Thread: HELP ! My PC has been compromised !!

  1. #1
    penang@freemail.c3.hu Guest

    HELP ! My PC has been compromised !!

    Last night my PC behaved normally, but this morning, it took over 1
    hour to boot up the XP.

    Now, in the tasking tray, I see tons and tons of messages are being
    sent out !

    I have not configured this PC to send out emails. I use webmails. But
    now my PC is sending out tons and tons of emails !!

    The symantec norton antivirus is doing the "Symantec Email Scan" on
    those emails and the emails are jamming up the system.

    What can I do ????

    What software should I use to remove this security breach ????

    Please help !!!!

    Thank you !!

  2. #2
    David H. Lipman Guest

    Re: HELP ! My PC has been compromised !!

    From: <penang@freemail.c3.hu>

    | Last night my PC behaved normally, but this morning, it took over 1
    | hour to boot up the XP.
    |
    | Now, in the tasking tray, I see tons and tons of messages are being
    | sent out !
    |
    | I have not configured this PC to send out emails. I use webmails. But
    | now my PC is sending out tons and tons of emails !!
    |
    | The symantec norton antivirus is doing the "Symantec Email Scan" on
    | those emails and the emails are jamming up the system.
    |
    | What can I do ????
    |
    | What software should I use to remove this security breach ????
    |
    | Please help !!!!
    |
    | Thank you !!



    Download and execute HiJack This! (HJT)
    http://www.trendsecure.com/portal/en...HJTInstall.exe

    Create a HJT log file and post it in one of the below locations...

    { Please - Do NOT post the HJT Log here ! }

    Forums where you can get expert advice for HiJack This! (HJT) logs.

    NOTE: Registration is REQUIRED in any of the below before posting a log

    Suggested primary:
    http://www.thespykiller.co.uk/index.php?board=3.0

    Suggested secondary:
    http://www.bleepingcomputer.com/forums/forum22.html
    http://castlecops.com/forum67.html

    Suggested tertiary:
    http://www.dslreports.com/forum/cleanup
    http://www.cybertechhelp.com/forums/...splay.php?f=25
    http://www.atribune.org/forums/index.php?showforum=9
    http://www.geekstogo.com/forum/Malwa..._Here-f37.html
    http://gladiator-antivirus.com/forum...?showforum=170
    http://forum.networktechs.com/forumdisplay.php?f=130
    http://forums.maddoktor2.com/index.php?showforum=17
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.spywareinfo.com/index.php?showforum=18
    http://forums.techguy.org/f54-s.html
    http://forums.tomcoyote.org/index.php?showforum=27
    http://forums.subratam.org/index.php?showforum=7
    http://www.5starsupport.com/ipboard/...p?showforum=18
    http://www.malwarebytes.org/forums/i...hp?showforum=7
    http://makephpbb.com/phpbb/viewforum.php?f=2
    http://forums.techguy.org/54-security/
    http://forums.security-central.us/forumdisplay.php?f=13


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    PA Bear [MS MVP] Guest

    Re: HELP ! My PC has been compromised !!

    Unexplained computer behavior may be caused by deceptive software
    http://support.microsoft.com/kb/827315

    Run a /thorough/ check for hijackware, including posting your hijackthis log
    to an appropriate forum.

    Checking for/Help with Hijackware
    http://aumha.org/a/parasite.htm
    http://aumha.org/a/quickfix.htm
    http://aumha.net/viewtopic.php?t=5878
    http://wiki.castlecops.com/Malware_R...:_Introduction
    http://mvps.org/winhelp2002/unwanted.htm
    http://inetexplorer.mvps.org/data/prevention.htm
    http://inetexplorer.mvps.org/tshoot.html
    http://www.mvps.org/sramesh2k/Malware_Defence.htm
    http://defendingyourmachine2.blogspot.com/
    http://www.elephantboycomputers.com/...moving_Malware

    When all else fails, HijackThis v2.0.2
    (http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
    It will help you to both identify and remove any hijackware/spyware with
    assistance from an expert. **Post your log to
    http://forums.spybot.info/forumdisplay.php?f=22,
    http://castlecops.com/forum67.html,
    http://forums.subratam.org/index.php?showforum=7,
    http://aumha.net/viewforum.php?f=30, or other appropriate forums for review
    by an expert in such matters, not here.**

    If the procedures look too complex - and there is no shame in admitting this
    isn't your cup of tea - take the machine to a local, reputable and
    independent (i.e., not BigBoxStoreUSA) computer repair shop.


    penang@freemail.c3.hu wrote:
    > Last night my PC behaved normally, but this morning, it took over 1
    > hour to boot up the XP.
    >
    > Now, in the tasking tray, I see tons and tons of messages are being
    > sent out !
    >
    > I have not configured this PC to send out emails. I use webmails. But
    > now my PC is sending out tons and tons of emails !!
    >
    > The symantec norton antivirus is doing the "Symantec Email Scan" on
    > those emails and the emails are jamming up the system.
    >
    > What can I do ????
    >
    > What software should I use to remove this security breach ????
    >
    > Please help !!!!
    >
    > Thank you !!



  5. #5
    Patrick Keenan Guest

    Re: HELP ! My PC has been compromised !!

    <penang@freemail.c3.hu> wrote in message
    news:284d05e7-7d2a-425d-87fe-4279d9af68c8@e6g2000prf.googlegroups.com...
    > Last night my PC behaved normally, but this morning, it took over 1
    > hour to boot up the XP.
    >
    > Now, in the tasking tray, I see tons and tons of messages are being
    > sent out !
    >
    > I have not configured this PC to send out emails. I use webmails. But
    > now my PC is sending out tons and tons of emails !!
    >
    > The symantec norton antivirus is doing the "Symantec Email Scan" on
    > those emails and the emails are jamming up the system.
    >
    > What can I do ????
    >
    > What software should I use to remove this security breach ????
    >
    > Please help !!!!
    >
    > Thank you !!


    The very first thing you should do is to disconnect the PC from any network
    connection or telephone line, so that it cannot send anything. Then, you
    can start scanning and manually searching for files that shouldn't be
    running or in existence. Process Explorer and Hijack This are good
    starting points.

    Look for .exe and .dll files that have apparently random names. If you
    delete them and new ones come back, there is another file that is creating
    them you've missed.

    Often these files are hidden away, so doing searches for hidden and system
    files can often identify malware. Go to a command prompt, and from the
    root directory use the dir command with the /a:h and /a:s switches to show
    system and hidden files, and the /S switch to search all subdirectories.
    At the end of the command, use the redirect to file to get a file you can
    actually read: dir /ah /S >>list.txt

    Clear *all* the temp folders and content.ie5 folders. This is a prime
    location and entry point for malware. Look in the System32 folder for
    files that shouldn't be there.

    You can attach that drive to another well-protected system and scan it as a
    hosted drive. Trying to gain control of an actively infected drive can be
    difficult, but hosting it makes the process a lot easier since the
    infections can't launch at boot.

    Because you don't boot from it, there is very limited opportunity for
    infection to spread to the host system. You might try using the Trend
    Micro Housecall online scanner; since its files are online they are much
    harder to compromise.

    HTH
    -pk


  6. #6
    Delta Guest

    Re: HELP ! My PC has been compromised !!

    Ok, you are the victim of an internet worm that seems to spread by mail.
    a) kill all suspicious processes like "rcgvejmrg.exe" OR MISTYPED names like
    "explroer.exe".
    best would be making a hijackthis log and sending it to some people, known
    to handle them (or here).
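
The two name patterns raised in this thread (apparently random .exe/.dll names, and misspellings of system files such as "explroer.exe") can be checked mechanically when reviewing a process or file listing. This is an added example, not part of any post; the `KNOWN` allowlist, the thresholds and the sample names are assumptions for illustration.

```python
import re

# Assumption: a small allowlist of well-known Windows process names (not exhaustive).
KNOWN = ["explorer.exe", "svchost.exe", "winlogon.exe", "services.exe",
         "lsass.exe", "csrss.exe", "smss.exe", "spoolsv.exe"]

def osa_distance(a, b):
    """Edit distance that counts a swap of two adjacent characters as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def looks_random(stem):
    """Heuristic: 7+ letters with under 25% vowels or a run of 5+ consonants."""
    if not re.fullmatch(r"[a-z]{7,}", stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.25 or bool(re.search(r"[^aeiou]{5,}", stem))

def classify(name):
    """Return 'known', 'lookalike of <name>', 'random-looking' or 'unflagged'."""
    name = name.lower()
    if name in KNOWN:
        return "known"
    for good in KNOWN:
        if osa_distance(name, good) == 1:  # one typo away from a system name
            return "lookalike of " + good
    stem = name.rsplit(".", 1)[0]
    return "random-looking" if looks_random(stem) else "unflagged"

def triage(names):
    """Keep only the names that deserve a closer look."""
    results = {n: classify(n) for n in names}
    return {n: r for n, r in results.items() if r not in ("known", "unflagged")}

# Constructed sample: two names quoted in the thread plus ordinary ones.
SAMPLE = ["explorer.exe", "explroer.exe", "rcgvejmrg.exe", "notepad.exe", "svch0st.exe"]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{name}: {verdict}")
```

Legitimate files with few vowels in their names will also be flagged, so a hit is a lead to verify (file location, signature, antivirus scan), not a verdict.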


  7. #7
    Sandy Mann Guest

    Re: HELP ! My PC has been compromised !!

    "Delta" <bla@bla.net> wrote in message
    news:93B6E4D1-7E61-4E53-A4C3-6EC502809B7D@microsoft.com...
    > Ok, you are the victim of an internet worm that seems to spread by mail.
    > a) kill all suspicious processes like "rcgvejmrg.exe" OR MISTYPED names
    > like "explroer.exe".
    > best would be making a hijackthis log and sending it to some people, known
    > to handle them (or here).
    >


    I assume that Delta meant "(NOT here)"

    From an old post by Frank Saunders:

    ***************************************
    First eliminate any scumware. See Dealing with Unwanted
    Malware, Parasites, Toolbars and Search Engines
    http://mvps.org/winhelp2002/unwanted.htm especially
    http://mvps.org/winhelp2002/unwanted.htm#Coolwebsearch


    Note that AdAware and SpyBot S & D will each catch some
    things the other won't. Also, each needs to be updated
    with the program's update function before every use, even
    when just downloaded. There's also a lot more to do than
    just those two programs. CWShredder is also available
    here:
    http://www.kellys-korner-xp.com/regs...cwshredder.zip
    **Post your HijackThis log to
    http://forums.spywareinfo.com/ or the Spyware forum at
    http://forum.aumha.org/ for expert analysis, not here.**
    Alternative download pages for Ad-Aware, Spybot,
    HijackThis and CWShredder may be found on this page:
    http://aumha.org/a/parasite.htm.


    If nothing there helps, please post back to this thread.


    ********************************************


    --
    HTH

    Sandy



  8. #8
    David H. Lipman Guest

    Re: HELP ! My PC has been compromised !!

    From: "Delta" <bla@bla.net>

    | Ok, you are the victim of an internet worm that seems to spread by mail.
    | a) kill all suspicious processes like "rcgvejmrg.exe" OR MISTYPED names like
    | "explroer.exe".
    | best would be making a hijackthis log and sending it to some people, known
    | to handle them (or here).

    No HJT logs posted in any Microsoft news group or posted to Usenet at large.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


