slow running times, returned mail

[midwyfjan]

Ok, fellas, now here's the newest issues.
Since all the trouble began a few weeks ago with the original Timeout problems, my computer is running SO SLOWl And a LOT of the time, its' "thinking' - which always seems like a bad thing to me.

To deal with the original hijack problem, I loaded Ewido, then Zone Alarm Security Suite. Have run Trend Micro a few times.  Sent you all the HJT logs, someone suggested running the Symantec W32.Sober. remover, but it found nothing.

One of you said, from the things I sent, that Avast was finding that Sober virus in incoming emails and removing it. I think that's true. However, I also get these other returned emails that I think really are being generated from my computer. Avast doesn't catch anything on them.I've attached on of them, for your perusal.

Additionally, since the first HJT scan and fix, everytime I reboot, a Windows Installer window pops up. It says it's preparing to install something, then tells me it's trying to install MS Money 2003. I don't use that program, so tried to uninstall it, but it wouldn't let me. So now I'm stuck with this annoying thing to try to get rid of each time I reboot. It takes about 6-7 times of clicking Cancel before it quits trying. And always wants to send MS an error report. Oh, brother . . .

So I've run another HJT scan and that log is attached here. Can I remove all references to MS Money that show up there to fix this last problem? And is there anything there that would be causing such slow running?

[DavidR]

1. Having ZA Security Suite installed with avast can cause conflict as I believe that also includes a resident anti-virus, both of these could have conflicting drivers and registry entries. We don't reccommend having two resident scanners installed. Ewdio (free) is effectively on-demand but the Paid for version doesn't seem to have a problem with avast.

2. In this case, I doubt the emails are being generated by your email otherwise avast would detect them when they are sent (multiple emails with the same subject in a short time, etc. a suspicious alert by avast). This is likely to be down to forged from email addresses, someone with your email address in their addressbook is infected with some form of SpamBot and it uses emails from that address book as a from address.

Dumb ISP email servers may detect this as an infected email/Spam, etc. (or in this case to a bad address) and bounce it back (incorrectly) to the sender, the faked from email address.

There are also some devious people out there that send faked returned/bounced emails in the hope that you will open the attached file to see what the problem is and thereby get infected.

3. What errors were displayed when it wouldn't let you uninstall Money? The fact that it is trying to install Money seems strange if as you say it is already installed.

I suggest that you use one of the on-line HJT scanners to see if there is anything else that is either harmful or unknown and investigate those also. Some of the entries look strange to me with references to the WINNT folder, did you upgrade from win2k to XP?

For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

[midwyfjan]

David
1. I should have clarified: I already removed ZA Security Suite and installed their free firewall instead. I can't tell is Ewido is helping or not, it's the free version, and maybe I should uninstall it.
2. Well, if they're not being generated here, then someone is really messing with me, cuz I get these Delivery Failure notices ALL DAY LONG. Like maybe 3-5 a day, and increasing. Is there a specific setting on Avast that I should make sure is turned on to be sure it would detect this kind of hijacking?  However, since you mention it, each of these DO have an attachment - what should I do in this case?
3. To see what the screen exactly says when I reboot, I'll have to try it, which means I'll post that in my next message.

And the online analysis from HJT didn't show anything I was concerned about. It seems to be confused about some ActiveX objects (which I think are only there from when i had to load them to do the Trend Micro scans) and some Java files, as well as some Gateway .CAB files. I can copy and post it if you want to see it.

[FreewheelinFrank]

Ewido works quite happily with avast! and won't be causing the problem. It's also worth keeping it around as a double check for Trojans. Have you tried a spyware scan with Ad-Aware and Spybot Search and Destroy?

You could also try is TuneUp Utilities 2006, which has a good registry scanner (and a free trial!)

Clean up any junk with CCleaner then defragment your disk, that might help.

Try checking in Task Manager to see what is busy all the time.

The emails you might be able to talk to your ISP about.

[Lisandro]

Cuz I get these Delivery Failure notices ALL DAY LONG. Like maybe 3-5 a day, and increasing. Is there a specific setting on Avast that I should make sure is turned on to be sure it would detect this kind of hijacking?

You're probably hijacked... maybe it will be useful if you run HijackThis and analyse your results (or post them here).
Download: http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Tutorial: http://www.tomcoyote.org/hjt/#introduction
Online analysis of your Hijackthis log: http://hijackthis.de/index.php

Ignore any references to 023 entries for avast, this is a bug in the HJT 1.99.1, this has been mentioned many times in previous threads.

However, since you mention it, each of these DO have an attachment - what should I do in this case?

Never open or run any attachment from these mails! 
Send them to Chest when warned by avast!

[DavidR]

Tech, he has HiJackThis and has run it with no obvious malware content. However, posting the HJT log contents here won't hurt.

I don't believe he has been hijacked (unless his HJT log shows otherwise), these returned emails don't originate from his system otherwise avast's heuristic's should flag multiple outbound emails in a short time as suspicious as in my pevious comments.

2. In this case, I doubt the emails are being generated by your email otherwise avast would detect them when they are sent (multiple emails with the same subject in a short time, etc. a suspicious alert by avast). This is likely to be down to forged from email addresses, someone with your email address in their addressbook is infected with some form of SpamBot and it uses emails from that address book as a from address.

Dumb ISP email servers may detect this as an infected email/Spam, etc. (or in this case to a bad address) and bounce it back (incorrectly) to the sender, the faked from email address.

There are also some devious people out there that send faked returned/bounced emails in the hope that you will open the attached file to see what the problem is and thereby get infected.

