Avast WEBforum

Other => Viruses and worms => Topic started by: Izzyflip on May 27, 2005, 06:42:12 AM

Title: Recurring Email - Virus??
Post by: Izzyflip on May 27, 2005, 06:42:12 AM
I have an email message that keeps coming back into my inbox and freezing up the receipt of other mail.
It is not on the server. Somehow it keeps regenerating itself from within my email program or my computer.

I tried blocking the message, deleting it, etc. and it keeps coming back. Sometimes every day, sometimes after a few days.

It is from supprefnum174@citibank.com, no subject line, nothing in the body, no attachments.

I have emailed citibank and my ISP about it and they have not provided any valid answers.

I have searched "supprefnum", etc and have found no helpful information.

Avast found the following in a virus scan:
A0056375.ocx & brix6ie.ocx infected with the virus Win32: Adan-053 [Adw]

I have been unable to find any information on that virus and what to do about it. Avast suggested I put those files in the virus chest, which I did. I am still getting the recurring email message.
Did another scan last night and it found this:
C:\Documents & Settings\Application Data\Mozilla\Profiles\Default\tvdy7amh.slt\Cache\AOEA5AC6dO1\[UPX]
Unable to scan, UPX archive is corrupted.

I emptied the cache.

Still getting the email.

I am using Mozilla Suite 1.6 for browser and email.
Help!! Please and thank you.
Title: Re: Recurring Email - Virus??
Post by: Lisandro on May 27, 2005, 04:21:43 PM
Quote
I tried blocking the message, deleting it, etc. and it keeps coming back. Sometimes every day, sometimes after a few days.

Quote
Did another scan last night and it found this:
C:\Documents & Settings\Application Data\Mozilla\Profiles\Default\tvdy7amh.slt\Cache\AOEA5AC6dO1\[UPX]
Unable to scan, UPX archive is corrupted.
You should try to delete the Mozilla temporary files.

Also, it may be useful to disable System Restore. If you find a virus keeps coming back after you delete it, it has most probably infected the System Restore folder; the best way to solve this is to disable System Restore, reboot your machine and then enable it again. After that, run a full avast! scan. System Restore cannot be disabled on Windows 9x. Enable/Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405

Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.
Title: Re: Recurring Email - Virus??
Post by: DavidR on May 27, 2005, 06:14:57 PM
The fact that it keeps coming back doesn't mean it is the same virus, just that it keeps getting sent to you and avast keeps detecting it. It shouldn't be on your computer if you kept deleting it (but if you let it through once, that may be why it has been detected on a scan). Follow Tech's suggestions.

The from address is undoubtedly forged, and trying to block individual emails is like trying to hit a moving target; you could block the domain citibank.com (unless you are a Citibank customer and would expect to get email from them).

They are likely to be speculative email phishing attempts in the hope that some gullible citibank customer will visit the link and enter their username, password and account details leaving their account open to fraud.

Your email address looks like it has been harvested in some way and ended up on a spam list, so aside from the virus emails you are probably getting some spam too. I suggest that you get an anti-spam tool. I use MailWasher Pro, which allows me to monitor and delete spam from my ISP's mail server so it doesn't get downloaded; this can also be used to delete suspicious/infected emails. There is a freeware version of MailWasher; however, it only allows monitoring of one email account.
Title: Re: Recurring Email - Virus??
Post by: Izzyflip on May 28, 2005, 06:34:21 AM
Thank you everyone for the help.
I am going to try the reboot and scheduled boot scan as suggested. Will post my results.
I do get a lot of spam and have some filtering through my ISP.
Will look into the Mailwasher program, it sounds like it would be useful.
Title: Re: Recurring Email - Virus??
Post by: Izzyflip on May 30, 2005, 01:26:44 AM
I turned off system restore function.
Did a bootscan with avast.
Did a full scan with avast.
Shutdown. Rebooted, etc, etc.
Turned system restore back on and back it came.
So I think that it is in the system restore files but avast not finding it??
How do I check for it in the system restore files?
Is there not a removal tool for Win32: Adan-053 [Adw]?
I haven't been able to find any info on this virus/worm or how to remove it.
I am leaving system restore off for this week to see if the email comes back again.
Any other help anyone can provide will be greatly appreciated.
Thanks.
Title: Re: Recurring Email - Virus??
Post by: Lisandro on May 30, 2005, 03:12:18 AM
Quote
Turned system restore back on and back it came.
So I think that it is in the system restore files but avast not finding it??
The files 'appeared' there only after you enabled System Restore.
When you disable it, all files are deleted (including the infected ones there).

Quote
How do I check for it in the system restore files?
Just run a normal full scan (all drives, and check the archive files scanning option too).

Quote
I haven't been able to find any info on this virus/worm or how to remove it.
You're clean now as far as we can notice...  8)
Title: Re: Recurring Email - Virus??
Post by: Izzyflip on June 01, 2005, 03:53:21 AM
I thought it was gone. But it's not!!
I had system restore off for a few days and the email didn't show up, until today!!
I went to trend.com and did an online scan there and it found nothing.
Just about to do another avast scan right now, see what it finds.
Will post my results.
Thanks again for the help.

Title: Re: Recurring Email - Virus??
Post by: Lisandro on June 01, 2005, 05:13:29 AM
Try other antispyware applications (freeware): download, install, update and run them.
Ad-Aware (http://www.lavasoft.de/support/download)
Spybot Search and Destroy (http://www.safer-networking.org/index.php?lang=en&page=download)
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html)
A-squared (http://www.emsisoft.com/en/software/free)
Ewido (http://www.ewido.net/en)
Title: Re: Recurring Email - Virus??
Post by: Izzyflip on June 01, 2005, 08:50:30 AM
I have Ad Aware and Spybot.
I just Ad Aware and did a scan a few days ago and it just found tracking cookies and they are in quarantine.
I ran Spybot a few days ago, too and it did not find anything. It hadn't been updated in a while so I just did that and ran another scan. It said no immediate threats were found.
What next??
Thanks again.

Title: Re: Recurring Email - Virus??
Post by: DavidR on June 01, 2005, 03:08:23 PM
Quote
I thought it was gone. But it's not!!
I had system restore off for a few days and the email didn't show up, until today!!

Sorry to keep harping on, but:
Quote
The fact that it keeps coming back doesn't mean it is the same virus, just that it keeps getting sent to you and avast keeps detecting it.

It is simply another infected email. Yes, it may have the same infection; that happens, as the virus may currently be the one doing the rounds, and these phishing emails are very prolific.

Either someone you know has an infected system and it is sending out infected emails to those in their addressbook or your name is on a list.

Be thankful that avast detects these emails and if your response was to delete them, once deleted they aren't on your system, so a scan will return nothing relating to that email detection.
Title: Re: Recurring Email - Virus??
Post by: Izzyflip on June 01, 2005, 09:29:49 PM
I am pretty sure it is not being sent to me again.
It is in my system somewhere and regenerating itself as I have gone online several times and checked my email on my ISP before downloading it from my email program and the email is not on the server. But when I then download email to my computer, it shows up.
It is dated Nov 23, 2004 2:39am and it always has that date and time everytime it shows up.
Title: Re: Recurring Email - Virus??
Post by: DavidR on June 01, 2005, 09:38:46 PM
Quote
I am pretty sure it is not being sent to me again.
How have you arrived at that opinion?

Which provider is picking it up the infected email, Internet Mail or Standard Shield?

Quote
I then download email to my computer, it shows up.
Which leads me to believe it is a received email.

I suggest that you download the freeware MailWasher program and use that to monitor the email account that this is coming in on. This should confirm/deny that it is being received and not regenerated.

The date and time like the from address can be forged.
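To make the point above concrete, here is an added example (not from the thread, and not code from any of the tools mentioned) that reads a constructed raw message with Python's standard email module and shows why From: and Date: say nothing about where the mail came from, while the Received: lines written by the recipient's own ISP do. Only the sender address and the Nov 23, 2004 date are the ones the poster reported; the host names, IPs and the list of trusted ISP servers are made-up assumptions.

```python
"""Why From: and Date: prove nothing about where the recurring mail came from.

Added example, not from the thread.  The raw message is constructed: the sender
address and the 23 Nov 2004 date are the ones reported in the posts above; the
host names, IPs and the ISP's server list are made up."""
import re
from datetime import timedelta
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime
from typing import Optional

# Each MTA on the path prepends its own Received: line, so the first line is
# the newest hop.  The peer said "HELO citibank.com"; the ISP's MTA recorded
# in parentheses what it actually saw (reverse DNS and IP).  Constructed.
RAW = (
    b"Received: from mail.example-isp.invalid (mail.example-isp.invalid [192.0.2.10])\n"
    b"\tby pop.example-isp.invalid with ESMTP; Wed, 1 Jun 2005 13:05:44 -0700\n"
    b"Received: from citibank.com (dialup-203-0-113-7.example.invalid [203.0.113.7])\n"
    b"\tby mail.example-isp.invalid with SMTP; Wed, 1 Jun 2005 13:02:11 -0700\n"
    b"From: supprefnum174@citibank.com\n"
    b"To: victim@example-isp.invalid\n"
    b"Date: Tue, 23 Nov 2004 02:39:00 -0800\n"
    b"\n"
)

# Hypothetical: the recipient's ISP servers.  Received: lines they wrote can
# be believed; anything older may have been typed by the sender, who controls
# the whole message until it reaches the first real MTA.
TRUSTED_MTAS = {"pop.example-isp.invalid", "mail.example-isp.invalid"}

_FROM = re.compile(r"\bfrom\s+(?P<claimed>\S+)(?:\s+\((?P<observed>[^)]*)\))?")
_BY = re.compile(r"\bby\s+(?P<by>\S+)")


def parse(raw: bytes):
    return message_from_bytes(raw)


def header_sender(msg) -> tuple:
    """From: is free text chosen by the sender.  Returns (domain, address)."""
    _, addr = parseaddr(msg["From"])
    return addr.rpartition("@")[2].lower(), addr


def received_hops(msg) -> list:
    """The Received: chain in transit order (oldest hop first)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        clause, sep, stamp = hdr.rpartition(";")
        if not sep:                      # no timestamp clause at all
            clause, stamp = hdr, ""
        frm, by = _FROM.search(clause), _BY.search(clause)
        hops.append({
            "claimed": frm["claimed"] if frm else None,    # HELO name the peer sent
            "observed": frm["observed"] if frm else None,  # rDNS/IP the receiver logged
            "by": by["by"] if by else None,
            "time": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
        })
    return hops


def injection_point(msg, trusted=TRUSTED_MTAS) -> Optional[dict]:
    """Walk newest to oldest while the hop was written by a trusted MTA; the
    last such hop records who really handed the message to the ISP."""
    edge = None
    for hop in reversed(received_hops(msg)):
        if hop["by"] not in trusted:
            break
        edge = hop
    return edge


def sender_domain_matches_origin(msg, trusted=TRUSTED_MTAS) -> bool:
    """True only if the injecting host's reverse DNS is under the From: domain.
    Mail with a forged From: fails this, as the sample does."""
    domain, _ = header_sender(msg)
    edge = injection_point(msg, trusted)
    if not edge or not edge["observed"]:
        return False
    rdns = edge["observed"].split()[0].lower()
    return rdns == domain or rdns.endswith("." + domain)


def date_skew(msg, trusted=TRUSTED_MTAS) -> timedelta:
    """How far the sender-supplied Date: lags the first trusted MTA's clock.
    Date: is just another header; months of skew mean it was forged (or the
    sending machine's clock is wrong), not that the message is old."""
    edge = injection_point(msg, trusted)
    return edge["time"] - parsedate_to_datetime(msg["Date"])


if __name__ == "__main__":
    msg = parse(RAW)
    print("From: domain:", header_sender(msg)[0])
    for hop in received_hops(msg):
        print(f"by {hop['by']}: peer claimed {hop['claimed']!r}, seen as {hop['observed']!r}")
    print("injecting host under From: domain?", sender_domain_matches_origin(msg))
    print("Date: header lags the ISP's clock by", date_skew(msg))
```

On the sample the ISP's own server logged the peer as a dial-up host, not anything under citibank.com, and the Date: header sits 190 days behind the ISP's timestamp; the same two checks on the real message (the ISP's Received: lines are visible in the message source in Mozilla) settle whether it is freshly delivered mail carrying an old, forged date.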
Title: Re: Recurring Email - Virus??
Post by: Izzyflip on June 01, 2005, 09:52:35 PM
I believe it is not being sent to me again as I go to uniserve.com which is my ISP and check my email there and the message is not there. I then logoff from there. Open my email program (which is mozilla) and download my messages from the server and the email in question shows up.
If it is not in my inbox online but shows up in my email program, then would that not suggest that it is coming from within my system, not being remailed to me?
I am not that prolific at these things so hey I could very well be wrong.
I will try the mailwasher for sure.
Title: Re: Recurring Email - Virus??
Post by: Izzyflip on June 04, 2005, 05:44:24 AM
I installed mailwasher and it did not catch the recurring email.
I opened mailwasher today, reviewed emails and marked unwanted ones for deletion - the recurring email was not there, then had mailwasher process and open my mail program and download the messages I wanted to my inbox. The recurring email showed up in my inbox even though it was not in the mailwasher list I had just reviewed.
I am stumped.
Any other ideas out there??!!
Title: Re: Recurring Email - Virus??
Post by: whocares on June 04, 2005, 01:46:03 PM
empty trash in Mozilla, then COMPACT/COMPRESS/Clean all Folders from within mozilla
Also clean out similarly any intervening mailwashers/spamkillers etc etc..
Empty Mozilla Cache including offline-files (if any) for ALL users
(maybe avast shield needs to be paused for the above)

Also post a Hijackthis-Log for Diagnosis (see link "VirusRemoval" below in my sig)

 ;)
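For readers wondering what "compact" does in Mozilla Suite (and Thunderbird): each mail folder is one mbox file in the profile (Mail\<server>\Inbox, with an Inbox.msf index next to it), and deleting a message only sets the Expunged bit in its X-Mozilla-Status header; the message bytes stay in the file until Compact Folders rewrites it. The added Python example below (not from the thread and not Mozilla's own code) builds a constructed three-message folder, lists which messages are still on disk with that bit set, and writes a compacted copy. The first message reuses the sender and date from the thread; everything else is invented. Run anything like this only against a copy, with Mozilla closed, because the client and its .msf index assume nothing else touches the file.

```python
"""What "Compact Folders" does to a Mozilla Suite / Thunderbird mbox folder.

Added example, not from the thread or from Mozilla.  The sample folder below
is constructed; only the first message's sender and date come from the posts."""
import mailbox
import tempfile
from pathlib import Path

# X-Mozilla-Status bits (nsMsgMessageFlags).  Expunged = deleted by the user
# but not yet compacted away: hidden in the UI, still present on disk.
READ, REPLIED, MARKED, EXPUNGED = 0x0001, 0x0002, 0x0004, 0x0008

SAMPLE_FOLDER = (
    "From - Tue Nov 23 02:39:00 2004\n"
    "X-Mozilla-Status: 0009\n"          # Read | Expunged: the user deleted it
    "X-Mozilla-Status2: 00000000\n"
    "From: supprefnum174@citibank.com\n"
    "To: victim@example-isp.invalid\n"
    "Date: Tue, 23 Nov 2004 02:39:00 -0800\n"
    "\n"
    "\n"
    "From - Sat Jun 04 09:12:00 2005\n"
    "X-Mozilla-Status: 0001\n"          # Read
    "X-Mozilla-Status2: 00000000\n"
    "From: friend@example.invalid\n"
    "To: victim@example-isp.invalid\n"
    "Subject: lunch?\n"
    "Date: Sat, 4 Jun 2005 09:12:00 -0700\n"
    "\n"
    "Are you free on Monday?\n"
    "\n"
    "From - Sat Jun 04 11:40:00 2005\n"
    "X-Mozilla-Status: 0000\n"          # unread
    "X-Mozilla-Status2: 00000000\n"
    "From: newsletter@example.invalid\n"
    "To: victim@example-isp.invalid\n"
    "Subject: June issue\n"
    "Date: Sat, 4 Jun 2005 11:40:00 -0700\n"
    "\n"
    "Body text.\n"
    "\n"
)


def mozilla_flags(msg) -> int:
    """Decode the 16-bit hex X-Mozilla-Status value (0 if the header is absent)."""
    return int(msg.get("X-Mozilla-Status", "0000"), 16)


def audit(folder: Path) -> list:
    """One record per message physically present in the mbox file."""
    box = mailbox.mbox(str(folder), create=False)
    try:
        records = []
        for i, msg in enumerate(box):
            flags = mozilla_flags(msg)
            records.append({
                "index": i,
                "from": msg.get("From"),
                "subject": msg.get("Subject", "(no subject)"),
                "flags": flags,
                "pending_delete": bool(flags & EXPUNGED),
            })
        return records
    finally:
        box.close()


def compact(src: Path, dst: Path) -> int:
    """Copy src to dst without the Expunged messages; return how many were
    dropped.  Mozilla does this in place and also rewrites the .msf index;
    here the index is left for the client to rebuild."""
    inbox, out = mailbox.mbox(str(src), create=False), mailbox.mbox(str(dst))
    dropped = 0
    try:
        for msg in inbox:
            if mozilla_flags(msg) & EXPUNGED:
                dropped += 1
            else:
                out.add(msg)   # mboxMessage keeps its "From - ..." separator line
        out.flush()
    finally:
        inbox.close()
        out.close()
    return dropped


def demo() -> dict:
    """Write the sample folder to a temp dir, audit it, then compact it."""
    with tempfile.TemporaryDirectory() as tmp:
        inbox = Path(tmp) / "Inbox"
        inbox.write_bytes(SAMPLE_FOLDER.encode())
        before = audit(inbox)
        dropped = compact(inbox, Path(tmp) / "Inbox.compacted")
        after = audit(Path(tmp) / "Inbox.compacted")
        return {
            "before": len(before),
            "pending": sum(r["pending_delete"] for r in before),
            "dropped": dropped,
            "after": len(after),
            "hidden_senders": [r["from"] for r in before if r["pending_delete"]],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Before compaction the audit reports three messages on disk with one, the citibank.com one, flagged Expunged; the compacted copy holds two. Pointing audit() at a copy of the real Inbox file shows whether the recurring message is sitting there with that bit set, which is the case "Compact Folders" is meant to clean up.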
Title: Re: Recurring Email - Virus??
Post by: Izzyflip on June 06, 2005, 10:39:40 PM
Bear with me as I am not sure what you are asking me to do.
I always empty trash before closing Mozilla mail.
Quote
COMPACT/COMPRESS/Clean all Folders from within mozilla
Not sure what you want me to do. There is an option to compact folders and I did that but I don't really know what exactly that does. What do you mean by "clean" all folders?

Quote
Also clean out similarly any intervening mailwashers/spamkillers etc etc..
Again not sure what you mean by "clean"

I emptied the cache in Mozilla.
Note: Hijack detects IE - I only use IE if a page won't open properly in Mozilla.

Here is the current HijackThis-Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:27:55 PM, on 6/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) 

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Accelerated Access\aaccess.exe
C:\Program Files\Internet Call Director\ICD.EXE
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\PROGRA~1\ACDSYS~1\ACDSee\ACDSee.exe
C:\DOCUME~1\FUTURE~1\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pageaday.com/pad/2004STUP/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\WINDOWS\Speech\Dragon\web_ie.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Accelerated Access\PBHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LyraHDProfiler] "C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: Internet Call Director.LNK = C:\Program Files\Internet Call Director\ICD.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Uniserve Accelerated Access.lnk = C:\Program Files\Accelerated Access\aaccess.exe
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Accelerated Access\aaccess.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Accelerated Access\aaccess.exe/227
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com/start.html
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://www.panel3.angusreid.com/central/02030105/cccabs/CleverContent.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {5242A5A1-EF1E-11D5-B3EE-0050DAC5EBD0} (printQuick Browser Add In (Ver4)) - http://216.65.221.30/plugin/axversion/1400/printQuick1400.cab
O16 - DPF: {5D11F7A5-DB3D-458B-80DF-08EFC77C4F39} (NetOnCourse MILive Participant Control(MR)) - http://62.219.1.103/events/bin/media/2.2.3.0-2.0.2.3/MILive.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1000/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://ftp.coupons.com/brxpdf5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1953B555-94A6-4D34-BB4C-684521AE0B9D}: NameServer = 216.113.192.3 216.113.192.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{1953B555-94A6-4D34-BB4C-684521AE0B9D}: NameServer = 216.113.192.3 216.113.192.4
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
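
The log above is the kind of thing a responder reads line by line; as an added example (not from the thread and not HijackThis code) the Python below parses it and applies the usual first-pass checks: a configured browser proxy (R0/R1), ActiveX controls IE was told to download (O16) that came over plain HTTP or from a bare IP, the DNS servers (O17), DLLs winlogon loads at logon (O20) and services whose binary HijackThis could not find (O23). The sample lines are copied from the log posted above; no other input is invented.

```python
"""First-pass triage of a HijackThis log.  Added example; the sample lines
are taken from the log posted in the thread, the checks are this editor's."""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://www.panel3.angusreid.com/central/02030105/cccabs/CleverContent.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {5242A5A1-EF1E-11D5-B3EE-0050DAC5EBD0} (printQuick Browser Add In (Ver4)) - http://216.65.221.30/plugin/axversion/1400/printQuick1400.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1953B555-94A6-4D34-BB4C-684521AE0B9D}: NameServer = 216.113.192.3 216.113.192.4
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
"""

HJT_LINE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
DPF_ENTRY = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>.*)\))? - (?P<url>\S+)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hjt(text: str) -> list:
    """Split the log into (kind, body) records; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def dpf_controls(entries) -> list:
    """O16 entries: ActiveX controls downloaded into IE, with where they came from."""
    out = []
    for e in entries:
        if e["kind"] != "O16":
            continue
        m = DPF_ENTRY.match(e["body"])
        if not m:
            continue
        u = urlparse(m["url"])
        out.append({
            "clsid": m["clsid"],
            "name": m["name"] or "(no name)",
            "url": m["url"],
            "plain_http": u.scheme == "http",              # no integrity on the download
            "bare_ip": bool(IPV4.match(u.hostname or "")),  # nothing to attribute it to
        })
    return out


def triage(entries) -> list:
    """Human-readable notes for the entries a responder looks at first."""
    notes = []
    for e in entries:
        kind, body = e["kind"], e["body"]
        if kind in ("R0", "R1") and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            notes.append(f"{kind}: IE proxy set to {proxy}; identify the listening "
                         f"process with 'netstat -ano' before calling it benign")
        elif kind == "O17":
            servers = body.split("NameServer =", 1)[1].strip()
            notes.append(f"O17: DNS servers {servers}; confirm they belong to the ISP")
        elif kind == "O20":
            notes.append(f"O20: DLL loaded by winlogon at logon: {body}")
        elif kind == "O23" and "(file missing)" in body:
            notes.append(f"O23: binary not found for {body.split(' - ')[0]}; "
                         f"cross-check the running-process list before acting")
    for c in dpf_controls(entries):
        if c["plain_http"] or c["bare_ip"]:
            why = "plain HTTP" if c["plain_http"] else "HTTPS"
            if c["bare_ip"]:
                why += ", bare IP host"
            notes.append(f"O16: {c['name']} {c['clsid']} fetched over {why}: {c['url']}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_hjt(SAMPLE_LOG)):
        print(note)
```

Reading the results against the full log: the 127.0.0.1:5400 proxy is consistent with the "Uniserve Accelerated Access" web accelerator in the O4 Global Startup entries, but only netstat on the machine can confirm which process owns that port. The two avast "(file missing)" services are false positives: the stray quote left in the path shows HijackThis mis-split a quoted ImagePath, and the process list shows ashMaiSv.exe and ashWebSv.exe running. The O20 PCANotify DLL and the O23 awhost32 service are Symantec pcAnywhere, a remote-control host; if nobody uses it deliberately, it is exposure worth removing. The Brix6ie Control cab from ftp.coupons.com matches the file name brix6ie.ocx that avast flagged as Win32:Adan-053 [Adw] at the start of the thread, which is where that file most plausibly came from.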


Title: Re: Recurring Email - Virus??
Post by: Lisandro on June 07, 2005, 03:47:03 AM
Quote
Again not sure what you mean by "clean"

Antispyware applications (freeware): download, install, update and run them.
Ad-Aware (http://www.lavasoft.de/support/download)
Spybot Search and Destroy (http://www.safer-networking.org/index.php?lang=en&page=download)
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html)
A-squared (http://www.emsisoft.com/en/software/free)
Ewido (http://www.ewido.net/en)
Webroot Spy Sweeper: (http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10373771.html)
Microsoft AntiSpyware (http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en)
X-Cleaner Free (http://www.xblock.com/download-freeware.php)

For anti-Trojans see the shareware below (download, install, update and run it; you can test it for some days):
TrojanHunter (http://www.trojanhunter.com/)
TDS-3 (http://tds.diamondcs.com.au/)
Title: Re: Recurring Email - Virus??
Post by: Izzyflip on June 07, 2005, 04:25:10 AM
I have Ad-Aware and Spybot, both of which I updated and ran several days ago.
I will run again.
I will try Trojan hunter.
Thanks.
Title: Re: Recurring Email - Virus??
Post by: Izzyflip on June 07, 2005, 05:54:25 AM
I downloaded, installed, updated and ran Trojanhunter.
It did not find anything.
Title: Re: Recurring Email - Virus??
Post by: darth.mikey on June 07, 2005, 09:46:30 AM
I know this has nothing to do with it, but Mozilla 1.6 is pretty old! Version 1.7.8 is out and since 1.6 there have been a lot of security and other improvements! I hope you will defeat that malware!

Best wishes!

Mikey
Title: Re: Recurring Email - Virus??
Post by: Izzyflip on June 07, 2005, 08:02:23 PM
I agree, I think it is time to update Mozilla.
If you can believe it - I had firefox first and switched to Mozilla suite - I thought it was much nicer to have an integrated browser and email. Apparently there is some controversy between the two that I just read about. Mozilla users feel Firefox is getting all the attention and Mozilla or rather Seamonkey is being forgotten.
I do hope I resolve this issue, too.
Knock on wood, I've never had any problems with this computer before.
I'll keep plugging away and see if I can get rid of it.
Thanks again all for the help.
Will post any new findings I have.