Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ColinWB on June 05, 2013, 10:21:10 PM

Title: will Avast find PushDo?
Post by: ColinWB on June 05, 2013, 10:21:10 PM
I have Avast Free  v. 8.0.1489
I am being told I have the trojan PushDo. Should Avast find this?  If not, is it safe to say I do not have PushDo?

My outbound emails are blocked as advised by Spamhaus when sent over my new WiMax provider but emails all go through fine when sent via my previous (and still connected) WiMax company.   The new coy gave me a new IP address as you'd expect and it is this one that is causing the problem and for some reason they don't want to give me a new IP as they're telling me to sort out my infection.     Any pointers folks ???????
Title: Re: will Avast find PushDo?
Post by: essexboy on June 05, 2013, 10:25:34 PM
Quote
My outbound emails are blocked as advised by Spamhaus when sent over my new WiMax provider but emails all go through fine when sent via my previous (and still connected) WiMax company

Quote
The new coy gave me a new IP address as you'd expect and it is this one that is causing the problem and for some reason they don't want to give me a new IP as they're telling me to sort out my infection. 
 

Reading the above leads me to suspect that they have acquired one of the C2 servers/IP address of the spambots, I can check out your system if you wish.  But as the old IP has no problems then I suspect I will find nothing.  Is Avast webshield calling any alerts when you send/receive e-mail?
Title: Re: will Avast find PushDo?
Post by: ColinWB on June 06, 2013, 04:20:26 PM
Thank you for your interest in my problem.  Avast Web Shield says and does nothing when I send and receive emails.....the following is the error message.

An error occurred sending mail: The mail server sent an incorrect greeting:  Your IP address is on the XBL blacklist! Sending denied.
For further information and delisting procedure,
please see http://www.spamhaus.org/query/bl?ip=188.119.192.40.


I have had a long dialogue with the new Wimax coy's techno (an Englishman fortunately) within a local area forum but it probably isn't politic to paste a link publicly here; I am however in a pickle and your offer of further assistance wouldn't be refused(!) Thanks in advance for continued help.

Title: Re: will Avast find PushDo?
Post by: ColinWB on June 06, 2013, 04:35:02 PM
Sorry, a quick PS.  Avast DOES find virus threats on incoming mails ....... so it is operating properly and OK.
Title: Re: will Avast find PushDo?
Post by: essexboy on June 06, 2013, 06:36:10 PM
For sure follow the steps here http://forum.avast.com/index.php?topic=53253.0
Then attach your logs in this thread
Title: Re: will Avast find PushDo?
Post by: Pondus on June 06, 2013, 06:50:03 PM
your IP is blacklisted by  http://whatismyipaddress.com/blacklist-check
 
barracuda.org / abuseat.org / junkmailfilter.com / zen.spamhaus.org / xbl.spamhaus.org / mailspike.net
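
The blacklist checks named in the posts above are DNS lookups: the IPv4 octets are reversed, the list's zone is appended, and an A-record answer in 127.0.0.0/8 means "listed". The sketch below is an added example, not part of the thread or any tool used in it; it builds the query name and decodes Spamhaus ZEN return codes, and the `constructed_resolver` answers are constructed sample data so it runs offline.

```python
import ipaddress
import socket

# Return codes Spamhaus publishes for the combined ZEN zone.
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.9": "SBL DROP",
             "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL",
             "127.0.0.7": "XBL", "127.0.0.10": "PBL", "127.0.0.11": "PBL"}
ERROR_PREFIX = "127.255.255."  # usage/resolver errors, not listings


def dnsbl_name(ip, zone):
    """Query name for a DNSBL: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check(ip, zone="zen.spamhaus.org", resolve=socket.gethostbyname_ex):
    """Return (listed, labels) for ip in zone."""
    try:
        _, _, answers = resolve(dnsbl_name(ip, zone))
    except (socket.gaierror, socket.herror):
        # No A record: not listed. A resolver failure looks the same here,
        # so repeat the query before relying on a negative result.
        return False, []
    errors = [a for a in answers if a.startswith(ERROR_PREFIX)]
    if errors:
        raise RuntimeError("DNSBL rejected the query: " + ", ".join(errors))
    labels = sorted({ZEN_CODES.get(a, "unknown " + a) for a in answers})
    return True, labels


def constructed_resolver(name):
    """Offline stand-in for DNS; the answers are constructed sample data."""
    if name == "40.192.119.188.zen.spamhaus.org":
        return name, [], ["127.0.0.4"]
    raise socket.gaierror(socket.EAI_NONAME, "constructed NXDOMAIN")


if __name__ == "__main__":
    for ip in ("188.119.192.40", "188.119.192.56"):
        print(ip, check(ip, resolve=constructed_resolver))
```

Calling `check(ip)` without the `resolve` argument queries live DNS. Spamhaus answers queries relayed through large public resolvers with a 127.255.255.x code, which this function raises as an error instead of reporting a listing.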
Title: Re: will Avast find PushDo?
Post by: polonus on June 06, 2013, 07:20:33 PM
Because this found associated there: htxp://www6.addfreestats.com/cgi-bin/showuni3.cgi?usr=00605438
see: 188.119.192.40.pool.eurona.net. GRANADA. Google.es -> interpares malaga [#15]. Entry -> 1 -MALAGASERVICEFLATS INTERPARES -FIN SEMANA DES etc.

polonus
Title: Re: will Avast find PushDo?
Post by: ColinWB on June 06, 2013, 10:40:51 PM
Essex Boy:     three logs attached.... I hope I've done it correctly,  over.

Polonus:  not sure what your second note means.  So far as my IP being blocked by the sites you quote, my WiMaxtechno says the address has been clean for some days.  I'm getting very confused.
Title: Re: will Avast find PushDo?
Post by: essexboy on June 06, 2013, 10:53:07 PM
OK I have found a grand total of two orphaned adware elements and that is it.  No unusual files have been added or modified for the last 30 days
I do not believe that you are infected 

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:OTL
IE - HKLM\..\URLSearchHook: {124d001a-bdcb-472f-aa59-bbe7e4bc3204} - No CLSID value found
O2:64bit: - BHO: (no name) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - No CLSID value found.
O3 - HKU\S-1-5-21-819605704-1034043224-4017780248-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [Best Antivirus] C:/Program Files (x86)/Best Antivirus/BestAntivirus.exe File not found
O4 - HKLM..\Run: [Best Antivirus Agent] C:/Program Files (x86)/Best Antivirus/BestAntivirusAgent.exe File not found
O4 - HKLM..\Run: [Best Antivirus Updater] C:/Program Files (x86)/Best Antivirus/BestAntivirusUpdater.exe File not found

:Files
C:/Program Files (x86)/Best Antivirus

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
Title: Re: will Avast find PushDo?
Post by: polonus on June 06, 2013, 10:57:25 PM
Let this not interfere with essexboy's cleansing routine.

The additional info I gave was for some adware launching that has been flagged in combination with that IP and sustained by the following evidence.

See: http://www.ipvoid.com/scan/188.119.192.40/ - for more details: http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a188.119.192.40&run=toolpage

Inclusion in either of the MAILSPIKE Blacklists (BL or Z) means that your IP Address has most likely been identified as being part of a real-time spam outbreak. More specifically, Mailspike lists IPs that are part of a distributed spam wave and does not take into consideration over-time IP behavior. It is also worth noting that this RBL is a zero-hour list, meaning that you can be listed and then unlisted very quickly. Please remember that normal propagation will occur and while your IP address may be unlisted on the Mailspike site, other services which query their database could still show you as listed until the listing expires.

polonus
Title: Re: will Avast find PushDo?
Post by: ColinWB on June 12, 2013, 10:35:58 PM
I am still unable to send emails and CBL is telling me now I have a different bug, viz -
"
This IP is operating (or NATting for a computer that is operating) the "sendsafe" or similar (such as Advanced Mass Sender - AMS) bulk emailing malware. This software is almost exclusively used for sending "Nigerian 419"/"advance fee" frauds or phishing attempts. It is also used occasionally to send pharmaceutical spam.
"

- beforehand it was suggesting the virus was PushDo.  Is this a significant development please...... ?

 I'm off to a wifi cafe tomorrow in the hope I get issued another IP address so I should see whether I am allowed to send or not....
Title: Re: will Avast find PushDo?
Post by: essexboy on June 12, 2013, 11:27:38 PM
Did you run the OTL fix ?
Title: Re: will Avast find PushDo?
Post by: ColinWB on June 13, 2013, 09:24:58 AM
Yes I ran that fix and made the report as requested.
I have today sent emails without difficulty from a wi-fi node in a cafe.  Significant?

I have also realised I am making a problem for you and myself as we have two laptops in the house running on the same system and the same IP address; one is used daily for emails, the other logs on less frequently for music etc.  Therefore - can I run the OTL fix on the other machine ad lib, or do you send me a link or particular instruction.  Realising the work I'm causing, it would be churlish of me not to upgrade my subscription from 'Free' so consider it done this evening and accept my thanks for your help.
CB
Title: Re: will Avast find PushDo?
Post by: CraigB on June 13, 2013, 09:39:47 AM
Essexboy will be back on the forum later on so please wait for his further instructions, in the meantime do not run the same OTL fix on the other system as each fix is specifically created for that individual computer.
Title: Re: will Avast find PushDo?
Post by: essexboy on June 13, 2013, 02:53:56 PM
No, we will need a separate log for each computer as they will be different
Title: Re: will Avast find PushDo?
Post by: ColinWB on June 13, 2013, 11:02:19 PM
Hopefully the following is appropriate.  Thank you in advance.
Title: Re: will Avast find PushDo?
Post by: essexboy on June 13, 2013, 11:14:08 PM
That one actually looks nice and clean ..  How is it behaving ?
Title: Re: will Avast find PushDo?
Post by: ColinWB on June 14, 2013, 04:21:11 PM
The machine works fine, good and fast.  I'm still unable to send emails, and am still IP  188.119.192.40.  The WiMax coy techno has given me the following advice which, quite frankly, I'm very reluctant to follow as I'm not happy about adding code I don't understand to a machine which may not have a problem........


One possible thing you can try additionally is to force any attempts to send anything to 78.47.46.141 to a dummy IP address. This will only work for that address though and it may change.

This can be done by editing the file:
C:\Windows\System32\drivers\etc\HOSTS and adding the line:

127.0.0.1 78.47.46.141

to the end. The file will look a bit like this:

# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost
#      ::1             localhost
127.0.0.1      localhost


So where do I go from here if my machines are clean?  The first IP address I was given has been clear on Spamhaus (188.119.192.56) for some time; my current IP is blocked.  Apart from going back to the previous WiMax provider (who was more expensive but I was able to send!) what is your advice please?
Title: Can the fault be with CBL
Post by: ColinWB on June 14, 2013, 04:32:45 PM
CBL appears to be the only site that blocks my IP.  Can this be the villain?
Title: Re: will Avast find PushDo?
Post by: essexboy on June 14, 2013, 04:53:39 PM
127.0.0.1 78.47.46.141 this entry will route all your data to a server in Germany .. See screenshot.  I do not understand what he is trying to achieve there as if it is a dummy address then your internet may cease to work 


Quote
It was last detected at 2013-06-08 02:00 GMT (+/- 30 minutes), approximately 6 days, 12 hours, 29 minutes ago.
CBL report.  If you have no problem using hotspots then it is your ISP at fault 
Why do they insist on giving a static IP and why will they not change it?
Title: Re: will Avast find PushDo?
Post by: ColinWB on June 17, 2013, 09:02:59 PM
Three weeks to the day since it all started and suddenly I can send without difficulty.  Don't understand why but grateful to you for your support.
Title: Re: will Avast find PushDo?
Post by: essexboy on June 17, 2013, 09:50:34 PM
Not a problem, to be honest all you had was a little adware..  I wonder if you were given an IP that was previously a spambot ?
Title: Re: will Avast find PushDo?
Post by: ColinWB on August 17, 2013, 10:12:35 PM
I am embarrassed to say I need to re-open this discussion.  After the 3 weeks of being unable to send emails, suddenly the fog cleared and all resumed to normal as tho' nothing had ever happened. 

After many weeks of sending emails without problems we turned everything off when the builders came to change the electrics.  After 28 hrs or so I booted everything up, sent a few emails only to find my (new?) IP address was being blocked by CBL.  (188.119.192.40)  I have checked ALL internal IP addresses, I have deep scanned with Avast, I have used MS Security Scanner (deep) and all say no problems.   I've done lookup and ipconfigs.   If I go to the ISP I'm sure they'll say I am infected but I am sure I'm not.  Is there any way of seeing if the ISP is provably at fault?   I have one last trump card....a laptop I have not opened for 2 years, so if this sends blocked mails (if you see what I mean) then it has to be them, but how do I convince them?  Help again please, famed avast !
Title: Re: will Avast find PushDo?
Post by: essexboy on August 17, 2013, 11:02:50 PM
Try the laptop and see if that gets blocked
Title: Re: will Avast find PushDo?
Post by: ColinWB on August 19, 2013, 09:47:02 PM
The laptop has not been used since Feb2013; I thought it was older.  However, an outgoing email was blocked.
A direct question please - can it be my mail.domain.com  outgoing server to blame?  Its own IP address passed when I checked the sequence of numbers, so I assume it's clean along with ALL other internal numbers.   I do not have contact with everyone using this ISP in Spain but the local area general chat  forum, chaired by the ISP's local agent, is not being flooded with complaints like mine.   Why me?  What's happening and how do I solve it?  A totally new install of W7 seems to be the only solution.  Or ditching the company and going back to a more expensive and slower competitor.  It's all very strange.
Title: Re: will Avast find PushDo?
Post by: essexboy on August 19, 2013, 11:42:07 PM
If the laptop was blocked then there is nothing on your computers causing this, in my assessment,  it is an ISP problem.  Is your IP address able to be changed ?
Title: Re: will Avast find PushDo?
Post by: ColinWB on August 22, 2013, 09:40:52 PM
Hooray....they admit it's their fault !      Thanks very much for your input.

Brgds......   Out!
Title: Re: will Avast find PushDo?
Post by: essexboy on August 22, 2013, 09:42:46 PM
Glad it is now resolved. For a while I thought that there was something brand new that I was not seeing, even though the evidence said otherwise :)