Author Topic: email virus  (Read 5240 times)

jakeholly

  • Guest
email virus
« on: December 06, 2007, 12:48:44 AM »
I have a virus that results in my receiving many emails that are returns due to invalid email addresses, though I did not send any emails (not sure if I explained that well).  I first ran a standard scan and nothing was detected.  I then ran a thorough scan and a virus was detected.  I deleted it.  The emails kept coming.  I performed a thorough scan again and nothing was detected.  Please help.  Thanks.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: email virus
« Reply #1 on: December 06, 2007, 12:51:08 AM »
Deletion isn't really a good first option (you have none left); 'first do no harm': don't delete, send the virus to the chest and investigate.

I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on.
4. Use AVG Antispyware, SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

jakeholly

  • Guest
Re: email virus
« Reply #2 on: December 06, 2007, 01:06:55 AM »
How do I clean temporary files? I am not very computer literate, though I did figure out how to temporarily turn off system restore point.  Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89625
  • No support PMs thanks
Re: email virus
« Reply #3 on: December 06, 2007, 03:51:00 AM »
Try one of these, which automate the process: ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner, etc.

Inbound emails are not your problem, especially bounced emails. Don't open any attachments (could be a tactic to infect you) nor reply to them; the best option is to delete the emails. The likely cause is that someone you know, with your email address in their address book, is infected with a trojan spambot that uses email addresses from his address book in the from email address. Unfortunately, bounced emails get sent to the from address even if that has been faked.

What is your email program?

Set the Internet Mail provider sensitivity to High; that should be able to identify if your system is sending out multiple identical emails.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.862) UI 1.0.814/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
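
Added example (not part of the thread and not avast code): one way to check the explanation in Reply #3 against a real bounce, assuming the bounce carries the original message as a message/rfc822 part. The sample bounce, all hostnames and addresses, and the function names `bounce_origin` and `sent_from_my_network` are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Constructed bounce for illustration; every host and address is made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: user@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; boundary="b1"

--b1
Content-Type: text/plain

nobody@example.net: user unknown
--b1
Content-Type: message/rfc822

Received: from pc ([203.0.113.45]) by mx.example.net; Thu, 6 Dec 2007 00:40:00 +0000
From: user@example.com
To: nobody@example.net

spam body
--b1--
"""

BRACKETED_IP = re.compile(r"\[([0-9a-fA-F:.]+)\]")

def bounce_origin(raw):
    """Return (claimed From, IP that handed the mail to the bouncing server)."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
            # The topmost Received line was added by the bouncing server;
            # anything below it came from the sender and can be forged.
            received = original.get_all("Received") or []
            m = BRACKETED_IP.search(str(received[0])) if received else None
            return str(original["From"]), (m.group(1) if m else None)
    return None, None

def sent_from_my_network(raw, my_networks):
    """True only if the bounced mail was handed over from one of my_networks."""
    try:
        addr = ipaddress.ip_address(bounce_origin(raw)[1])
    except (TypeError, ValueError):
        return False
    return any(addr in ipaddress.ip_network(n) for n in my_networks)
```

If the handing-over IP is outside every network you use, the From address was forged elsewhere and the bounce is backscatter, which matches the case described in the reply.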

jakeholly

  • Guest
Re: email virus
« Reply #4 on: December 06, 2007, 12:53:17 PM »
Thanks.  I have comcast webmail.  If it was my computer sending the emails, would they show up in my sent emails?  If so, then maybe I don't have a problem.

jakeholly

  • Guest
Re: email virus
« Reply #5 on: December 06, 2007, 12:56:40 PM »
Also, I ran a scan with system restore disabled and the results came back with 336 lines unable to be scanned.  Does that indicate a problem or is that because system restore was disabled?  Otherwise no viruses were found.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89625
  • No support PMs thanks
Re: email virus
« Reply #6 on: December 06, 2007, 03:58:03 PM »
Quote from: jakeholly
"Thanks.  I have comcast webmail.  If it was my computer sending the emails, would they show up in my sent emails?  If so, then maybe I don't have a problem."

No, they wouldn't show up in the sent items folder. Some malware comes with its own very small SMTP program which can send emails independently of your email client.

Having webmail only strengthens my view that someone you know is infected and their system is sending the email with a faked from address of your email address.
I take it that the address is your comcast webmail one?

Quote from: jakeholly
"Also, I ran a scan with system restore disabled and the results came back with 336 lines unable to be scanned.  Does that indicate a problem or is that because system restore was disabled?  Otherwise no viruses were found."

No, it doesn't indicate a problem; avast should also give a 'reason why' the files were unable to be scanned. Please give some common examples.

Many programs (usually security-based ones), such as AdAware and Spybot Search & Destroy, password protect their files for legitimate reasons; there are others (and avast doesn't know the password or have any way of using it even if it did know it).

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected. You should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so); this will reduce the number of files that can't be scanned.

By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to. You may need to expand the column headings to see all the text.

Files that can't be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

jakeholly

  • Guest
Re: email virus
« Reply #7 on: December 06, 2007, 11:07:48 PM »
It is my webmail I use.  I was told the same thing by someone at work, that because it is my webmail and not outlook that it is not me.  However, I looked at the expanded columns of my scan and all but three of the 336 files say password protected, but two say "CHM archive is corrupted" and one says "CAB archive is corrupted".  What does that mean?

One filename is

C:\Program Files\PFILES\COMMON\SYSTEM\ADO\ADO210.CHM\$WWAssociatedLinks\BTree

The second is all the same as first except \Data in lieu of \BTree at the end

The third is D:\PRELOAD\DATA9_03.INP\hwxkor.dll

Any idea what any of that means?  Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89625
  • No support PMs thanks
Re: email virus
« Reply #8 on: December 06, 2007, 11:48:10 PM »
I wouldn't worry about those, as avast may simply be unable to open the archive and reports this as corruption, though I didn't think .chm files were archives. I don't know the significance of the $ at the start of the $WWAssociatedLinks\, etc., perhaps an ADS stream, but in any case there is nothing avast can do to rectify any corruption if it does exist.

Some info on ado210.chm http://www.google.com/search?q=ADO210.CHM.

The third seems to be a Microsoft Korean Handwriting Recognizer file, though its usual location is C:\WINDOWS\system32\dllcache\ so I'm not sure why it is in the D:\preload folder.
http://www.bleepingcomputer.com/filedb/hwxkor.dll-4545.html

I don't know if you use Korean Handwriting recognition; if so and it works, again nothing to worry about.