problems in the future...." popped up. So just wanted to ask some experts to look if I could delete the following stuff..... Here's the log:

    [EDIT] : The log has been moved to the Slow boot topic

    Please reply as soon as possible.... Tks......
     
    Last edited: Jul 12, 2006
  15. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,842
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
    2Pac, please make new thread and post the log again (you might want to remove your log from this thread. It's just to avoid clutter and confusion).

    But for one it looks like you have a worm W32.Alcra.B

    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

    W32.Alcra.B worm
    http://www.symantec.com/avcenter/venc/data/w32.alcra.b.html

    Your log file
    http://www.hijackthis.de/logfiles/e4caa7eb2229de376ae486ed62d420cc.html

    Virus and Spyware Help (get tools and follow the removal guides)
    http://forums.guru3d.com/showthread.php?p=1449607#post1449607
     

  16. Slapdash

    Slapdash Member

    Messages:
    18
    Likes Received:
    0
    GPU:
    XFX 7900GT 256MB@560MHz-1612MHz
    Thx for all the replies guys. I am not impressed with symantec/nortons detection rate. Gonna Switch to Kasperky. I lost contact with my friend who i was trying to help online due to this virus rendering his pc unusable, but he has just come back online today. He is following the tips in a link i sent him http://forums.majorgeeks.com/showthread.php?t=35407 and so far has removed a whole lot of trojans and virused that where not deteced in initial scans.

    Btw the virus that was causing the mass mailing is called Trojan Mailbot(SpamTool.Win32.Mailbot.ap (Kaspersky) SPR/Spam.Mailbot.AP

    Thanks for the welcoming ultimate360 and to everyone else for their helpfull tips.
     
  17. kenace0

    kenace0 Master Guru

    Messages:
    399
    Likes Received:
    0
    GPU:
    xfx geforce 9600 gt
    O4 - HKCU\..\Run: [Tukati:4] C:\Program Files\Tukati\Redistributor\4\TukatiRedistributor.e xe -r:4 -x:1
    whats this looks suspect ???
     
  18. Animatrix

    Animatrix Ancient Guru

    Messages:
    6,842
    Likes Received:
    4
    GPU:
    BFG 8800GT OC2 512
    As i suspected it's using rootkit functionality and it's own SMTP engine. Nasty.

    Make sure it did not install this:
    a-squared has detection for it as well.
    http://www.emsisoft.com/en/software/download/


    Just as info, it should/would likely have shown up on a HijackThis log.
     
  19. dB

    dB Ancient Guru

    Messages:
    2,448
    Likes Received:
    0
    GPU:
    88GTS 512M@830/2050/2.2g
    i had this exact trojan (if thats what it is). it infected my restore files so i could use system restore. the only way i ended up getting rid of was to do format, which really sucked (and yes i tried every AV software i could find).
     

Share This Page