Author Topic: Help! Mysterious virus sending thousands of spam e-mails from my PC :(  (Read 64257 times)


bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #30 on: August 23, 2007, 08:56:47 AM »
Quote
When you have a chance please post a fresh HJT log.

OK, just ran it and got a new log:

http://www.digitalhome.plus.com/hijackthis3.log

By the way, I think the stuff I said before about disabling the DCOM service stopping the virus might not be entirely true - the virus still tries several connection attempts when the computer first gets into Windows, for the first five minutes or so, but after that it stops trying until the next reboot.

mauserme

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #31 on: August 23, 2007, 02:25:43 PM »
Your first HJT log from 18 August shows a single instance of C:\WINDOWS\system32\cmd.exe in the running processes, and the log from 19 August shows 2 instances running. The most recent log shows none.

Do you recall having command windows open when you ran the first 2 scans? Was there email activity the first 2 times but none this time?

What version of WINVnc do you have?

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #32 on: August 23, 2007, 02:41:07 PM »
Quote
Your first HJT log from 18 August shows a single instance of C:\WINDOWS\system32\cmd.exe in the running processes, and the log from 19 August shows 2 instances running. The most recent log shows none.
Do you recall having command windows open when you ran the first 2 scans? Was there email activity the first 2 times but none this time?

Hi, yes, that's a red herring I'm afraid: I did indeed have some command windows open on those first scans and none this time. (Also, it's definitely svchost.exe which is trying to make the connections rather than cmd.exe.) And there was no e-mail activity when I was doing any of those scans because I had blocked it with a firewall the first time and tried with partial success to disable the relevant service (as well as keeping the firewall in place) the second and third times.

Quote
What version of WINVnc do you have?

It's UltraVNC, whatever the latest stable release is (not the new beta that supports Vista).

Thanks.

mauserme

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #33 on: August 24, 2007, 02:13:02 PM »
This brings me to

O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

also.

Tech, DavidR, Essexboy mentioned it and I see it as very suspicious too.

You could try renaming the file rasrad32.dll to rasrad32.old followed by a reboot. Do the symptoms subside?


bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #34 on: August 24, 2007, 02:28:55 PM »
Quote
This brings me to

O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll

also.

Tech, DavidR, Essexboy mentioned it and I see it as very suspicious too.

You could try renaming the file rasrad32.dll to rasrad32.old followed by a reboot. Do the symptoms subside?

OK, will do, thanks - you're the first person to tell me it's suspicious *and* what to do about it. I was a bit worried that renaming/deleting it might make the PC not boot or something if the registry was looking for it, because I don't really understand what Winlogon Notify means/how integral it is to the startup process.

So tonight when I get home I will indeed try renaming this and seeing what happens and I'll let you know - thanks again!

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #35 on: August 24, 2007, 04:58:03 PM »
I don't speak much French, but babelfish.altavista.com does, and I think I may finally have found the one other person in the entire world who has this same malware!

http://forum.malekal.com/ftopic4508.php

That's the French original page as there doesn't seem to be a way to link to the translation.

In summary, it looks rather like this person has a suspect item in their Winlogon Notify, and that it is a DLL file which ends with 32.dll! Sound familiar?

It looks like the French person fixed it by pasting the line from their HJT log into the HJT 'fix' box, so you can guess what I'm going to try when I get home! Something tells me this is going to be a good evening at last!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #36 on: August 24, 2007, 05:15:07 PM »
Well you can try this link, http://babelfish......forum.malekal.com%2Fftopic4508.php

I have a firefox extension, Translator 1.0.4.3, this allows you to open the original page and then using translator select the from and to languages and it opens a new page with the translation and I just copied the path to this translation.

mauserme

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #37 on: August 26, 2007, 05:22:01 AM »
Quote
It looks like the French person fixed it by pasting the line from their HJT log into the HJT 'fix' box, so you can guess what I'm going to try when I get home! Something tells me this is going to be a good evening at last!

That's fine if you would like to do that.

I was suggesting a slightly more conservative approach to testing this but the action you suggest will remove the registry entry from your startups but should leave the file intact. If this alleviates the problem please upload a sample of the file to avast! before deleting it.


EDIT: Well, translated or not that French thread is about something different than you have (probably Vundo plus something else over there). Your O20 is suspicious but there really isn't any direct correlation to what you saw there.
« Last Edit: August 26, 2007, 05:41:50 AM by mauserme »

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #38 on: August 27, 2007, 10:46:01 PM »
Quote
Well, translated or not that French thread is about something different than you have (probably Vundo plus something else over there). Your O20 is suspicious but there really isn't any direct correlation to what you saw there.

What makes you say that? What's different about the French person's problem from mine? It sounds identical to me. No anti-virus products would pick mine up, nor that one; it was a DLL in system32, set up in Winlogon Notify, which had the same name as a valid system DLL but with '32' appended; and the symptoms - connecting to a range of remote sites including leapcash.com and hostlife.net - were also identical. I can't understand why you're sure it's different. (Not saying you don't have your reasons, but I'd like to hear them as that French case just seems so similar to mine!)

Anyway, the upshot is that the fix on that forum did indeed work. Sorry if it seemed like a criticism of your suggested fix - no criticism intended but since that fix was for what I'm still sure is my problem and had been seen to work by someone else with it I thought I might as well try that first - of course I'd still have tried your fix if that hadn't worked, and I still very much appreciated your suggestion!

Strangely this site was no longer working in Internet Explorer (wouldn't keep me logged in long enough to post - I checked cookie settings etc. but to no avail) but now I'm virus-free I've gone back to Opera so I'm able to post here again - that's why I've been silent on the matter since it was fixed, sorry for keeping people in suspense!

Now, about uploading the infected file to Avast - where can I do this? I'm very disturbed that still no online virus scanners, nor Avast, are picking this file up as problematic: there could be thousands of people out there infected with this and they wouldn't know about it! I can't see anything on the Avast site about uploading virus samples for Avast's records - can anyone point me in the right direction?

Thanks very much to everyone for your help with this. I'm so glad I got to the bottom of it in the end! Now I just want to help anti-virus vendors get this virus tracked and make sure no-one else has to go through all this!

mauserme

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #39 on: August 28, 2007, 12:26:12 AM »
I'm not saying there are no similarities because there certainly are. Here's how I see it:

Indications Common to Many Types of Malware
AntiVirus products will not pick them up (or will not control them).

They run as a DLL in c:\windows\system32.

They run from the winlogon notify reg key.

The file name tries to mimic a valid system file.


Because these are so common they cannot be used to unquestionably correlate one infection to another.


Similarities Between Your Logs and His
Connections to some of the same web sites.

A suspicious file that has a similar name structure loading from the same folder.



Differences Between the Logs
The file names are not the same.

He had yaywxus.dll loading from the winlogon_notify key in addition to ddeml32.dll, while you loaded a single file.

yaywxus.dll looks like Vundo to me, while I see no indication of Vundo in your logs (this appears to have been cleaned prior to his starting the thread but may have contributed, or may have been a result of another infection).

You mention outgoing email while he mentions only "Connections (whereas nothing is launched) worms of the equivocal sites:" without mentioning any outgoing email.

Your only ComboFix deletion, service.exe, is probably a false positive. His only ComboFix deletion, c:\autorun.inf, is absent in your logs and might indicate removable media as the infection vector.



From my point of view, trying to help someone I've never met fix his computer, I cannot make assumptions that might break things. There are enough differences in important areas that I will call it different even though the same fix (deleting the registry loading point and then deleting the file) is the same for a great many forms of malware.


Quote
Now, about uploading the infected file to Avast - where can I do this?

Where is the file? Still in system32, in the chest, or deleted?

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #40 on: August 28, 2007, 08:31:27 AM »
Hi again,

I see your point, but the list of sites his was connecting to was basically identical to the list that mine was, which is why I was so convinced it was the same problem. I just assumed he had more than one problem on his PC, since his symptoms were a superset of mine. It sounds like parts of his problems which didn't match mine were already known about enough to have been given a name (Vundo), whereas the main part of his problem and the entire part of mine were not known/named.

Quote
Now, about uploading the infected file to Avast - where can I do this?

Where is the file? Still in system32, in the chest, or deleted?

I took a copy of it into a folder, along with an export of the relevant part of the registry (Winlogon Notify), so I could supply the two items to any anti-virus vendors who were interested.

Thanks!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #41 on: August 29, 2007, 07:18:43 AM »
To send a sample to avast, simply send a password protected zipped attachment to virus at avast.com

In the body of the email, include the password, the vps and program version of avast, a description of the files/symptoms and a link to this thread.

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #42 on: August 29, 2007, 08:35:08 AM »
Quote
To send a sample to avast, simply send a password protected zipped attachment to virus at avast.com

In the body of the email, include the password, the vps and program version of avast, a description of the files/symptoms and a link to this thread.

Great, thanks, will do!

lad from leigh

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #43 on: August 31, 2007, 10:16:34 PM »
Hi.
I have been reading all the process you have undergone as I have the same problem and have had for some time, it is really getting me down. I have tried to make sense of the solution but I'm afraid my knowledge and experience are very poor (and my French even poorer)! Is there any chance you could tell me in layman's terms how I can fix the problem. This is the only place I have found where someone has managed to solve the problem and is therefore my only hope. Sorry for sounding a bit desperate, but I'm desperate!
Thanks.

bitoclass

  • Guest
Re: Help! Mysterious virus sending thousands of spam e-mails from my PC :(
« Reply #44 on: August 31, 2007, 11:45:36 PM »
Quote
I have been reading all the process you have undergone as I have the same problem and have had for some time, it is really getting me down. I have tried to make sense of the solution but I'm afraid my knowledge and experience are very poor (and my French even poorer)! Is there any chance you could tell me in layman's terms how I can fix the problem. This is the only place I have found where someone has managed to solve the problem and is therefore my only hope. Sorry for sounding a bit desperate, but I'm desperate!

Sure. Download Hijack This and run it. In the resultant list, look for an item about "Winlogon Notify", referencing a DLL in System32. Tick this in the list and click Fix selected. (I am doing this from memory so excuse me if the names of buttons etc. are not quite exactly right!) Reboot, then delete the DLL that was referenced from the System32 folder (in C:\Windows or C:\Winnt). That should be it, sorted, but you might want to reinstall your PC anyway to be on the safe side - that's my plan but then I am extra-cautious!

Best of luck!
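
The indicators mauserme lists in Reply #39 (an unlisted DLL in system32, loaded from the Winlogon Notify key, named to mimic a system file) and the manual HJT check bitoclass describes in Reply #44 can be applied mechanically to the O20 lines of a HijackThis log. The script below is an added example, not code from anyone in this thread or from HijackThis: the sample log lines are constructed (only the rasrad32 and ddeml32 entries come from the thread), and the allowlist and system-DLL set are stand-ins that you would rebuild from a known-clean machine.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a HijackThis log: the rasrad32 line is the one from this
# thread, ddeml32 is the file named in the French thread, the rest are filler.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: rasrad32 - C:\WINDOWS\SYSTEM32\rasrad32.dll
O20 - Winlogon Notify: ddeml32 - C:\WINDOWS\system32\ddeml32.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Stand-in allowlist of DLLs that legitimately register under Winlogon\Notify on
# Windows XP; in practice build it from a known-clean machine of the same build.
KNOWN_GOOD_NOTIFY = {"wgalogon.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}
# Stand-in set of genuine system DLL names, used to spot "<name>32.dll" mimicry.
SYSTEM_DLLS = {"ddeml.dll", "crypt32.dll", "rasman.dll", "user32.dll"}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

def parse_o20(log_text):
    """Return (Notify subkey name, DLL path) for every O20 line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("path")))
    return entries

def assess_o20(log_text, known_good=KNOWN_GOOD_NOTIFY, system_dlls=SYSTEM_DLLS):
    """Flag O20 entries not on the allowlist, giving the reasons from the thread."""
    findings = []
    for name, path in parse_o20(log_text):
        fname = PureWindowsPath(path).name.lower()
        if fname in known_good:
            continue
        reasons = []
        if "system32" in path.lower():
            reasons.append("unlisted DLL loading from system32")
        if fname.endswith("32.dll"):
            base = fname[:-6] + ".dll"          # strip the trailing "32.dll"
            if base in system_dlls:
                reasons.append(f"name mimics {base} with '32' appended")
        if not reasons:
            reasons.append("unlisted Winlogon Notify DLL")
        findings.append((name, fname, reasons))
    return findings

if __name__ == "__main__":
    for name, fname, reasons in assess_o20(SAMPLE_HJT_LOG):
        print(f"{name}: {fname} -> {'; '.join(reasons)}")
```

A flagged entry is a lead to investigate (submit the file to a vendor, as oldman describes), not proof of infection on its own.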