[SOLVED] Mass Spamming Virus

JeKyL · 07-31-2009, 01:53 PM

Hey all,

I got a problem. I have a hard drive that I have cloned and there is a virus on it.
Not sure where it is though. I have ran malwarebytes' anti-malware and it found nothing and I ran Norton Symantec AV and that did not find anything either.

As soon as I plug the original drive back in the main system, which I cannot access now and that is why I cloned it, it starts sending mass spam emails.

I have the exact clone, which was done with Norton Ghost, and I have it as a slave drive but I keep scanning and scanning with different programs and they don't find anything.
I'm really curious to what the virus is and wondering if you guys have any suggestions on how to find it.

Thanks in advace,

JeKyL

JeKyL · 08-03-2009, 11:07 AM

bump please

Ried · 08-03-2009, 10:29 PM

Hi JeKyL,

We can't possibly guess at what infection it might be. Please follow the instructions in our sticky topic New Instructions - Read This Before Posting for Malware Removal Help. Run the tools on that cloned hdd and post the requested logs in your next reply.

JeKyL · 08-04-2009, 12:23 PM

Hey,

Thanks for your reply Ried.

I will try that out in a minute and post them on here as soon as I can.

JeKyL

P.S. Thanks in advance

JeKyL · 08-04-2009, 12:57 PM

Will it pose a problem since the Cloned HDD is slaved?
Cause it seems like dds.scr is scanning the c: drive and the same for GMER even though I unchecked the C: and checked the G: drive (which is the infected drive).

I will still post them if you want. They are almost complete.

JeKyL

Ried · 08-04-2009, 02:12 PM

The tools cannot scan a slaved drive, from the booted OS. You'll need to load the Operating System from that slaved drive, download the tools to that drive and run them.

JeKyL · 08-04-2009, 04:19 PM

Ahh thats what I figured. I wish there was a way to boot the slave up, but the computer I have it in is a different chipset.

I appreciate your time and help with this matter. If there is any other method you can think of please let me know. Otherwise, I will mark this thread as solved.

Thanks again,

JeKyL

Ried · 08-04-2009, 09:36 PM

Quote:

As soon as I plug the original drive back in the main system, which I cannot access now and that is why I cloned it, it starts sending mass spam emails.

Please explain that statement. You cannot access the drive at all?

JeKyL · 08-07-2009, 11:19 AM

Sorry for the delay.

So, when the main hdd is connected as master drive to the PC it was originally installed in (with that computers chipset), which is a friends computer that I no longer have access too. We wiped that hdd clean so his computer is fine now, but before doing so I made an exact clone of his hdd b/c I wanted to figure out what this virus, malware, etc was.

We took the infected hdd before cloning and ran Malwarebytes Anti-Malware, Symantec AV and GMER. They never found anything and said there was no threat on the hdd.

So, we plugged it back into the original computer after knowing this and what happens...the mass spamming started again. So, thats when we were like ok...there is something hiding somewhere deep in this HDD's jungle of sectors.

Thats why I have a clone. I was just trying to find out what this nasty threat is for my own knowledge, but had no luck finding it. Since the chipset on that cloned drive is for my buddies computer I cannot boot to this hdd without getting BSOD for chipset error...wrong chipset.

And sorry to answer your question I can connect it up to my computer as a slave disconnected from the network, but when I run scans on it, it finds nothing.

Sorry for typing a book out dude.

JeKyL

Ried · 08-07-2009, 11:59 AM

No need to apologize, it's better to have more detail than not enough.

I understand commercial apps are not finding anything so you would need our tools to take a look for you. If you can find a way to connect that drive as a master, you can then run the 2 tools in our pre-posting topic. With those, I might be able to help you locate the culprit.

JeKyL · 08-07-2009, 01:13 PM

I will definitely see what I can do!

Thanks for all your help Ried.

JeKyL

Ried · 08-07-2009, 07:46 PM

I'll leave this thread open for a few more days in case you find a way.

JeKyL · 08-13-2009, 01:47 PM

Hey thanks for leaving this open, but I tried and tried to boot to the drive. But its not working.

Thanks again for your help.

JeKyL

07-31-2009, 01:53 PM	#1 (permalink)
JeKyL Registered User Join Date: Mar 2009 Location: New York / Virginia Posts: 211 OS: Vista SP2, Win7 RC, Ubuntu 9.04 & 9.10, XP SP3	[SOLVED] Mass Spamming Virus Hey all, I got a problem. I have a hard drive that I have cloned and there is a virus on it. Not sure where it is though. I have ran malwarebytes' anti-malware and it found nothing and I ran Norton Symantec AV and that did not find anything either. As soon as I plug the original drive back in the main system, which I cannot access now and that is why I cloned it, it starts sending mass spam emails. I have the exact clone, which was done with Norton Ghost, and I have it as a slave drive but I keep scanning and scanning with different programs and they don't find anything. I'm really curious to what the virus is and wondering if you guys have any suggestions on how to find it. Thanks in advace, JeKyL

