will Avast find PushDo?

I have Avast Free v. 8.0.1489
I am being told I have the trojan PushDo. Should Avast find this? If not, is it safe to say I do not have PushDo?

My outbound emails are blocked as advised by Spamhaus when sent over my new WiMax provider but emails all go through fine when sent via my previous (and still connected) WiMax company. The new coy gave me a new IP address as you’d expect and it is this one that is causing the problem and for some reason they don’t want to give me a new IP as they’re telling me to sort out my infection. Any pointers, folks???

My outbound emails are blocked as advised by Spamhaus when sent over my new WiMax provider but emails all go through fine when sent via my previous (and still connected) WiMax company
The new coy gave me a new IP address as you'd expect and it is this one that is causing the problem and for some reason they don't want to give me a new IP as they're telling me to sort out my infection.

Reading the above leads me to suspect that they have acquired one of the C2 servers/IP addresses of the spambots. I can check out your system if you wish, but as the old IP has no problems then I suspect I will find nothing. Is Avast Web Shield calling any alerts when you send/receive e-mail?

Thank you for your interest in my problem. Avast Web Shield says and does nothing when I send and receive emails…the following is the error message.

[i]An error occurred sending mail: The mail server sent an incorrect greeting: Your IP address is on the XBL blacklist! Sending denied.
For further information and delisting procedure,
please see http://www.spamhaus.org/query/bl?ip=188.119.192.40.[/i]

I have had a long dialogue with the new WiMax coy’s techno (an Englishman fortunately) within a local area forum but it probably isn’t politic to paste a link publicly here; I am however in a pickle and your offer of further assistance wouldn’t be refused(!) Thanks in advance for continued help.

Sorry, a quick PS. Avast DOES find virus threats on incoming mails … so it is operating properly and OK.

For sure follow the steps here http://forum.avast.com/index.php?topic=53253.0
Then attach your logs in this thread

Your IP is blacklisted by http://whatismyipaddress.com/blacklist-check

barracuda.org / abuseat.org / junkmailfilter.com / zen.spamhaus.org / xbl.spamhaus.org / mailspike.net

Because this was found associated there: htxp://www6.addfreestats.com/cgi-bin/showuni3.cgi?usr=00605438
see: 188.119.192.40.pool.eurona.net. GRANADA. Google.es → interpares malaga [#15]. Entry → 1 -MALAGASERVICEFLATS INTERPARES -FIN SEMANA DES etc.

polonus

Essex Boy: three logs attached… I hope I’ve done it correctly, over.

Polonus: not sure what your second note means. So far as my IP being blocked by the sites you quote, my WiMax techno says the address has been clean for some days. I’m getting very confused.

OK, I have found a grand total of two orphaned adware elements and that is it. No unusual files have been added or modified for the last 30 days.
I do not believe that you are infected.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKLM\..\URLSearchHook: {124d001a-bdcb-472f-aa59-bbe7e4bc3204} - No CLSID value found
O2:64bit: - BHO: (no name) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - No CLSID value found.
O3 - HKU\S-1-5-21-819605704-1034043224-4017780248-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [Best Antivirus] C:/Program Files (x86)/Best Antivirus/BestAntivirus.exe File not found
O4 - HKLM..\Run: [Best Antivirus Agent] C:/Program Files (x86)/Best Antivirus/BestAntivirusAgent.exe File not found
O4 - HKLM..\Run: [Best Antivirus Updater] C:/Program Files (x86)/Best Antivirus/BestAntivirusUpdater.exe File not found

:Files
C:/Program Files (x86)/Best Antivirus

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Let this not interfere with essexboy’s cleansing routine.

The additional info I gave was for some adware launching that has been flagged in combination with that IP and sustained by the following evidence.

See: http://www.ipvoid.com/scan/188.119.192.40/ - for more details: http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3A188.119.192.40&run=toolpage

Inclusion in either of the MAILSPIKE Blacklists (BL or Z) means that your IP Address has most likely been identified as being part of a real-time spam outbreak. More specifically, Mailspike lists IPs that are part of a distributed spam wave and does not take into consideration over-time IP behavior. It is also worth noting that this RBL is a zero-hour list, meaning that you can be listed and then unlisted very quickly. Please remember that normal propagation will occur and while your IP address may be unlisted on the Mailspike site, other services which query their database could still show you as listed until the listing expires.

polonus
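The blacklist checks polonus points to (zen.spamhaus.org, xbl.spamhaus.org, Mailspike and the others) all work the same way underneath: the octets of the IPv4 address are reversed, the zone name is appended, and an A record is requested; an answer in 127.0.0.0/8 means "listed" and the last octet says which sub-list hit, while NXDOMAIN means "not listed". The script below is an added example, not code from the forum or from Spamhaus; it builds that query name, interprets the ZEN return codes as Spamhaus documents them, and takes an injectable resolver so the logic can be exercised offline. The offline resolver's answers are constructed to mirror the thread (188.119.192.40 listed on XBL, 188.119.192.56 clean) and are not real lookup results.

```python
"""DNSBL lookup helper (added example; not code from the thread or from Spamhaus)."""
import ipaddress
import socket
from typing import Callable, Optional

# Return codes documented by Spamhaus for the combined ZEN zone.
ZEN_CODES = {
    "127.0.0.2": "SBL (Spamhaus Block List)",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (CBL data: infected/compromised host)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained: dynamic/end-user space)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """188.119.192.40 -> 40.192.119.188.zen.spamhaus.org (raises on bad input)."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def system_resolver(name: str) -> Optional[str]:
    """Real lookup: an A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_dnsbl(ip: str, zone: str = "zen.spamhaus.org",
                resolver: Callable[[str], Optional[str]] = system_resolver) -> dict:
    """Query one DNSBL zone and explain the answer."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return {"ip": ip, "zone": zone, "listed": False, "reason": None}
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        # A DNSBL never answers outside 127/8; anything else is a wildcard
        # from a dead or hijacked zone and must not be read as "listed".
        return {"ip": ip, "zone": zone, "listed": False,
                "reason": f"unexpected answer {answer}, zone not trustworthy"}
    return {"ip": ip, "zone": zone, "listed": True,
            "reason": ZEN_CODES.get(answer, f"code {answer}")}

# Constructed offline answers modelled on the thread: the new IP sits on XBL
# (the CBL-fed sub-list), the old IP returns NXDOMAIN.  Not real lookup data.
FAKE_ANSWERS = {"40.192.119.188.zen.spamhaus.org": "127.0.0.4"}

def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)

if __name__ == "__main__":
    for ip in ("188.119.192.40", "188.119.192.56"):
        print(check_dnsbl(ip, resolver=fake_resolver))
```

Call `check_dnsbl(ip)` without the `resolver` argument to ask the live zone. The split between XBL/CBL (a host observed sending spam or bot traffic) and PBL (address space a provider has declared as not supposed to send mail directly) is the useful part for this thread: a PBL listing is a policy decision by the ISP, while an XBL listing is evidence that something behind that address was observed misbehaving, which is why the CBL "last detected" timestamp matters more than whether a scan of one laptop comes back clean.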

I am still unable to send emails and CBL is telling me now I have a different bug, viz:
"This IP is operating (or NATting for a computer that is operating) the “sendsafe” or similar (such as Advanced Mass Sender - AMS) bulk emailing malware. This software is almost exclusively used for sending “Nigerian 419”/“advance fee” frauds or phishing attempts. It is also used occasionally to send pharmaceutical spam."

Beforehand it was suggesting the virus was PushDo. Is this a significant development please… ?

I’m off to a wifi cafe tomorrow in the hope I get issued another IP address so I should see whether I am allowed to send or not…

Did you run the OTL fix ?

Yes I ran that fix and made the report as requested.
I have today sent emails without difficulty from a wi-fi node in a cafe. Significant?

I have also realised I am making a problem for you and myself as we have two laptops in the house running on the same system and the same IP address; one is used daily for emails, the other logs on less frequently for music etc. Therefore - can I run the OTL fix on the other machine ad lib, or do you send me a link or particular instruction. Realising the work I’m causing, it would be churlish of me not to upgrade my subscription from ‘Free’ so consider it done this evening and accept my thanks for your help.
CB

Essexboy will be back on the forum later on so please wait for his further instructions, in the meantime do not run the same OTL fix on the other system as each fix is specifically created for that individual computer.

No, we will need a separate log for each computer as they will be different.

Hopefully the following is appropriate. Thank you in advance.

That one actually looks nice and clean … How is it behaving ?

The machine works fine, good and fast. I’m still unable to send emails, and am still IP 188.119.192.40. The WiMax coy techno has given me the following advice which, quite frankly, I’m very reluctant to follow as I’m not happy about adding code I don’t understand to a machine which may not have a problem…

[i]One possible thing you can try additionally is to force any attempts to send anything to 78.47.46.141 to a dummy IP address. This will only work for that address though and it may change.

This can be done by editing the file:
C:\Windows\System32\drivers\etc\HOSTS and adding the line:

127.0.0.1 78.47.46.141

to the end. The file will look a bit like this:

For example:

102.54.94.97 rhino.acme.com # source server

38.25.63.10 x.acme.com # x client host

localhost name resolution is handled within DNS itself.

127.0.0.1 localhost

::1 localhost

127.0.0.1 localhost[/i]

So where do I go from here if my machines are clean? The first IP address I was given has been clear on Spamhaus (188.119.192.56) for some time; my current IP is blocked. Apart from going back to the previous WiMax provider (who was more expensive but I was able to send!) what is your advice please?

CBL appears to be the only site that blocks my IP. Can this be the villain?
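The HOSTS advice quoted above is worth checking against what the file actually does. Each active line is "<ip-address> <hostname> [aliases]", and the file is consulted only when a program resolves a name; a connection made to a literal IP address never looks at it. A line such as "127.0.0.1 78.47.46.141" therefore treats "78.47.46.141" as a hostname that nothing will ever ask for, so it neither blocks nor redirects anything. The parser below is an added example, not code from the thread or from Microsoft; it reads a hosts file in the Windows format, flags entries whose "hostname" is an IP literal or otherwise invalid, and runs against a constructed sample modelled on the quoted advice.

```python
"""Windows HOSTS file sanity check (added example; not code from the thread)."""
import ipaddress
import re
from typing import List, Tuple

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def looks_like_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hosts(text: str) -> List[Tuple[int, str, List[str], List[str]]]:
    """Return (line_no, address, names, problems) for every non-comment line."""
    results = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        problems = []
        if not looks_like_ip(address):
            problems.append(f"first field {address!r} is not an IP address")
        if not names:
            problems.append("no hostname after the address")
        for name in names:
            if looks_like_ip(name):
                problems.append(
                    f"{name!r} is an IP literal, not a hostname: connections to an "
                    "address skip name resolution, so this entry never matches")
            elif not HOSTNAME_RE.match(name):
                problems.append(f"{name!r} is not a valid hostname")
        results.append((line_no, address, names, problems))
    return results

def ineffective_entries(text: str) -> List[Tuple[int, str, List[str], List[str]]]:
    """Only the entries that will never do what the author intended."""
    return [entry for entry in parse_hosts(text) if entry[3]]

# Constructed sample, modelled on the file the techno quoted plus his proposed line.
SAMPLE_HOSTS = """\
102.54.94.97     rhino.acme.com          # source server
38.25.63.10      x.acme.com              # x client host
# localhost name resolution is handled within DNS itself.
127.0.0.1        localhost
::1              localhost
127.0.0.1 78.47.46.141
"""

if __name__ == "__main__":
    for line_no, address, names, problems in ineffective_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} {' '.join(names)}")
        for p in problems:
            print("   ", p)
```

On a real machine pass the contents of C:\Windows\System32\drivers\etc\hosts to `ineffective_entries`. Blocking traffic to a specific address is a firewall job (an outbound rule for that destination), not something the hosts file can express; and on a suspected bot, a local block only hides the symptom for that one C2 address the techno happened to see, which his own note ("it may change") already concedes.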

127.0.0.1 78.47.46.141: this entry will route all your data to a server in Germany … See screenshot. I do not understand what he is trying to achieve there, as if it is a dummy address then your internet may cease to work.

It was last detected at 2013-06-08 02:00 GMT (+/- 30 minutes), approximately 6 days, 12 hours, 29 minutes ago.
CBL report. If you have no problem using hotspots then it is your ISP at fault. Why do they insist on giving a static IP, and why will they not change it?