Warezov-AAV : can't remove this virus

Hi,

I have opened a mail attachment, postcard.exe. Unfortunately, this is the virus Warezov-AAV:
 http://img70.imageshack.us/img70/6388/warezovaavoe4.jpg

The same message appears every 30 minutes.

A scan has been launched before Windows startup. The problem is still there.

Here is my config :
  • OS : Windows XP SP2

  • Avast Version : 4.7 Edition Familiale (4.7.942)

  • VPS Version : 000704-0

  • Internet Connection : ADSL - No Proxy - Windows Firewall

  • Mail : Outlook Express

  • No other security software

I don’t want to reinstall my whole computer but this virus is very hard to remove :cry:

Thanks in advance
Hervé -

Well the picture itself seems clean… :slight_smile:

If a virus is replicant (coming and coming again), you should:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files. You can use the Windows Advanced Care features for that.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. It will be good if you download, install, update and run other trojan remover tools:
    a-squared
    Free AVG Antispyware
    SUPERantispyware

@ Tech
Well the image is just the avast alert Tech not malware.

The file c:\windows\smm32.exe is the file avast is alerting on, so if it is coming back every 30 minutes something is recreating it otherwise avast would continue to detect it not just every 30 minutes. Hopefully the other tools Tech mentioned will stop whatever is recreating it.

Do you have a firewall, if so what ?

The picture is clean


http://img100.imageshack.us/img100/5295/anulomaec3.png

Warezov connects to different URLs to download new variants on a regular basis. The Windows Firewall will not stop the connection - you need a third party firewall to try to stop this. Zone Alarm, Comodo, Kerio, etc are good choices. After installing the firewall carefully review any programs requesting an internet connection. You want to allow normal processes while blocking the bad ones.

After installing the firewall a HijackThis log would be useful. You can download the program here

http://www.bleepingcomputer.com/files/hijackthis.php

and paragraph 2 under Usage Instructions will tell you how to extract and run the program. Make sure not to “fix” anything right now, just run the program and post the log here.

Hi,

New to this forum but have been reading the Warezov thread with interest. I have recently been hit with the Warezov virus and have followed most - if not all - of the things posted on this forum to try and get rid of it. I now find myself in the situation where Avast isn’t finding anything, AVG AntiSpyware, Super AntiSpyware and SpyBot all say I am clean…but I am not clean. I am still churning out bogus emails at the rate of about 10 an hour…and its doin’ my head in ! I now know a lot more about Firewalls, Antivirus and all of these kind of things…but I just can’t get this email thing to stop !
Problem originally detected by Avast… but Avast couldn’t delete it because it was embedded in a .pst archive. Deleted the .pst archive… as it wasn’t that important!

Any help gratefully received.

Graham

For the record :-
OS: XP SP2
Email: Outlook 2003
Antivirus : Avast 4.7 Home
Firewall : ZoneAlarm (the free one… just newly installed as a result of reading posts here… used to just use the Windows Firewall).

Now I figure I will probably be asked to post a HijackThis log…so here goes …have included the startup list as well !

Hi tutties430,

Nothing stands out in the log. I believe some variants of Warezov use rootkit technology to hide themselves, so it would be a good idea to run a few rootkit scans.

I’d recommend F-Secure BlackLight, the Panda scanner, the BitDefender Scanner and maybe the Sophos scanner listed here:

http://www.antirootkit.com/software/index.htm

Legitimate applications can sometimes have hidden processes, so check here if you find anything suspicious.

If you find and remove a rootkit, run a scan with avast! immediately afterwards.

Hi,

Tried these…Sophos gave me this…but wouldn’t allow me to remove !

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_USERS\S-1-5-21-1789158869-1094879326-2890962713-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Cebtenz Svyrf\UnzzreFavcr CbjreGbby\CbjreGbby.rkr
Removable: No
Notes: (type 3, length 16) “\xbc\x02 \x06 \x90\xe7%\x855C\xc7\x01”

Still at a loss !

Thanks for humouring me
Graham

From a web search, I suspect the key Sophos found is some sort of encrypted key and not part of a rootkit, which means the problem is probably an unrecognised process starting from a location not included in HijackThis!

Have you managed to block the process sending out emails with Zone Alarm? What was the name of the process? If not, check for suspicious applications connecting to the net and try and identify the malware process and block it.

You could try downloading Process Explorer from SysInternals and looking for the malware process. Kill the malware process and find and remove the startup entry with Autoruns, also from the same source.

Alternatively, try online scans with F-Secure and Trend Micro Housecall.

You are running an out-of-date version of Sun Java. I recommend you run Secunia Software Inspector to confirm this and also look for other out-of-date software. It will also give you a download link to get the latest secure versions of software.

http://secunia.com/software_inspector/

EDIT: Instructions on how to use Process Explorer here:

http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=359

Quite technical!
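The registry value Sophos reported above lives under the UserAssist key, whose value names Windows stores ROT13-encoded, which is why the name looks scrambled. The following is an added example (not code from any poster or tool in this thread) that decodes that exact value name and parses a constructed 16-byte XP-format UserAssist value into its session id, run counter and last-run FILETIME; the sample bytes and the date in them are constructed here, not the bytes from the Sophos report.

```python
import codecs
import struct
from datetime import datetime, timedelta

# The value name exactly as it appears in the Sophos output quoted in this thread.
SOPHOS_VALUE_NAME = r"HRZR_EHACNGU:P:\Cebtenz Svyrf\UnzzreFavcr CbjreGbby\CbjreGbby.rkr"

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1)


def decode_userassist_name(name: str) -> str:
    """Windows writes UserAssist value names ROT13-encoded; undo that.
    Non-letter characters (colons, backslashes, digits) pass through unchanged."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to a naive UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_xp_userassist_value(data: bytes) -> dict:
    """Parse the 16-byte XP-era UserAssist value layout:
    uint32 session id, uint32 run counter, uint64 last-run FILETIME (all little-endian).
    The counter is returned raw; XP stores it with an offset of 5, so one run shows as 6."""
    if len(data) != 16:
        raise ValueError("XP-format UserAssist values are exactly 16 bytes")
    session, count, ft = struct.unpack("<IIQ", data)
    return {"session": session, "count": count, "last_run": filetime_to_datetime(ft)}


# Constructed sample value: session 3, raw counter 7, last run 2007-02-01 12:00:00 UTC.
# These are illustrative bytes, not the data Sophos displayed above.
SAMPLE_VALUE = struct.pack(
    "<IIQ", 3, 7, datetime_to_filetime(datetime(2007, 2, 1, 12, 0, 0))
)

if __name__ == "__main__":
    print(decode_userassist_name(SOPHOS_VALUE_NAME))
    print(parse_xp_userassist_value(SAMPLE_VALUE))
```

Decoding the name turns it into a plain "UEME_RUNPATH" record for an executable path, which is the kind of entry Explorer writes for any program launched through the shell; on its own it says when something was run, not whether it is malicious.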

:slight_smile: Hi Graham :

As Frank said, your version of Sun Java is 5 updates behind, a serious security risk; you should
uninstall it ASAP. The latest version for your XP SP2 OS is at :
www.majorgeeks.com/download4648.html .

Perhaps it is time for you to ask an experienced, trained, volunteer Malware Expert for help !?
Since you have Spybot, there are many at http://forums.spybot.info . Probably the 1st thing
they will ask you is to "rename" your "HijackThis.exe" to something else .

This is just a hunch but would you try AVG’s Vcleaner. Download it here and scan in safe mode

http://www.grisoft.com/doc/removal/lng/us/tpl/tpl01?uti=Vcleaner

Also, Spiritsongs’ suggested renaming of hijackthis.exe to something like hijackthat.exe is worth a try. Usually this is a trick to use with Vundo (which you don’t have) but if Vundo can hide from hijackthis.exe other malware might as well. Do this after Vcleaner.

Thanks to all of you for your help.
Don’t think I am any further forward - although emails seem to have stopped for just now !

Ran vcleaner in safe mode - didn’t find anything.
Renamed HijackThis (to DesperateNow :frowning: ) but logs just looked pretty much identical.

I haven’t been brave enough to start editing using the Process Manager stuff yet !

Frank (I think it was you ?) asked if I had isolated which app was sending the email by using Zone Alarm.
All I can say is that every time I start Outlook I get at best a handful of ‘delivery failures’ in my inbox and at worst about 70. I have everything set to ask for access via Zone Alarm…but nothing really does. Not sure what - if anything else I can do there ?

In another desperate effort to stop me throwing the whole PC out the window I have just repaired Microsoft Office. No dodgy emails in the last half hour - but this is most likely a false dawn. I have gone a couple of hours before with nothing.

When I first found the Warezov-MF (via Avast) it was embedded in one of my pst files. It was one that I didn’t use so I just deleted the whole .pst.

I have updated my Java app as well as several others. I have also ditched all of the BTYahoo protection stuff that I seem to be paying pretty dearly for - and it’s no use !

At the end of all this I think I have learned that Avast Home 4.7 plus the free Zone Alarm is good enough security for me in the future (with regular SpyBot style checking too !)

Thank you all for your help. It is good to know that there are some good folk out there willing to help this sad geezer !

Graham

P.S. Whole 50 minutes now since last dodgy email…needs to go until I wake in the morning before I am happy !

I believe your computer is clean, Graham, and has been clean since you deleted the infected pst file.

Unfortunately I think someone else’s computer is infected with malware that is sending out spam with your email address spoofed as the sender’s address. This is why you’re getting bounced email.

There’s nothing you can do about this other than wait for the other person to recognize and clean up the problem. Given the sudden disappearance of returned email this may have already happened (or maybe they just turned off their computer).

This seems benign

http://forum.sysinternals.com/forum_posts.asp?TID=9380&PN=3

EDIT:

Keep AVG Antispyware and SUPERAntiSpyware too. They’re a little better than Spybot right now.

Frank (I think it was you ?) asked if I had isolated which app was sending the email by using Zone Alarm. All I can say is that every time I start Outlook I get at best a handful of 'delivery failures' in my inbox and at worst about 70. I have everything set to ask for access via Zone Alarm...but nothing really does. Not sure what - if anything else I can do there ?

As mauserme said, this certainly looks like a case of address spoofing, not a spambot infection on your computer.

http://www.lse.ac.uk/itservices/help/spamming&spoofing.htm

http://www.mailsbroadcast.com/email.broadcast.faq/46.email.spoofing.htm

http://www.windowsecurity.com/articles/Email-Spoofing.html

Frank, Mauserme,

Thanks for all of your help and pointers.
Things ain’t gettin’ any better… dodgy email still flooding in… if anything it’s getting worse. (200 emails today already)

Is there really nothing I can do ? Seems strange that you can go to all sorts of lengths to remove viruses from your PC…but with this (which is probably worse than a virus) there is nothing to be done !

Changing my email address would always be an option I suppose ?

Many Thanks,

Graham

It would, until you sent an email with your new address to the infected computer. Then you would be right back where you started. Had the same thing a few years ago. It took a month and I had to finally get the infected user’s ISP involved. >:(

Hope it doesn’t take you as long. :slight_smile:

Dodgy emails flooding in can’t be stopped by changes on your system, it isn’t generated on your system and isn’t being imported by something on your system. Somehow your email address has ended up on a list or simply as has been said on someone’s system that is infected and is constantly sending emails to everyone on their address book.

As you said you could change your email address; this would likely provide a respite, but you have to consider who you give it to and how you use it to stop the same condition building up. Personally I would do this as one measure; the second is to get an anti-spam tool to pre-scan email on your email server. It will identify a huge amount of spam which it flags for deletion (at the server, so you don’t first have to download it to your inbox). You can check those not flagged, identify the spam and dodgy emails and also mark them for deletion and for learning.

I use MailWasher Pro, although it is primarily for Spam it is also easy to deal with suspicious emails. There is a free version, but this only works with a single email account, which may be enough for your needs. The Pro version works with multiple accounts. With a good anti-spam program (one that can delete from the email server) you may be able to get away with your existing email address, but a completely clean start is likely to have better results.

It’s not that nothing can be done, it’s that you aren’t in a position to do much because the problem is not on your computer.

Well, if you wanted to be proactive …

There’s a chance, though not a guarantee, that you are in the address book on the infected computer. If the list of people who have your address is short you could try contacting them. They’re probably experiencing quite a slow down on their computer right now. But this is truly a long shot.

Mauserme,

Definitely worth a try ! Thanx ! My own address book isn’t that big. I will ship out a note to everyone and see how I get on.

An earlier post suggested he finally had to start looking at user IP’s…how difficult is this to do ?

I checked my spam filter today and it had over 1000 ‘delivery failure’ style emails in it for just today !

Graham.

P.S. Fan stopped working on my PC today too and it nearly fried ! At least I can’t blame the spam for that !!! :slight_smile:

If you do as suggested and send an email warning that one of them might be infected, don’t, whatever you do, send it to everyone in your email address book in one go (send in small batches; also avast might think it is spam).

If you do send it to multiple recipients, put their email address in the BCC field, otherwise you will be giving a gift as all addresses in the To and CC fields are visible in the email that is received and those addresses would then be exposed to the same problem.

Send the email to yourself with other recipients in the BCC field.

In my case it was quite easy. It was klez. The true return path with this virus could be viewed in the message source. I don’t think that the evil authors made this mistake again.

I also don’t believe I was in the address book on the infected computer, but rather my address had been harvested from an email that had been forwarded to said computer.

In your case, I think following the suggestion of contacting your contacts and advising them of the problem may be your best bet. But as also suggested, it may be a long shot.

If they in turn are experiencing the same, have them do the same. Their contact circle could be quite different than yours.

Good luck!