08-03-2009, 11:07 AM	#2 (permalink)
JeKyL Registered User Join Date: Mar 2009 Location: New York / Virginia Posts: 211 OS: Vista SP2, Win7 RC, Ubuntu 9.04 & 9.10, XP SP3	Re: Mass Spamming Virus bump please

08-03-2009, 10:29 PM	#3 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,953 OS: WinXP and Vista	Re: Mass Spamming Virus Hi JeKyL, We can't possibly guess at what infection it might be. Please follow the instructions in our sticky topic New Instructions - Read This Before Posting for Malware Removal Help. Run the tools on that cloned hdd and post the requested logs in your next reply. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

08-04-2009, 12:23 PM	#4 (permalink)
JeKyL Registered User Join Date: Mar 2009 Location: New York / Virginia Posts: 211 OS: Vista SP2, Win7 RC, Ubuntu 9.04 & 9.10, XP SP3	Re: Mass Spamming Virus Hey, Thanks for your reply Ried. I will try that out in a minute and post them on here as soon as I can. JeKyL P.S. Thanks in advance

08-04-2009, 12:57 PM	#5 (permalink)
JeKyL Registered User Join Date: Mar 2009 Location: New York / Virginia Posts: 211 OS: Vista SP2, Win7 RC, Ubuntu 9.04 & 9.10, XP SP3	Re: Mass Spamming Virus Will it pose a problem since the Cloned HDD is slaved? Cause it seems like dds.scr is scanning the c: drive and the same for GMER even though I unchecked the C: and checked the G: drive (which is the infected drive). I will still post them if you want. They are almost complete. JeKyL

08-04-2009, 02:12 PM	#6 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,953 OS: WinXP and Vista	Re: Mass Spamming Virus The tools cannot scan a slaved drive, from the booted OS. You'll need to load the Operating System from that slaved drive, download the tools to that drive and run them. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

08-04-2009, 04:19 PM	#7 (permalink)
JeKyL Registered User Join Date: Mar 2009 Location: New York / Virginia Posts: 211 OS: Vista SP2, Win7 RC, Ubuntu 9.04 & 9.10, XP SP3	Re: Mass Spamming Virus Ahh thats what I figured. I wish there was a way to boot the slave up, but the computer I have it in is a different chipset. I appreciate your time and help with this matter. If there is any other method you can think of please let me know. Otherwise, I will mark this thread as solved. Thanks again, JeKyL

08-07-2009, 11:19 AM	#9 (permalink)
JeKyL Registered User Join Date: Mar 2009 Location: New York / Virginia Posts: 211 OS: Vista SP2, Win7 RC, Ubuntu 9.04 & 9.10, XP SP3	Re: Mass Spamming Virus Sorry for the delay. So, when the main hdd is connected as master drive to the PC it was originally installed in (with that computers chipset), which is a friends computer that I no longer have access too. We wiped that hdd clean so his computer is fine now, but before doing so I made an exact clone of his hdd b/c I wanted to figure out what this virus, malware, etc was. We took the infected hdd before cloning and ran Malwarebytes Anti-Malware, Symantec AV and GMER. They never found anything and said there was no threat on the hdd. So, we plugged it back into the original computer after knowing this and what happens...the mass spamming started again. So, thats when we were like ok...there is something hiding somewhere deep in this HDD's jungle of sectors. Thats why I have a clone. I was just trying to find out what this nasty threat is for my own knowledge, but had no luck finding it. Since the chipset on that cloned drive is for my buddies computer I cannot boot to this hdd without getting BSOD for chipset error...wrong chipset. And sorry to answer your question I can connect it up to my computer as a slave disconnected from the network, but when I run scans on it, it finds nothing. Sorry for typing a book out dude. JeKyL

08-07-2009, 11:59 AM	#10 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,953 OS: WinXP and Vista	Re: Mass Spamming Virus No need to apologize, it's better to have more detail than not enough. I understand commercial apps are not finding anything so you would need our tools to take a look for you. If you can find a way to connect that drive as a master, you can then run the 2 tools in our pre-posting topic. With those, I might be able to help you locate the culprit. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

08-07-2009, 01:13 PM	#11 (permalink)
JeKyL Registered User Join Date: Mar 2009 Location: New York / Virginia Posts: 211 OS: Vista SP2, Win7 RC, Ubuntu 9.04 & 9.10, XP SP3	Re: Mass Spamming Virus I will definitely see what I can do! Thanks for all your help Ried. JeKyL

08-07-2009, 07:46 PM	#12 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,953 OS: WinXP and Vista	Re: Mass Spamming Virus I'll leave this thread open for a few more days in case you find a way. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

08-13-2009, 01:47 PM	#13 (permalink)
JeKyL Registered User Join Date: Mar 2009 Location: New York / Virginia Posts: 211 OS: Vista SP2, Win7 RC, Ubuntu 9.04 & 9.10, XP SP3	Re: Mass Spamming Virus Hey thanks for leaving this open, but I tried and tried to boot to the drive. But its not working. Thanks again for your help. JeKyL