nrhy Posted April 28, 2007

ahhh, thanks for the quick reply. forwarding addy... = email?

> Fwiw you have one of the more severe infections, I suspect either your winlogon.exe is patched or you have rootkit main.sys loaded, but don't panic, we're going to kick their malware butts shortly

yea! thanks for the clear explanation
nrhy Posted April 28, 2007

Tried with winzip and winrar, neither works :? Can I upload it the way it is? Or will the server reject it? Yes, I received the update, thanks.
fatdcuk Posted April 28, 2007

> Tried with winzip and winrar, neither works. Yes, I received the update, thanks.

I must admit I do not use 3rd party tools for compression/decompression of Zip formats. In-house on the OS is the *Send to* option on right click when the file is highlighted; select the *Compressed (zipped) folder* option. Has that been disabled, or is your ndis file 0 bytes in size?
fatdcuk Posted April 28, 2007

Ok, try this approach towards harvesting the file. Use IceSword file copy and save the file as ndis.old when you copy it. If not, no biggie, as it will turn up sooner or later elsewhere, but I will definitely like a copy of the spambot since SAS is not detecting that variant, so I'm guessing it is a new repack.
nrhy Posted April 28, 2007

alright, the zip file is up on the castlecops website... or so it said. tell me if you can access it, thanks
fatdcuk Posted April 28, 2007

> alright, the zip file is up on the castlecops website... or so it said. tell me if you can access it, thanks

Great job. I have them now and will be looking at them shortly. Thanks again for the upload.
fatdcuk Posted April 28, 2007

Those files not being present is not a problem; like I said earlier, which *variant* of the infection you had governs which badboys were on your machine. So it's a good thing if they are not all present, in one way. Just to double check, did you upload your winlogon.exe from the system32 folder to the VT service?
nrhy Posted April 28, 2007

yeah, except it's taking a while. it stops scanning after some time with the winlogon file...

AhnLab-V3 2007.4.28.0 04.27.2007 no virus found
AntiVir 7.4.0.15 04.28.2007 no virus found
Authentium 4.93.8 04.27.2007 no virus found
Avast 4.7.981.0 04.26.2007 no virus found
AVG 7.5.0.464 04.26.2007 no virus found
BitDefender 7.2 04.29.2007 no virus found
CAT-QuickHeal 9.00 04.28.2007 no virus found
ClamAV devel-20070416 04.29.2007 no virus found
DrWeb 4.33 04.28.2007 no virus found
eSafe 7.0.15.0 04.27.2007 no virus found
eTrust-Vet 30.7.3601 04.27.2007 no virus found
Ewido 4.0 04.27.2007 no virus found
FileAdvisor 1 04.29.2007 No threat detected
Fortinet 2.85.0.0 04.28.2007 no virus found
F-Prot 4.3.2.48 04.27.2007 no virus found

for the most part, it's clean...
fatdcuk Posted April 28, 2007

Right, when you say it stops scanning, do you mean a message appears at the top left of the page saying *Service has stopped*? If so, click refresh to reload and keep repeating until it starts mal checking again. We need the full report before the all clear is sounded.
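The pasted scan output above is easy to misread: a partial list of "no virus found" lines is not an all clear until every engine has reported. As an added example (not code from anyone in this thread), the Python below parses that 2007-era VirusTotal line format, separates clean results from detections, and refuses to report "all clear" when the engine count falls short of an assumed expected total; the sample input is constructed from the first lines pasted above plus one made-up detection.

```python
"""Parse a pasted VirusTotal (2007-era) result list and decide whether it
supports an 'all clear'. Constructed example, not code from the thread."""
import re
from dataclasses import dataclass

# Result strings the 2007 VT page used for "nothing found".
CLEAN_RESULTS = {"no virus found", "no threat detected"}

# One engine line: name, engine version, signature date (MM.DD.YYYY), result text.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")


@dataclass
class EngineResult:
    engine: str
    version: str
    sig_date: str
    result: str

    @property
    def clean(self) -> bool:
        return self.result.lower() in CLEAN_RESULTS


def parse_report(text: str) -> list[EngineResult]:
    """Parse one engine result per line; lines that do not match are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append(EngineResult(*m.groups()))
    return results


def verdict(results: list[EngineResult], expected_engines: int) -> dict:
    """Summarise detections and engine count; 'all_clear' requires a complete
    report. expected_engines is an assumed figure (the thread never states it)."""
    hits = [r for r in results if not r.clean]
    complete = len(results) >= expected_engines
    return {
        "engines": len(results),
        "complete": complete,
        "detections": {r.engine: r.result for r in hits},
        "all_clear": complete and not hits,
    }


# Constructed sample: three engines pasted in the thread plus one made-up hit.
SAMPLE = """AhnLab-V3 2007.4.28.0 04.27.2007 no virus found
AntiVir 7.4.0.15 04.28.2007 no virus found
FileAdvisor 1 04.29.2007 No threat detected
ExampleAV 1.0 04.28.2007 Trojan.Example.Placeholder
"""

if __name__ == "__main__":
    print(verdict(parse_report(SAMPLE), expected_engines=30))
```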
nrhy Posted April 29, 2007

done, it's all good. no threat, no virus... totally clean. Thanks a lot for everything you've done fatdcuk!!! greatly appreciate it