Computer Expert Required

Submitted: Tuesday, May 24, 2005 at 01:32
ThreadID: 23257 Views:2838 Replies:23 FollowUps:14
This Thread has been Archived
A little off topic but since this forum is so full of good advice, why not ask a question about a computer issue.

I have just noticed that I seem to have been attacked by a spammer who is using my computer to distribute their spam.

I use Norton Anti Virus, Yes it is registered and updated by Norton constantly.
It is set to scan all incoming AND outgoing emails as well as all files on the Hard drive 3 times a week.
Every so often in the last 3 days I have suddenly seen the outgoing scan icon appear and a $hit load of outgoing mail scans occur, they are not going out from my out box (Outlook Express) but are certainly being scanned outwards by Norton through my computer, I also note the volume of upload and download increase dramatically.

If I cut off the connection I get a message that says "You or a program you have set is requesting to connect to" webadi.robobot.org or upseek.org and today a series of numbers ????????.org (Did not write them down)

I have obviously been infected by something and it is not being picked up by Norton, Spybot, Adware scans.
So can anyone tell me what has got me and how do I stop it and remove it.

Oh!!! I know it's spam as some of the stuff sent is rejected and Norton tells me with a rejection notice which has a Norton ID number that when I look up tells me it's spam, I also get what appears to be a subject line in that reject message that says things that relate to porn and other obvious crap.

I have always been very very careful about what sites I access and I use mailwasher to also help filter my emails as well as up to date anti virus and I have still been hit.

I really hate these ba$tards who set up and propagate this $hit, I own a bull bar and would use it on these buggers in a way that would upset Mr Scrubby.

Any help or guidance, web sites or downloads that anyone knows of would be appreciated.
VKS737 - Mobile 6352 (Selcall 6352)


Reply By: Member - Wesley S (WA) - Tuesday, May 24, 2005 at 03:29

John

Unfortunately you are infected with gremlins, based on what you are saying about all the programs and scans you have done (assuming they are up to date with the latest definitions) your quickest and most definite solution may be a reformat and reload.

Back up all your data, documents, favourites, Outlook files etc and blitz the hard drive. (2 hours of your time).

Or you could spend countless hours maybe even days trying to find this gremlin that is buried deep in your system.

Whatever you choose to do I would do it fast before you get blacklisted on the anti-spam sites.

I agree with your course of action if you ever catch the buggers however you would be the first to achieve such a feat which is akin to catching a fly with chop sticks, possible but not feasible.
AnswerID: 112532

Follow Up By: Member - Wesley S (WA) - Tuesday, May 24, 2005 at 11:21

John

In the time it has taken to read all this stuff, you could have reformatted and reloaded your computer 3 times.
FollowupID: 368784

Reply By: Rosco - Bris. - Tuesday, May 24, 2005 at 06:13

John

Sorry to say it cobber, but your box has got a dose. ... ;-))

I had a similar problem a few months ago and fortunately we were able to clean it out without reformatting the hd.

Over the years I have tried and been let down by Leprechaun, McAfee, Norton, AVG and a couple of others I can't recall. It would seem on occasions they are simply not up to the task.

The only thing I can suggest is trying other anti-virus software in the hope it'll catch the bug. You will most likely need to disable or perhaps even temporarily remove Norton, as you will invariably get a conflict between 2 different sets of anti-virus software.

You may like to try vet.com.au .. it's an Aus program I'm currently using, which seems ?? to be up to the task.

Good luck
AnswerID: 112533

Reply By: Member - Peter D M - Tuesday, May 24, 2005 at 06:44

hi john.
i'm no expert but from expensive experience, like rosco i've used vet anti virus, 18 months with no problems. the data miners etc, i use adaware and spybot and update regularly. in the last week or so i've been getting heaps of mail from germany with links to sites. optus tells me this is the current virus causing trouble. i'm being extra careful as a lot of this is coming in looking like it is from the 4x4 state associations that i normally deal with.
as a try do a manual update from norton.

regards peter
AnswerID: 112535

Reply By: Troll83 - Tuesday, May 24, 2005 at 07:08

Hi John

I should be able to help you, been in the IT industry for years. Can you go to microsoft.com and download their new spyware program and run that and clear anything you find. Can you also open your Task Manager and take a screen shot of all the processes running and email that through.

Are you on a permanent internet connection? Do you have a router or a modem?
Check the "hosts" file and if it has any entries other than 127.0.0.1, comment them out.
For Windows XP and 2000 look in C:\WINDOWS\SYSTEM32\DRIVERS\ETC
For Windows 98\ME look in C:\WINDOWS
Prob best you email all the answers back to me. Also what version of windows do you have. The more info you can give me the better.

Regards,
AnswerID: 112536
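
The hosts-file check suggested in the reply above, as an added example that is not part of the original post: it lists active entries whose address is not 127.0.0.1 and returns a copy of the file with those lines commented out. Going one step beyond the post, it also reports 127.0.0.1 entries for names other than localhost, since a loopback mapping makes a site (an antivirus update server, say) unreachable; the sample content, hostnames and address are constructed.

```python
"""Hosts-file audit: added example; the sample content below is constructed."""
from dataclasses import dataclass
from typing import List, Tuple

LOOPBACK = "127.0.0.1"

# Constructed sample. On Windows XP/2000 the real file is
# C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts (C:\WINDOWS\hosts on 98/ME).
SAMPLE_HOSTS = """\
# constructed sample hosts file

127.0.0.1       localhost
203.0.113.7     www.bank.example.test
127.0.0.1       update.antivirus.example.test   # loopback block
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: List[str]


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return the active entries: comments, blanks and bare addresses are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop any trailing comment
        if len(fields) >= 2:
            entries.append(HostsEntry(line_no, fields[0], fields[1:]))
    return entries


def audit(text: str) -> Tuple[List[HostsEntry], List[HostsEntry]]:
    """Split suspicious entries into redirects and loopback blocks.

    redirects:       address is not 127.0.0.1 (what the post says to comment out)
    loopback_blocks: 127.0.0.1 mapped to a name other than localhost
    """
    redirects, loopback_blocks = [], []
    for entry in parse_hosts(text):
        if entry.address != LOOPBACK:
            redirects.append(entry)
            continue
        others = [n for n in entry.names if n.lower() != "localhost"]
        if others:
            loopback_blocks.append(HostsEntry(entry.line_no, entry.address, others))
    return redirects, loopback_blocks


def comment_out(text: str, entries: List[HostsEntry]) -> str:
    """Return the file text with the given entries' lines commented out."""
    flagged = {e.line_no for e in entries}
    lines = [
        "# " + raw if line_no in flagged else raw
        for line_no, raw in enumerate(text.splitlines(), start=1)
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    redirects, blocks = audit(SAMPLE_HOSTS)
    for e in redirects:
        print(f"line {e.line_no}: {', '.join(e.names)} -> {e.address}")
    for e in blocks:
        print(f"line {e.line_no}: {', '.join(e.names)} blocked via {e.address}")
    print(comment_out(SAMPLE_HOSTS, redirects), end="")
```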

Reply By: Nudenut - Tuesday, May 24, 2005 at 07:35

another good thing to get is spybot and adaware...run these things to check for n-case and the like....

recently, my bro'inlaw had the same problem...couldn't get data as the comp had been taken over by one or more trojan....

I ran spybot and adaware first and then vet... all okay now

n-case is or can be a prick of a thing to get rid of ...but vet and/or spybot takes care of it ...one of them does ...
i use no-adware...look around on the net..lots of cracks for it too ..you can message me if need be

oh and keep away from porn sites and you won't get these things...hehehe
AnswerID: 112537

Follow Up By: Nudenut - Tuesday, May 24, 2005 at 08:13

i should learn to read..you have spybot and adaware...
As i said, i use No-Adware myself...do you have broadband?
are you running XP?...if so run msconfig...click startup tab and uncheck all those things that you don't want to start......
i only have 6 checked...vet, zonealarm, 2 back up programmes, office and ctfmon.....every thing else is unchecked....
there is something starting up when you boot the comp that is taking over your comp.....its in here that you'll find it and give you a clue as to what it is?....

you may also have to uncheck it before you might be able to remove it..so uncheck all ..especially those you don't know what they are......unchecking only stops the programme from starting when you start the comp...any programmes you want will always be available ......
FollowupID: 368760

Reply By: Member - JohnR (Vic) - Tuesday, May 24, 2005 at 08:04

You sure it is your computer and not a program somewhere else that has forged your address to start with John? Next is why would you be using a giveaway program like Outlook Express to do your emailing and not something better like Outlook although that has plenty of macro opportunities for small programs to use? I understand there are plenty of good other email clients that are not infiltrated so much by bots.

The next thing is that the usual recommendation by the ABC guys in Melbourne is to use ZoneAlarm rather than Nortons. I have ZoneAlarm Pro with Vet or ZoneAlarm with anti-virus to do the work and those seem to work pretty well on my networked system. Wireless networks, bridges and all!
AnswerID: 112541

Follow Up By: Nudenut - Tuesday, May 24, 2005 at 08:19

John R. have you had any problems with office word mailmerge with zonealarm pro running...
mine hangs in mailmerge (excel data) with it running...
trial version ok
help desk is no help...they said to remove and reinstall...to no avail!
FollowupID: 368763

Follow Up By: Member - JohnR (Vic) - Tuesday, May 24, 2005 at 08:58

I have zonealarm with antivirus on this one Nudie and I have had problems attaching documents every time since I set up this one so prefer to send documents after selecting them in Explorer, though since using Mozilla it wants to select a different mail client.

I don't use mail merge as such. I do seem to have trouble sending emails from MS Word which I was able to do before - it crashes so I do a workaround sending from Explorer. I also have problems with links from IE and Outlook so I much prefer Mozilla now for fewer all-round problems.

Love your signature Nudie, hehhe happens here too....
FollowupID: 368769

Follow Up By: Nudenut - Tuesday, May 24, 2005 at 09:10

I don't have trouble with sending email from word itself...only with mailmerge...and Visio ( a cad-drawing programme)

i use the trial version of zonealarm now as it doesn't play up.
FollowupID: 368771

Reply By: vuduguru - Tuesday, May 24, 2005 at 09:07

John,

The collective term for this type of infection is "Malware"
Also try this: Click Start, then Run, type "regedit" to start the registry editor. Navigate to HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> Run.
In the right pane are listed applications that are started when your PC starts / logs in. Look for applications listed that you have not installed and delete them. Restart and all should be good.
Note that this is really high end stuff, somewhat risky and not always effective either. Active X apps are usually the most surreptitious and almost impossible to remove. Often indicated by a quick flash of a window after starting.
To be honest the best way is reformat the hard drive and reinstall everything. Backup your data first. Note that your email file is not under your My Documents folder.
If you do, don't reinstall Norton, it is bleep (useless, as you have experienced and slows your pc considerably). Your best defence is Zone Alarm, Spybot and common sense. Use AVG free antivirus if you feel a need for an AV program.
Don't feel bad as this happens to the best of us. I have just been through the same thing and I have been in the industry for 8 yrs.
If you feel a little queasy get an expert to do the work, shouldn't cost more than a couple of hundred bucks.
Once you have everything back together consider replacing Internet Explorer and Outlook (Express) with Mozilla Firefox browser and Mozilla Thunderbird email client. Although not the perfect solution, popup blockers and email filters will make your pc less vulnerable.
Tip: do not double click (or execute) on email attachments ending .pif, .zip, .exe, and .scr. If you unexpectedly receive these files, confirm that they have been sent by the sender (they may have an affected pc). Almost guaranteed to install the malware.
PS if you have a recent PC with recovery disks use this.
PPS note that a lot of this type of malware is designed to collect account and password info to be sent to a hacker. Disconnect from the net to be sure and change passwords ASAP, especially banking etc.
Good luck and remember "Google is your friend"
Shane
AnswerID: 112553

Follow Up By: Member - John (Vic) - Tuesday, May 24, 2005 at 10:17

Shane many thanks, I have had a look where you suggest and can recognize some of the programs listed, other stuff I don't.

Problem is I am unsure as to what to remove and what it may do to me.
One says (Default) REG_SZ (value not set)

For all those following this thread I run XP Home, with windows fire wall enabled and up to date Norton, Spybot and Adware programs, nothing seems to find it.
It is also not sending to or from my address book it seems to be inputting its own addresses and just passing them through my system ?????

Another thing that I have noticed is that on start up Auto Protect on Norton is disabled, requiring me to manually reset it.

Not constantly either, probably happened about 5 times in the last 3 days.
FollowupID: 368778

Reply By: BenSpoon - Tuesday, May 24, 2005 at 09:47

I reckon its funny computer related posts get quicker responses than 4by ones.

Sounds like you've been hit with the worm W32.sober.P (also called M, N or O)
It's a worm, like others, that emails itself to addresses in your address book when you are infected. This worm was highly active last 2-3 weeks and responsible for bringing down many networks thru overloading. Mid last week it went dormant and just stopped spreading itself. It has left a network of infected machines, which as you suggested are now being used to mass produce spam.

McAfee's stinger program will help:
http://vil.nai.com/vil/averttools.asp#stinger
This is a free tool, and will take out your infection, but you will still need to keep your antivirus program up to date. If you haven't paid for a norton subscription, get a different antivirus. I recommend Trend after having used many.

you will also have to remove manually any other traces
Trend removal help

For your firewall, I'd suggest Sygate personal firewall. This is free, and easy to use.

Both Zone alarm and Nortons are a pain in the a$$ to remove, and both are susceptible and targeted by some new viruses. Nortons actually has a flaw which helps your computer get infected with malware and spyware- Once again, make sure you are receiving your updates!

That there is why I love 4WDing. You can actually see when stuff breaks on your car.

AnswerID: 112561

Follow Up By: Member - John (Vic) - Wednesday, May 25, 2005 at 03:50

Thanks Ben but Stinger did not work.
FollowupID: 368899

Reply By: Tim (vic) - Tuesday, May 24, 2005 at 09:49

John
My mate had this type of virus last week and had to back everything up and format his hard drive to clear it. It was scanning both in and out with AVG but changing IP addresses every minute or so , as well as blowing his download / upload limit.
Not sure but if you are running XP Pro you may need to disable your system restore as well if you are going to scan the system again. Maybe someone with a bit more tech knowledge could confirm this.

Good Luck
Tim
AnswerID: 112562

Follow Up By: BenSpoon - Tuesday, May 24, 2005 at 10:02

True.
If you have system restore turned on and you erase system files, It will "help" you by reinstating them- Most of the time putting the virus back on your PC.
Windoze XP:
Log on as Administrator.
Right-click the My Computer icon on the desktop and click Properties.
Click the System Restore tab.
Select Turn off System Restore.
Click Apply > Yes > OK.
Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
Re-enable System Restore by clearing Turn off System Restore.
You may need to view system files to see them- In windows explorer: Tools>Folder Options>"view" tab> check the radio button for "Show hidden files and folders" > OK
FollowupID: 368776

Reply By: vuduguru - Tuesday, May 24, 2005 at 10:39

>Shane many thanks, I have had a look where you suggest and can recognize some of the programs listed, other stuff I don't.
>Problem is I am unsure as to what to remove and what it may do to me.
>One says (Default) REG_SZ (value not set)

If you provide a list I can make some educated guesses. All care no responsibility!

You can also right click on Run and export to say desktop, then delete keys on the right 1 by 1 rebooting after each. You can double click on the saved file to re-import. Providing your system restarts. Obviously risky though.

>For all those following this thread I run XP Home, with windows fire wall enabled and up to date Norton, Spybot and Adware programs, nothing seems to find it.
>It is also not sending to or from my address book it seems to be inputing its own addresses and just passing them through my system ?????

These types of programs struggle to keep up with constantly evolving malware. Typically addresses are extracted from your email client address book and processed in the background without a way to administer the process.
Right click on the Taskbar at the bottom of screen, Click Task Manager, Processes tab, "Show processes from all users" may reveal the process and the process may be ended. Usually requires you know what to look for and again not guaranteed successful.

>Another thing that I have noticed is that on start up Auto Protect on Norton is disabled, requiring me to manually reset it.
>Not constantly either, probably happened about 5 times in the last 3 days.

Typical malware behaviour and an indication that you are indeed infected.

To be honest John, a reformat / reinstall is the only sure fire way of returning your system to normal.

Hope this helps (although probably not much!)
Shane
AnswerID: 112569
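
The Run-key review discussed in this reply and in the earlier regedit instructions, as an added example that is not part of the original posts: it parses the text of a Run key exported from regedit and lists the startup entries that are not on a list of programs the owner recognises. The sample export, its value names and paths are constructed (ctfmon is taken from a reply in the thread), and the function names are this example's own.

```python
"""Review an exported Run key (.reg): added example with constructed sample data."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed export in "Windows Registry Editor Version 5.00" text form.
# An unset "(Default)" value, shown in regedit as "(value not set)", does
# not appear in an export at all; a set one is written as @="...".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /startup"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winsvc32"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,77,00,2e,00,65,00,\
  78,00,65,00,00,00
'''

VALUE_RE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def read_export(path):
    """Read an export file; version 5.00 exports are UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def unescape(s):
    """Undo .reg string escaping (backslash before a backslash or quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def logical_lines(text):
    """Join hex values that regedit wraps with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_run_entries(text, key=RUN_KEY):
    """Return {value name: command line} for the given key in a .reg export."""
    entries, current = {}, None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or current.lower() != key.lower():
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group("name"))
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            value = unescape(data[1:-1])              # REG_SZ
        elif data.startswith("hex(2):"):              # REG_EXPAND_SZ, UTF-16LE bytes
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
            value = raw.decode("utf-16-le").rstrip("\x00")
        else:
            value = data                              # other types kept as text
        entries[name] = value
    return entries


def unreviewed(entries, known_names):
    """Names of startup entries that are not on the owner's known list."""
    known = {n.lower() for n in known_names}
    return sorted(n for n in entries if n.lower() not in known)


if __name__ == "__main__":
    found = parse_run_entries(SAMPLE_EXPORT)
    for name in unreviewed(found, ["ExampleAV", "ctfmon.exe"]):
        print(f"not recognised: {name} -> {found[name]}")
```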

Follow Up By: Member - John (Vic) - Tuesday, May 24, 2005 at 10:45

Shane I appreciate your efforts, (And all others also who posted)
Jeez I hate this $hit, I'm going to take my bull bar off and bash the pricks over the head with it to really fix'em.

I still wonder if these problems are developed by the Anti Virus people themselves to keep themselves in business.
FollowupID: 368782

Reply By: vuduguru - Tuesday, May 24, 2005 at 11:18

Echo your sediments.

I would think that reputable AV companies would not risk their reputation. Most likely Uni students and kids with too much time on their hands.

As an aside, consider using a "Live CD", bootable Linux distribution such as Ubuntu or Knoppix, in order of personal pref. CD burner required although the Ubuntu CD can be ordered free!

Usually a simple matter of booting from the cd and using the web browser to connect to your web mail (if you have this facility... Optus does). As no Operating System is installed on your hard disk infection is unlikely and a reboot will reset everything. Some distros will allow saving of settings (like an email config) to a USB key. May provide a short term solution in your situation. I have an old laptop with a failed hard disk and I use this method to allow my kids to access web / email / chat with great success. After supporting corporate networks all day the last thing I want to do is work on my kids pc.

By the way, firewalls such as Zone alarm, Sygate etc will not prevent these types of infection, they can however prevent some of the generated traffic. Again an advanced subject. YMMV. Personally I just use the built in FW with XP. Less installed crap the better.

Ubuntu:-
http://www.ubuntulinux.org/
Knoppix
http://www.knopper.net

Food for thought.
Shane
AnswerID: 112574

Reply By: John - Qld - Tuesday, May 24, 2005 at 11:54

John

When you reformat you should load Norton Ghost. This makes it so much easier to reload everything next time. Apparently it keeps a mirror of everything.

We seem to have to reformat at least once a year with viruses, breakdowns etc. We luckily have a young guy, a backyard computer genius, who did the whole thing for us last time for $75 and loaded Norton Ghost for the future.
Frustrating isn't it.
John
AnswerID: 112578

Reply By: Gossy - Tuesday, May 24, 2005 at 17:11

John,

I hope to be of some assistance to you as I work in IT. Reimaging your pc is the last option. Unfortunately without the full error message I cannot help. It would be worth doing a search on "google" www.google.com with the full error message and see if there are any fixes on the net.
Microsoft Windows has many security holes. This can be fixed though by going to the following address: www.windowsupdate.com click on "scan for updates" and then click on "critical updates" link once it has checked your pc. Install all of these patches. Hopefully one of these will close the "back door" of the pc which the virus is using.
The other thing you can do is go to the registry. Click on "start" then "run" and type in "regedit". Then browse through to the following location:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/Currentversion/Run
Click on the "run" folder and see the files on the right hand side. If there is anything which looks like the virus then delete it. Use this as the last option as if you delete the wrong info you could harm your pc but you probably have nothing to lose anyway.
If this does not work and there is no fix on the internet then you will need to reimage. If you do reimage your pc then make sure you go to "windows update" and do this again as there will be many new patches to install from a new image.
This might have been mentioned but I don't have time to read all the above comments but I did see "format" a few times which scared me. This should be the last option.
Hope this helps.
AnswerID: 112620

Reply By: Truckster (Vic) - Tuesday, May 24, 2005 at 21:09

if yer need a hand, you're in cranny aren't you? I'm in langwarrin. gimme a yell tomorrow if you're home..
AnswerID: 112670

Follow Up By: Member - John (Vic) - Wednesday, May 25, 2005 at 03:47

Thanks Bruce I am over the west side.
Bit far.
FollowupID: 368898

Reply By: oxwinch - Tuesday, May 24, 2005 at 21:33

Follow the advice of BenSpoon, he has hit the nail on the head, you have a virus which is creating its own smtp engine in the background. By running the free trend home virus checker it will pick up the virus variant you have www.trendmicro.com.au/free_tools/

I am a 20 year systems engineer

Good Luck
AnswerID: 112674

Reply By: Niko - Tuesday, May 24, 2005 at 22:43

Pfffft to any web based virus checker. Some viruses disable them thus don't guarantee your PCs safety. I did that once and then found Grisoft free edition which kicked the virus well and truly on its merry way.

I use Grisoft AVG free edition and spybot search and destroy and don't have any hassles. If you want to get these two free version just go to www.octapc.com.au and on the right hand side under free software is all the good stuff.

Spybot is given awards regularly by top PC mags, often number one because not only is it free it is also not going to add malware like some of them do. In other words, some anti-spyware software stop some spyware and let those that sponsor their web sites.

Nortons'??!!! Tisk tisk.............
AnswerID: 112699

Reply By: Member - Frank - Tuesday, May 24, 2005 at 23:06

If you have identified the virus get the removal tool from the web and run it

if you can't find the right tool, remove the hard drive and go to a shop or someone who knows what they are doing (no amateurs) and have it scanned with a working antivirus program

the reason for this is once it is not an active part of the operating system the virus is normally helpless

note

this method only cleans the files not the registry, that's why you need to take it to someone who knows how to clean the registry

ps

it may be part of the virus is in the restore file

pps

if all else fails do low level format and do not put saved files back, no disks you have used or you will be right back where you started, format all disks that anybody could have used

frank
AnswerID: 112706

Reply By: Member - Smocky (NSW) - Wednesday, May 25, 2005 at 00:47

Hi John, I'll be brief. I didn't bother reading all of the responses. I work in the computer industry btw.

You need 4 things to protect yourself properly.

1. Virus Scan. This stops malicious code (programs) from running. It is important it is a recognised one and is set to update daily or every few days. You sound like you have this covered. This mostly protects e-mail attacks.

2. Spyware Protection. This protects from websites that load crap on your computer when you browse their sites. Best one I've found is Spy Sweeper. Run a full sweep and let it stay resident in memory.

3. Windows Updates. If you are using XP or 2000, you need to set your automatic updates on and make sure you install them regularly. This and a firewall protect you from worms, which are the worst form of attack.

4. Firewall. Best to be hardware in the form of an internet router or broadband router, but can be software like Norton Security. Windows XP Service Pack 2 also has an inbuilt one that isn't bad.

If you need any help with any of this, drop me a mem message and I'll give you an e-mail address.

Cheers,

Smocky.
AnswerID: 112715

Reply By: Member - John (Vic) - Wednesday, May 25, 2005 at 22:07

Well I seem to have fixed the problem.
It turns out that was a very new Trojan called Webus.F only been discovered on the 17th May according to the info from Symantec and the fix has now been released by them within the last week.

I am also pleased to say that the best part appears to be that whilst the spammer was able to gain access via one of my ports the output has actually been stopped by Norton.
I have my Norton settings set to scan all incoming and outgoing emails, the Trojan according to the technical details attempts to delete some of the security settings, so I assume it was successful in bypassing the incoming scans but was scanned on the outgoing and recognized as spam by Norton and what I originally described as the rejection notice was in fact the Norton email proxy advising that it had detected and canned the outgoing mail. Phew!!! that explains why I was not getting heaps of bounced returns by heaps of bleep of recipients around the world.
How and where I picked up the infection, I don't really know, but I suspect it came via one of the interactive game sites that my son accesses from time to time but who really knows.

How I found the right fix was to go to the Trend Micro and the Symantec web sites (Which actually had the correct and most up to date detail) and use their search facility, inputted the info I had being the two spam sites that kept popping up on the connection screen (webadi.robobot.org and upseek.org) until I found the Security Response that matched, then followed the fix. I also had to do this on another computer as mine was flat out trying to send crap to the rest of the world every time I went on line.

Thanks for all the offers of help by everyone who responded in this thread, I really appreciate your efforts with your respective advice.

I don't really know what else we can do except keep your anti virus software as up to date as possible and look for the right fix before heading for the formatting options, in my case the amount of business data that resides on my laptop would have taken me quite some time and a huge headache to replace it all from my backups.

I still would like to use my bullbar on the ba$tards who propagate this crap.


AnswerID: 112912

Reply By: Tim HJ61 (WA) - Thursday, May 26, 2005 at 11:00

This might not be very helpful to your current situation, but try this link.

There are a bunch of us using the forum that just shake our heads in dismay at what PC users have to put up with, and to a certain extent take for granted.

Tim
AnswerID: 112970

Follow Up By: Member - John (Vic) - Thursday, May 26, 2005 at 16:48

Food for thought Tim, I was just talking to Member Eric this morning about the very same thing.
FollowupID: 369196

Reply By: techie - Thursday, May 26, 2005 at 22:58

A quick suggestion
do a search for spybot or go to
www.safer-networking.org/
or read
spybot.eon.net.au/
and download spybot and update the spybot definitions.
Also try Ad aware from
www.lavasoftusa.com/
I use both and find it fixes all my probs.
Regards

AnswerID: 113116

Follow Up By: Member - John (Vic) - Friday, May 27, 2005 at 01:21

Thanks Techie but as I said in my original threads above I actually have both Spybot and Ad Ware and both are up to date but did not find this Trojan.
Although they have found lots of other crap before.

So good advice is to definitely have both plus good up to date anti virus software.
FollowupID: 369275

Reply By: Muddy 'doe (SA) - Thursday, May 26, 2005 at 23:32

Just read about the latest in the virus/spam/trojan/spyware wars. Something called "ransomware"!

It works such that you pick up some malicious code via an email or web site and this software then grabs hold of a few key data files (Office Documents and stuff) and effectively encrypts them and locks them up so you cannot open them.

When you go to open the files you see a message telling you that your files are being held to ransom and that you should send US$200 via Western Union or whatever and visit a certain website with payment details and you will receive the encryption key to unlock your documents!

What the hell will they come up with next?!?!?!?!?!?!?!?

Details in Sydney Morning Herald tech section.
AnswerID: 113122

Follow Up By: Muddy 'doe (SA) - Thursday, May 26, 2005 at 23:35

I'll try that link again folks!

link
FollowupID: 369266

Follow Up By: Member - John (Vic) - Friday, May 27, 2005 at 01:24

As you say "What the hell will they come up with next?!?!?!?!?!?!?!?"

Steve I have no idea but I do know it will create a huge headache for some of us.

These people are nothing more than vandals and are in need of a serious bashing.
FollowupID: 369276

Reply By: Niko - Friday, May 27, 2005 at 03:47

Ransom side of things isn't vandals but criminals, just like the current ebay scam. I received an email telling me my ebay account has been suspended because they accused me of "placing false bids which is most likely by associates of mine". They wanted me to go to a web site to input my details (Password and id) if I wanted to refute this.

They should be put in jail permanently and the key thrown away, but sadly the Civil Rights Group would mamby pamby the little mongrels and want them out because they were such little darlings in jail.... I suppose I would too with what goes on in jails.
AnswerID: 113129
