
I am a SPAM Zombie

  • 27-02-2008 12:56pm
    #1
    Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭


    A few weeks ago a work mate installed something on my computer. It contained some form of trojan that seriously messed up my computer.

    I can no longer access Control Panel. If I try to double click on the clock in the taskbar, or run ANY *.CPL, I get the message...
    This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.

    It has also messed with my AVG [AVG *should* have blocked this trojan], effectively disabling it.

    I was doing some Wireshark stuff yesterday and happened to notice that I'm sending buckets of SMTP messages to random email accounts every second.

    Help. I can no longer trust my install of AVG. I am going to reformat my PC on Friday if I can't get this resolved, but I'll lose a day of work.


Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Run DSS and paste the logs. In the meantime, pull your ethernet cable to cut the zombie off at the source and save everyones bandwidth.


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    Unfortunately, pulling the cable is not an option. It's a work machine and I need access to the network all day.

    The soonest I can format my pc is tomorrow but would prefer to do it on Friday.

    I do not like being a zombie, for many reasons, but at the moment I have no acceptable choice.

    Checking that link now.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Look at your Wireshark logs and see what port the zombie is firing off spam on; if it's reasonably dumb it might be using the same port all the time and (assuming it doesn't adapt to an open port again) you might be able to change your local firewall rules to block it off.
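    The check described above, as an added example that is not part of the thread: it runs over a constructed CSV export of the kind `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -E separator=,` produces, flags seconds in which the local host opens SMTP connections to many distinct destinations, and tallies the destination ports so a single port to block stands out. The local address, threshold and sample rows are assumptions.

```python
"""Spot the spam-zombie pattern (bursts of outbound SMTP to many hosts)
in a tshark field export and tally destination ports for a firewall rule."""
import csv
from collections import Counter, defaultdict
from io import StringIO

LOCAL_HOST = "192.168.1.50"  # assumed address of the infected workstation

# Constructed sample, not real capture data. Columns:
# frame.time_epoch, ip.src, ip.dst, tcp.dstport, tcp.flags.syn
SAMPLE_CSV = """\
1204116000.01,192.168.1.50,203.0.113.10,25,1
1204116000.05,192.168.1.50,203.0.113.11,25,1
1204116000.09,192.168.1.50,198.51.100.7,25,1
1204116000.14,192.168.1.50,198.51.100.8,25,1
1204116000.20,192.168.1.50,203.0.113.12,25,1
1204116000.31,192.168.1.50,192.168.1.1,80,1
1204116000.44,192.168.1.50,203.0.113.10,25,0
1204116001.02,192.168.1.50,192.168.1.5,25,1
1204116001.30,192.168.1.20,203.0.113.9,25,1
1204116001.80,192.168.1.50,192.0.2.33,443,1
"""

def _syns_from(csv_text, local_host):
    """Yield (epoch_second, dst, dport) for each new connection (SYN set)
    opened by local_host. Accepts both '1' and 'True' for the SYN flag,
    since tshark versions differ in how they print booleans."""
    for row in csv.reader(StringIO(csv_text)):
        ts, src, dst, dport, syn = row
        if src == local_host and syn in ("1", "True"):
            yield int(float(ts)), dst, dport

def smtp_bursts(csv_text, local_host, threshold=4):
    """Return {second: set of destinations} for every second in which
    local_host opened SMTP (port 25) connections to at least `threshold`
    distinct hosts. One message per second to the company mail server is
    normal; five to strangers in one second is the zombie."""
    per_second = defaultdict(set)
    for sec, dst, dport in _syns_from(csv_text, local_host):
        if dport == "25":
            per_second[sec].add(dst)
    return {sec: dsts for sec, dsts in per_second.items() if len(dsts) >= threshold}

def dest_ports(csv_text, local_host):
    """Count outbound connection attempts per destination port, so a dumb
    bot that always uses the same port shows up as the top entry."""
    return Counter(dport for _, _, dport in _syns_from(csv_text, local_host))

if __name__ == "__main__":
    print("burst seconds:", smtp_bursts(SAMPLE_CSV, LOCAL_HOST))
    print("ports used:", dest_ports(SAMPLE_CSV, LOCAL_HOST).most_common())
```

    If the top port is 25 and the company mail server is elsewhere, an outbound block on TCP 25 from that host (except to the legitimate mail relay) is the rule aidan_walsh has in mind.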


  • Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 28,536 Mod ✭✭✭✭Cabaal


    moved to virus removal etc from windows


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    That was my first thought, but I cannot access Control Panel and cannot access local Firewall. When I try, I always get the restrictions message quoted in first post.

    Hijack This. I haven't read through it yet but am now.
    ***Removed***


  • Registered Users, Registered Users 2 Posts: 414 ✭✭Paddyo


    Hi

    Have a look for this file in Google: disableregistrytoolsundo.reg

    Is the control panel the only thing that you cannot access?

    Might help

    Paddyo


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hello

    Don't use quote boxes for the logs

    Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum.



    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning : running option #2 on a non infected computer will remove your Desktop background.


    Also post a new DSS log


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    Cheers. I'll be back in 20 or 30 minutes after I try this.


  • Registered Users, Registered Users 2 Posts: 7,265 ✭✭✭RangeR


    Cheers ASJ,

    That seems to have done it. Everything seems to be back where it should be and Wireshark isn't reporting any more traffic than normal on our network.

    For posterity, items found were:

    ======================

    Checking Services :

    Name:
    btstack
    runtime

    Path:
    \??\D:\WINDOWS\system32\btstack.ibs
    \??\D:\WINDOWS\System32\drivers\runtime.sys

    btstack - Deleted
    runtime - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting

    Service NdisWon - Deleted after Reboot

    Checking Files :

    Trojan Files Found:

    D:\WINDOWS\system32\6_exception.nls - Deleted
    D:\WINDOWS\inf\ultra.inf - Deleted
    D:\WINDOWS\system32\btstack.ibs - Deleted



    Folder D:\Program Files\SystemDefender - Removed
    Folder D:\Program Files\Ultimate Cleaner - Removed
    Folder D:\Program Files\Ultimate Defender - Removed


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Probably best to post the entire DSS log IrishTLR, so we can be certain that nothing else slipped in the backdoor as well.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    You need to post the SmitfraudFix report and a new DSS log