[midwyfjan]

I got this message twice today:

Our virus detector has just been triggered by a message you sent:-
  To: gjessup@wnyurology.com, northtowns@wnyurology.com
  Subject: Your Password
  Date: Thu Dec 15 16:31:54 2005

One or more of the attachments (File-packed_dataInfo.exe) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: MailScanner: Executable DOS/Windows programs are dangerous in email (File-packed_dataInfo.exe)
MailScanner: Executable DOS/Windows programs are dangerous in email (File-packed_dataInfo.exe)

-- MailScanner Email Virus Scanner www.mailscanner.info MailScanner thanks transtec Computers for their support

I never sent any messages to WNYUrology.com. It doesn't appear that avast! is generating this. Who/what is MailScanner?

And those other emails I referred to earlier, avast! doesn't pick them up, so I can't send them anywhere except to the trash.

And by the way, I'm a "she". 

Most recent HJT logfile is attached.

[midwyfjan]

Also, regarding the trouble with MS Money trying to install upon startup, here's what the various screens say:

AT first, a Windows Installer box appears, that says "Preparing . . . "
Then, a new box comes up that says, Please wait while Windows configures MS Money 2003.
Next, the box says "Setup needs to close MS Money Express 2003 and is unable to do so. Please close MS Money Express 2003 and click Retry. If you are not sure how to close it, consult Help."
There's no Help option there. I tried to Open Ms MOney, and it says it needs to install itself, and for me to insert the CD. But this program came on this computer, so I don't have the CD. Finally, when I click, cancel, it says Error 1706: no source.

I don't use MS MOney and would happy to uninstall it but it won't let me. I notice a couple of items in the HJT file are MS MOney files. Can I delete them? Will this stop this problem? It began after the first time I ran HJT and "fixed" a couple of things. Stupid me.

[FreewheelinFrank]

You can restore items 'fixed' by HijackThis!, as long as you've installed it in its own folder. Might be worth checking what you've deleted to see if anything refers to MS Money, or indeed any other innocent application.

I never sent any messages to WNYUrology.com.

No. Another infected computer sent the message but said it came from you. It's like I write a junk mail letter and put your address at the top and mail it to 1000 people. Those people might blame you for the junk mail, when in fact you didn't send it: it's the same with worm generated spam mail.

[DavidR]

I got this message twice today:

Our virus detector has just been triggered by a message you sent:-
  To: gjessup@wnyurology.com, northtowns@wnyurology.com
  Subject: Your Password
  Date: Thu Dec 15 16:31:54 2005


I never sent any messages to WNYUrology.com. It doesn't appear that avast! is generating this. Who/what is MailScanner?

And those other emails I referred to earlier, avast! doesn't pick them up, so I can't send them anywhere except to the trash.

And by the way, I'm a "she". 

Most recent HJT logfile is attached.

Re read my first reply point 2. about Dumb ISPs and devious people, your only course of action is to ignore these supposed returned emails.

My humble apologies to midwyfjan (she)

[Spiritsongs]

   midwyfan :

     I noticed the following from your HJT log :

     1) Your Java Runtime Environment program is 2 Updates
          behind; on the antiSPYWARE forums that I frequent,
          it is strongly encouraged that "old" versions be
          completely removed, then go to www.java.com
          and get their latest.
     2) You have AIM 95; I periodically see news items of
          malware coming through AIM, therefore, I recommend
          you uninstall that version, then go to the AIM portal
          at www.aim.com to get their latest. Better yet, after
          uninstalling AIM 95, install the safer Yahoo IM.
     3) I saw no antiSPYWARE program listed in your HJT log;
          do you have one ? If not, I recommend you download
          Ad-Aware from :
       www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html
         After doing so, get the Updates, then run a "Full System
         Scan" setting.

[midwyfjan]

Thanks, everyone for all all your help. In regards to your points:
1. I already installed the new Java, but it gave me some kind of trouble at the point of installation. Can't remember what. Should I uninstall all Java programs, then start over from scratch?
2. Don't know how I could have only AIm 95, when I've only been using it for 2 years, and it updates itself automatically. But I can uninstall that too and get the latest version. I don't want Yahoo, since both of my adult kids use AIM, and that's how I communicate with them quite often.
3. Used to have Ad-Aware, but during one of the HJT analyses, someone said it wasn't good and I should switch. So I now use Ewido for getting rid of spyware. At least, I was under the impression that Ewido was for that purpose.

Have run scans ad nauseum of late, get such conflicting responses, it's weird.

And to DavidR - I've not forgotten your advice about dumb ISPs and devious people - it's just that it's sometimes hard to tell the difference between something that's being done TO you by someone, and something your computer is being hijacked to do to someone else. Trying to be safe and certain about these things. I do appreciate your guidance. My ISP just sent out an email about problems they're encountering from autoresponders. Corresponding with them about this problem, and perhaps I can fix it my changing settings there.

[Lisandro]

Thanks, everyone for all all your help. In regards to your points:
1. I already installed the new Java, but it gave me some kind of trouble at the point of installation. Can't remember what. Should I uninstall all Java programs, then start over from scratch?

Only if you're sure the problem is not Azureus like David posted.

3. Used to have Ad-Aware, but during one of the HJT analyses, someone said it wasn't good and I should switch. So I now use Ewido for getting rid of spyware. At least, I was under the impression that Ewido was for that purpose.

You're right. Ewido is a good antispyware and antitrojan.
But forget what they say agains Ad-aware. It's a very good antispyware.

[DavidR]

Tech, I didn't mention anything about Azureus in this thread, Spiritsongs mentioned updating Java.

[Lisandro]

Tech, I didn't mention anything about Azureus in this thread, Spiritsongs mentioned updating Java.

Sorry, it was here http://forum.avast.com/index.php?topic=18105.msg153848#msg153848
Too many opened threads in my mind