Ok, fellas, now here’s the newest issues.
Since all the trouble began a few weeks ago with the original Timeout problems, my computer is running SO SLOW! And a LOT of the time, it’s "thinking" - which always seems like a bad thing to me.
To deal with the original hijack problem, I loaded Ewido, then Zone Alarm Security Suite. Have run Trend Micro a few times. Sent you all the HJT logs. Someone suggested running the Symantec W32.Sober remover, but it found nothing.
One of you said, from the things I sent, that Avast was finding that Sober virus in incoming emails and removing it. I think that’s true. However, I also get these other returned emails that I think really are being generated from my computer. Avast doesn’t catch anything on them. I’ve attached one of them, for your perusal.
Additionally, since the first HJT scan and fix, every time I reboot, a Windows Installer window pops up. It says it’s preparing to install something, then tells me it’s trying to install MS Money 2003. I don’t use that program, so tried to uninstall it, but it wouldn’t let me. So now I’m stuck with this annoying thing to try to get rid of each time I reboot. It takes about 6-7 times of clicking Cancel before it quits trying. And always wants to send MS an error report. Oh, brother . . .
So I’ve run another HJT scan and that log is attached here. Can I remove all references to MS Money that show up there to fix this last problem? And is there anything there that would be causing such slow running?
Having ZA Security Suite installed with avast can cause conflict as I believe that also includes a resident anti-virus, both of these could have conflicting drivers and registry entries. We don’t recommend having two resident scanners installed. Ewido (free) is effectively on-demand but the Paid for version doesn’t seem to have a problem with avast.
In this case, I doubt the emails are being generated by your email otherwise avast would detect them when they are sent (multiple emails with the same subject in a short time, etc. a suspicious alert by avast). This is likely to be down to forged from email addresses, someone with your email address in their addressbook is infected with some form of SpamBot and it uses emails from that address book as a from address.
Dumb ISP email servers may detect this as an infected email/Spam, etc. (or in this case to a bad address) and bounce it back (incorrectly) to the sender, the faked from email address.
There are also some devious people out there that send faked returned/bounced emails in the hope that you will open the attached file to see what the problem is and thereby get infected.
What errors were displayed when it wouldn’t let you uninstall Money? The fact that it is trying to install Money seems strange if as you say it is already installed.
I suggest that you use one of the on-line HJT scanners to see if there is anything else that is either harmful or unknown and investigate those also. Some of the entries look strange to me with references to the WINNT folder, did you upgrade from win2k to XP?
I should have clarified: I already removed ZA Security Suite and installed their free firewall instead. I can’t tell if Ewido is helping or not, it’s the free version, and maybe I should uninstall it.
Well, if they’re not being generated here, then someone is really messing with me, cuz I get these Delivery Failure notices ALL DAY LONG. Like maybe 3-5 a day, and increasing. Is there a specific setting on Avast that I should make sure is turned on to be sure it would detect this kind of hijacking? However, since you mention it, each of these DO have an attachment - what should I do in this case?
To see what the screen exactly says when I reboot, I’ll have to try it, which means I’ll post that in my next message.
And the online analysis from HJT didn’t show anything I was concerned about. It seems to be confused about some ActiveX objects (which I think are only there from when I had to load them to do the Trend Micro scans) and some Java files, as well as some Gateway .CAB files. I can copy and post it if you want to see it.
Ewido works quite happily with avast! and won’t be causing the problem. It’s also worth keeping it around as a double check for Trojans. Have you tried a spyware scan with Ad-Aware and Spybot Search and Destroy?
You could also try TuneUp Utilities 2006, which has a good registry scanner (and a free trial!)
Clean up any junk with CCleaner then defragment your disk, that might help.
Try checking in Task Manager to see what is busy all the time.
The emails you might be able to talk to your ISP about.
Tech, he has HiJackThis and has run it with no obvious malware content. However, posting the HJT log contents here won’t hurt.
I don’t believe he has been hijacked (unless his HJT log shows otherwise), these returned emails don’t originate from his system otherwise avast’s heuristics should flag multiple outbound emails in a short time as suspicious as in my previous comments.
One or more of the attachments (File-packed_dataInfo.exe) are on
the list of unacceptable attachments for this site and will not have
been delivered.
Consider renaming the files to avoid this constraint.
The virus detector said this about the message:
Report: MailScanner: Executable DOS/Windows programs are dangerous in email (File-packed_dataInfo.exe)
MailScanner: Executable DOS/Windows programs are dangerous in email (File-packed_dataInfo.exe)
– MailScanner Email Virus Scanner www.mailscanner.info MailScanner thanks transtec Computers for their support
I never sent any messages to WNYUrology.com. It doesn’t appear that avast! is generating this. Who/what is MailScanner?
And those other emails I referred to earlier, avast! doesn’t pick them up, so I can’t send them anywhere except to the trash.
Also, regarding the trouble with MS Money trying to install upon startup, here’s what the various screens say:
At first, a Windows Installer box appears, that says "Preparing . . . "
Then, a new box comes up that says, Please wait while Windows configures MS Money 2003.
Next, the box says “Setup needs to close MS Money Express 2003 and is unable to do so. Please close MS Money Express 2003 and click Retry. If you are not sure how to close it, consult Help.”
There’s no Help option there. I tried to open MS Money, and it says it needs to install itself, and for me to insert the CD. But this program came on this computer, so I don’t have the CD. Finally, when I click Cancel, it says Error 1706: no source.
I don’t use MS Money and would be happy to uninstall it but it won’t let me. I notice a couple of items in the HJT file are MS Money files. Can I delete them? Will this stop this problem? It began after the first time I ran HJT and “fixed” a couple of things. Stupid me.
You can restore items ‘fixed’ by HijackThis!, as long as you’ve installed it in its own folder. Might be worth checking what you’ve deleted to see if anything refers to MS Money, or indeed any other innocent application.
I never sent any messages to WNYUrology.com.
No. Another infected computer sent the message but said it came from you. It’s like I write a junk mail letter and put your address at the top and mail it to 1000 people. Those people might blame you for the junk mail, when in fact you didn’t send it: it’s the same with worm generated spam mail.
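Added example, not part of the original thread: one way to check the forged-sender explanation above against a bounce you received, by reading the original headers the bounce carries back and comparing the connecting IP with your own ISP's range. The sample bounce, the addresses, `MY_NETS` and the function names are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: a bounce that returns the original message's headers.
BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: user@example.com
Subject: Delivery Failure
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.

--b1
Content-Type: text/rfc822-headers

Received: from pc (unknown [198.51.100.77])
 by mx.example.net; Mon, 2 Jan 2006 10:00:00 +0000
From: user@example.com
To: nobody@example.net
Subject: hello

--b1--
"""

# Assumption: the address range your own ISP relays outgoing mail from.
MY_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def returned_original(bounce_text):
    """Return the original message (or its headers) carried inside a bounce."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def bounce_verdict(bounce_text, my_nets):
    original = returned_original(bounce_text)
    received = original.get_all("Received") if original is not None else None
    if not received:
        return "no-evidence"
    # The top Received line was written by the server that bounced the mail;
    # lower ones could have been made up by the real sender.
    hop = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
    if not hop:
        return "no-evidence"
    ip = ipaddress.ip_address(hop.group(1))
    return "sent-from-here" if any(ip in n for n in my_nets) else "forged-sender"
```

A bounce that includes no copy of the original headers gives `no-evidence`, which is also the safe reading for a bounce whose only content is an attachment asking to be opened.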
I noticed the following from your HJT log :
1) Your Java Runtime Environment program is 2 Updates behind; on the antiSPYWARE forums that I frequent, it is strongly encouraged that "old" versions be completely removed, then go to www.java.com and get their latest.
2) You have AIM 95; I periodically see news items of malware coming through AIM, therefore, I recommend you uninstall that version, then go to the AIM portal at www.aim.com to get their latest. Better yet, after uninstalling AIM 95, install the safer Yahoo IM.
3) I saw no antiSPYWARE program listed in your HJT log; do you have one? If not, I recommend you download Ad-Aware from: www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html
After doing so, get the Updates, then run a "Full System Scan" setting.
Thanks, everyone, for all your help. In regards to your points:
I already installed the new Java, but it gave me some kind of trouble at the point of installation. Can’t remember what. Should I uninstall all Java programs, then start over from scratch?
Don’t know how I could have only AIM 95, when I’ve only been using it for 2 years, and it updates itself automatically. But I can uninstall that too and get the latest version. I don’t want Yahoo, since both of my adult kids use AIM, and that’s how I communicate with them quite often.
Used to have Ad-Aware, but during one of the HJT analyses, someone said it wasn’t good and I should switch. So I now use Ewido for getting rid of spyware. At least, I was under the impression that Ewido was for that purpose.
Have run scans ad nauseam of late, get such conflicting responses, it’s weird.
And to DavidR - I’ve not forgotten your advice about dumb ISPs and devious people - it’s just that it’s sometimes hard to tell the difference between something that’s being done TO you by someone, and something your computer is being hijacked to do to someone else. Trying to be safe and certain about these things. I do appreciate your guidance. My ISP just sent out an email about problems they’re encountering from autoresponders. Corresponding with them about this problem, and perhaps I can fix it by changing settings there.
I know what you mean ;D
It would be nice if there was some way to find what initiates the Java (javaw.exe) you were thinking about. You were thinking about that?
The following is posted on several antiSPYWARE forums :
"It is extremely important that all prior versions of Java be uninstalled. If not, you are a walking target for a major infection. The following procedure is strongly encouraged:
Please follow the steps to remove older version Java components
1. Close any open programs you may have running, especially your web browser
2. Click Start > Control Panel (Depending on your OS or configuration, you may have to click Start > Settings > Control Panel)
3. Open Add or Remove Programs (If you have Windows 98 or Windows 2000, open Add/Remove Programs)
4. Click once on any item listing Java Runtime Environment in the name. (Not every version of Java will begin with “Java” so be sure to read each entry in the list)
5. Click the Remove or Change/Remove button
6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java
7. Reboot your PC once all Java components have been removed
8. Proceed with reinstalling Java by going to http://www.java.com/en/ and install the latest version from the website "