Topic: will Avast find PushDo?

Offline ColinWB

  • Jr. Member
  • **
  • Posts: 27
will Avast find PushDo?
« on: June 05, 2013, 10:21:10 PM »
I have Avast Free  v. 8.0.1489
I am being told I have the trojan PushDo. Should Avast find this? If not, is it safe to say I do not have PushDo?

My outbound emails are blocked as advised by Spamhaus when sent over my new WiMax provider but emails all go through fine when sent via my previous (and still connected) WiMax company. The new coy gave me a new IP address as you'd expect and it is this one that is causing the problem and for some reason they don't want to give me a new IP as they're telling me to sort out my infection. Any pointers folks ???????

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: will Avast find PushDo?
« Reply #1 on: June 05, 2013, 10:25:34 PM »
Quote
My outbound emails are blocked as advised by Spamhaus when sent over my new WiMax provider but emails all go through fine when sent via my previous (and still connected) WiMax company

Quote
The new coy gave me a new IP address as you'd expect and it is this one that is causing the problem and for some reason they don't want to give me a new IP as they're telling me to sort out my infection. 
 

Reading the above leads me to suspect that they have acquired one of the C2 servers/IP address of the spambots. I can check out your system if you wish. But as the old IP has no problems then I suspect I will find nothing. Is Avast webshield calling any alerts when you send/receive e-mail?

Offline ColinWB

Re: will Avast find PushDo?
« Reply #2 on: June 06, 2013, 04:20:26 PM »
Thank you for your interest in my problem.  Avast Web Shield says and does nothing when I send and receive emails.....the following is the error message.

An error occurred sending mail: The mail server sent an incorrect greeting:  Your IP address is on the XBL blacklist! Sending denied.
For further information and delisting procedure,
please see http://www.spamhaus.org/query/bl?ip=188.119.192.40.


I have had a long dialogue with the new Wimax coy's techno (an Englishman fortunately) within a local area forum but it probably isn't politic to paste a link publicly here; I am however in a pickle and your offer of further assistance wouldn't be refused(!) Thanks in advance for continued help.


Offline ColinWB

Re: will Avast find PushDo?
« Reply #3 on: June 06, 2013, 04:35:02 PM »
Sorry, a quick PS. Avast DOES find virus threats on incoming mails ....... so it is operating properly and OK.

Offline essexboy

Re: will Avast find PushDo?
« Reply #4 on: June 06, 2013, 06:36:10 PM »
For sure follow the steps here http://forum.avast.com/index.php?topic=53253.0
Then attach your logs in this thread

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: will Avast find PushDo?
« Reply #5 on: June 06, 2013, 06:50:03 PM »
Your IP is blacklisted by http://whatismyipaddress.com/blacklist-check
 
barracuda.org / abuseat.org / junkmailfilter.com / zen.spamhaus.org / xbl.spamhaus.org / mailspike.net
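
Added example (not part of any post in this thread): the listings named above are DNS blocklist lookups, so they can be checked directly. This Python sketch builds the query name for zen.spamhaus.org and decodes the answer using Spamhaus's published return codes, keeping error codes separate from real listings; the function names and the injectable `resolve` parameter are assumptions of this example.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # combined Spamhaus zone named in the thread

# Last octet of a 127.0.0.x answer -> component list (Spamhaus return codes).
LISTS = {2: "SBL", 3: "SBL", 9: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
         10: "PBL", 11: "PBL"}
# 127.255.255.x answers are query errors, not listings.
ERRORS = {252: "typo in DNSBL name", 254: "query came via a public/open resolver",
          255: "excessive number of queries"}


def query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode(answer):
    """Classify one A record: ('list', name), ('error', text) or ('unknown', ip)."""
    o = ipaddress.IPv4Address(answer).packed
    if o[:3] == bytes([127, 0, 0]) and o[3] in LISTS:
        return ("list", LISTS[o[3]])
    if o[:3] == bytes([127, 255, 255]):
        return ("error", ERRORS.get(o[3], "unspecified error code"))
    return ("unknown", answer)


def check(ip, zone=ZONE, resolve=None):
    """Look the IP up and return which lists it is on, ignoring error codes."""
    resolve = resolve or (lambda name: socket.gethostbyname_ex(name)[2])
    try:
        answers = resolve(query_name(ip, zone))
    except socket.gaierror:
        answers = []  # NXDOMAIN: not listed (a resolver outage looks the same)
    decoded = [decode(a) for a in answers]
    lists = sorted({v for k, v in decoded if k == "list"})
    errors = [v for k, v in decoded if k == "error"]
    return {"listed": bool(lists), "lists": lists, "errors": errors}


if __name__ == "__main__":
    # Live DNS query for the address quoted in the thread.
    print(check("188.119.192.40"))
```

A result with a non-empty `errors` field means the lookup itself was refused (for example when it went through a public resolver) and says nothing about whether the address is listed.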

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: will Avast find PushDo?
« Reply #6 on: June 06, 2013, 07:20:33 PM »
Because this was found associated there: htxp://www6.addfreestats.com/cgi-bin/showuni3.cgi?usr=00605438
see: 188.119.192.40.pool.eurona.net. GRANADA. Google.es -> interpares malaga [#15]. Entry -> 1 -MALAGASERVICEFLATS INTERPARES -FIN SEMANA DES etc.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline ColinWB

Re: will Avast find PushDo?
« Reply #7 on: June 06, 2013, 10:40:51 PM »
Essex Boy:     three logs attached.... I hope I've done it correctly,  over.

Polonus: not sure what your second note means. So far as my IP being blocked by the sites you quote, my WiMax techno says the address has been clean for some days. I'm getting very confused.

Offline essexboy

Re: will Avast find PushDo?
« Reply #8 on: June 06, 2013, 10:53:07 PM »
OK, I have found a grand total of two orphaned adware elements and that is it. No unusual files have been added or modified for the last 30 days.
I do not believe that you are infected.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
IE - HKLM\..\URLSearchHook: {124d001a-bdcb-472f-aa59-bbe7e4bc3204} - No CLSID value found
O2:64bit: - BHO: (no name) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - No CLSID value found.
O3 - HKU\S-1-5-21-819605704-1034043224-4017780248-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [Best Antivirus] C:/Program Files (x86)/Best Antivirus/BestAntivirus.exe File not found
O4 - HKLM..\Run: [Best Antivirus Agent] C:/Program Files (x86)/Best Antivirus/BestAntivirusAgent.exe File not found
O4 - HKLM..\Run: [Best Antivirus Updater] C:/Program Files (x86)/Best Antivirus/BestAntivirusUpdater.exe File not found

:Files
C:/Program Files (x86)/Best Antivirus

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Offline polonus

Re: will Avast find PushDo?
« Reply #9 on: June 06, 2013, 10:57:25 PM »
Let this not interfere with essexboy's cleaning routine.

The additional info I gave was for some adware launching that has been flagged in combination with that IP and sustained by the following evidence.

See: http://www.ipvoid.com/scan/188.119.192.40/ - for more details: http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a188.119.192.40&run=toolpage

Inclusion in either of the MAILSPIKE Blacklists (BL or Z) means that your IP Address has most likely been identified as being part of a real-time spam outbreak. More specifically, Mailspike lists IPs that are part of a distributed spam wave and does not take into consideration over-time IP behavior. It is also worth noting that this RBL is a zero-hour list, meaning that you can be listed and then unlisted very quickly. Please remember that normal propagation will occur and while your IP address may be unlisted on the Mailspike site, other services which query their database could still show you as listed until the listing expires.

polonus

Offline ColinWB

Re: will Avast find PushDo?
« Reply #10 on: June 12, 2013, 10:35:58 PM »
I am still unable to send emails and CBL is telling me now I have a different bug, viz -
"
This IP is operating (or NATting for a computer that is operating) the "sendsafe" or similar (such as Advanced Mass Sender - AMS) bulk emailing malware. This software is almost exclusively used for sending "Nigerian 419"/"advance fee" frauds or phishing attempts. It is also used occasionally to send pharmaceutical spam.
"

- beforehand it was suggesting the virus was PushDo.  Is this a significant development please...... ?

 I'm off to a wifi cafe tomorrow in the hope I get issued another IP address so I should see whether I am allowed to send or not....

Offline essexboy

Re: will Avast find PushDo?
« Reply #11 on: June 12, 2013, 11:27:38 PM »
Did you run the OTL fix?

Offline ColinWB

Re: will Avast find PushDo?
« Reply #12 on: June 13, 2013, 09:24:58 AM »
Yes I ran that fix and made the report as requested.
I have today sent emails without difficulty from a wi-fi node in a cafe.  Significant?

I have also realised I am making a problem for you and myself as we have two laptops in the house running on the same system and the same IP address; one is used daily for emails, the other logs on less frequently for music etc. Therefore - can I run the OTL fix on the other machine ad lib, or do you send me a link or particular instruction? Realising the work I'm causing, it would be churlish of me not to upgrade my subscription from 'Free' so consider it done this evening and accept my thanks for your help.
CB

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: will Avast find PushDo?
« Reply #13 on: June 13, 2013, 09:39:47 AM »
Essexboy will be back on the forum later on so please wait for his further instructions. In the meantime do not run the same OTL fix on the other system as each fix is specifically created for that individual computer.

Offline essexboy

Re: will Avast find PushDo?
« Reply #14 on: June 13, 2013, 02:53:56 PM »
No, we will need a separate log for each computer as they will be different.