Help! Mysterious virus sending thousands of spam e-mails from my PC :(

[bitoclass]

Looks good to me,  the run file would also have given me the running processes

Ah OK - you're probably not missing much there then because I haven't yet re-enabled that Service so the virus isn't actually doing anything at the moment, so I don't think its process is running.

I have to go out for a few hours now but I am going to leave this WinPFind3U running while I'm out (with everything else shut), since ComboFix still hadn't done anything over an hour after I started it.

I'll post my log when I get home later. Thanks very much for your help!

[bitoclass]

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

The file is 101,252 bytes, which would mean it would take 11 posts to put it up here. Instead I have put it online here:

http://www.digitalhome.plus.com/WinPFind3.txt

Hope it is revealing!

Thanks for your help,

Paul

(P.S. As you will see, in this text file I have censored three of the items in my Hosts file, as they reveal personal information I'd rather keep out of a forum - there's nothing suspicious about them, I promise!)

[bitoclass]

Last night I shut down just about every little running thing (including system tray stuff) on my PC and tried running ComboFix again. I didn't so much as hover over the window once it was running, let alone clicking it. This morning it has once again not finished running and does not appear to be doing anything.

There is a folder in my C drive that it has created called ComboFix. It contains 90 objects, of which 18 have modified dates/times of last night when I started running it, and one has a modified time of two minutes later. That last file is called WowErr.cf and contains the following text:

Completed Stage_7

Can anyone tell me why this ComboFix process never finishes, or what Stage 7 is that could make it stall, or anything else helpful? Would it be useful for me to post the contents of any of these other files that were modified when I started running it?

d-delA.cf
DirRoot
attribed.cf
svclist.cf
v-files.cf
suspect_ntfy.cf
ComboFix.txt
errdbg.cf
borlander_folder.cf
borlander_file.cf
Cfolders.cf
Cfiles.cf
whitedir.cf
dll_whitelist.cf
dnd.cf
appdatafolders.cf
setpath.bat

(The 18th item with that same modified date/time is a folder called 'test', which is empty.)

Could my virus/rootkit/whatever be actually blocking ComboFix from working in some way?

Any help with this, or with analysing the WinPFind3 log I posted last night, would be much appreciated!

[MeDIeVaL]

Try this...

1) Go to Start then click Run. 2) Type msconfig. 3) When System Configuration Utility window appear click on Services tab. 4) Check "Hide All Microsoft Services" box. 5) Kill all non-Microsoft services process then run ComboFix or Runscanner.

[bitoclass]

Are you sure you've run ComboFix scan? Seem like you don't. Double click on ComboFix then press 1 and finally enter...

I'm a bit confused - when I run ComboFix.exe I get a Command Prompt window called AutoScan, which has a blue background. It says "Please wait" for a few seconds, then the following:

Scanning for infected files . . .

This typically doesn't take more than 10 minutes

Scan times for badly infected machines may easily double

ComboFix has changed your clock settings.

Do not change it back. It shall be restored later

Then nothing else happens.

At what point should I be typing 1? I'm not prompted to type 1. Am I running the wrong thing? Should I be running something out of the ComboFix folder rather than the ComboFix.exe file that I downloaded?

Sorry if I appear stupid but I'm a bit confused by this software as it never gets past the above text!

[raman]

Please redownload Combofix and start it again. It seems that it has some trouble finishing the scan. Maybe due to Malware.

If it still hangs on a "Stage", please start the Taskmanager and kill any of these Tasks: Findstr.exe/sed.exe/swreg.exe

after that Combofix may continue scanning.

Also please start catchme.exe in you Windowsfolder. Press scan and let it do its work. After finish the scan you will find a file called catchme.log on your desktop, please post the content of that file.

[MeDIeVaL]

I were prompted to press 1 to scan or 2 to cancel. But it was month ago. Dunno if they have added later fixs...

[bitoclass]

Please redownload Combofix and start it again. It seems that it has some trouble finishing the scan. Maybe due to Malware.
If it still hangs on a "Stage", please start the Taskmanager and kill any of these Tasks: Findstr.exe/sed.exe/swreg.exe
after that Combofix may continue scanning.
Also please start catchme.exe in you Windowsfolder. Press scan and let it do its work. After finish the scan you will find a file called catchme.log on your desktop, please post the content of that file.

