Resolved HJT Threads Resolved spyware and popup issues.
Old 06-18-2006, 07:32 AM   #41 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Hmmmmmmmmmmm did that but nothing I think: -

________________________________________________________________
HAXFIX logfile - by Marckie
______________
version 3.01
18/06/2006 14:28:57.37

checking for haxdoor
--------------------
checking for a3d files....
a3d files not found

checking for matching notify keys....
no matching notify keys found

checking for matching services....
matching services found
Aspi32

checking for matching safeboot services....
matching safeboot services found
drtw6a.sys


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found


Finished
________________________________________________________________

So ok tell me you thought that lol! But now for your strategy as mine don't seem to work haha! Tell me what order to things and I will go for it!

Ruth XXX
ruthy is offline  
Old 06-18-2006, 07:43 AM   #42 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Ohhhhhhhhhhh I just noticed that there are some matching services and matching safeboot services!!! Must put my glasses on in the future!! - what does this mean?

Ruth XXX
ruthy is offline  
Old 06-18-2006, 07:45 AM   #43 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


drtw6a.sys - It did find something. Let's work on that for the moment. Considering what happened yesterday, I'm more inclined to tread carefully


Download & extract this file to its own folder - Registry Search

Launch Registry Search
In the search box, enter drtw6a.sys & click "Ok".
Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-18-2006, 07:57 AM   #44 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Ok done that, here are the results: -
__________________________________________________________

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 18/06/2006 14:53:10 for strings:
; 'drtw6a.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\drtw6a.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\drtw6a.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\SafeBoot\Minimal\drtw6a.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\SafeBoot\Network\drtw6a.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\drtw6a.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\drtw6a.sys]

; End Of The Log...
________________________________________________________________

But what about the other - Aspi32 ??

Ruth
ruthy is offline  
Old 06-18-2006, 08:16 AM   #45 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Ruth,

I've attached a batch file to this post.
Double click on it & it shall remove those reg entries you posted.
It shall also produce a log on your Desktop - report.txt

Please post the contents of that log.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 06-18-2006 at 01:37 PM.
sUBs is offline  
Old 06-18-2006, 08:42 AM   #46 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Sorry sUBs but I transferred the file to my desktop - no report was produced after double clicking it and when running it again I think I detected that it was unable to find the entries!

Help!

Ruth
ruthy is offline  
Old 06-18-2006, 08:49 AM   #47 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Just wondering.... it seemed to be checking my desktop for the entries - I thought it should be checking the registry?

Ruth
ruthy is offline  
Old 06-18-2006, 08:58 AM   #48 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Sorry about that. If you look at the contents of the batch, you would see that I made a minor error with the variable userprofile. It should be %userprofile%.

No worry though, that wouldn't delete any files.
Please do another Regsearch & let me know if those drtw6a.sys entries still exist.
__________________

Question - what have you done for the community today?
sUBs is offline  
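An added example, not a tool from this thread, that does offline what the Registry Search step and sUBs's batch file do by hand: it parses the REGEDIT4-style export that Registry Search writes, flags SafeBoot\Minimal and SafeBoot\Network entries that are neither Windows defaults nor backed by a Services key (a rootkit registers its driver there so it still loads in Safe Mode), and emits the `reg delete` lines for a cleanup batch that logs to `%userprofile%\Desktop\report.txt`, the variable the original batch got wrong. The sample export and the short allowlist are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the REGEDIT4 layout Registry Search writes: the keys posted in
# this thread plus two legitimate keys (vga) added for contrast.
SAMPLE_REGSEARCH = r"""REGEDIT4

; Registry Search 2.0 (constructed sample)
; 'drtw6a.sys'

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\drtw6a.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\drtw6a.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\drtw6a.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vga]
"""

# Illustrative allowlist of names Windows itself puts under SafeBoot; extend for real use.
KNOWN_SAFEBOOT = {"vga.sys", "vga", "base", "boot bus extender", "system bus extender"}

KEY_RE = re.compile(r"^\[(.+)\]$", re.M)
SAFEBOOT_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)"
                         r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$", re.I)
SERVICE_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
                        r"\\Services\\([^\\]+)$", re.I)

def parse_keys(text):
    """Return every [key] path in a Registry Search / REGEDIT4 export."""
    return KEY_RE.findall(text)

def service_names(keys):
    """Lower-cased service names seen under ...\\Services\\<name>."""
    return {m.group(1).lower() for m in map(SERVICE_RE.match, keys) if m}

def suspicious_safeboot(keys):
    """Map each SafeBoot entry that is neither a known default nor backed by a
    Services key to the full key paths where it appears (all control sets, both profiles)."""
    services = service_names(keys)
    flagged = defaultdict(list)
    for k in keys:
        m = SAFEBOOT_RE.match(k)
        if not m:
            continue
        name = m.group(3).lower()
        stem = name[:-4] if name.endswith(".sys") else name
        if name not in KNOWN_SAFEBOOT and stem not in services:
            flagged[name].append(k)
    return dict(flagged)

def removal_commands(flagged, report=r"%userprofile%\Desktop\report.txt"):
    """reg.exe lines for a cleanup batch; each deletion's outcome is appended to the report."""
    return [f'reg delete "{p.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)}" /f >> "{report}" 2>&1'
            for paths in flagged.values() for p in paths]
```

Run `suspicious_safeboot(parse_keys(SAMPLE_REGSEARCH))` on a real export to see which names survive the allowlist; review the flagged list before pasting `removal_commands()` output into a batch file.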
Old 06-18-2006, 09:10 AM   #49 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Ok done that and from the following, I don't think it exists anymore, whatever it deleted lol!
_______________________________________________________________

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 18/06/2006 16:01:01 for strings:
; 'drtw6a.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
_______________________________________________________________

I don't know anything about batch files I'm afraid, so I haven't done anything with it I'm afraid.

So what's next? - do we assume the Haxdoor variant has been destroyed now and hopefully I won't get the BSOD's? - we could always try running gmer again to see if that invokes a crash again, but I'm going to wait for you now, I'm in your hands now lol! XX

Ruth
ruthy is offline  
Old 06-18-2006, 09:14 AM   #50 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Okay...that removed the Haxdoor entry.

Please reboot once so that the reg deletions may take effect.
Then try gmer again.

Don't get your hopes too high though. Haxdoor isn't known to be a mailbot.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-18-2006, 09:28 AM   #51 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


I know that but maybe the BSOD's might be fixed lol! - I'm hoping...................... Ruth
ruthy is offline  
Old 06-18-2006, 09:38 AM   #52 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Nahhhhhhhhhhh BSOD kicked in again lol! : -

0x0000008E OxC000005 0xB8224CF0 0x000000

Rebooted and waiting for you

Ruth
ruthy is offline  
Old 06-18-2006, 09:44 AM   #53 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Thing is with this fault, I don't understand why it's saying check my disc space - there's plenty, it also suggests to check my drivers - no exclamation marks in Device Manager and it also suggests checking my BIOS - it's up to date too, I think.

Ruth
ruthy is offline  
Old 06-18-2006, 09:44 AM   #54 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


It looks likely that we have to use the gmer game plan. But let's give it one more chance & try out another rootkit scanner.

Download and run Blacklight

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says BlackLight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close.

BlackLight beta will create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.

__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-18-2006, 09:52 AM   #55 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Quote:
Originally Posted by ruthy
Thing is with this fault, I don't understand why it's saying check my disc space - there's plenty, it also suggests to check my drivers - no exclamation marks in Device Manager and it also suggests checking my BIOS - it's up to date too, I think.

Ruth
That's just a standard Windows checklist. Is your machine set to reboot automatically when the BSOD occurs? If so, you can configure it to do differently....

Go to Start > Run - type in control sysdm.cpl & click OK

In the new window, under 'Startup & Recovery', click 'Settings'

Untick 'Automatically Restart' & click OK

That should give you plenty of time to read the entire message.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-18-2006, 09:57 AM   #56 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Yes the program cannot get the required privileges to run. It says it could be that these have been altered maliciously. Can you advise what to do to change them back if at all? - under User Accounts in control-panel, it shows Ruth and Administrator - and Ruth has administrator rights!

Ruth XX
ruthy is offline  
Old 06-18-2006, 09:58 AM   #57 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Please show me the complete error message. Does it say something about SeDeBug Privileges?
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-18-2006, 10:02 AM   #58 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Quote:
Originally Posted by sUBs
Go to Start > Run - type in control sysdm.cpl & click OK

In the new window, under 'Startup & Recovery', click 'Settings'

Untick 'Automatically Restart' & click OK

That should give you plenty of time to read the entire message.
No when I type that all that comes up is the system properties dialogue, which you get if you right click My Computer and click properties !

Ruth
ruthy is offline  
Old 06-18-2006, 10:05 AM   #59 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,422
OS: N/A


Yes... that's what I wanted.

I left out the part where I wanted you to click the 'Advanced' tab.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-18-2006, 10:06 AM   #60 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 72
OS: XP Pro (SP2)


Yes, it says it could not acquire necessary privileges [SeDebugPrivilege]

Ruth
ruthy is offline  
Copyright 2001 - 2009, Tech Support Forum