Help regarding Sky and botnets

Hi, well I came home yesterday to find that our Sky connection was offline and CHAP authorisation returned false. Anyway I rang Sky and they said a large amount of email traffic had occurred between my email address and a foreign address. I put this down to a botnet and, lo and behold, Sky said the same thing. So I thought, well, it couldn't be my system as I take every precaution, and I put that down to my sister's system. OK, so I reformatted my HDD and backed everything up just to be on the safe side; however, my sister has managed to lose her installation CD of Windows XP for this quite old Dell PC. I was wondering, is there any way of removing a possible botnet assigned to my sister's computer without having to re-install Windows ... not that I can.
Thanks,

P.S. Sky has also said if the botnet gets back on our systems they will close our service until we pay for a technician to sort this out. I find it rather absurd that we get penalised for someone else's illegal doings. I even have full security and don't go on rogue sites etc.

Thanks.
 
First steps first - you need to identify the problem.
Make sure you pull the machine from the network before you power it back up.

Download (on another machine) HijackThis and transfer it to the infected machine via USB stick or something. Run it and then post the output.
You should also get hold of the MS Rootkit Revealer and run that too. The results can be difficult to understand, but if anything is lurking that could well find it.

Once you know what you are dealing with it's easier to determine how to get rid of it.
 
Boot into safe mode, run full scans with these 4: http://tchan4.com/blog/2008/09/05/b...re-malware-trojan-etc-applications-2008-2009/

Then run ESET's online scan: http://www.eset.com/onlinescan/

When that's done install a decent anti virus and boot back into normal mode.

As PistolPete said, disconnect it from the internet until the problem is sorted so Sky don't terminate your service.

Probably best to download the above four anti spyware/virus/adware/malware programs on a clean PC, then boot the infected PC into safe mode and transfer the programs using a pen drive.
 
In a way at least they are trying to stop this sort of thing. The bad thing is they threaten to cut you off next time and get more money out of you with a tech visit!

Wonder if this is a start of a new trend with ISPs trying to combat zombie machines?
 
Well, the funny thing is I had an argument with the guy who said it came from my IP. I said "what was the IP?" and he gave me my internal address ... lol
Anyway, will have the results from HijackThis shortly.
 
Personally, if you're sure it's your sister's machine and not yours with the problem, I'd do a reinstall.

Anybody who's tried to rid PCs of viruses will tell you it's much quicker to reinstall Windows, and then you know that the machine is clean.

As for not having the Dell recovery disk, you have two options.


1 - Check that the machine hasn't got a recovery partition. Dell sometimes have these (depending on the model). The best way to check is to use the BIOS to check the boot options. If there is another partition/drive reported at the bottom of the list, bump it up to the top and boot to it. You'll be able to reset to factory settings from there.

2 - If number 1 isn't an option, you can use the i386 folder on the machine to create your own XP installation disk. Using this folder to create the installation disk will keep your current XP licence, which means you'll be fully covered by law and the product key on the side of the box will work.

For details on how to create an XP installation CD, check the following link.

http://www.howtohaven.com/system/createwindowssetupdisk.shtml

Hope it helps.
:)
 
Had a similar situation a couple of years back with NTL and a work PC. The only thing that I could find that was able to detect the infection was TrojanHunter; all else failed miserably, and the only way I knew which machine was infected was by watching the router log and waiting to see all the spam packets going out.
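An added example (not from this thread or any poster) of the router-log check described above: a small Python script that parses constructed NAT-router connection lines (the log format is an assumption) and flags the LAN host that is fanning out SMTP connections to many different mail servers, which is what an outbound spam bot looks like from the router.

```python
import re
from collections import defaultdict

# Constructed sample of NAT router log lines (not taken from the thread).
# Assumed format: the router logs each new outbound connection as
# "src=<lan ip> dst=<remote ip> proto=<TCP|UDP> dpt=<remote port>".
SAMPLE_LOG = """\
Mar 04 18:02:11 router kernel: OUT src=192.168.1.10 dst=93.184.216.34 proto=TCP dpt=443
Mar 04 18:02:12 router kernel: OUT src=192.168.1.10 dst=198.51.100.1 proto=TCP dpt=25
Mar 04 18:02:13 router kernel: OUT src=192.168.1.12 dst=198.51.100.7 proto=TCP dpt=25
Mar 04 18:02:13 router kernel: OUT src=192.168.1.12 dst=198.51.100.8 proto=TCP dpt=25
Mar 04 18:02:14 router kernel: OUT src=192.168.1.12 dst=198.51.100.9 proto=TCP dpt=25
Mar 04 18:02:14 router kernel: OUT src=192.168.1.12 dst=203.0.113.20 proto=TCP dpt=25
Mar 04 18:02:15 router kernel: OUT src=192.168.1.12 dst=203.0.113.21 proto=TCP dpt=25
Mar 04 18:02:15 router kernel: OUT src=192.168.1.12 dst=198.51.100.7 proto=TCP dpt=25
Mar 04 18:02:16 router kernel: OUT src=192.168.1.12 dst=192.168.1.1 proto=UDP dpt=53
Mar 04 18:02:20 router dhcpd: lease 192.168.1.15 renewed
"""

LINE_RE = re.compile(
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"proto=(?P<proto>\w+)\s+dpt=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return {src, dst, proto, dpt} for a connection line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec

def find_spam_senders(log_text, min_conns=5, min_dests=3):
    """Flag LAN hosts opening many outbound SMTP (TCP/25) connections to many distinct
    mail servers; a host relaying via its ISP's smarthost hits one destination only."""
    conns = defaultdict(int)
    dests = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != 25:
            continue
        conns[rec["src"]] += 1
        dests[rec["src"]].add(rec["dst"])
    return {
        src: {"connections": conns[src], "distinct_dests": len(dests[src])}
        for src in conns
        if conns[src] >= min_conns and len(dests[src]) >= min_dests
    }
```

On the sample above only 192.168.1.12 is flagged; 192.168.1.10 sends one message through a single smarthost and stays below both thresholds.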
 