Thanks - I will try this later - unfortunately I have to go to work now   Really appreciate all this help though!

[MeDIeVaL]

If you want to know precisely which sub-process and linked Windows services are connected with the program, start the freeware "Process Explorer" offered by Microsoft for download. The tool displays all running processes. Select the "svchost.exe" process. In the details window you can then find all files, indexes and registry entries that are connected with it. With one click on the "Properties" you can find out more details. This also includes the IP address and the port with which the program connects.

[bitoclass]

[font size=4]If you want to know precisely which sub-process and linked Windows services are connected with the program, start the freeware "Process Explorer" offered by Microsoft for download.[/font]

Thanks, but that's actually one of the programs I used early on to isolate the source of the rogue connection attempts. It showed which instance of svchost was the one doing the connecting, and which services were hosted by that svchost, namely Terminal Services and that DCOM one I mentioned before. When I then disabled the DCOM service, the connection attempts ceased.

What I *couldn't* tell from it was anything else using the lists of DLLs and handlers. The vast, vast majority of DLLs were Microsoft ones and the others looked unsuspicious to my relatively untrained eye, while the handlers list just didn't mean a lot to me for the most part (but looked OK in the bits that I could follow). Any advice on what to look for? I wonder if any of it is exportable for pasting onto this forum...?

[bitoclass]

Please redownload Combofix and start it again. It seems that it has some trouble finishing the scan. Maybe due to Malware.
If it still hangs on a "Stage", please start the Taskmanager and kill any of these Tasks: Findstr.exe/sed.exe/swreg.exe
after that Combofix may continue scanning.

Excellent - you were spot on with this - when I killed Findstr.exe after it seemed to have hung, Combifix then carried on to the end.

Also please start catchme.exe in you Windowsfolder. Press scan and let it do its work. After finish the scan you will find a file called catchme.log on your desktop, please post the content of that file.

Right, here are the two logfiles, combofix and catchme:

http://www.digitalhome.plus.com/ComboFix.txt

http://www.digitalhome.plus.com/catchme.log

There is also a file alongside the ComboFix one called ComboFix-quarantined-files.txt. That says the following:

[ code ]
2005-11-02 09:31      45056    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\Service.exe.vir


Folder PATH listing for volume Windows XP
Volume serial number is 00090188 C0F8:FD76
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |       \---system32
    |               Service.exe.vir
    |               
    \---Registry_backups
[/ code ]
[/tt]

ComboFix.txt mentions C:\WINDOWS\system32\service.exe, and this quarantined files log shows it being got rid of, but I'm pretty sure it's just part of my Dell 3007WFP monitor software - Process Explorer shows it with LCDOSD.exe hanging off it, and now it's been killed I don't get an LCD on-screen display when I change the monitor's brightness. I uploaded service.exe to those online multi-engine virus-checkers earlier and none of them found anything wrong with it.

I notice it also mentions this:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rasrad32]
rasrad32.dll 2004-11-23 02:44 8192 C:\WINDOWS\system32\rasrad32.dll

If this *was* at fault, what could I do to disable it to test if the problem then goes away?

This line looks the most suspicious in the file but I don't really understand what this part of the file is listing so it might be nothing:

*Newly Created Service* - UVKMWMXMIIQI

Surely no legitimate service would have such a ridiculous name, would it? What can I do about that? Can I remove it?

So, over to you geniuses to tell me what to do now! Thanks again!

[essexboy]

Nothing untoward on winpfind and service.exe is prt of Dell

[bitoclass]

Hm, so does anyone else have any advice or is this destined to become the world's most mysterious virus? And, more to the point, am I just going to have to wipe my PC out and start from scratch - perhaps with the more secure Windows Vista rather than XP? Oh dear

[MeDIeVaL]

Hmm... do you've tried Windows OneCare? Maybe the virus lies inside your registry so s'time registry cleaning will help...

[mauserme]

When you have a chance please post a fresh HJT log.