I just got this virus earlier today. I ran AV and Microsoft AntiSpyware; the programs deleted the stuff that was detected and I restarted my computer. It turns out that I haven't gotten rid of the virus, and there are messages popping up saying:
Suspicious Message!
There are too many identical e-mails in appointed time
Sender: “Candy Corley” jjmold@1-cs.com
Recipient: Massimo massimo.castoldi@york-transport.com
Subject: Visit our new online pharmacy store and save upto 85%There are too many identical e-mails in appointed time
There are other windows popping up saying "Suspicious Message!" and all that; 18 windows of them come up. I'm new here and using AV, and unfortunately I didn't think of writing down the file infected and the name of the virus. Sorry. There is also a different pop-up window saying:
It sounds like you might have one of the mass mailing worms.
If you right-click the avast! icon in your system tray, then click avast! Log Viewer, there should be some lines showing what was identified. Please post this information.
You didn't just get a virus. As mauserme says, you have a mailing trojan resident, using svchost (or a copy/infected version of it) to send out email; avast's outbound email check has stopped this because of its multiple-emails heuristic check (so you won't find much more in the log viewer), and a timeout has occurred as a result.
First, do you have a firewall (I hope you don't say Windows XP's)? If so, what? Block outbound connections for svchost.exe as a temporary measure whilst we deal with this.
1/26/2006 3:45:29 PM SYSTEM 1120 Sign of “MS06-001 WMF Exploit” has been found in “” file.
1/26/2006 3:45:30 PM SYSTEM 1120 Sign of “MS06-001 WMF Exploit” has been found in “” file.
1/26/2006 3:45:49 PM SYSTEM 1120 Sign of “MS06-001 WMF Exploit” has been found in “” file.
1/26/2006 3:46:24 PM SYSTEM 1120 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx2.game” file.
1/26/2006 3:46:40 PM SYSTEM 1120 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\HBVJDP4E\zgame2[1].exe” file.
1/26/2006 3:46:48 PM SYSTEM 1120 Sign of “Win32:Cws-M [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx3.game” file.
1/26/2006 3:46:57 PM SYSTEM 1120 Sign of “Win32:Cws-M [Trj]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\YHIVUDMB\zgame3[1].exe” file.
1/26/2006 3:47:25 PM SYSTEM 1120 Sign of “Win32:Dialer-407 [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\maxdd.game” file.
1/26/2006 3:47:37 PM SYSTEM 1120 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx2.game” file.
1/26/2006 3:47:49 PM SYSTEM 1120 Sign of “Win32:Trojano-2997 [Trj]” has been found in “C:\WINXP\System32\msupdate32.dll” file.
1/26/2006 3:47:56 PM SYSTEM 1120 Sign of “Win32:Dialer-407 [Trj]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\KZ9VQEZP\gdnOT2341[1].exe” file.
1/26/2006 3:48:12 PM SYSTEM 1120 Sign of “Win32:Agent-EZ [Unp]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\qvxt2.game[UPX]” file.
1/26/2006 3:48:25 PM SYSTEM 1120 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\KZ9VQEZP\zgame2[1].exe” file.
1/26/2006 3:54:19 PM SYSTEM 1120 Sign of “VBS:Malware [Script]” has been found in “” file.
1/26/2006 3:54:27 PM SYSTEM 1120 Sign of “VBS:Malware [Script]” has been found in “” file.
1/26/2006 3:54:31 PM SYSTEM 1120 Sign of “MS06-001 WMF Exploit” has been found in “” file.
1/26/2006 4:07:29 PM SYSTEM 1120 Sign of “Win32:Inject [Trj]” has been found in “C:\WINXP\System32\mspostsp.exe” file.
1/26/2006 4:07:29 PM SYSTEM 1120 Sign of “Win32:Agent-EZ [Unp]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\KZ9VQEZP\st_v46[1].exe[UPX]” file.
1/26/2006 4:07:29 PM SYSTEM 1120 Sign of “Win32:Trojano-2997 [Trj]” has been found in “C:\WINXP\System32\msupdate32.dll” file.
1/26/2006 4:07:29 PM SYSTEM 1120 Sign of “Win32:Inject [Trj]” has been found in “C:\WINXP\system32\mspostsp.exe” file.
1/26/2006 4:07:29 PM SYSTEM 1120 Sign of “Win32:Inject [Trj]” has been found in “C:\WINXP\System32\mspostsp.exe” file.
1/26/2006 4:11:33 PM name 2708 Sign of “Win32:Trojano-2997 [Trj]” has been found in “c:\winxp\system32\msupdate32.dll” file.
1/26/2006 8:06:25 PM name 3276 Sign of “Win32:Inject [Trj]” has been found in “C:\System Volume Information\_restore{BD211675-8ADC-4424-9357-5624BF8FEDE0}\RP12\A0008952.exe” file.
1/26/2006 8:43:49 PM name 3276 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINXP\system32\nostalgia.dll[UPX]\MSVprep.exe” file.
1/26/2006 8:43:54 PM name 3276 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINXP\system32\nostalgia1.dll[UPX]\MSVprep.exe” file.
1/26/2006 8:49:15 PM name 1136 Sign of “Win32:Dialer-407 [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\maxdd.game” file.
1/26/2006 8:49:15 PM name 1136 Sign of “Win32:Dialer-407 [Trj]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\1ZZFT1WE\gdnOT2341[1].exe” file.
1/26/2006 8:49:15 PM name 1136 Sign of “Win32:Dialer-407 [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\maxdd.game” file.
1/26/2006 8:49:17 PM name 1136 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx2.game” file.
1/26/2006 8:49:17 PM name 1136 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\HBVJDP4E\zgame2[1].exe” file.
1/26/2006 8:49:17 PM name 1136 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx2.game” file.
1/26/2006 8:49:18 PM name 1136 Sign of “Win32:Cws-M [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx3.game” file.
1/26/2006 8:49:18 PM name 1136 Sign of “Win32:Cws-M [Trj]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\HBVJDP4E\zgame3[1].exe” file.
1/26/2006 8:49:18 PM name 1136 Sign of “Win32:Cws-M [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx3.game” file.
1/26/2006 8:49:19 PM name 1136 Sign of “Win32:Trojano-2997 [Trj]” has been found in “C:\WINXP\System32\msupdate32.dll” file.
1/26/2006 8:49:19 PM name 1136 Sign of “Win32:Inject [Trj]” has been found in “C:\WINXP\System32\mspostsp.exe” file.
1/26/2006 8:49:20 PM name 1136 Sign of “Win32:Inject [Trj]” has been found in “C:\WINXP\System32\mspostsp.exe” file.
1/26/2006 8:49:22 PM name 1136 Sign of “Win32:Agent-EZ [Unp]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\qvxt2.game[UPX]” file.
1/26/2006 8:49:22 PM name 1136 Sign of “Win32:Agent-EZ [Unp]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\K5MFGHY3\st_v46[1].exe[UPX]” file.
1/26/2006 8:49:22 PM name 1136 Sign of “Win32:Agent-EZ [Unp]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\qvxt2.game[UPX]” file.
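The log above is what the later replies are reading: the same files in System32 are reported again by a different scanning process hours after the first clean, which is how the responders conclude the infection is still resident. The following parser, added here as an example and not code from the thread or from avast!, tallies the posted log format by signature and by where each file sits (browser cache, Temp, System32, System Restore snapshot) and lists paths reported by more than one scanner PID. The sample lines are a constructed subset of the posted log, with straight quotes; the regex also accepts the curly quotes the forum rendered.

```python
import re
from collections import Counter, defaultdict

# Constructed subset of the avast! log lines posted in the thread (same format).
SAMPLE_LOG = r"""
1/26/2006 3:45:29 PM SYSTEM 1120 Sign of "MS06-001 WMF Exploit" has been found in "" file.
1/26/2006 3:46:24 PM SYSTEM 1120 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "C:\DOCUME~1\name\LOCALS~1\Temp\vx2.game" file.
1/26/2006 3:47:49 PM SYSTEM 1120 Sign of "Win32:Trojano-2997 [Trj]" has been found in "C:\WINXP\System32\msupdate32.dll" file.
1/26/2006 4:07:29 PM SYSTEM 1120 Sign of "Win32:Inject [Trj]" has been found in "C:\WINXP\System32\mspostsp.exe" file.
1/26/2006 8:49:19 PM name 1136 Sign of "Win32:Trojano-2997 [Trj]" has been found in "C:\WINXP\System32\msupdate32.dll" file.
"""

# One detection line: date time AM/PM, account, scanner PID, signature, path.
# Accepts straight or curly quotes around the signature and the path.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+ [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of ["“](?P<sig>.+?)["”] has been found in ["“](?P<path>.*?)["”] file\.$'
)


def parse_log(text):
    """Return one dict per detection line; non-matching lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        records.append(rec)
    return records


def classify_path(path):
    """Coarse location class: tells a downloaded/dropped file from an installed one."""
    p = path.lower()
    if not p:
        return "no file (web content or memory)"
    if "\\temporary internet files\\" in p:
        return "browser cache (downloaded)"
    if "\\temp\\" in p:
        return "temp drop"
    if "\\system32\\" in p:
        return "system directory (installed component)"
    if "system volume information" in p:
        return "system restore snapshot"
    return "other"


def summarize(records):
    """Counts per signature and per location class."""
    by_sig = Counter(r["sig"] for r in records)
    by_location = Counter(classify_path(r["path"]) for r in records)
    return by_sig, by_location


def recurring_paths(records):
    """Paths reported by more than one scanning process (distinct PIDs):
    files still present after an earlier detection, i.e. not cleaned."""
    pids = defaultdict(set)
    for r in records:
        if r["path"]:
            pids[r["path"].lower()].add(r["pid"])
    return {p for p, s in pids.items() if len(s) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    by_sig, by_loc = summarize(recs)
    for sig, n in by_sig.most_common():
        print(f"{n:3d}  {sig}")
    for loc, n in by_loc.most_common():
        print(f"{n:3d}  {loc}")
    print("still present after re-scan:", sorted(recurring_paths(recs)))
```

On the full posted log the recurring set would contain msupdate32.dll, mspostsp.exe and the Temp droppers, which is the evidence behind "the problem is still there" rather than a fresh infection.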
You should not put clickable links to malware here.
Dr.Web hyperlink scanner finds Exploit MS05-053 here.
Always make it so these links don't work; write dot = . for instance.
There are young users here that like to experiment, and they get their computers infected. Here is the info on this trojan: http://vil.mcafeesecurity.com/vil/content/v_136912.htm
If these infections are related to the exploits that Polonus mentioned, they will be back unless you ensure your OS is fully up to date and ensure you have a working full firewall, not just Windows XP's half a firewall.
And we are still waiting for answers. I can only assume you don't have a firewall; otherwise you could have added svchost.exe to the exclusions/exceptions as I suggested in my first reply. If you don't have a firewall, or have one that doesn't give outbound protection, then you are fighting an uphill battle, because as fast as you remove it something will take its place.
We ask questions to try and help with a solution/work around, etc. If you don’t answer we can’t help.
I don’t even know if you downloaded and ran ewido.
Well, as I said, Windows XP's firewall doesn't give outbound protection and is extremely inflexible in blocking applications. XP's firewall allows for exceptions, which as I read it allow access rather than deny access, so you can't do it with XP. That is why we are all banging on about getting a proper full firewall.
svchost.exe, when blocked, doesn't usually cause a problem until you try to do a Windows Update, as it is required for that. This was a temporary measure until you dealt with the problem, which you say is still there.
Cut and paste into the thread is fine; there are also two links to on-line analysis sites, that way you don't have to wait.
Your OS is way out of date now: XP SP2, with many security updates after that. These have patched many vulnerabilities which have been exploited. You need to update your system to close these vulnerabilities.
Your browser is also out of date, but you can't get IE6 SP2 until you have XP SP2 installed; this has many security improvements.
You don't appear to have a software firewall; this is an absolute essential, otherwise you are playing Russian roulette with an automatic.
Fix all the O1 HOSTS entries; I doubt that you put them there. This redirects c3314.z1306.winmx.com to multiple web sites, so you could be getting multiple pop-up windows.
Fix:
O3 - Toolbar: (no name) - {AFA5C569-B040-4500-8078-A4CC0A120E79} - (no file)
O4 - HKCU..\Run: [WindowsUpdate] C:\WINXP\System\svchost.exe /s
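The two entries the reply tells the poster to fix are typical of what a HijackThis log reader looks for: a Run entry named after a Windows binary (svchost.exe) that does not live in System32 and is started per-user, and a block of HOSTS lines sending several names to one address. The script below, added here as an example and not code from the thread, HijackThis or avast!, applies those checks to HijackThis-style O1/O3/O4 lines. Assumptions: an XP-era layout where the genuine copy of each listed system binary sits under a directory named System32; the sample entries are constructed (the O4 line is the one from the post, the avast! Run entry is a plausible benign one, the HOSTS lines use the documentation address 203.0.113.7 and example hostnames).

```python
import ntpath
import re

# Constructed HijackThis-style sample (the O3/O4 lines mirror the ones quoted in the thread).
SAMPLE_HJT = r"""
O1 - Hosts: 203.0.113.7 search.example.com
O1 - Hosts: 203.0.113.7 www.example.net
O1 - Hosts: 127.0.0.1 ads.example.org
O3 - Toolbar: (no name) - {AFA5C569-B040-4500-8078-A4CC0A120E79} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINXP\System\svchost.exe /s
"""

# Windows binaries whose names malware borrows; the real ones live in %SystemRoot%\System32.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# HOSTS targets that block a name rather than redirect it (ad-blocking lists use these).
LOCAL_SINKHOLES = {"127.0.0.1", "0.0.0.0"}

O1_RE = re.compile(r'^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)')
O3_NOFILE_RE = re.compile(r'^O3 - Toolbar: .* - \(no file\)$')
# Accepts both "HKCU\..\Run" (HijackThis output) and "HKCU..\Run" (as the forum rendered it).
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\?\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')


def command_executable(cmd):
    """Executable path from a Run command line (quoted path, or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]  # an unquoted path containing spaces would be cut here


def triage_run_entry(m):
    """Reasons an O4 entry deserves attention (empty list = nothing notable)."""
    exe = command_executable(m["cmd"])
    parent, base = ntpath.split(exe)
    reasons = []
    if base.lower() in SYSTEM_BINARY_NAMES:
        if ntpath.basename(parent).lower() != "system32":
            reasons.append("system-binary name outside System32")
        if m["hive"].upper() == "HKCU":
            reasons.append("system-binary name started from a per-user Run key")
    return reasons


def triage(text):
    """Walk the entries and return a list of findings with their reasons."""
    findings = []
    hosts_by_ip = {}
    for line in text.strip().splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = triage_run_entry(m)
            if reasons:
                findings.append({"type": "O4", "line": line, "reasons": reasons})
            continue
        if O3_NOFILE_RE.match(line):
            findings.append({"type": "O3", "line": line,
                             "reasons": ["toolbar CLSID with no backing file (orphaned entry)"]})
            continue
        m = O1_RE.match(line)
        if m and m["ip"] not in LOCAL_SINKHOLES:
            hosts_by_ip.setdefault(m["ip"], []).append(m["host"])
    for ip, hosts in hosts_by_ip.items():
        findings.append({"type": "O1", "ip": ip, "hosts": hosts,
                         "reasons": ["HOSTS entries redirect %d name(s) to %s" % (len(hosts), ip)]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f["type"], f.get("line", f.get("ip")), "->", "; ".join(f["reasons"]))
```

The HKCU check only fires together with a borrowed system name, so ordinary per-user startup programs are not reported; loopback HOSTS lines are skipped because they block rather than redirect.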