Hi everyone, this is my first post on the forum, so if I do anything wrong go easy on me.
I’m currently using SpyWare doctor and Avast! on my PC, every day they find something new (probably bad), however the other day when I was on MSN IM I received a message from my friend asking me to look at his “dream car”. I opened the message and there was nothing inside. I asked him about it and he claims never to have sent the message; I then realised it was a virus. Ever since then Avast! Mail scanner alerts me every couple of minutes with a pop-up screen telling me about a suspicious message:
"There are too many identical emails in appointed time"
I have run both avast! and Spyware doctor and they can find nothing. Do you have any suggestions on how to fix my problem?
Many thanks, Jacob
P.S. I’m a total noob so please treat me like one.
Very sorry, I think I have just found another post which seems to have the same problem. I’m reading the advice on their page.
It may be that the spambot is either hidden or undetected, so we can try some other tools.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
I really think that Alwil should look into IM viruses, I’ve been hit by it as well.
It might be a good idea not to sign into MSN again, or to change your screen name telling people not to accept anything you send them or not to talk to you unless it’s necessary, because now that you’re infected it tries to infect all of your online contacts as well. That’s how I found out I had the virus: one of my friends said that I was trying to send him a .rar file, and it’s been doom and gloom ever since.
I read your post and I think we have the same problem, spg SCOTT, and I have already notified my friends not to accept any files from me, as I’ve apparently been sending them left, right and centre. :-
I’ve tried using Superantispyware and all it found were a few Trojan droppers and some cookies.
I also found the original folder I was sent and deleted it. Since then I’m no longer sending out as many emails, about one every 10-20 minutes now.
I’m currently running a scan with MalwareBytes Anti-Malware freeware version, I will post later with the results.
OK, results are in… it’s not good. Malwarebytes found 6 more infections. I know how to paste the actual report in so I’ll write it out:
Two Trojan.FakeAlert.H
One Trojan.FBrowsingAdvisor
Three Adware.Navipromo.H
Could any of these be my problem?
I managed to find what I think is the file (you probably saw it in the post) and I have managed to stop the emails by killing the process with a process manager (Task Manager, in the Processes tab, might work if you can find out the name of the file), but it is still there and is still working on startup.
Have a look in the C:\windows\system32 folder and if, by some chance you have the same virus as me, and the file
C:\WINDOWS\system32\hojyr.exe
is there then that may be it and you can kill it from task manager (I’ve found this stops the emails until you turn the pc off, meaning on startup, but it makes life that bit easier)
Not sure, but really I think the guys in the forum need the filenames and locations to make an accurate judgement. Can you attach the actual log file? (Probably too long to fit in a post.)
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vefefe (Trojan.FakeAlert.H) → Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Matt\Local Settings\Application Data\seqiueg_navps.dat (Adware.Navipromo.H) → Quarantined and deleted successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\seqiueg_nav.dat (Adware.Navipromo.H) → Quarantined and deleted successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\seqiueg.dat (Adware.Navipromo.H) → Quarantined and deleted successfully.
C:\WINDOWS\system32\diwoohout.exe (Trojan.FakeAlert.H) → Delete on reboot.
C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) → Quarantined and deleted successfully.
This is the log for the scan I did earlier, and I can’t find hojyr.exe so I don’t think I’ve got it; however, I did find diwoohout.exe hiding away in my C:\WINDOWS\system32 folder.
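Added example, not part of any post in this thread: a small Python parser for the Malwarebytes log format shown above. It lists items still marked "Delete on reboot" (scheduled for removal at the next restart) and autostart values under a Run key. The function names are hypothetical, and the sample lines are copied from the log above with the arrow written as `->`.

```python
import re
from typing import NamedTuple

# Sample lines copied from the Malwarebytes log posted above.
SAMPLE_LOG = r"""Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vefefe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Matt\Local Settings\Application Data\seqiueg.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\diwoohout.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
"""

class Finding(NamedTuple):
    section: str   # e.g. "Files", "Registry Values"
    path: str      # file path or registry path
    threat: str    # detection name in parentheses
    action: str    # what the scanner says it did

SECTION = re.compile(r"^([A-Za-z ]+) Infected:\s*$")
# "<path> (<threat>) -> <action>."; accepts both "->" and the "→" glyph.
ITEM = re.compile(r"^(.+?) \(([^()]+)\)\s*(?:->|→)\s*(.+?)\.?\s*$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)

def parse_mbam_log(text):
    """Return one Finding per detected item, tagged with its log section."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM.match(line)
        if m and section:  # "(No malicious items detected)" has no arrow
            findings.append(Finding(section, *m.groups()))
    return findings

def pending_reboot(findings):
    """Paths the scanner has only scheduled for deletion."""
    return [f.path for f in findings
            if f.action.lower().startswith("delete on reboot")]

def autostart_values(findings):
    """Value names under a Run/RunOnce key, i.e. start-up persistence."""
    hits = (RUN_KEY.search(f.path) for f in findings
            if f.section.startswith("Registry"))
    return [m.group(1) for m in hits if m]
```
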
@ spg SCOTT
Upload C:\WINDOWS\system32\hojyr.exe to VirusTotal - Multi engine on-line virus scanner and report the findings of these files here. If any are detected by multiple scanners send example to avast, see below.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Might also be worth seeing if you have the same file that linoleum is reporting.
@ linoleum
Same drill as above for this file:
C:\WINDOWS\system32\diwoohout.exe
Zero hits on google which is suspect in its own right for a file in the system32 folder.
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
I’m surprised that SAS, MBAM failed to detect this one (did you run these scans from safe mode?), but there are enough detections on VT to send the sample to avast for further analysis.
Moving the file to the avast chest may help; however, it may be set up as a service also, which would mean it would be in use, so check that there isn’t an entry for it in the Task Manager. If so, end the process before moving it to the chest. Once you have a copy in the chest, delete the original file in the system32 folder.
Download and run HJT and post the contents of the log file (cut and paste or attach the .log file) into this topic, you may need to split it over two or more posts depending on how large it is.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:14:14, on 13/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
If diwoohout.exe is visible in Task Manager, kill it.
Click “Start” > “Run” and type “Services.msc” (without quotes) then hit “Ok”.
Click the “Extended” tab.
Scroll down and find the service called SmartLinkService (eyizydeoytarv1z)
Click once on the service to highlight it.
Click “Stop”.
Right-click on the service.
Click on “Properties”.
Select the “General” tab.
Click the Arrow-down tab on the right-hand side on the “Start-up Type” box.
From the drop-down menu, click on “Disabled”.
Click “Apply”, then “OK”.
Now, run HijackThis again and when it finishes, put a check before the following lines:
Then, make sure ALL windows except HijackThis are closed and hit the “Fix Checked” button.
Reboot.
Open HijackThis.
Click on the “Open Misc. tools section” button.
Click on the “Delete an NT service” button.
Type eyizydeoytarv1z in the space provided and click OK.
The program will ask you to reboot. Accept.
This may not be enough to remove this malware, but it’s worth a try, as are the online scans I linked to above.
Not to mention you also still have AVG7 installed on your system, uninstall it.
Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
I think I may have solved the problem, but I couldn’t have done it without any of you. Thanks very much :). I have just uninstalled AVG.
Polonus, I’m sorry, I don’t really understand what you want me to do. I’m a bit of a noob when it comes to computers. How do I find these registry keys, so that I can delete them? Are they in HijackThis?
Once again, many thanks everyone.
These are registry entries with the mentioned information, but if you feel unfamiliar with it, the other information may have cured these as well, as did the run of MBAM,