Author Topic: Infected again after OTL cleanup? Kaspersky finds malware. HELP!  (Read 6331 times)


castalla

  • Guest
I recently was infected - super help here removed the infection - or did it???!!!!

I got a message from the ISP telling me that the IP address was being used to spam.  They suggested running Kaspersky.

This produced the following:

HEUR:Trojan.Win32.Generic
sonldi.dll
C:\_OTL\MovedFiles\07072012_151403\C_Users\bb\AppData\Roaming

Trojan.Win32.Scar.glcg
Molebox
C:\_OTL\MovedFiles\07072012_151403\C_Users\bb\AppData\Roaming\xsecva\xsecva.exe/

Backdoor.Win32.ZAccess.ual
80000032.@
C:\_OTL\MovedFiles\07072012_151403\C_Windows\Installer\{6d94205e-92a9-8545-3a86-0155c692227b}\U

Backdoor.Win32.ZAccess.ual
trzA26E.tmp
C:\_OTL\MovedFiles\07072012_151403\C_Windows\Installer\{6d94205e-92a9-8545-3a86-0155c692227b}\U

Any advice welcome.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #1 on: July 12, 2012, 03:56:29 PM »
Nope..... not infected.
Kaspersky has detected the infected files that OTL moved....... C:\_OTL\MovedFiles

Did you let Essexboy remove his tools when he was finished?

I sent him a PM so he can have a look here.   ;)
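An added triage helper, not from the thread or any of the posters: it parses scan output in the three-line layout castalla pasted (detection name, object, folder) and separates hits whose folder sits under the OTL quarantine root C:\_OTL\MovedFiles (inactive, already-moved files) from hits at live locations. The third sample group (Trojan.Win32.Placeholder / evil.dll) is constructed for contrast and is not from the thread.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Quarantine folders where a detection is an inactive, already-moved file.
# Only the OTL folder named in the thread is listed here.
QUARANTINE_ROOTS = [PureWindowsPath(r"C:\_OTL\MovedFiles")]

# Constructed sample in the three-line layout castalla pasted
# (detection name, object name, containing folder). The last group is a
# made-up, non-quarantined hit added for contrast; it is not from the thread.
SAMPLE_SCAN = """\
HEUR:Trojan.Win32.Generic
sonldi.dll
C:\\_OTL\\MovedFiles\\07072012_151403\\C_Users\\bb\\AppData\\Roaming

Trojan.Win32.Scar.glcg
Molebox
C:\\_OTL\\MovedFiles\\07072012_151403\\C_Users\\bb\\AppData\\Roaming\\xsecva\\xsecva.exe/

Trojan.Win32.Placeholder
evil.dll
C:\\Users\\bb\\AppData\\Roaming
"""

@dataclass
class Detection:
    name: str
    obj: str
    folder: str

    def in_quarantine(self) -> bool:
        """True if the folder lies under a known quarantine root (case-insensitive)."""
        parts = [p.lower() for p in PureWindowsPath(self.folder.rstrip("/\\")).parts]
        return any(parts[:len(r.parts)] == [p.lower() for p in r.parts]
                   for r in QUARANTINE_ROOTS)

def parse_scan(text: str) -> list[Detection]:
    """Split pasted output into blank-line-separated groups of three lines."""
    groups = [g.strip().splitlines() for g in text.strip().split("\n\n")]
    return [Detection(*[line.strip() for line in g]) for g in groups if len(g) == 3]

def triage(text: str) -> dict[str, list[str]]:
    """Bucket hits: 'quarantined' (inactive; delete with the folder) vs 'live'."""
    out: dict[str, list[str]] = {"quarantined": [], "live": []}
    for d in parse_scan(text):
        out["quarantined" if d.in_quarantine() else "live"].append(d.obj)
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_SCAN))  # {'quarantined': ['sonldi.dll', 'Molebox'], 'live': ['evil.dll']}
```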

castalla

  • Guest
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #2 on: July 12, 2012, 04:02:36 PM »
Tools were removed.

What worries me is that I removed the infection on Monday - but got the ISP message today stating the spam had occurred yesterday (Wednesday) via a trojan.

Thanks for your help.


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #3 on: July 12, 2012, 04:04:02 PM »
These are in the OTL moved folder and aren't active. When your cleanup was confirmed and you reported your system was OK (after a day or so) you should have received information on removing the tools used in the cleanup.

I also believe the purpose of the _OTL moved folder is to send samples to avast if they weren't detected by avast.

So did you report your system was working normally and did you get information on removing the tools used ?
Did anyone suggest sending these samples in the _OTL moved folder to avast?

This really should have been in your original topic on the cleanup as all of that information would have been there.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #4 on: July 12, 2012, 04:06:50 PM »
If you had run the OTL cleanup button then the quarantine folder would have been deleted.

Maybe I will bold that line from now on.

Also, is your email web based... Hotmail, Google, Yahoo etc.?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #5 on: July 12, 2012, 04:10:51 PM »
Quote
Tools were removed.

What worries me is that I removed the infection on Monday - but got the ISP message today stating the spam had occurred yesterday (Wednesday) via a trojan.

Thanks for your help.

ISPs are pretty dumb (and slow at times) when it comes to spam; how they know that spam occurred via a trojan is beyond me, as they aren't monitoring your system. That is speculation on their part, in my speculative opinion ;D

It is easy to fake a from email address in an email, and this results in emails being bounced back to the fake email address. If your prior infection included sending spam then I would say that you should have changed your email password. Trojans sending spam generally don't use your email client but their own SMTP program; they are also using an email account/server that has been hacked or allows forwarding.

Set your Mail Shield Sensitivity to High Heuristics.

castalla

  • Guest
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #6 on: July 12, 2012, 04:29:41 PM »
As far as I know I followed all the instructions including cleanup!

Mail is via 3rd party pop server using Opera mail.

What can I do now to clean up the system completely (apart from a reinstall!!!) ???

castalla

  • Guest
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #7 on: July 12, 2012, 04:34:38 PM »
What is suspicious is that I used a VPN account yesterday for the first time since the original infection last weekend - the spam report came from the VPN provider today.   Sort of suggests the infection was still active yesterday??

I've changed the mail account details.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #9 on: July 12, 2012, 04:41:22 PM »
No, not really, otherwise your other e-mail would have given the same indications.

It sounds like it is related to your VPN provider; could you PM me a link for it please so that I can check their site out?


I will be having a chat with OT as this is the second case where the quarantined files were not removed.

castalla

  • Guest
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #10 on: July 12, 2012, 04:47:15 PM »
Can I just delete those moved OTL files?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #11 on: July 12, 2012, 05:02:29 PM »
Yes, take out the whole folder.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #12 on: July 12, 2012, 05:12:34 PM »
Just one thing.....

Quote
They suggested running Kaspersky.
Does that mean you have avast and Kaspersky installed..... or did you uninstall one?

castalla

  • Guest
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #13 on: July 12, 2012, 05:25:16 PM »
I have Avast running.

They suggested the Kaspersky Security Scan - not the full program.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected again after OTL cleanup? Kaspersky finds malware. HELP!
« Reply #14 on: July 12, 2012, 07:30:47 PM »
No problem with the VPN. As they suggest, monitor it for a day or so and come back if there are any problems at all.