My computer is sending hundreds of spam emails as soon as I am connected to internet

Here is the latest log from ROOTREPEAL

******************************************************

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/09 08:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA95CA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B7F000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA86EE000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86e29c08

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x86e29a80

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x86d93a78

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x86edfcd8

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x86e2acb0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x86b781d8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9a0f350

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x86e27a98

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x86e2ab38

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x86e29db0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x86d62e30

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x86e2ba98

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x86e26d20

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x86e27df0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "<unknown>" at address 0x8703a3e8

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x86e0aa80

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x86e28a88

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x86e27c68

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x86e28b60

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9a0f580

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x86e2bad0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x86e28e70

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86e26b88

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x86e28cd8

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x86e27ad0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86f07da0

==EOF==
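The SSDT section of a RootRepeal log is the part worth triaging: each entry names a system call whose SSDT slot no longer points into the kernel, and the "Hooked by" field is RootRepeal's attempt to attribute the hook handler's address to a loaded driver image. The following is an added example, not part of the thread and not RootRepeal's own code: a small Python script that parses the Drivers and SSDT sections of a log in this exact text format, maps each hook address against the driver image ranges (base + size) the log lists, and separates hooks attributed to a named driver (here SYMEVENT.SYS, a Symantec driver) from hooks whose handler lies outside every listed image. The embedded sample is a trimmed copy of the log above; the regexes and function names are this example's own assumptions.

```python
"""Triage helper for RootRepeal text logs (added example, not RootRepeal code)."""
import re
from collections import Counter

# Constructed sample: a trimmed copy of the Drivers and SSDT sections of the log above.
SAMPLE_LOG = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA95CA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA86EE000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x86e29c08

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9a0f350

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86f07da0

==EOF==
"""

# One driver entry: name, image path, load address and image size (bytes).
DRIVER_RE = re.compile(
    r"Name:\s*(?P<name>\S+)\s*\n"
    r"Image Path:\s*(?P<path>.+?)\s*\n"
    r"Address:\s*(?P<base>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)"
)

# One SSDT entry: slot index, syscall name, hooking module and handler address.
HOOK_RE = re.compile(
    r"#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<name>\w+)\s*\n"
    r'Status:\s*Hooked by\s*"(?P<module>[^"]*)"\s*at address\s*(?P<addr>0x[0-9A-Fa-f]+)'
)


def parse_drivers(text):
    """Return [(name, base, end)] for each driver entry; end is exclusive."""
    drivers = []
    for m in DRIVER_RE.finditer(text):
        base = int(m.group("base"), 16)
        drivers.append((m.group("name"), base, base + int(m.group("size"))))
    return drivers


def parse_ssdt_hooks(text):
    """Return one dict per hooked SSDT entry, in log order."""
    hooks = []
    for m in HOOK_RE.finditer(text):
        hooks.append({
            "index": int(m.group("index")),
            "name": m.group("name"),
            "module": m.group("module"),
            "address": int(m.group("addr"), 16),
        })
    return hooks


def owner_of(address, drivers):
    """Name of the driver whose image range contains address, or None."""
    for name, base, end in drivers:
        if base <= address < end:
            return name
    return None


def triage(text):
    """Count hooks per module and list the ones no listed driver image explains."""
    drivers = parse_drivers(text)
    hooks = parse_ssdt_hooks(text)
    by_module = Counter(h["module"] for h in hooks)
    unattributed = [
        (h["name"], hex(h["address"]))
        for h in hooks
        if h["module"] == "<unknown>" and owner_of(h["address"], drivers) is None
    ]
    return {"hooks_by_module": dict(by_module), "unattributed": unattributed}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for module, count in report["hooks_by_module"].items():
        print(f"{count:3d} hook(s) by {module}")
    for name, addr in report["unattributed"]:
        print(f"unattributed: {name} -> {addr}")
```

Two points the output makes visible. First, the two SYMEVENT.SYS hooks in the full log are the expected footprint of the installed Symantec product and are not what needs chasing. Second, RootRepeal prints "<unknown>" when the handler address lies outside every driver image it enumerated; the 0x86xxxxxx addresses here sit well below the listed driver images, which is consistent with code running from dynamically allocated kernel memory. That pattern is what a kernel-mode rootkit produces, but some host-intrusion-prevention products hook the same way, so the unattributed list is the starting point for attribution (cross-checking against a full, non-hidden driver list), not a verdict on its own.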
 
OK, thanks for the info. You can delete the RootRepeal icon from your desktop. There is a utility that will remove ComboFix for you:

Please download OTCleanIt and save it to desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

One last thing you can do is make a new restore point. The how and the why;
One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

If all is good, some tips to help remain malware free:

10 Tips for Reducing/Preventing Your Risk To Malware:


1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here.


2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you're prompted to install software to remedy this. See also the signs that you may have malware on your computer.


3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If these are constantly finding malware on your computer then it's time to review your computer habits.


4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. Do you trust the source?


5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.


6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?


7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.*


8) Install and understand the *limitations* of a software firewall.


9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs.


10) Warez, cracks etc are very popular for carrying all kinds of malware payloads. Using them will cause you all kinds of problems. If you download/install files via p2p networks then you are also much more likely to encounter malicious code. Do you really trust the source of the file? Do you really need another malware source?

A longer version is in the link below.

Happy Safe Surfing.
 