Can't stop a Zombie EMailer

JP

I am assuming I am on the right Group.
I have discovered a Zombie Emailer running on XP Home.
It is sending enough email to bring down the LAN. Using CurrPorts
(cports.exe) I can watch it connect to an IP address on port 80 (probably
picking up the day's email) then connect to another IP Address (close to the
first one) on Port 25.

After a few seconds, all hell breaks loose, and the computer starts spewing
email at a great rate...stopped by pulling the Network cable.
I have watched this, in CurrPorts, and in Process Explorer from
Sysinternals, and it appears to be running from Services.exe PID 688, but
from where after that is the real question.
I have used 3 different Virus Scanners, and 2 different Rootkit finders.
Nothing.

I further checked it with HiJackThis, and with Autoruns. Seems that it is
not something that normally shows up as an "evil doer". I am not sure if
they have hijacked a service, or just what.
Any suggestions?
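JP's CurrPorts observation (one HTTP fetch, then a burst of connections to port 25 from services.exe) is exactly the pattern a defender can check for in a connection log. The following is an added example, not code from the original thread or from any tool mentioned in it: it parses a constructed tab-separated connection export (columns chosen for the example, not CurrPorts' real layout; addresses are RFC 5737 documentation ranges and PID 688 is taken from JP's post) and flags any process that reaches five or more distinct SMTP servers within a minute, reporting the HTTP hosts it contacted just before. A real mail client talks to one or two configured relays, so a wide fan-out to many port-25 hosts is the tell.

```python
"""Flag a process that fans out to many SMTP servers in a short window.

Added example. The log below is constructed for this demo: tab-separated
columns process, pid, protocol, local addr:port, remote addr:port, state,
timestamp. It is modelled loosely on a CurrPorts export but is not its
real format. Addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
svchost.exe\t1032\tTCP\t192.168.1.20:1044\t192.0.2.10:80\tEstablished\t2007-08-29 15:10:01
services.exe\t688\tTCP\t192.168.1.20:1051\t198.51.100.5:80\tEstablished\t2007-08-29 15:10:05
services.exe\t688\tTCP\t192.168.1.20:1052\t198.51.100.9:25\tEstablished\t2007-08-29 15:10:07
services.exe\t688\tTCP\t192.168.1.20:1053\t203.0.113.17:25\tSyn Sent\t2007-08-29 15:10:09
services.exe\t688\tTCP\t192.168.1.20:1054\t203.0.113.44:25\tSyn Sent\t2007-08-29 15:10:09
services.exe\t688\tTCP\t192.168.1.20:1055\t203.0.113.91:25\tEstablished\t2007-08-29 15:10:10
services.exe\t688\tTCP\t192.168.1.20:1056\t192.0.2.200:25\tSyn Sent\t2007-08-29 15:10:11
services.exe\t688\tTCP\t192.168.1.20:1057\t192.0.2.201:25\tSyn Sent\t2007-08-29 15:10:11
outlook.exe\t2208\tTCP\t192.168.1.20:1060\t192.0.2.25:25\tEstablished\t2007-08-29 15:12:30
"""

SMTP_PORT = 25
HTTP_PORT = 80


def parse_line(line):
    """Split one export line into a dict with typed fields."""
    name, pid, proto, _local, remote, state, ts = line.rstrip("\n").split("\t")
    raddr, rport = remote.rsplit(":", 1)
    return {
        "process": name,
        "pid": int(pid),
        "proto": proto,
        "remote_addr": raddr,
        "remote_port": int(rport),
        "state": state,
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
    }


def smtp_fanout(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(process, pid): details} for every process that contacts at
    least `threshold` distinct SMTP servers within `window`.

    A mail client talks to one or two configured relays; a spam engine
    fans out to many mail exchangers at once, which is the signal here.
    """
    by_proc = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_proc[(ev["process"], ev["pid"])].append(ev)

    flagged = {}
    for key, events in by_proc.items():
        events.sort(key=lambda e: e["time"])
        smtp = [e for e in events
                if e["proto"] == "TCP" and e["remote_port"] == SMTP_PORT]
        for i, first in enumerate(smtp):
            targets = {e["remote_addr"] for e in smtp[i:]
                       if e["time"] - first["time"] <= window}
            if len(targets) >= threshold:
                # HTTP hosts reached before the burst: JP saw one such fetch
                # right before the mailing started, probably the task pickup.
                http_before = sorted({e["remote_addr"] for e in events
                                      if e["remote_port"] == HTTP_PORT
                                      and e["time"] <= first["time"]})
                flagged[key] = {
                    "smtp_targets": len(targets),
                    "first_smtp": first["time"],
                    "http_contacts_before": http_before,
                }
                break
    return flagged


if __name__ == "__main__":
    for (name, pid), info in smtp_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{name} (PID {pid}) reached {info['smtp_targets']} SMTP servers "
              f"starting {info['first_smtp']}; HTTP before: {info['http_contacts_before']}")
```

On the constructed sample the only hit is services.exe PID 688 with six SMTP targets in four seconds, preceded by one HTTP contact; the single Outlook connection to a mail server stays below the threshold. The same logic applies to a perimeter NetFlow export, where the key would be the internal source address rather than a process.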
 
Paul Zak

What software was used? Have you tried Trojan Remover, Spybot, AVG &
AVG-AS, as well as AVG-RK? Also try superantispyware . . .


"JP" <JP@discussions.microsoft.com> wrote in message
news:D01A399C-59E6-4B0E-B133-6072EA7A2082@microsoft.com...
> I am assuming I am on the right Group.
> I have discovered a Zombie Emailer running on XP Home.
> It is sending enough email to bring down the LAN. Using CurrPorts
> (cports.exe) I can watch it connect to an IP address on port 80 (probably
> picking up the day's email) then connect to another IP Address (close to the
> first one) on Port 25.
>
> After a few seconds, all hell breaks loose, and the computer starts spewing
> email at a great rate...stopped by pulling the Network cable.
> I have watched this, in CurrPorts, and in Process Explorer from
> Sysinternals, and it appears to be running from Services.exe PID 688, but
> from where after that is the real question.
> I have used 3 different Virus Scanners, and 2 different Rootkit finders.
> Nothing.
>
> I further checked it with HiJackThis, and with Autoruns. Seems that it is
> not something that normally shows up as an "evil doer". I am not sure if
> they have hijacked a service, or just what.
> Any suggestions.
 
Milo (MSPSS)

Block the said ports from the firewall, as an option.

"JP" <JP@discussions.microsoft.com> wrote in message
news:D01A399C-59E6-4B0E-B133-6072EA7A2082@microsoft.com...
>I am assuming I am on the right Group.
> I have discovered a Zombie Emailer running on XP Home.
> It is sending enough email to bring down the LAN. Using CurrPorts
> (cports.exe) I can watch it connect to an IP address on port 80 (probably
> picking up the day's email) then connect to another IP Address (close to
> the
> first one) on Port 25.
>
> After a few seconds, all hell breaks loose, and the computer starts
> spewing
> email at a great rate...stopped by pulling the Network cable.
> I have watched this, in CurrPorts, and in Process Explorer from
> Sysinternals, and it appears to be running from Services.exe PID 688, but
> from where after that is the real question.
> I have used 3 different Virus Scanners, and 2 different Rootkit finders.
> Nothing.
>
> I further checked it with HiJackThis, and with Autoruns. Seems that it is
> not something that normally shows up as an "evil doer". I am not sure if
> they have hijacked a service, or just what.
> Any suggestions.
 
Dustin Cook

JP <JP@discussions.microsoft.com> wrote in
news:D01A399C-59E6-4B0E-B133-6072EA7A2082@microsoft.com:

> I am assuming I am on the right Group.
> I have discovered a Zombie Emailer running on XP Home.
> It is sending enough email to bring down the LAN. Using CurrPorts
> (cports.exe) I can watch it connect to an IP address on port 80
> (probably picking up the day's email) then connect to another IP
> Address (close to the first one) on Port 25.
>
> After a few seconds, all hell breaks loose, and the computer starts
> spewing email at a great rate...stopped by pulling the Network cable.
> I have watched this, in CurrPorts, and in Process Explorer from
> Sysinternals, and it appears to be running from Services.exe PID 688,
> but from where after that is the real question.
> I have used 3 different Virus Scanners, and 2 different Rootkit
> finders. Nothing.
>
> I further checked it with HiJackThis, and with Autoruns. Seems that
> it is not something that normally shows up as an "evil doer". I am
> not sure if they have hijacked a service, or just what.
> Any suggestions.
>


I've seen this before. In my case, the rootkit itself modified a few
Windows key system files. Trojanized them, basically. It took a bit of
hunting to find the modified executables and replace them. I'd start by
doing a dir /o-d (date sorted) and replace the newest system DLLs with
ones from a known clean backup.


--
####################################################
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
####################################################
 
Dustin Cook

"Milo \(MSPSS\)" <V-4jpaca@mssupport.microsoft.com> wrote in
news:40029B0D-5B30-48FA-A64A-31FA0F69A53D@microsoft.com:

> Block the said ports from the firewall as an option


Doesn't remove the problem, just keeps it from talking on the internet.
Better to clean the box, imho.


--
####################################################
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
####################################################
 
Milo (MSPSS)

Actually, that's the first step: cut off the bits/data supporting the code from
within... then after such the system would be stable enough and
(non-replicating, since the source has been blocked).

And for further identification use a proper tool for the removal, or I
would recommend calling Microsoft Security US/CANADA (866 727 2338) for
added assistance.

"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
news:Xns999CB3F8FBD68HHI2948AJD832@69.28.186.121...
> "Milo \(MSPSS\)" <V-4jpaca@mssupport.microsoft.com> wrote in
> news:40029B0D-5B30-48FA-A64A-31FA0F69A53D@microsoft.com:
>
>> Block the said ports from the firewall as an option
>
> Doesn't remove the problem, just keeps it from talking on the internet.
> Better to clean the box, imho.
>
>
> --
> ####################################################
> Dustin Cook
> Author of BugHunter - MalWare Removal Tool - v2.2c
> Email: bughunter.dustin@gmail.com
> Web..: http://bughunter.it-mate.co.uk
> Pad..: http://bughunter.it-mate.co.uk/pad.xml
> ####################################################
 
BoaterDave

Hello Milo :) Are you a Microsoft employee?

I hope you won't object to me asking (like some folk do). TIA

David

***********************************************************
"Milo (MSPSS)" <V-4jpaca@mssupport.microsoft.com> wrote in message
news:7323FEB8-1CBF-4C10-9F21-DA54AE7BC545@microsoft.com...
> Actually thats the first step cut off the bits/data supporting the code
> from within... then after such the system would be stable enough and (non
> replicating since the source has been block ).
>
> And for further identification use a proper tool for the removal or so I
> would recommend to call Microsoft Security US/CANADA ( 866 727 2338 ) for
> added assistance
>
> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
> news:Xns999CB3F8FBD68HHI2948AJD832@69.28.186.121...
>> "Milo \(MSPSS\)" <V-4jpaca@mssupport.microsoft.com> wrote in
>> news:40029B0D-5B30-48FA-A64A-31FA0F69A53D@microsoft.com:
>>
>>> Block the said ports from the firewall as an option
>>
>> Doesn't remove the problem, just keeps it from talking on the internet.
>> Better to clean the box, imho.
>>
>>
>> --
>> ####################################################
>> Dustin Cook
>> Author of BugHunter - MalWare Removal Tool - v2.2c
>> Email: bughunter.dustin@gmail.com
>> Web..: http://bughunter.it-mate.co.uk
>> Pad..: http://bughunter.it-mate.co.uk/pad.xml
>> ####################################################
>
 
Dustin Cook

"Milo \(MSPSS\)" <V-4jpaca@mssupport.microsoft.com> wrote in
news:7323FEB8-1CBF-4C10-9F21-DA54AE7BC545@microsoft.com:

> Actually thats the first step cut off the bits/data supporting the
> code from within... then after such the system would be stable enough
> and (non replicating since the source has been block ).


Stable enough? Perhaps you misunderstood the author's post, then. The
program he had is a variant of gaobot, and while it's resident, you're not
going to find the executable. Btw, the author has already resolved the
issue he had. Your advice didn't help, but mine did. :)

Bart PE comes in handy for situations like that, and I doubt Microsoft
would recommend it. I've already received the executable and determined
what it'll do and what it will not do. While I appreciate your efforts,
malware isn't something you seem to specialize in.

> And for further identification use a proper tool for the removal or so
> I would recommend to call Microsoft Security US/CANADA ( 866 727 2338
> ) for added assistance


And again, gaobot is stealthing; while it's running it makes an effort to
hide the executable. If the malware has control of the machine, the
scanning utility is its bitch. That's just how things are. As I said,
your method would prevent it from mass mailing, but would not do anything
to fix the issue.


--
####################################################
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
####################################################
 
Dustin Cook

What's in a Name? <maxpro4u@nomail.afraid.org> wrote in
news:fb96ol$d6s$1@aioe.org:

> On 8/29/2007 3:10 PM, JP after much thought, came up with this jewel:
>> I have discovered a Zombie Emailer running on XP Home.
>> It is sending enough email to bring down the LAN. After a few
>> seconds, all hell breaks loose I have used 3 different Virus
>> Scanners, and 2 different Rootkit finders. Nothing. I further
>> checked it with HiJackThis, and with Autoruns. Any suggestions.
>
> Flatten/restore clean image (you do have one, right?)
> Buy a bigger rubber. What do you use now, if I may be so bold to
> ask? (so I know which one I should stay away from)
> max


He had a gaobot variant. We both know how annoying those are, and they
stealth fairly well too.


--
####################################################
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
####################################################
 
---Fitz---

"BoaterDave" <BoaterDave@nospam.invalid> wrote in message
news:eJeo%23u86HHA.4476@TK2MSFTNGP06.phx.gbl...
> Hello Milo :) Are you a Microsoft employee?
>
> I hope you won't object to me asking (like some folk do). TIA
>
> David
>
> ***********************************************************
> "Milo (MSPSS)" <V-4jpaca@mssupport.microsoft.com> wrote in message
> news:7323FEB8-1CBF-4C10-9F21-DA54AE7BC545@microsoft.com...
>> Actually thats the first step cut off the bits/data supporting the code
>> from within... then after such the system would be stable enough and (non
>> replicating since the source has been block ).
>>
>> And for further identification use a proper tool for the removal or so I
>> would recommend to call Microsoft Security US/CANADA ( 866 727 2338 ) for
>> added asssistance
>>
>> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
>> news:Xns999CB3F8FBD68HHI2948AJD832@69.28.186.121...
>>> "Milo \(MSPSS\)" <V-4jpaca@mssupport.microsoft.com> wrote in
>>> news:40029B0D-5B30-48FA-A64A-31FA0F69A53D@microsoft.com:
>>>
>>>> Block the said ports from the firewall as an option
>>>
>>> Doesn't remove the problem, just keeps it from talking on the internet.
>>> Better to clean the box, imho.
>>>
>>>
>>> --
>>> ####################################################
>>> Dustin Cook
>>> Author of BugHunter - MalWare Removal Tool - v2.2c
>>> Email: bughunter.dustin@gmail.com
>>> Web..: http://bughunter.it-mate.co.uk
>>> Pad..: http://bughunter.it-mate.co.uk/pad.xml
>>> ####################################################
>>
>
>


Dave,

Since July 23rd, you've posted 117 messages to just this
newsgroup...microsoft.public.security.virus. None of your messages or
replies have anything to do with a virus or even mention the word virus.
Your messages seem to be about social networking, who to trust on
newsgroups, who is really who on newsgroups and who are various users of
other newsgroups. None of this has anything to do with a virus which is
what this group is about. According to your statements, you are new at
using newsgroups and want to learn. I've found that if I have to hunt down
the answer to a question, the answer is far more likely to stick with me
rather than asking or relying upon strangers to give me the answer. Perhaps
a little research on your part (books, articles, magazines, how-to
tutorials, etc) would be of more benefit to you than all these posts to the
wrong newsgroup.
 
BoaterDave

"Since July 23rd, you've posted 117 messages to just this
newsgroup...microsoft.public.security.virus."

How on earth do you know that? I've no idea how to check. :)

BD
 
Peter Foldes

Right click on the newsgroup itself and select Find. Type BoaterDave into the From field and you've got it.

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"BoaterDave" <BoaterDave@nospam.invalid> wrote in message news:%23C6bK6A7HHA.5212@TK2MSFTNGP04.phx.gbl...
> "Since July 23rd, you've posted 117 messages to just this
> newsgroup...microsoft.public.security.virus."
>
> How on earth do you know that? I've no idea how to check. :)
>
> BD
>
>
 
BoaterDave

Thank you Peter.

Have you taken me off your 'killfile' list?

BD
**************************************************
"Peter Foldes" <okf22@hotmail.com> wrote in message
news:eW1I9RB7HHA.1212@TK2MSFTNGP05.phx.gbl...
Right click on the newsgroup itself and select Find. Type in BoaterDave into
the From field and you got it

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"BoaterDave" <BoaterDave@nospam.invalid> wrote in message
news:%23C6bK6A7HHA.5212@TK2MSFTNGP04.phx.gbl...
> "Since July 23rd, you've posted 117 messages to just this
> newsgroup...microsoft.public.security.virus."
>
> How on earth do you know that? I've no idea how to check. :)
>
> BD
>
>
 
BoaterDave

Thanks for your comments and advice, Fitz.

As you have probably surmised, there is a reason. Ask K.Dee why she's here
monitoring my posts.

You could ask Troll_Lady the same question too. She can remove my posts on
'her' newsgroups, but not from here.

I did rely on strangers once, but not any more! <g>

BD

PS Please forgive the 'top posting'. Still awaiting a response from Milo.
:)

************************************************************
"---Fitz---" <---fitz---@invalid.com> wrote in message
news:46d86e45$0$28839$4c368faf@roadrunner.com...
> "BoaterDave" <BoaterDave@nospam.invalid> wrote in message
> news:eJeo%23u86HHA.4476@TK2MSFTNGP06.phx.gbl...
>> Hello Milo :) Are you a Microsoft employee?
>>
>> I hope you won't object to me asking (like some folk do). TIA
>>
>> David
>>
>> ***********************************************************
>> "Milo (MSPSS)" <V-4jpaca@mssupport.microsoft.com> wrote in message
>> news:7323FEB8-1CBF-4C10-9F21-DA54AE7BC545@microsoft.com...
>>> Actually thats the first step cut off the bits/data supporting the code
>>> from within... then after such the system would be stable enough and
>>> (non replicating since the source has been block ).
>>>
>>> And for further identification use a proper tool for the removal or so I
>>> would recommend to call Microsoft Security US/CANADA ( 866 727 2338 )
>>> for added asssistance
>>>
>>> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
>>> news:Xns999CB3F8FBD68HHI2948AJD832@69.28.186.121...
>>>> "Milo \(MSPSS\)" <V-4jpaca@mssupport.microsoft.com> wrote in
>>>> news:40029B0D-5B30-48FA-A64A-31FA0F69A53D@microsoft.com:
>>>>
>>>>> Block the said ports from the firewall as an option
>>>>
>>>> Doesn't remove the problem, just keeps it from talking on the internet.
>>>> Better to clean the box, imho.
>>>>
>>>>
>>>> --
>>>> ####################################################
>>>> Dustin Cook
>>>> Author of BugHunter - MalWare Removal Tool - v2.2c
>>>> Email: bughunter.dustin@gmail.com
>>>> Web..: http://bughunter.it-mate.co.uk
>>>> Pad..: http://bughunter.it-mate.co.uk/pad.xml
>>>> ####################################################
>>>
>>
>>
>
> Dave,
>
> Since July 23rd, you've posted 117 messages to just this
> newsgroup...microsoft.public.security.virus. None of your messages or
> replies have anything to do with a virus or even mention the word virus.
> Your messages seem to be about social networking, who to trust on
> newsgroups, who is really who on newsgroups and who are various users of
> other newsgroups. None of this has anything to do with a virus which is
> what this group is about. According to your statements, you are new at
> using newsgroups and want to learn. I've found that if I have to hunt
> down the answer to a question, the answer is far more likely to stick with
> me rather than asking or relying upon strangers to give me the answer.
> Perhaps a little research on your part (books, articles, magazines, how-to
> tutorials, etc) would be of more benefit to you than all these posts to
> the wrong newsgroup.
 
---Fitz---

"BoaterDave" <BoaterDave@nospam.invalid> wrote in message
news:ueWfSrB7HHA.3528@TK2MSFTNGP04.phx.gbl...
> Thanks for your comments and advice, Fitz.
>
> As you have probably surmised, there is a reason. Ask K.Dee why she's here
> monitoring my posts.
>
> You could ask Troll_Lady the same question too. She can remove my posts on
> 'her' newsgroups, but not from here.
>
> I did rely on strangers once, but not any more! <g>
>
> BD
>
> PS Please forgive the 'top posting'. Still awaiting a response from Milo.
> :)
>
> ************************************************************
> "---Fitz---" <---fitz---@invalid.com> wrote in message
> news:46d86e45$0$28839$4c368faf@roadrunner.com...
>> "BoaterDave" <BoaterDave@nospam.invalid> wrote in message
>> news:eJeo%23u86HHA.4476@TK2MSFTNGP06.phx.gbl...
>>> Hello Milo :) Are you a Microsoft employee?
>>>
>>> I hope you won't object to me asking (like some folk do). TIA
>>>
>>> David
>>>
>>> ***********************************************************
>>> "Milo (MSPSS)" <V-4jpaca@mssupport.microsoft.com> wrote in message
>>> news:7323FEB8-1CBF-4C10-9F21-DA54AE7BC545@microsoft.com...
>>>> Actually thats the first step cut off the bits/data supporting the code
>>>> from within... then after such the system would be stable enough and
>>>> (non replicating since the source has been block ).
>>>>
>>>> And for further identification use a proper tool for the removal or so
>>>> I would recommend to call Microsoft Security US/CANADA ( 866 727 2338 )
>>>> for added asssistance
>>>>
>>>> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
>>>> news:Xns999CB3F8FBD68HHI2948AJD832@69.28.186.121...
>>>>> "Milo \(MSPSS\)" <V-4jpaca@mssupport.microsoft.com> wrote in
>>>>> news:40029B0D-5B30-48FA-A64A-31FA0F69A53D@microsoft.com:
>>>>>
>>>>>> Block the said ports from the firewall as an option
>>>>>
>>>>> Doesn't remove the problem, just keeps it from talking on the
>>>>> internet.
>>>>> Better to clean the box, imho.
>>>>>
>>>>>
>>>>> --
>>>>> ####################################################
>>>>> Dustin Cook
>>>>> Author of BugHunter - MalWare Removal Tool - v2.2c
>>>>> Email: bughunter.dustin@gmail.com
>>>>> Web..: http://bughunter.it-mate.co.uk
>>>>> Pad..: http://bughunter.it-mate.co.uk/pad.xml
>>>>> ####################################################
>>>>
>>>
>>>
>>
>> Dave,
>>
>> Since July 23rd, you've posted 117 messages to just this
>> newsgroup...microsoft.public.security.virus. None of your messages or
>> replies have anything to do with a virus or even mention the word virus.
>> Your messages seem to be about social networking, who to trust on
>> newsgroups, who is really who on newsgroups and who are various users of
>> other newsgroups. None of this has anything to do with a virus which is
>> what this group is about. According to your statements, you are new at
>> using newsgroups and want to learn. I've found that if I have to hunt
>> down the answer to a question, the answer is far more likely to stick
>> with me rather than asking or relying upon strangers to give me the
>> answer. Perhaps a little research on your part (books, articles,
>> magazines, how-to tutorials, etc) would be of more benefit to you than
>> all these posts to the wrong newsgroup.
>
>


Sorry Dave...you're still off topic for this newsgroup. This is a newsgroup
for discussions about VIRUS.
 
BoaterDave


> Sorry Dave...you're still off topic for this newsgroup. This is a
> newsgroup
> for discussions about VIRUS.


I am fully aware that I'm not following 'the rules' Fitz - but it is in a
good cause, I assure you. :)

I'd also bet that at least 99% of 'visitors' to the Microsoft newsgroups,
this one included, will click on a link provided by another poster (helper)
rather than copying and pasting into their browser. It appears to me (and I
suppose I may be wrong) that no-one from Microsoft itself actually
monitors/polices the groups. No-one is responsible for checking that each
and every link takes one to the 'right' destination.

Perhaps you have never even considered the possibility that some posters
here may not be honest, law-abiding citizens. Even those wearing the MVP
badge.

There really is no way of knowing ................ is there? )

Dave
 
Milo (MSPSS)

Points taken. Also, just to make it clear, I'm of no competition to
anyone or you in such matters.
I'm just here to help and add to such. I don't use tools quite often to
assist someone with malware, virus or rootkit concerns, perhaps in
detection, but in removal I rather do it manually to identify the strand
origin and functions. But recently they can't keep up with the changes and
modification of some droppers and rootkits that you or I have to identify.
I did on purpose refer him/her to the support
not only for removal but as well as identification, removal (possibility of
return) and preventive measure, and possibly, if it would be allowed, to
extract some sample which will help others. But then again, thank you for
helping him/her directly; bottom line, he/she got good assistance.



"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
news:Xns999D6AA00C384HHI2948AJD832@69.28.186.121...
> "Milo \(MSPSS\)" <V-4jpaca@mssupport.microsoft.com> wrote in
> news:7323FEB8-1CBF-4C10-9F21-DA54AE7BC545@microsoft.com:
>
>> Actually thats the first step cut off the bits/data supporting the
>> code from within... then after such the system would be stable enough
>> and (non replicating since the source has been block ).
>
> stable enough? Perhaps you misunderstood the authors post then. The
> program he had is a variant of gaobot, and while it's resident, you're not
> going to find the executable. Btw, the author has already resolved the
> issue he had. Your advice didn't help, but mine did. :)
>
> Bart PE comes in handy for situations like that, and I doubt microsoft
> would recommend it. I've already received the executable and determined
> what it'll do and what it will not do. While I appreciate your efforts,
> malware isn't something you seem to specialize in.
>
>> And for further identification use a proper tool for the removal or so
>> I would recommend to call Microsoft Security US/CANADA ( 866 727 2338
>> ) for added assistance
>
> And again, gaobot is stealthing, while it's running it makes an effort to
> hide the executable. If the malware has control of the machine, the
> scanning utility is its bitch. That's just how things are. As I said,
> your method would prevent it from mass mailing, but would not do anything
> to fix the issue.
>
>
> --
> ####################################################
> Dustin Cook
> Author of BugHunter - MalWare Removal Tool - v2.2c
> Email: bughunter.dustin@gmail.com
> Web..: http://bughunter.it-mate.co.uk
> Pad..: http://bughunter.it-mate.co.uk/pad.xml
> ####################################################
 
Dustin Cook

What's in a Name? <maxpro4u@nomail.afraid.org> wrote in
news:fb9b33$s3h$1@aioe.org:

> On 8/31/2007 9:24 AM, Dustin Cook after much thought, came up with this
> jewel:
>> What's in a Name? <maxpro4u@nomail.afraid.org> wrote in
>> news:fb96ol$d6s$1@aioe.org:
>>
>>> On 8/29/2007 3:10 PM, JP after much thought, came up with this jewel:
>>>> I have discovered a Zombie Emailer running on XP Home.
>>>> It is sending enough email to bring down the LAN. After a few
>>>> seconds, all hell breaks loose I have used 3 different Virus
>>>> Scanners, and 2 different Rootkit finders. Nothing. I further
>>>> checked it with HiJackThis, and with Autoruns. Any suggestions.
>>> Flatten/restore clean image (you do have one, right?)
>>> Buy a bigger rubber. What do you use now, if I may be so bold to
>>> ask? (so I know which one I should stay away from)
>>> max
>>
>> He had a gaobot variant. We both know how annoying those are, and they
>> stealth fairly well too.
>>
> That's why I said flatten/restore clean image. Some cleaning can take
> hours if not days of headaches. Better spending an hour or so looking
> for those restore disks!


It just depends on the situation. If they're just workstations and don't
contain too much customized configuration data, I'd agree. But his issue
wasn't really too big of a deal. He was already halfway there to finding
the little pest anyhow. He just needed a way to be able to see what was
going on without the pest rerouting some functions and hiding.

Home computers are usually different; it's usually best to clean them, make
sure they are clean as best as your abilities allow for, and keep an eye
on the machine. If you have the right software (a utility similar to
BugHunter, for example, can tell me which, if any, Windows main files aren't
what they should be. It'll also have information on common legitimate
installed software. The utility isn't ready for general public use yet,
but it's coming soon), I believe it'll go a long way towards detecting
modifications made to key Windows system files that allow some malware
to come back the moment a live internet connection is discovered.




--
####################################################
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
####################################################
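Dustin's earlier advice (sort system files by date with `dir /o-d` and replace the newest DLLs with copies from a known-clean backup) and his description just above of a utility that reports which Windows system files "aren't what they should be" both come down to the same check: compare the suspect machine against a trusted baseline. The script below is an added example, not BugHunter or any other tool from the thread. It hashes every file under a "clean" tree and a "suspect" tree, reports modified, added and missing files, and lists the most recently changed files the way a date-sorted directory listing would. The two trees, the file names and their contents are constructed in a temporary directory so the script runs offline; in a real case the suspect tree would be read from an offline boot (the BartPE approach Dustin mentions) or the clean manifest taken from install media, because a running rootkit can lie to any tool that asks it for the file contents.

```python
"""Compare a suspect Windows file tree against a known-clean baseline.

Added example. Both directory trees, their file names and contents are
constructed here for the demo; none of them are real Windows binaries.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large system files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (forward slashes) -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(clean, suspect):
    """Classify every path as modified (same name, different hash), added
    (present only on the suspect) or missing (present only in the baseline)."""
    modified = sorted(p for p in clean if p in suspect and clean[p] != suspect[p])
    added = sorted(p for p in suspect if p not in clean)
    missing = sorted(p for p in clean if p not in suspect)
    return {"modified": modified, "added": added, "missing": missing}


def newest_files(root, count=3):
    """The `dir /o-d` view: files under root sorted newest-first by mtime."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries.append((os.path.getmtime(full), rel))
    entries.sort(reverse=True)
    return [rel for _, rel in entries[:count]]


def _write(root, rel, data, mtime=None):
    """Create a file at root/rel with the given bytes and optional timestamp."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    if mtime is not None:
        os.utime(full, (mtime, mtime))


def make_demo_trees():
    """Constructed 'known clean backup' and 'suspect' trees (invented names/contents)."""
    base = tempfile.mkdtemp(prefix="baseline_demo_")
    clean, suspect = os.path.join(base, "clean"), os.path.join(base, "suspect")
    t0 = 1_000_000_000  # arbitrary fixed epoch so the ordering is deterministic
    originals = [
        ("system32/sample_net.dll", b"clean net dll"),
        ("system32/sample_svc.dll", b"clean svc dll"),
        ("system32/drivers/sample_drv.sys", b"clean driver"),
    ]
    for rel, data in originals:
        _write(clean, rel, data, t0)
        _write(suspect, rel, data, t0)
    # Simulated tampering on the suspect only: one DLL's bytes changed and
    # its timestamp bumped, plus one unknown binary dropped alongside.
    _write(suspect, "system32/sample_svc.dll", b"trojanized svc dll", t0 + 86400)
    _write(suspect, "system32/dropped_example.exe", b"unknown binary", t0 + 90000)
    return clean, suspect


def demo():
    """Build the demo trees and return the comparison plus the newest files."""
    clean, suspect = make_demo_trees()
    report = compare_manifests(build_manifest(clean), build_manifest(suspect))
    report["newest"] = newest_files(suspect, 2)
    return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>9}: {paths}")
```

The hash comparison is what catches the trojanized DLL; the date listing alone would too in this constructed case, but attackers can reset timestamps, so `newest_files` is a triage hint while `compare_manifests` is the check. Store the clean manifest off the machine and treat any "modified" entry as a candidate for replacement from the backup, as Dustin describes.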
 
Dustin Cook

"Milo \(MSPSS\)" <V-4jpaca@mssupport.microsoft.com> wrote in
news:6E677E8C-CDD0-4693-AB2C-AD4A40C34AF8@microsoft.com:

> Points taken, also just so to make it clear im but of no competition
> to anyone or you in such matters -


Hi Milo. After re-reading my post, I detected a bit of arrogance in my
tone and wish to apologize for it.

> Im just here to help add to such i dont use tools quite often to
> assist someone with malware, virus or so rootkit concerns, perhaps in
> detection but in removal i rather do it manually to identify the
> strand origin and functions. But recently they cant keep up with the
> changes and modification of some droppers and rootkits that you or I



I completely understand where you are coming from, sir, and I do find that
you're very helpful in most cases. If at all possible, would you be willing
to send samples you get from your day to day encounters to myself as well
as the others you already send to? If this is something you'd be willing
to do, shoot me an email and I'll provide the specific file submission
details.

> would be allowed extract some sample which will help others, but then
> again thank you for helping him/her directly - bottom line he/she got
> a good assistance.


It's no problem. I like helping people when I can. And again, I apologize
for my arrogant tone I took with you previously.

--
####################################################
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
####################################################
 
---Fitz---

"BoaterDave" <BoaterDave@nospam.invalid> wrote in message
news:OONNdMG7HHA.5984@TK2MSFTNGP04.phx.gbl...
>
>> Sorry Dave...you're still off topic for this newsgroup. This is a
>> newsgroup
>> for discussions about VIRUS.
>
> I am fully aware that I'm not following 'the rules' Fitz - but it is in a
> good cause, I assure you. :)
>
> I'd also bet that at least 99% of 'visitors' to the Microsoft newsgroups,
> this one included, will click on a link provided by another poster
> (helper) rather than copying and pasting into their browser. It appears to
> me (and I suppose I may be wrong) that no-one from Microsoft itself
> actually monitors/polices the groups. No-one is responsible for checking
> that each and every link takes one to the 'right' destination.
>
> Perhaps you have never even considered the possibility that some posters
> here may not be honest, law abiding, citizens Even those wearing the MVP
> badge.
>
> There really is no way of knowing ................ is there? )
>
> Dave
>


What is the "good cause" when you take away from others who seek help in
this newsgroup about a VIRUS when you're talking about who checks the links,
etc.? You're dealing with STRANGERS. Why WOULD you think they would be
"honest, law abiding, citizens" and trust them? You don't do it face to
face...why here? However, you do MVPs a disservice when you imply that they
are dishonest. The original OP requested info about Zombie email. This has
nothing to do with that. Even though the OP seems new at this (he prefaced
his post with "I am assuming I am on the right Group.", which is good
netiquette), he wanted "suggestions" for solving his problem. You're still
in the wrong group for social networking.
 