Author Topic: HELP!  (Read 4225 times)


Ando121

  • Guest
HELP!
« on: February 08, 2008, 04:27:02 PM »
I have tried everything I know to try and get rid of this virus, worm or whatever it is. I am sending out 1000's of e-mails and I am getting notice from my ISP that they have suspended me from sending any more. Which is fine, I don't even use e-mail on this drive.

What's happening is I am getting notices flashing up from Avast saying there are lots of e-mails being sent; I have had to turn that off so I can even use the PC.

I have done scans with Avast, Spybot, Spy Sweeper etc. They are all saying there is no problem.

My ISP suggested I start in Safe Mode and do a scan from there. When I try and start in Safe Mode the PC shuts down and restarts (this has never happened before).

If anyone has any advice on how I might get rid of this thing I would be very grateful.

Thanks in advance
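The symptom in this post (an anti-virus alert about mass outgoing mail, then an ISP block) is what a spambot looks like from the inside. What distinguishes it from a legitimate mail client is fan-out: a mail client talks to one or two relays, a bot delivering direct-to-MX holds SMTP connections to many different hosts at once. The script below is an added example, not code from the thread or from any of the tools named in it; it parses `netstat -ano`-style output and flags any process talking SMTP to more than a threshold number of distinct hosts. The sample output is constructed with documentation-range addresses, and the threshold is an assumption.

```python
"""Spot a spambot from connection data: one process holding SMTP
connections to many different mail servers.

SAMPLE_NETSTAT is constructed in the column layout of `netstat -ano`
on Windows, using documentation-range addresses; it is not output
from the poster's machine."""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
# A mail client uses one or two relays; a bot sending direct-to-MX fans out
# to many hosts. The threshold is an assumption; tune it for your network.
FANOUT_THRESHOLD = 4

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1029       192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.5:1040       192.0.2.11:25          SYN_SENT        1860
  TCP    192.168.1.5:1041       192.0.2.52:25          ESTABLISHED     1860
  TCP    192.168.1.5:1042       192.0.2.73:25          SYN_SENT        1860
  TCP    192.168.1.5:1043       192.0.2.90:25          ESTABLISHED     1860
  TCP    192.168.1.5:1044       192.0.2.140:25         SYN_SENT        1860
  TCP    192.168.1.5:1050       203.0.113.10:587       ESTABLISHED     2244
  TCP    192.168.1.5:1051       203.0.113.10:587       ESTABLISHED     2244
  TCP    192.168.1.5:1060       198.51.100.7:80        ESTABLISHED     3120
  UDP    0.0.0.0:137            *:*                                    4
"""


def parse_netstat(text):
    """Return (pid, remote_host, remote_port) for every TCP row.

    Header lines and UDP rows (which have no State column) are skipped
    because they do not split into exactly five fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, _local, foreign, _state, pid = parts
        host, _, port = foreign.rpartition(":")  # also handles [::1]:25
        rows.append((int(pid), host, int(port)))
    return rows


def smtp_peers(text):
    """Map pid -> set of distinct remote hosts it has SMTP connections to."""
    peers = defaultdict(set)
    for pid, host, port in parse_netstat(text):
        if port in SMTP_PORTS:
            peers[pid].add(host)
    return peers


def suspect_pids(text, threshold=FANOUT_THRESHOLD):
    """PIDs whose SMTP fan-out reaches the threshold, sorted."""
    return sorted(pid for pid, hosts in smtp_peers(text).items()
                  if len(hosts) >= threshold)


if __name__ == "__main__":
    for pid, hosts in sorted(smtp_peers(SAMPLE_NETSTAT).items()):
        flag = "SPAMBOT?" if len(hosts) >= FANOUT_THRESHOLD else "ok"
        print(f"pid {pid}: {len(hosts)} distinct SMTP peer(s) -> {flag}")
```

On a live machine, map the flagged PID to a binary with `tasklist` (or Process Explorer). One caveat that matters for this thread: a kernel-mode rootkit can hide its own sockets from `netstat`, so an empty result does not clear the box. The same fan-out check is more trustworthy when run against the router or firewall's connection log, which the rootkit cannot touch.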



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89697
  • No support PMs thanks
Re: HELP!
« Reply #1 on: February 08, 2008, 04:51:56 PM »
The chances are that this might be hidden by a rootkit, and some malware also stops you getting into safe mode, for obvious reasons.

Also see anti-rootkit detection, removal & protection, http://www.antirootkit.com/software/index.htm. Try these, as they are some of the more efficient and user-friendly anti-rootkit tools:
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: HELP!
« Reply #2 on: February 08, 2008, 04:55:39 PM »
If DavidR's suggestions don't help,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

You can attach the logs by using the Additional Options button on the reply page.

Ando121

  • Guest
Re: HELP!
« Reply #3 on: February 09, 2008, 05:30:52 PM »
Thanks for the help lads, I have done a rootkit check with the Panda software, nothing was found.

I have downloaded and run DSS but had problems getting it to sort out HijackThis, so I ran HijackThis on its own. I have attached the log. Hope that's what is required.

Something that is really odd, but that maybe you should be aware of: when I try to log into this site to send the log, my system crashes. Other sites and logins are OK. I get a blue screen with "starting memory dump". Strange! So I have made a copy of the log and am sending it from a different drive. It's like it knows, "worry worry!"

If anyone can help with this I would be very grateful as I have tried everything I know.

Thanks in advance.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89697
  • No support PMs thanks
Re: HELP!
« Reply #4 on: February 09, 2008, 05:50:21 PM »
I wouldn't just stop at one tool but move on to the next; like anti-virus programs, one might find something where another didn't.

Did you create these?
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/

Fix using HJT:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Suspect:
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
See http://www.castlecops.com/o20list-392.html and http://www.prevx.com/filenames/X633919718175391196-0/CRYPTS.DLL.html.

Check this is legit, e.g. did you install it, etc.:
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
See http://www.file.net/process/pnkbstra.exe.html

Java is slightly out of date; ensure you have the latest version of the JRE (Java Runtime Environment) because older versions can be vulnerable to malware. First remove all older versions from Add/Remove Programs.
Then get the latest update from here http://www.java.com/en/download/index.jsp
Or JRE version 6 update 4 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

Other than that I don't see anything obvious; let's see what oldman says and whether he can get DSS running for you.
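The reply above is a manual triage of a HijackThis log, and the rules it applies are mechanical enough to write down: entries whose target file is gone are dead references (safe to fix), a Winlogon Notify entry pointing at a DLL the scanner cannot find deserves suspicion rather than a reflex fix, a service with no publisher is checked against what the user installed, and R0/R1 browser pages are preference rather than infection unless the user did not set them. The script below is an added example, not code from the thread or from HijackThis itself; it parses HJT-style lines and applies those rules. The sample log is constructed from the entries quoted above plus one made-up, legitimate-looking service line, and the severity labels are my own.

```python
"""Triage of a HijackThis (HJT) log: flag entries whose target file is
absent, services with no publisher, and browser start/search pages the
user may not have set.

SAMPLE_LOG is constructed from the entries quoted in the thread plus one
made-up, legitimate-looking O23 service line; it is not a real HJT log."""
import re

# Markers HJT prints when the file a registry entry points at is not on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")

# "O20 - Winlogon Notify: crypt - crypts.dll (file missing)"
#   -> section "O20", body "Winlogon Notify: crypt - crypts.dll (file missing)"
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: crypt - crypts.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Example Updater - Example Corp - C:\Program Files\Example\updater.exe
"""


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per HJT entry line."""
    entries = []
    for line in text.splitlines():
        match = HJT_LINE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def classify(section, body):
    """Return (severity, reason) for one entry, or None if nothing to note.

    severity: "suspect" = investigate before touching anything
              "fix"     = dead registry reference, safe to remove with HJT
              "verify"  = looks like software, confirm you installed it
              "info"    = user preference, not malware by itself
    """
    missing = any(marker in body for marker in MISSING_MARKERS)
    if section == "O20" and missing:
        # Winlogon Notify DLLs are loaded into winlogon.exe at logon. A name
        # HJT cannot find on disk is either a leftover or a file hidden from
        # the scanner, which is why it is not a reflex "fix".
        return "suspect", "Winlogon Notify DLL not found on disk"
    if section in ("O2", "O3", "O4") and missing:
        return "fix", "registry entry points at a file that no longer exists"
    if section == "O23" and "Unknown owner" in body:
        return "verify", "service with no publisher string"
    if section in ("R0", "R1"):
        return "info", "browser start/search page; fix only if you did not set it"
    return None


def triage(text):
    """Return [(section, severity, reason, body), ...] for entries worth noting."""
    findings = []
    for section, body in parse_hjt(text):
        verdict = classify(section, body)
        if verdict is not None:
            severity, reason = verdict
            findings.append((section, severity, reason, body))
    return findings


if __name__ == "__main__":
    for section, severity, reason, body in triage(SAMPLE_LOG):
        print(f"[{severity:7}] {section:<3} {body}")
        print(f"          {reason}")
```

The point of keeping "suspect" separate from "fix" is the one the thread turns on: removing the O20 entry with HJT deletes the registry reference, but if crypts.dll is really present and hidden by a rootkit, the file and whatever loads it are still there.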

Ando121

  • Guest
Re: HELP!
« Reply #5 on: February 09, 2008, 06:03:56 PM »
Thanks for the fast reply DavidR,

I will try more of the rootkit tools. It's difficult to download programs as this thing has nearly killed my connection; it's worse than 56k!

I haven't created anything, so what R1 and R0 are I have no idea.

The no-name file I looked at as odd (fix it with HJT? What is HJT?).

PnkBstrA is legit; it is the anti-cheat for Call of Duty games.

I will update Java.

Going to wait and see if oldman comes back with anything before I swap onto the dreaded drive.

Ando121

  • Guest
Re: HELP!
« Reply #6 on: February 09, 2008, 07:09:12 PM »
:) Well, on the dodgy drive and up to now I have had no warnings from Avast and all seems well. Let's hope so!

I ran lots of rootkit progs and the problem (seems) to have stopped after Trend Micro RootkitBuster.

Thanks so much for your help lads. Very grateful for all your help.

Ando

P.S. I can now log in to these forums on this drive also, so I think it must have been connected.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89697
  • No support PMs thanks
Re: HELP!
« Reply #7 on: February 09, 2008, 08:45:43 PM »
HJT is short for HiJackThis; run it again and put a tick in the box to fix opposite the entry (ensure you have other windows closed).

If you don't want MSN as your search page (I prefer Google) or you don't want MSN as your home page, then fix those entries.

I have to live with less than 56k, being a dial-up user, but it is worth your perseverance in downloading the other anti-rootkit tools.

Welcome to the forums.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: HELP!
« Reply #8 on: February 09, 2008, 09:46:59 PM »
Hi Ando121

The DSS log would have been useful to show what else is going on. But if you can't get it to run we will use another scanner.

Download ComboFix from Here or Here to your Desktop.

Do not run it yet. First rename combofix.exe to bugout.exe.

Open Spybot and make sure TeaTimer is disabled; we will re-enable it afterwards. To do so, do the following:

Click Mode
Click Advanced mode
If you get a warning, answer "yes"
Click Tools
Click Resident
Uncheck Resident "TeaTimer" and SDHelper if installed
Click Allow change
Reboot

Double-click bugout.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

« Last Edit: February 09, 2008, 10:11:36 PM by oldman »