On Friday the 13th I received several returned undelivered e-mails to addresses that I did not send anything to; they only had a link in the message line and it was a virus. Then today several more came in and I had not even been on my computer all day. On the 13th I immediately did a boot scan and it found 103 infected files. I deleted all of them except the one identified as Win32:Poison (Trj); the log said that it would be deleted on the next reboot. I rebooted several times and the log still showed the same message, then I found the file that was infected and deleted the file manually. That was on Friday; then tonight I ran another boot scan and it did not find any infections. So what can I do to stop the virus from sending e-mails to people in my address book?
It would be helpful to know the file name and location. Instead of deleting the file, it is better to put it in the Virus Chest where it is safe.
-
What do you use for an email client? A web-based email server or something different? Most web-based email clients are good with spam filters and internal AV scanners.
-
Have you changed any of the default settings of Avast?
-
What version and product of Avast are you using?
-
What is your OS?
-
Check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
· Download free http://www.malwarebytes.org/ (the blue button) for an on-demand scanner.
· Double Click mbam-setup.exe to install the application.
· After install, click update so you have latest database before scanning.
· Under Settings:
o General: Automatically Save File After Scan Completes is checked off
o Scanner Settings: Check all boxes
o Updater: Download and install update if available is checked off
· Once the program has loaded, select “Perform FULL Scan”, then click Scan.
· The scan may take some time to finish, so please be patient.
· When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
· Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
· The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
· Copy & Paste the entire report in your next reply.
This is a common tactic for spammers/malware: they say an email couldn’t be delivered, etc. and it is attached; you are inquisitive enough to open said attachment to find out what is going on and bingo, spammed or infected (if you didn’t have avast).
If your system was indeed sending out spam (an undetected/hidden spambot), then the mail shield may well be your first line of defence; it can also detect multiple emails sent in a time frame. Presumably that didn’t happen?
So I would suggest that you increase the sensitivity to High in the Mail Shield, Expert Settings, Sensitivity section.
Your firewall should also be a line in your defence, blocking unauthorised outbound connections. What is your firewall?
It would help if you gave some examples of the detections found by avast: malware name, file name, location?
Finally: Deletion isn’t really a good first option (you have none left); ‘first do no harm’: don’t delete, send the virus to the chest (a protected area) and investigate.
My OS -Win XP Pro SP3
Avast version 6.0.1000
Infected file name H:\Dell disc Transfer .…\page file sys
Have not changed any settings
Downloaded Malwarebytes and ran it and found 60 infections.
When I tried to paste the report to the reply it came up with an error saying that it exceeded the 10000 character limit so I am going to send it separate.
I cannot paste the report as it is too large, I will try to send half & half.

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6610
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/18/2011 9:35:47 AM
mbam-log-2011-05-18 (09-35-47).txt

Scan type: Full scan (C:\|E:\|H:\|)
Objects scanned: 247148
Time elapsed: 42 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 37
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEAD004E-7E2D-49f8-831C-A01647E85B53} (PUP.MightyMagoo) → Not selected for removal.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1EC4CA-4B92-4324-B8F8-C9A6ED06A8AE} (Adware.Hotbar) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{97E74A14-E5F1-40CC-9B0F-0D11946E5469} (PUP.MightyMagoo) → Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4D7B-9389-0F166788785A} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3E720452-B472-4954-B7AA-33069EB53906} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98D9753D-D73B-42D5-8C85-4469CDA897AB} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9FF05104-B030-46FC-94B8-81276E4E27DF} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E79DFBCA-5697-4fbd-94E5-5B2A9C7C1612} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.MultipleButton (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.MultipleButton.1 (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.ThirdPartyInstaller (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.ThirdPartyInstaller.1 (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.UrlAlertButton (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MyWebSearch.UrlAlertButton.1 (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) → Quarantined and deleted successfully.

Second half.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt&Search(default) (Adware.Hotbar) → Value: (default) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) → Value: f3PopularScreensavers → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) → Value: FunWebProducts → Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064501.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064504.DLL (PUP.FunWebProducts) → Not selected for removal.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064505.DLL (PUP.FunWebProducts) → Not selected for removal.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064506.DLL (PUP.FunWebProducts) → Not selected for removal.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064509.DLL (PUP.FunWebProducts) → Not selected for removal.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064510.DLL (PUP.FunWebProducts) → Not selected for removal.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064512.SCR (PUP.FunWebProducts) → Not selected for removal.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064513.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064515.DLL (PUP.FunWebProducts) → Not selected for removal.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064521.EXE (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064522.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064523.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064524.EXE (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064525.EXE (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064526.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064527.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064530.EXE (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064544.scr (PUP.FunWebProducts) → Not selected for removal.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064502.EXE (Adware.MyWebSearch) → Quarantined and deleted successfully.
c:\system volume information\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\RP666\A0064518.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
I noticed that some of the infected files shown in the report indicated that they were not selected for removal. What do I do to remove them?
All of this seems to relate to MyWebSearch, which is a bit low key (same with hotbar), but you should allow MBAM to deal with them.
The infected files are also related to MyWebSearch; when you remove associated files, system restore saves a copy. Essentially these can be removed without issue.
Nothing in this log appears to be associated with any trojan spambot, etc., so it could well be as I suggested in my previous post some sort of scam, to try and have you open the attachments, etc.
Remove the ones selected (they actually go to the MBAM Quarantine) and run the scan again and post what isn’t selected for removal.
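Added example, not from the thread: a small parser for the MBAM 1.50 log format pasted above that lists what was left "Not selected for removal" (the items the reply asks to re-scan and post) and tallies detections by family, so you can see at a glance that a log is all MyWebSearch-related. The sample lines are constructed in that format, not the poster's own log.

```python
import re
from collections import Counter

# Constructed sample in the MBAM 1.50 log format quoted in the thread, not the poster's log.
SAMPLE_LOG = """Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{EEAD004E-7E2D-49f8-831C-A01647E85B53} (PUP.MightyMagoo) -> Not selected for removal.
HKEY_CLASSES_ROOT\\MyWebSearch.MultipleButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Media\\WMSDK\\Sources\\f3PopularScreensavers (Adware.MyWebSearch) -> Value: f3PopularScreensavers -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
c:\\system volume information\\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\\RP666\\A0064504.DLL (PUP.FunWebProducts) -> Not selected for removal.
c:\\system volume information\\_restore{a4ae8738-9832-4091-9ef2-272396f3786e}\\RP666\\A0064501.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
"""

# A section header is "<Something> Infected:" with nothing after the colon; the summary
# block at the top of a real log ("Registry Keys Infected: 37") carries a count and is skipped.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):\s*$")
# Entry: item (Detection.Name) -> [Value: x -> ]action.   Pasted logs may show "→" for "->".
ARROW = r"\s*(?:->|\u2192)\s*"
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\)" + ARROW
    + r"(?:Value: (?P<value>.*?)" + ARROW + r")?(?P<action>.+?)\.?\s*$"
)
PENDING = "Not selected for removal"

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appears under."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if not line or section is None or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": section, "item": m.group("item"),
                            "name": m.group("name"), "value": m.group("value"),
                            "action": m.group("action"),
                            "removed": m.group("action") != PENDING})
    return entries

def not_removed(entries):
    """Detections MBAM logged but did not quarantine: the ones to re-scan and post."""
    return [e for e in entries if not e["removed"]]

def family_counts(entries):
    """Detection family -> (found, still pending), e.g. to confirm it is all MyWebSearch."""
    found, pending = Counter(), Counter()
    for e in entries:
        found[e["name"]] += 1
        pending[e["name"]] += 0 if e["removed"] else 1
    return {name: (found[name], pending[name]) for name in found}
```

Run `not_removed(parse_mbam_log(open("mbam-log.txt").read()))` on a saved log to get the pending items without pasting the whole report.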
I have run Malwarebytes again and removed all infections. Then I went to another e-mail address that I have and found 2 more e-mails with links that I am sending with this reply.
hxxp://wxw.sportnutrix.at/wp-content/themes/twentyten/life.html
hxxp://wxw.hdifinancial.com/wp-content/plugins/dropdown-menu-widget/133.html
I’m not entirely sure what you mean by (or the purpose of) this post ?
What/whose other email addresses are these? If these are unsolicited emails (first you shouldn’t open them) then you shouldn’t a) click links or open attachments in them or b) post active links to what might be malicious sites.
Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
I was hoping that by showing what was sent, you as an expert could possibly find out what I am dealing with, as I am a novice. I changed the links as you asked me to do. Sorry, as I did not know. That is why I am here: to get help to remove the infections and protect my system. Irven
Short of actually visiting the links there would be no idea what the stuff was, other than from the domain names; both could be spam but they could also be malicious, as one tries to redirect to another domain and it is an active page (.php), and the other is considered an attack page; see images.
There is no way to know what the payload could be as it is likely to change.
Not that this is something you need to know: any unsolicited email, even so-called failed sends, should be treated in the same way; delete them, don’t open them (that could be enough to activate remote scripts), don’t click links or open attachments.
Whilst the links are broken they are still active, as the http has priority over www and the active link is created in the forums, albeit that it would fail because of the wxw.
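The hXXp/wXw convention from the two replies above, as an added example that is not part of the thread: a check you can run on a draft post before submitting it. The scheme and the `www.` prefix are handled independently, which is the point made above: a link with only the scheme broken (`hxxp://www...`) still auto-links via `www.`. The sample post uses a reserved example domain, not the thread's URLs.

```python
import re

# Prefixes forum software turns into a live link: a URL scheme, or a bare "www." host.
LIVE_LINK_RE = re.compile(r"\b(?:(?P<scheme>https?)://|(?P<www>www\.))", re.IGNORECASE)


def defang(text):
    """Break every live-looking link: http -> hxxp, https -> hxxps, www. -> wxw. (case kept)."""
    def fix(m):
        if m.group("scheme"):
            s = m.group("scheme")                # "http" or "https", in whatever case was typed
            return s[0] + "xx" + s[3:] + "://"   # swap the "tt" for "xx"
        w = m.group("www")                       # "www." -> "wxw."
        return w[0] + "x" + w[2:]
    return LIVE_LINK_RE.sub(fix, text)


def live_links(text):
    """Prefixes that would still auto-link; an empty list means the post is safe to submit."""
    return [m.group(0) for m in LIVE_LINK_RE.finditer(text)]


# Constructed sample post (reserved example domain), not the URLs from the thread.
SAMPLE_POST = ("Got two bounces pointing at http://www.example.test/life.html "
               "and WWW.example.test/133.html")
```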
Irven,
The suggestions given to you by DavidR are good. You can learn a lot here and feel free to ask questions. Other things I would suggest are:
-
Keep MBAM on your machine and scan your machine at least weekly. Remember to update it prior to running a scan every time. You will now only need to do quick scans. Anything found with MBAM, you need to put into quarantine. You may want to consider MBAM Pro (one-time paid fee for resident [on all the time] protection that does not conflict with Avast).
-
Keep your Avast definitions up to date. In addition to increasing your Mail Sensitivity Shield in Avast to High (as David explained to you) and not opening up unknown email or clicking on links, I would run an Avast Quick scan weekly. You can run an Avast Full scan monthly or more often if you feel it is needed. If you have never run a Boot scan, do so now, then you should only need to do it if you suspect a problem.
In addition,
- Keep your MS/Windows Updates current.
- Add security related Add-ons to your browsers for safer browsing. See my and David’s Signature as an example.
- Use common sense when browsing and do not go to risky sites.
- When downloading software, read what you are clicking and do not download adware toolbars which are commonly opted in; look before you click or do a Custom install to avoid putting unwanted toolbars on your machine that lead to spyware tracking or adware.
Also, I noticed that you are still using an outdated version of Avast. You should upgrade it to the current version of 6.0.1125. You can do this by clicking upgrade on the main page of the Avast GUI. Reboot.
Let us know if you have any additional questions. Thank you.
To DavidR & Safesurf, I thank you both for the help and information. As for the boot scan, I have done several since I got the infection. I always have my MS/Windows updated automatically, and I have MBAM on my computer and will look at the Pro version. I am going to upgrade my Avast now. Again thank you both for your help, Irven
You’re welcome. I’m glad that things are working for you now.
If you feel that your issue is now resolved/fixed, please go back to the first open post in this topic, click the modify button in that post and change the title/subject, adding [Resolved] to the beginning of the title so this thread can be closed.
Feel free to come back any time you need help, to learn something new, or just to ask questions. We are here 24/7 for your convenience. Thank you for allowing us to assist you.
You’re welcome.