Author Topic: email virus sending tons of emails  (Read 15973 times)


ccaj

  • Guest
Re: email virus sending tons of emails
« Reply #15 on: March 12, 2008, 01:23:57 PM »
Hi, I'm new to this forum stuff. I was getting help from oldman; do you guys work together? I don't want to get anyone upset. But I really would like to fix this problem if possible. How does that work?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: email virus sending tons of emails
« Reply #16 on: March 12, 2008, 01:55:15 PM »
Some malware is protected from uploading, resulting in this 0 byte size; I have seen it in the forums before. So when oldman gets on the case again, he may be able to catch what is stopping it from being uploaded.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: email virus sending tons of emails
« Reply #17 on: March 12, 2008, 02:09:43 PM »
Quote
Hi, I'm new to this forum stuff. I was getting help from oldman; do you guys work together? I don't want to get anyone upset. But I really would like to fix this problem if possible. How does that work?

Normally it is a collaboration, as the internet never sleeps, but the problem here is the tools that are being used: there are only a few who are familiar with them, reading their logs, etc. It is therefore usual to stick with the same person helping, but not exclusively.

Having run combofix, it is entirely possible that whatever may have been protecting the file you tried to upload to virustotal is gone. Whilst I'm not entirely familiar with the combofix log, there have been a number of deletions, so I would suggest trying to upload that file (rwtatpl.lid) again, if it still exists, for scanning. There is actually a reference to rwtatpl.lid in the combofix log, though I don't fully understand what it means.
Quote
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\rwtatpl]
"ImagePath"="\??\C:\WINDOWS\Cursors\rwtatpl.lid"
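The registry entry quoted above is what a driver-based infection looks like from the Services key: a service whose ImagePath points at a file with a non-driver extension in a folder where no driver belongs. The following PowerShell is an added example for readers of this thread, not something DavidR or oldman posted and not part of ComboFix. It walks HKLM\SYSTEM\CurrentControlSet\Services and reports entries whose binary is not under System32/SysWOW64 or Program Files, or does not end in .exe/.sys/.dll. The "known good" locations are a heuristic I chose, not a Windows rule; the sample entries at the bottom are constructed, apart from the rwtatpl path taken from the quoted log. Needs PowerShell 3 or later.

```powershell
# Added example, not from the thread: audit every service/driver ImagePath in
# the registry for binaries that live somewhere a driver has no business being,
# which is exactly how rwtatpl (ImagePath \??\C:\WINDOWS\Cursors\rwtatpl.lid)
# would have stood out.

function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    # Drop the NT object-manager prefix the rwtatpl entry used.
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    # Keep only the executable: strip quotes, or cut before " -" / " /" arguments.
    if ($p.StartsWith('"')) {
        $p = $p.Substring(1)
        $end = $p.IndexOf('"')
        if ($end -ge 0) { $p = $p.Substring(0, $end) }
    } else {
        $m = [regex]::Match($p, '\s[-/]')
        if ($m.Success) { $p = $p.Substring(0, $m.Index) }
    }
    # Drivers are frequently stored relative to the Windows directory.
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -match '^\\SystemRoot\\')   { $p = $env:SystemRoot + $p.Substring(11) }
    elseif ($p -match '^system32\\')   { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-SuspiciousServicePath {
    param([string]$Name, [string]$ImagePath)
    $path = Resolve-ServiceImagePath $ImagePath
    $reasons = @()

    # Heuristic (my assumption): legitimate services are .exe/.sys/.dll.
    $ext = [IO.Path]::GetExtension($path)
    if (@('.exe', '.sys', '.dll') -notcontains $ext) { $reasons += "unusual extension '$ext'" }

    # Heuristic (my assumption): legitimate binaries sit under System32/SysWOW64
    # or Program Files. WINDOWS\Cursors is under the Windows directory but is neither.
    $roots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
               $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $inKnownRoot = $false
    foreach ($root in $roots) {
        if ($path -like ($root.TrimEnd('\') + '\*')) { $inKnownRoot = $true; break }
    }
    if (-not $inKnownRoot) { $reasons += 'binary outside System32/Program Files' }

    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Service   = $Name
        ImagePath = $ImagePath
        Resolved  = $path
        Reasons   = ($reasons -join '; ')
    }
}

function Get-SuspiciousServices {
    # Same key DavidR quoted from the ComboFix log, read live for the current control set.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ip = $_.GetValue('ImagePath')
            if ($ip) { Test-SuspiciousServicePath -Name $_.PSChildName -ImagePath $ip }
        }
}

# Constructed sample: the entry from the thread's ComboFix log plus two benign ones.
$sample = @(
    @{ Name = 'rwtatpl'; ImagePath = '\??\C:\WINDOWS\Cursors\rwtatpl.lid' },
    @{ Name = 'Tcpip';   ImagePath = 'system32\DRIVERS\tcpip.sys' },
    @{ Name = 'Spooler'; ImagePath = '%SystemRoot%\System32\spoolsv.exe' }
)
$sample | ForEach-Object { Test-SuspiciousServicePath -Name $_.Name -ImagePath $_.ImagePath } |
    Where-Object { $_ } | Format-Table -AutoSize

# On the affected machine itself:
#   Get-SuspiciousServices | Format-Table -AutoSize
```

The two benign sample entries resolve under System32 and pass both heuristics; the rwtatpl entry fails both. Two caveats a practitioner should keep in mind: legitimate products that install services under ProgramData or a user profile will show up too, so treat the output as a list to review rather than a list to delete; and a rootkit driver that is already loaded can hide its own Services key from user-mode tools, which is why the thread relies on ComboFix's Driver:: and Rootkit:: handling rather than on a registry walk like this one.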

Offline Abraxas

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 730
  • Perseverance Furthers...
    • PCLinuxOS-Forums
Re: email virus sending tons of emails
« Reply #18 on: March 12, 2008, 02:23:55 PM »
ccaj:
Quote
" I wass getting help from oldman do you guys work together I don't want to get anyone upset.  But I really would like to fix this problem if possible. "
ccaj it probably would be wise to wait for oldman before doing anything , as he should be able to analyse your problem and help you . He has prepared a lot of tests for you so far , it is a delicate situation . If possible it would be best to wait till oldman gets on the case again .

ccaj

  • Guest
Re: email virus sending tons of emails
« Reply #19 on: March 12, 2008, 02:37:47 PM »
Thanks for all your input I'll wait for oldman to return from his slumber.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: email virus sending tons of emails
« Reply #20 on: March 12, 2008, 05:46:06 PM »
Hi ccaj

Don't be concerned about the 0 bytes. It does tell us the file is being protected, at least in the case of rwtatpl.lid.

I have to ask: did you try to find rwtatpl in safe mode? At least you confirmed the file was there.

We'll go after it now. We'll try combofix first; if that doesn't work, we have other tools available.

Please follow all previous instructions regarding security programs.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
KillAll::

File::
C:\WINDOWS\Cursors\rwtatpl.lid

Rootkit::
C:\WINDOWS\Cursors\rwtatpl.lid

Driver::
rwtatpl


This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DSS log.
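DavidR and oldman both read the 0-byte VirusTotal result as a sign that the file is protected: it shows up in the directory listing, but nothing can actually read it. The following PowerShell is an added example for readers, not from the thread and not part of any of the tools used in it. It reproduces that test locally: it records the size the directory listing reports, then opens the file read-only and hashes every byte it can get, so a file that is hidden, cannot be opened, or returns fewer bytes than its listed size is reported as a problem. The demo at the bottom writes a constructed 64-byte file into %TEMP% to show the normal case; run it against the thread's path on the infected machine to see the abnormal one.

```powershell
# Added example, not from the thread: reproduce the "0 bytes at VirusTotal"
# symptom locally. An uploader reads the file the same way this does, so a
# file that a driver protects from reading will list with a size but hand back
# nothing (or an access error) when opened, and no hash can be taken.

function Test-FileReadable {
    param([Parameter(Mandatory = $true)][string]$Path)

    $r = [ordered]@{ Path = $Path; Listed = $false; ListedLength = $null
                     BytesRead = 0; SHA256 = $null; Problem = $null }

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        $r.Problem = 'not in the directory listing (deleted, or hidden from this process)'
        return [pscustomobject]$r
    }
    $r.Listed = $true
    $r.ListedLength = $item.Length

    try {
        # Open read-only and shared: the least intrusive way to get at the bytes.
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open,
                              [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
        try {
            $sha = [Security.Cryptography.SHA256]::Create()
            $buf = New-Object byte[] 65536
            while (($n = $fs.Read($buf, 0, $buf.Length)) -gt 0) {
                [void]$sha.TransformBlock($buf, 0, $n, $null, 0)
                $r.BytesRead += $n
            }
            [void]$sha.TransformFinalBlock($buf, 0, 0)
            $r.SHA256 = -join ($sha.Hash | ForEach-Object { $_.ToString('x2') })
        } finally { $fs.Dispose() }
    } catch {
        $r.Problem = 'open/read failed: ' + $_.Exception.Message
    }

    # The protected-file signature: a size is listed, but the reads come up short.
    if (-not $r.Problem -and $r.BytesRead -ne $r.ListedLength) {
        $r.Problem = "listed as $($r.ListedLength) bytes but only $($r.BytesRead) were readable"
    }
    [pscustomobject]$r
}

# On the affected machine, the file from this thread:
#   Test-FileReadable 'C:\WINDOWS\Cursors\rwtatpl.lid' | Format-List

# Constructed demo with an ordinary file, which should read completely and hash.
$demo = Join-Path $env:TEMP 'readable-demo.bin'
[IO.File]::WriteAllBytes($demo, [byte[]](1..64))
Test-FileReadable $demo | Format-List
Remove-Item -LiteralPath $demo
```

If Problem is set for a file that Explorer happily shows, that is the same evidence oldman draws from the 0-byte upload: something below the file system API is interfering, and the file has to be dealt with from a tool that bypasses it (ComboFix's Rootkit:: section here) or from offline media rather than by copying or uploading it from the running system.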




ccaj

  • Guest
Re: email virus sending tons of emails
« Reply #21 on: March 12, 2008, 07:22:08 PM »
Good morning, I hope you had a good rest. I have attached the combofix log. I don't know what a DSS log is. Sorry. On a positive note, it seems to have stopped sending emails.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: email virus sending tons of emails
« Reply #22 on: March 12, 2008, 07:59:02 PM »
Sorry about the DSS part, it wasn't supposed to be there.  :-[

Looks like we got it that time. Just a little tidying up of some old stuff.

Please follow all previous instructions regarding security programs.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
KillAll::

File::
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\yanskobl.pup
C:\WINDOWS\System32\Winkpxj.exe

Rootkit::
C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\yanskobl.pup
C:\WINDOWS\System32\Winkpxj.exe

Driver::
grande48
YANSKOBL
Winkpxj



This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks

ccaj

  • Guest
Re: email virus sending tons of emails
« Reply #23 on: March 12, 2008, 08:34:33 PM »
Here you go. One problem: when mail tries to download messages it gets a "server timed out" error, and also "this folder is being processed, please wait for processing to be complete to get your messages".
Any thoughts?
Thanks

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: email virus sending tons of emails
« Reply #24 on: March 12, 2008, 09:02:02 PM »
That looks good. If you have installed the third-party firewall as I asked, the mail problem lies there.

Depending on what you did per my instructions, you will have to unblock ports 25 and 110, if you blocked them. And you will have to allow ashmaisv.exe internet access.

I meant to ask for a new HJT log. Sorry, could you please post one?

Thanks

ccaj

  • Guest
Re: email virus sending tons of emails
« Reply #25 on: March 12, 2008, 09:15:09 PM »
Here you go, thanks for your help.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: email virus sending tons of emails
« Reply #26 on: March 12, 2008, 09:22:14 PM »
Looks okay. Did you get the mail to work?

ccaj

  • Guest
Re: email virus sending tons of emails
« Reply #27 on: March 13, 2008, 12:54:35 AM »
Yes, I did. Once again, thank you for all your time and help. I hope I never have this problem again. If I do, I now know who to call. You're a genius.


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: email virus sending tons of emails
« Reply #28 on: March 13, 2008, 04:02:59 AM »
Now the time you have been waiting for. Clean up time.

* Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u


* Please download OTMoveIt2 by OldTimer.



Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

* Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.


* Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 5...allows end-users to run Java applications".

Click the download button on the right.

 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.


* Clear the java cache

http://www.java.com/en/download/help/5000020300.xml



* Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/


* Check if you have insecure applications with Secunia Software Inspector


Take care and keep safe.