Virus sending mass emails.

Discussion in 'Malware Help (A Specialist Will Reply)' started by varunmalhotra21, Mar 13, 2009.

  1. varunmalhotra21

    varunmalhotra21 Private E-2

    My case is very much like
    http://icrontic.com/forum/showthread.php?t=50076

    I did try everything mentioned here

    The final solution to this was Running SDFIX
    the log is as follows

    SDFix: Version 1.240
    Run by varun malhotra on Thu 03/12/2009 at 04:45 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\Documents and Settings\varun malhotra\My Documents\Downloads\SDFix\SDFix

    Checking Services :

    Name :
    FCI

    Path :
    C:\WINDOWS\system32\svchost.exe:ext.exe

    FCI - Deleted

    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting

    Checking Files :

    Trojan Files Found:

    C:\DOCUME~1\VARUNM~1\LOCALS~1\Temp\tmp12.tmp - Deleted
    C:\DOCUME~1\VARUNM~1\LOCALS~1\Temp\tmp19.tmp - Deleted
    C:\DOCUME~1\VARUNM~1\LOCALS~1\Temp\tmp54.tmp - Deleted
    C:\DOCUME~1\VARUNM~1\LOCALS~1\Temp\tmp5A.tmp - Deleted
    C:\DOCUME~1\VARUNM~1\LOCALS~1\Temp\tmp7.tmp - Deleted
    C:\DOCUME~1\VARUNM~1\LOCALS~1\Temp\tmp8.tmp - Deleted
    C:\DOCUME~1\VARUNM~1\LOCALS~1\Temp\tmp9.tmp - Deleted
    C:\DOCUME~1\VARUNM~1\LOCALS~1\Temp\tmpE.tmp - Deleted
    C:\WINDOWS\Temp\temp.dat - Deleted

    Removing Temp Files

    ADS Check :


    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-12 16:48:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    disk error: C:\WINDOWS\system32\config\system, 0
    scanning hidden registry entries ...

    disk error: C:\WINDOWS\system32\config\software, 0
    disk error: C:\Documents and Settings\varun malhotra\ntuser.dat, 0
    scanning hidden files ...

    disk error: C:\WINDOWS\

    please note that you need administrator rights to perform deep scan

    Remaining Services :

    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\fir ewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xp sp2res.dll,-22019"
    "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\fir ewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xp sp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\DOCUME~1\VARUNM~1\MYDOCU~1\DOWNLO~1\SDFix\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Wed 25 Feb 2009 952 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"

    Finished!


    I manually deleted "C:\WINDOWS\system32\KGyGaAvL.sys" by using avenger.

    But did not work.
    As soon as i connect to the internet the within a minute i start getting these scanning messages window by the hundred. The only way to clearing up the screen is by shutting down CCAPP

    below is my HJT log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:23:46 PM, on 3/12/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.
     
    Last edited by a moderator: Mar 15, 2009
    varunmalhotra21, Mar 13, 2009
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You should not be trying to delete files on your own. C:\WINDOWS\system32\KGyGaAvL.sys is not a problem. It is for DivX.


    Please follow the instructions in the READ & RUN ME FIRST link given futher down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
    chaslang, Mar 15, 2009
    #2

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds