ConSuspicious email message

Hi,
I have been reading one of the posts with the same problem as mine. I have now done all the instructions: turned System Restore off, then downloaded all the software etc. Now I think I just need someone to have a wee look at my log file for me, as I don't know what I have to look for etc.
Thanks
Sharon

:-* :-* :-* :-* :-*

Do you mean avast is alerting on a ‘Suspicious (not ConSuspicious) email message’ ?

If so, what does avast find suspicious about the email, as that too would be displayed?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section; this contains information on all avast detections.

Edit: If I’m incorrect in my assumptions can you please explain exactly what happened in more detail.

:slight_smile: Hi Sharon :

What I find “suspicious” is the current “Status” of some of the programs on
your computer:

  1. Your Sun Java is 2 “Updates/Versions” behind, a semi-serious security risk;
    you should uninstall it & any other Java “Version(s)” you may have, then go to
    www.majorgeeks.com/download4648.html for the latest.
  2. Real(Player) - I recommend you read our Threads at
    http://forum.avast.com/index.php?topic=33796.0 and
    http://forum.avast.com/index.php?topic=33060.0; Best to uninstall this
    program; some have “replaced” it with “RealAlternative”.
  3. AIM6 - there is a newer 6.5 version; AIM is considered the most
    security-vulnerable of all the Instant Messengers. Best to use another, like
    Yahoo Instant Messenger. IF you decide to continue using AIM, you should
    visit http://jayloden.com/aimfix.htm and use his FREE “AIMFix” program
    on a regular basis.
  4. Adobe Reader - you have an outdated version, a serious security risk.
    Since this program is under increasing “Attack” from the Makers of
    Spyware, it would be best to seriously consider uninstalling it and using the
    safer “Foxit Reader”, with Info at www.foxitsoftware.com/pdf/rd_intro.php.

For better spyware protection, you would be wise to use the FREE version
of “SUPERAntiSpyware” from www.superantispyware.com .

You do have something living in there

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\hbeyfc.exe

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Hi Sharon and “oldman”,

This smells of Trojan-Downloader.Win32.Agent.bq

Let us try and cleanse it.

  Download Trend Micro HijackThis from http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
  Double-click on HJTInstall.exe
  HijackThis is installed onto your PC, and an icon is placed onto the desktop.

  HijackThis will open after installation.
  Click on "Do a system scan and save a logfile".
  A Notepad window will open; press the CTRL and A keys at the same time, and all is selected.
  Then push both the CTRL and C keys at the same time, and all is copied.

  Log into the virus and worms section of this forum and look for "reply".
  Now attach the HJT logfile with CTRL-V.
  In your case we have to rename HijackThis as follows:

Rename HijackThis.exe to pol.exe by doing the following;

* Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
* Right-click on the HijackThis.exe
* Choose from the pull-down menu; "Rename"
* And now Rename HijackThis.exe to pol.exe
* When you've renamed HijackThis, open HijackThis again.
* Take a fresh HijackThis log (click Do a system scan and save a log file)
* Post the fresh HijackThis log here.

  1. Download ComboFix from one of these links and save it to Desktop:
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
  2. Double click combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix’s window whilst it’s running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also which process you had to end.

Post as Attachments:

  • a fresh HijackThis log
  • combofix report

pol

Hi guys, thanks for your replies. My subject was meant to be “constant suspicious email message” lol, not the above; it was because of all the messages popping up that I couldn't get peace to type it and must have got distracted and just sent it without noticing lol. Right, the log that I posted was from Trend Micro, but I will try the cleanse first. I am not bad on a PC but not great either, so I will try my best to follow all the instructions given. Thanks again for your help ;D ;D ;D

Right, I have just done the avast icon warnings thing and this is what it says

http://www.virustotal.com/analisis/032a6080e1a4d60bfff4e2b172ab313e

I think this is what you wanted me to post xx

Hi, before running combofix download and run this one, followed by combofix and HJT. Perhaps we can make the mailman go away. :wink:

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory - typically ‘C:\SDFix’). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services, then make some repairs to the registry and prompt you to press any key to Reboot. Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

SDFix: Version 1.156

Run by HP_Owner on 2008-03-12 at 23:24

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-12 23:29:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden services & system hive …

scanning hidden registry entries …

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\AOL 9.0\waol.exe"="C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\William Hill Poker\UA.exe"="C:\Program Files\William Hill Poker\UA.exe:*:Enabled:UA Application"
"C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe"="C:\Program Files\Sports Interactive\Football Manager 2008\fm.exe:*:Enabled:Football Manager 2008"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Winamp Remote\bin\Orb.exe"="C:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb"
"C:\Program Files\Winamp Remote\bin\OrbTray.exe"="C:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray"
"C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"="C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:Bluetooth Application"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Sony Ericsson\Update Service\Update Service.exe"="C:\Program Files\Sony Ericsson\Update Service\Update Service.exe:*:Enabled:Update Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%ProgramFiles%\iTunes\iTunes.exe"="%ProgramFiles%\iTunes\iTunes.exe:*:enabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 8 Jan 2008 213 A.SHR --- "C:\BOOT.BAK"
Sun 20 Jan 2008 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Thu 10 Jan 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!

You just caught me before I did the ComboFix lol. Above is the info you asked me to try and get; hope I did it correctly :-* :-* :-*

Hi, thanks for all this info, I have now removed them. I didn't even realise all this was a risk. Thanks again :-*

Hi sharonbutcher3,

Yes, mind Spiritsongs' advice, after you have continued oldman’s malware cleansing routine. After you have gotten the all clear from oldman you can do what Spiritsongs proposes.
As for searching for the malware that was found on your machine, which Sophos knows as Mal/Generic-A, we will be looking for something similar to this (it installs itself in the registry):
C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP859\A0182837.sys
C:\WINDOWS\new_drv.sys
Later it will show if I was right; follow oldman’s instructions to the dot, and all will be well. I will keep an eye on it, as it seems an interesting anti-malware routine.

polonus

Oops, I had done all of Spiritsongs' advice first before oldman had told me to cleanse!!!

Doing the updates before cleaning is fine. Did you run ComboFix? If you did, please post the log. If you have already run ComboFix do not run it again; please locate the original log here: c:\combofix. It will be a text file.

Hey, I am really getting good at all this now lol. Right, I hadn't run the ComboFix yet, so I just have; here is the results log. :slight_smile: ;D ;D

How’s the mail situation? We have one more file to test.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\jf.exe

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Hi sharonbutcher3,

Characteristics of this infection:

If run, the trojan copies itself to the following folder:

\avpo.exe

Then following files are being created:

\1vidq.sys
\ewmu.dll
\avpo0.dll

The file 1vidq.sys is being detected as Mal/RootKit-A and the file ewmu.dll as Mal/Generic-A.

The following registry entry is created, so that avpo.exe starts every time Windows starts:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
avpa\avpo.exe

Then there is this variant:
Characteristics -

This trojan was received as a self-extracting WinZip executable file.

Upon execution of the self-extracting executable file, the actual trojan file is extracted to the %system32% folder and then it is executed.

This trojan modifies the Start Page of Internet Explorer to a custom web page, by modifying the following registry key

* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page"

with the following URL as the data

* http://oyunr.com

This website is an online casino.

The trojan also adds the following registry key, to prevent the user from manually changing the Start Page using the Internet Options menu.

* HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel "HomePage"
  Data: 1

This trojan does not create any other registry entries for loading at system startup.

Symptoms -

Start Page of Internet Explorer changed.

The buttons for manually changing the Start Page have been disabled.

Method of Infection -

Trojans do not self-replicate. They often arrive as a desirable or intriguing file and conceal their true nature. Common ways to receive a trojan are through newsgroup postings, IRC, peer-to-peer networks, spam, etc.

polonus
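One way to check a machine for exactly the traces polonus describes above (the HKCU Run autostart, the IE Start Page value and the HomePage lock policy), plus the HKLM Run entries that show up as O4 lines in a HijackThis log, is the read-only PowerShell audit below. It is an added example, not code from the thread or from any of the tools named in it; the short-name-in-system32 heuristic is an assumption drawn from the file names discussed in this thread.

```powershell
# Added example, not from the thread or any tool it names. Read-only: it only
# reports values, it changes nothing. Run in a PowerShell console as the user
# whose profile is being checked.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Properties the registry provider adds to every Get-ItemProperty result.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    Write-Host "== $key"
    $entry = Get-ItemProperty -Path $key
    foreach ($p in $entry.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $cmd  = [string]$p.Value
        $note = ''
        # Heuristic only (assumption): an autostart that launches a very short,
        # meaningless name out of system32 (jf.exe, hbeyfc.exe in this thread)
        # deserves the VirusTotal check the helpers ask for.
        if ($cmd -match '\\system32\\[a-z0-9]{1,6}\.exe') { $note = '   <-- review' }
        Write-Host ("   [{0}] {1}{2}" -f $p.Name, $cmd, $note)
    }
}

# Internet Explorer start page: HKCU\...\Internet Explorer\Main, "Start Page".
$main      = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
Write-Host "== IE Start Page: $startPage"

# HomePage = 1 under the Policies hive disables the start-page controls in
# Internet Options. A stand-alone home PC should not have it set.
$policy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$lock   = (Get-ItemProperty -Path $policy -Name 'HomePage' -ErrorAction SilentlyContinue).HomePage
if ($lock -eq 1) {
    Write-Host '== HomePage policy is 1: start page is locked against the user (unexpected here)'
} else {
    Write-Host '== HomePage policy not set: start page can be changed normally'
}
```

Reading HKLM needs no elevation, so the script runs as an ordinary user; the output is meant to be compared against the Run and Start Page values listed in the post above.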

Hi oldman, so far so good, I don't seem to be getting the messages any more 8) 8) 8) and here's the reply I got when I inserted that file.

0 bytes size received / Se ha recibido un archivo vacio

I’m curious where this file went: C:\WINDOWS\system32\hbeyfc.exe
Did you delete it after you tested it?

Go to Control Panel, Add/Remove Programs and uninstall these or similar, if present

Funweb Products
My Web Search (Smiley Central or FWP product as applicable)
My Way Speedbar (Smiley Central or other FWP as applicable)
My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
Search Assistant - My Way

Open HJT, run a system scan only, and check-mark these lines if present

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [jf] C:\WINDOWS\system32\jf.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm098YYGB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab

Close all other browsers/windows, click fix, close HJT.

This file is supposed to be a printer file; its location and size seem strange, so we will test it.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\CJXP1100EN.exe

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Please note:

* Please, never rename ComboFix unless instructed.
* Close any open browsers.
* Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause “unpredictable results”.
* Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.
* Close any open browsers.
* WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
* Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
* If there is no internet connection after running ComboFix, then restart your computer to restore your connection.


Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\hbeyfc.exe
C:\WINDOWS\system32\jf.exe

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HJT log.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.