#21 (permalink)
Manager, Hardware Forums
Join Date: Jul 2004
Location: west australia
Posts: 56,221
OS: win 7 32x 64x rtm
It loads the files into RAM, and when it tries to hand over to the h/d is when chkdsk is invoked.
That's why I suggested running the diagnostic on the drives, as I feel this may indicate a problem with one of the drives.
#22 (permalink)
Registered User
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)
Thanks dai for your interest but I thought what you said earlier was that if RAID WAS NOT involved you suspected a hdd error. RAID is most definitely involved here and I'm kinda getting used to it. I assumed what you said is that you don't suspect a hdd problem - I don't, believe me! Sometimes though BSOD's put the RAID out and I have to delete it and then recreate (ctrl-f) and hey presto it comes back online with no problems at all. But how do I run a utility for hdd errors on a RAID anyway? - do I simply run a standard Maxtor utility (that's the make of the drives) on the RAID partition(s) or do I first have to split the RAID?
Surely to goodness there is some way to get into the registry from a boot disc is there not? Ruth
Last edited by ruthy; 06-17-2006 at 12:40 PM.
#23 (permalink)
Registered User
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)
What's worse here, is that f: is my "spare" partition - there is literally nothing on it. I could delete it but how? Then I would have more unpartitioned space which maybe I could repartition - all this without involving c: What do you think - could I somehow get into a utility to muck about with my partitions? I am thinking out loud here - I will run Partition Magic's utility on our laptop and create some boot disks and see what I can do on my pc with them. Going to have some tea now and watch some footy with my husband - if someone could let me know their thoughts about what I am saying and help me with some utilities, that would be fantastic.
Ruth XXXX
#24 (permalink)
Manager, Hardware Forums
Join Date: Jul 2004
Location: west australia
Posts: 56,221
OS: win 7 32x 64x rtm
If you can get into the recovery console, type help and it will list the commands available, and look for regedit.
I know nothing of RAID and none of the team are online at the moment; as they log on I PM them.
#25 (permalink)
Moderator Hardware Team
I'm not sure if this will work with a raid setup, but it should disable chkdsk at startup.
Boot with a boot disk and at the command prompt type:
fsutil dirty query c: [enter]
chkntfs /x c: [enter] (/x prevents chkdsk from running on c:)
Remove the bootdisk and reboot.
chkdsk /f /r c: [enter] (/f to fix errors, /r to find bad sectors and recover data)
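An added check to go with the procedure above (not from the thread or either poster): it collects, in one pass, the state the commands query and change, so you can confirm that the exclusion is in place before rebooting. It assumes the stock fsutil and chkntfs tools, an elevated prompt, and that the text patterns matched below are what those tools print.

```powershell
# Added example, not part of the original thread: report the NTFS dirty bit
# and the boot-time autochk exclusion for each volume, so the effect of
# "chkntfs /x <drive>:" can be verified before rebooting.
# Assumptions: fsutil.exe is present, the shell is elevated, and the output
# strings matched below ("is Dirty" / "is NOT Dirty", "/k:<letter>") are
# what the tools actually emit on this system.
$bootExecKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-VolumeCheckState {
    param([string[]]$Drive = @('C:'))

    # BootExecute holds the autochk command line run at boot;
    # chkntfs /x adds a "/k:<letter>" switch to it for each excluded volume.
    $bootExec = (Get-ItemProperty -Path $bootExecKey -Name BootExecute).BootExecute -join ' '

    foreach ($d in $Drive) {
        $letter = $d.TrimEnd(':').ToUpper()
        # "fsutil dirty query C:" prints "Volume - C: is Dirty" or "... is NOT Dirty"
        $dirty = (& fsutil.exe dirty query "${letter}:" 2>&1) -join ' '

        [pscustomobject]@{
            Drive       = "${letter}:"
            Dirty       = ($dirty -match '\bis Dirty\b')      # false for "is NOT Dirty"
            AutochkSkip = ($bootExec -match "/k:$letter\b")   # true after chkntfs /x
            BootExecute = $bootExec
        }
    }
}

# Check the system volume and the spare partition discussed in the thread.
Get-VolumeCheckState -Drive 'C:', 'F:' | Format-Table -AutoSize
```

A volume that shows Dirty=True with AutochkSkip=True is one where the boot-time scan has been suppressed but the file system still flags an unclean state, which is exactly the case for running the manual chkdsk /f /r afterwards.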
#26 (permalink)
Registered User
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)
Thanks - I have already said that the regedit, regedt32 and chkntfs commands are not present from the Recovery Console. I'm assuming fsutil dirty query isn't either. So how can I create a boot disk which has these commands and even more important, how can I accommodate the Promise Fastrak drivers in it so that when I boot from the disk(s), the system can see my RAID - fwiw the drivers are the Promise 376/378 which are on a separate floppy and which I use in a F6 install on a Windows setup.
I need to create a boot disk set or a cd which can have these drivers automatically installed as well as a dos prog of some kind which can invoke the regedit, regedt32, chkntfs and fsutil dirty query commands. Can some kind person help me here please. Ruth XXXX
#27 (permalink)
Manager, Hardware Forums
Join Date: Jul 2004
Location: west australia
Posts: 56,221
OS: win 7 32x 64x rtm
Make an XP disk with these drivers incorporated into it, use nLite:
http://www.nliteos.com/ tutorial http://unattended.msfn.org/
#28 (permalink)
Registered User
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)
Ok - I have created a Partition Magic set of boot disks from our laptop and for some "strange reason", my pc has booted from them and seen my RAID - How's That? lol! I have proceeded to delete the f: partition and tried to get my second repair install to continue. The brilliant news is that chkdsk is now not invoked! But I have to undertake another (my third) Repair Install as windows just kept trying to restart the second one and rebooting in a continual loop!
I have therefore invoked the third Repair Install and the files are currently being copied. I will post some more once I know what happens. Ruth
Last edited by ruthy; 06-17-2006 at 02:00 PM.
#29 (permalink)
Registered User
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)
Thanks dai lol! - we both replied together! I will pursue your suggestions once I know the outcome of the third repair install - since the above, it has smoothly proceeded to the installation stage which is fantastic news. What I aim to do then is hope that the BSOD does not invoke for long enough to transfer all my files and settings to my hubby's pc. Yes I know he will go up the wall but such is life and he may be impressed with me that I have managed to get this far. One thing's for sure - if I see the BSOD again I will write everything down again. I do not intend to update the windows setup this time because after my second repair install, everything went ok until I tried to update the os. By the way as well as deleting f: , I asked Partition Magic to check the other partitions as well as c: - no problems were found, but the prog said all were unmounted incorrectly - is that something to do with my RAID or what?
Keep checking in - going to crack this baby tonight and I will sleep only when my music has been backed up. Ruth
#30 (permalink)
Registered User
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)
The 3rd Repair Install went perfectly although we are now debating whether to reformat or try again to update Windows and hope no further recurrence of the BSOD's. Last night I managed to backup my music and before attempting to update windows I am going to backup other stuff and my settings/history etc etc. Thanks for all your help - still not sure how Partition Magic saw my volumes lol!
Ruth XXXX
#31 (permalink)
Registered User
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)
Well spoke too soon - the email sends have restarted which is sucking my bandwidth to the point now that I can no longer back anything up to a remote pc, via the router. What is confusing is that everything was fine after the third repair yesterday and I was able to back everything up fine. I shut the pc down last night so I assume the worm or whatever it is that is causing these emails being sent was triggered upon restart. There is no blasted way I can stop them! If I pull the plug to the router then I cannot back up - any suggestions?
Ruth
#32 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,352
OS: N/A
The worm is a rootkited mailbot. That's the most likely culprit behind the failed repairs.
Let's see if we can flush it out.
Download gmer from http://www.gmer.net
Save it somewhere safe & unzip it to desktop.
Double click the gmer.exe to run it and select the rootkit tab, press scan & when it has finished press save & copy the log back here.
#33 (permalink)
Registered User
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)
Thanks sUBs - did that but guess what? Before the prog can finish scanning I have the dreaded BSOD again!!!!!!! Ok this time I wrote down as much as I could - took 3 scans and 3 BSOD's to get this lot lol but unfortunately I could not detect exactly where the prog caused the BSOD in the scan process as the scan moves too quickly:
0x0000008E 0xC0000005 0x00300030 0xEB6A9CF0 0x000000
The dialogue that goes with it is something like Windows has detected a problem and has shut down to prevent damage etc etc. If this is the first time blah blah blah, consider checking that you have enough disk space (I HAVE !!) and check drivers etc etc. Any further thoughts? Methinks you are probably right in what you think the problem to be and it seems the BSOD's are being caused by our attempts to root the problem out? Look forward to hearing some more from you please Ruth XXX
#34 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,352
OS: N/A
Looks like we have a really nasty little bugger on our hands. We'll have to be a bit more aggressive.
Before we start, I like to exercise a little caution. We'll try to avoid getting caught out by a damaged Windows like before. Please download & install ERUNT (this is a utility that'll replicate a copy of your Registry). If Windows crashes again, we can use ERUNT to restore your registry.
* * * * *
Now run Gmer again. Under the 'Processes' tab, select Safe. This will cause Gmer to reboot into Safe Mode. Once there, gmer will re-open. Select 'Processes' again & then select 'Kill All'. That shall leave a minimal amount of processes running. This ensures that we get a clean environment for our rootkit scan.
Select the rootkit tab, press scan & when it has finished press save & copy the log back here.
< edit/ Gmer does not have an option to save a log. You need to click the 'copy' button to copy the data to memory. After that, this data needs to be pasted onto a text editor (eg Notepad). Unfortunately, during the Safe Mode, you do not have the luxury of a Desktop. Getting the data to Notepad would be difficult. To get around this, go to the 'Processes' tab again & locate the little box where it says 'Command'. Type Notepad into the box & click the 'Run' button. That will bring up Notepad for your use. ** Do not save the file to Desktop. Save it at the root of Drive C. ** /edit >
Note: You shall need to go back to the 'Processes' tab to click 'Restart' to return to Normal Mode.
Last edited by sUBs; 06-18-2006 at 10:57 AM.
#35 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,352
OS: N/A
ERUNT's backup is located at C:\WINDOWS\ERDNT
It's advisable to make a copy of it & store it on another machine. For more detailed information regarding ERUNT, please click here.
Last edited by sUBs; 06-18-2006 at 06:16 AM.
#36 (permalink)
Registered User
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)
Thanks sUBs - before I do what you suggest here, could I just mention that the BSOD's I've experienced today are as a direct result of running the gmer prog. I am not getting BSOD's like during the past few days when they triggered as soon as Windows loaded. For example after the 3rd run of gmer and the 3rd BSOD today, the system has been up and running for about 1 hour with no BSOD's. Not sure if this changes anything, but what I think you are suggesting is that if we get a repeat of yesterday with continued BSOD's, we can restore the registry without doing a repair install - is that correct? And have you any idea what is causing the BSOD's from the info I provided?
I will wait for your further responses before embarking on the latest proposal. Ruth XX
#37 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,352
OS: N/A
Yes, unlike yesterday, we will have a way to restore the registry. ERUNT's backup can be manipulated but it's highly complex & requires additional equipment. There's no way to go into the registry if Windows isn't running. Only method is to do it via an indirect method.
I'm not speculating that we will experience a repeat of yesterday but I will also not dismiss the possibility. I have some additional info for you regarding the BSOD messages. Microsoft has a kb article about it but the information within isn't complete. Nonetheless, please have a read: http://support.microsoft.com/?scid=kb;en-us;903251
#38 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,352
OS: N/A
Ruth,
If you do decide to pursue the gmer method, please let me know before embarking upon it. I have some additional info to add to it.
#39 (permalink)
Registered User
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)
sUBs - I am really indebted to you for your support - you seem to be narrowing down my problems. No I don't want to rerun the gmer prog just yet - but is it worth having a look to see if I can fix the BSOD from Microsoft's very helpful article? You see I may be infected with the Haxdoor Virus or a variant, which could be triggering the BSOD's? After I have had lunch I will check things, but I will not modify anything until you have read the article yourself and recommend what I should do. My thoughts are to pursue this first, rerun the gmer, to see if it crashes the pc, if not then at least the BSOD's are cured. Then if the email sends are still causing problems then we can fix these too - what do you think? - please suggest a strategy for me so I know what order to do things - that would be most helpful. This morning, by the way, I re-ran a Norton Antivirus scan which showed nothing (prog fully up to date with latest defs).
Ruth XXXXX
Last edited by ruthy; 06-18-2006 at 06:58 AM.
#40 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,352
OS: N/A
We have a dedicated tool for Haxdoor. Let's try that.
It won't crash your machine (just yet) but it can check if Haxdoor is present. Download & install HaxFix.EXE. During installation, please select these options:
Select the option to Make logfile - Type 1 & press 'Enter'. Haxfix will produce a log for you to post back here.