Avast is spamming me constantly about outgoing email

Hello

I think my wife has downloaded a virus that Avast can’t get rid of completely. I have constant messages popping up in the corner telling me Avast has blocked a threat. I get up to 51 of these messages before it starts again. They always refer to outgoing mail and that Avast has blocked it, but whatever it is doing it isn’t getting rid of it completely.

Process is always mostly C:\windows\syswow64\svchost.exe

Any advice would be greatly appreciated.

Thanks.

follow instructions here http://forum.avast.com/index.php?topic=53253.0

attach logs from Malwarebytes and OTL …when done, help will arrive

Could you attach a screenshot of the alert please

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

THEN

Download aswMBR.exe ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan

https://dl.dropboxusercontent.com/u/73555776/AswMBR%20scan.JPG

On completion of the scan click save log, save it to your desktop and post in your next reply

EDIT: Snap :slight_smile:

Nice one, thanks very much.

Here is the output from the ASWMBR program, and I have attached the two files produced by OTL:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-03-05 20:58:58

20:58:58.263 OS Version: Windows x64 6.1.7601 Service Pack 1
20:58:58.263 Number of processors: 4 586 0x2502
20:58:58.264 ComputerName: SEIBERT-HURST UserName: acer
20:59:02.597 Initialize success
20:59:06.538 AVAST engine defs: 14030500
20:59:17.085 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
20:59:17.090 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
20:59:17.215 Disk 0 MBR read successfully
20:59:17.217 Disk 0 MBR scan
20:59:17.233 Disk 0 Windows VISTA default MBR code
20:59:17.250 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12000 MB offset 2048
20:59:17.266 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 24578048
20:59:17.274 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 464838 MB offset 24782848
20:59:17.378 Disk 0 scanning C:\Windows\system32\drivers
20:59:28.926 Service scanning
21:00:00.570 Modules scanning
21:00:00.579 Disk 0 trace - called modules:
21:00:00.592 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
21:00:00.599 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004bd3060]
21:00:00.605 3 CLASSPNP.SYS[fffff88001af043f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8004914050]
21:00:02.820 AVAST engine scan C:\Windows
21:00:07.067 AVAST engine scan C:\Windows\system32
21:03:28.933 AVAST engine scan C:\Windows\system32\drivers
21:03:45.538 AVAST engine scan C:\Users\acer
21:24:28.486 AVAST engine scan C:\ProgramData
21:31:53.041 Scan finished successfully
21:32:46.474 Disk 0 MBR has been saved successfully to “C:\Users\Maria\Desktop\MBR.dat”
21:32:46.480 The log file has been saved successfully to “C:\Users\Maria\Desktop\aswMBR.txt”

Let me know if this stops the alerts

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O2:64bit: - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1210587596-3410156555-903348221-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKU\S-1-5-21-1210587596-3410156555-903348221-1001\..\Run: [bfxjbhhh] C:\Users\Maria\AppData\Local\dgcfjdgm.exe ()
O4 - HKU\S-1-5-21-1210587596-3410156555-903348221-1001\..\Run: [buvgcoev] C:\Users\Maria\AppData\Local\xwteuboc.exe ()
O4 - HKU\S-1-5-21-1210587596-3410156555-903348221-1001\..\Run: [mttlkgab] C:\Users\Maria\AppData\Local\qkvwukij.exe ()
O4 - HKU\S-1-5-21-1210587596-3410156555-903348221-1001\..\Run: [rwqsbljh] C:\Users\Maria\AppData\Local\rqjkremj.exe ()
O4 - HKU\S-1-5-21-1210587596-3410156555-903348221-1001\..\Run: [smkhwaqi] C:\Users\Maria\AppData\Local\vqikptpt.exe ()
O4 - HKU\S-1-5-21-1210587596-3410156555-903348221-1001\..\Run: [vqqqkdcd] C:\Users\Maria\AppData\Local\epefeoee.exe ()
[2010/02/11 02:43:14 | 000,036,136 | ---- | C] (Oberon Media) -- C:\ProgramData\FullRemove.exe

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
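
As an added example, not part of the original post and not OTL's own logic: the O4 entries removed by the fix above share a pattern, namely an executable sitting directly in AppData\Local, an empty publisher field, and a value name and file name that are unrelated runs of lowercase letters. The Python below scores OTL O4 Run lines on those signals; the regexes, the signal wording, the threshold of 3 and the two "Example" entries are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the first two entries are O4 lines from the fix script
# above; the last two are made-up benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKU\S-1-5-21-1210587596-3410156555-903348221-1001\..\Run: [bfxjbhhh] C:\Users\Maria\AppData\Local\dgcfjdgm.exe ()
O4 - HKU\S-1-5-21-1210587596-3410156555-903348221-1001\..\Run: [vqqqkdcd] C:\Users\Maria\AppData\Local\epefeoee.exe ()
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files (x86)\Example\updater.exe (Example Corp)
O4 - HKU\S-1-5-21-0-0-0-1001\..\Run: [ExampleSync] C:\Users\test\AppData\Local\ExampleSync\sync.exe (Example Corp)
"""

# hive, [value name], target path, (publisher); the backslash before ".." is optional
O4_RE = re.compile(
    r"^O4(?::64bit:)? - (?P<hive>\S+?)\\?\.\.\\Run(?:Once)?: "
    r"\[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<vendor>[^)]*)\)\s*$"
)
# An .exe placed directly in the AppData\Local or \Roaming root, not in a product subfolder
LOOSE_EXE = re.compile(r"\\AppData\\(?:Local|Roaming)\\[^\\]+\.exe$", re.I)
OPAQUE = re.compile(r"[a-z]{6,12}")


def signals(name, path, vendor):
    """Return the list of heuristic signals one autorun entry trips."""
    stem = PureWindowsPath(path).stem
    found = []
    if LOOSE_EXE.search(path):
        found.append("exe loose in profile AppData root")
    if not vendor.strip():
        found.append("publisher field empty")
    if OPAQUE.fullmatch(name) and OPAQUE.fullmatch(stem):
        found.append("letters-only lowercase value name and file name")
    a, b = name.lower(), stem.lower()
    if a not in b and b not in a:
        found.append("value name unrelated to file name")
    return found


def suspicious_autoruns(log_text, threshold=3):
    """Parse O4 Run lines; return (value name, path, signals) for likely droppers."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        found = signals(m["name"], m["path"], m["vendor"]) if m else []
        if len(found) >= threshold:
            hits.append((m["name"], m["path"], found))
    return hits
```

Calling `suspicious_autoruns(SAMPLE_LOG)` returns the two random-named entries and skips both "Example" entries; a hit is a prompt to inspect the file, not proof of infection.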

Thanks very much, that has worked a treat!!!

Cheers :slight_smile:

check back tomorrow and essexboy will remove the tools used :wink:

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?

Keep safe :wave: