Author Topic: Is this an undetected virus?  (Read 6002 times)


jongooligan

  • Guest
Is this an undetected virus?
« on: January 16, 2010, 06:54:16 PM »
Hi folks

First time poster but long time Avast user.

My In box and Spam folder suddenly started receiving undeliverable mail notifications even though I hadn't sent any mail. Also my Sent Items box was emptied.

Smells like a virus to me so I ran an Avast scan & found nothing suspicious. Subsequently ran Spybot and found two registry changes - one disabling registry Tools and the other disabling Windows Task Manager.

Smells more like a virus to me.

What do I do to get rid of it if Avast can't find it?

Any help appreciated.

Thanks

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37553
  • Not a avast user
Re: Is this an undetected virus?
« Reply #1 on: January 16, 2010, 06:56:52 PM »
Check your computer for Malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
update and run quick scan, click the button "remove selected" to quarantine anything found, and restart

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

come back and tell us if it worked

If anything is found other than cookies you may post the scan logs here 

jongooligan

  • Guest
Re: Is this an undetected virus?
« Reply #2 on: January 16, 2010, 09:34:52 PM »
Thanks for the quick reply Pondus.

This is what Malwarebytes found:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ad7fafb0-16d6-40c3-af27-585d6e6453fd} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Rogue.Installer) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\WINDOWS (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\WINDOWS\FONTS (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\WINDOWS\HELP (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\WINDOWS\INF (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\WINDOWS\MSAGENT (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\WINDOWS\MSAGENT\INTL (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\WINDOWS\SHELLNEW (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\SETUP.EXE (Rogue.Installer) -> Quarantined and deleted successfully.
Subsequent scan by SuperAntiSpyWare found one tracking cookie.

Hopefully that's fixed it. Thanks for your help Pondus.

Do you get across to Old Trafford very often and can you tell me how I upload a Leeds Utd badge to my profile? ;D
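
The log above is worth reading as data rather than as a wall of text: it mixes four kinds of finding (registry keys, registry data items, folders, files), and only some of them matter for the original question of whether the user's own tools were being sabotaged. The following parser is an added example written for this page, not a Malwarebytes tool and not the poster's file; it retypes a subset of the log above as constructed sample input, groups the entries by section, and flags the ones that weaken the system's defences: policy values that disable regedit and Task Manager, Security Center values that silence AV and firewall warnings, an Image File Execution Options subkey named after an executable (which lets another program be started in its place), and a heuristic for a "WINDOWS" tree living under Program Files rather than at %SystemRoot%. The heuristic and the list of policy values are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the Malwarebytes 1.x log format quoted above
# (a retyped subset of the log, not the original poster's file).
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Rogue.Installer) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\WINDOWS (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\SETUP.EXE (Rogue.Installer) -> Quarantined and deleted successfully.
"""

# One log entry: "<path> (<family>) -> [Bad: (x) Good: (y) -> ]<status>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

# Registry values that, when set to non-zero, blunt the user's own tools or
# silence warnings (assumed list for this example).
DEFENCE_VALUES = {
    "DisableRegistryTools": "regedit disabled by policy",
    "DisableTaskMgr": "Task Manager disabled by policy",
    "AntiVirusDisableNotify": "Security Center AV warnings silenced",
    "FirewallDisableNotify": "Security Center firewall warnings silenced",
}


@dataclass
class Finding:
    section: str          # "Registry Keys", "Registry Data Items", "Folders", "Files"
    path: str
    family: str           # detection name, e.g. "Hijack.TaskManager"
    status: str           # e.g. "Quarantined and deleted successfully"
    bad: Optional[str] = None   # value found (data items only)
    good: Optional[str] = None  # value expected (data items only)


def parse_mbam_log(text):
    """Turn the text log into Finding records; headers and chatter are skipped."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):
            section = line[:-len(" Infected:")]
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue
        rest = m.group("rest")
        bad = good = None
        bg = BAD_GOOD_RE.search(rest)
        if bg:
            bad, good = bg.group("bad"), bg.group("good")
        status = rest.rsplit(" -> ", 1)[-1].rstrip(".")
        findings.append(Finding(section, m.group("path"), m.group("family"), status, bad, good))
    return findings


def summarize(findings):
    """Count findings per log section."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


def defence_tampering(findings):
    """Return (finding, reason) pairs for entries that weaken the system's own defences."""
    hits = []
    for f in findings:
        leaf = f.path.rsplit("\\", 1)[-1]
        if leaf in DEFENCE_VALUES and f.bad not in (None, "0"):
            hits.append((f, DEFENCE_VALUES[leaf]))
        elif "\\Image File Execution Options\\" in f.path:
            # An IFEO subkey named after an executable redirects its launch.
            hits.append((f, f"IFEO hijack of {leaf}"))
        elif f.path.lower().startswith(r"c:\program files\windows"):
            # %SystemRoot% is C:\WINDOWS; a WINDOWS tree under Program Files is
            # a look-alike (heuristic, assumed for this example).
            hits.append((f, "look-alike system folder outside %SystemRoot%"))
    return hits


if __name__ == "__main__":
    fs = parse_mbam_log(SAMPLE_LOG)
    print(summarize(fs))
    for f, why in defence_tampering(fs):
        print(f"{f.family:<24} {why}: {f.path}")
```

Run against the full log posted above, the same parser flags the DisableRegistryTools and FirewallDisableNotify values as well; the Ext\Stats BHO entries and the plain SETUP.EXE file are left out of the tampering list because, on their own, they say nothing about the user's tools being disabled.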

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37553
  • Not a avast user
Re: Is this an undetected virus?
« Reply #3 on: January 16, 2010, 10:21:11 PM »
Quote
Do you get across to Old Trafford very often
Have not been to Old Trafford yet, shame on me...... :'(
I have been to Newcastle (there used to be a ferry, Bergen - Stavanger - Newcastle) so I have tasted the Newcastle brown ale  ;D
lots of it........ 8)

Quote
can you tell me how I upload a Leeds Utd badge to my profile?
WHAT......leeds....not sure i can help you more.......after what you did in the FA Cup...... >:(
Well there are some limitations, you need 20 posts before you can do it.... :-\
you just enter the url to the picture in your profile

jongooligan

  • Guest
Re: Is this an undetected virus?
« Reply #4 on: January 17, 2010, 12:51:11 AM »
Pondus

Any idea why Avast didn't pick it up? I don't think it's missed anything before.

BTW - I live near Newcastle so next time you're over let me know and I'll take you to some of the local micro breweries for some really special English ales.

Quite a few regulars at Elland Rd from Denmark.

Cheers

Jon

YoKenny

  • Guest
Re: Is this an undetected virus?
« Reply #5 on: January 17, 2010, 01:05:29 AM »
Jon, I grew up in Durham just south of you before I came to Canada ages ago.

Steven Burn of hpHosts fame lives in Newcastle and I have sent him many a virtual ale.   ;D

Malwarebytes is a perfect companion with avast! just like what steak pie would be without kidney and a proper temperature ale to wash it down.  8)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37553
  • Not a avast user
Re: Is this an undetected virus?
« Reply #6 on: January 17, 2010, 02:31:28 AM »
Quote
Any idea why Avast didn't pick it up? I don't think it's missed anything before.
It happens, no security program has 100% detection, maybe in a test you can prepare for like VB100 but not in real life
So as kenny suggested, Malwarebytes PRO is a perfect companion. A onetime fee for a lifetime license www.malwarebytes.org


Quote
BTW - I live near Newcastle so next time you're over let me know and I'll take you to some of the local micro breweries for some really special English ales
oooo i like that......Beer: The cause of, and solution to, all of life's problems. (Homer Simpson)   ;D
« Last Edit: January 17, 2010, 02:33:11 AM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89162
  • No support PMs thanks
Re: Is this an undetected virus?
« Reply #7 on: January 17, 2010, 03:09:14 AM »
My In box and Spam folder suddenly started receiving undeliverable mail notifications even though I hadn't sent any mail. Also my Sent Items box was emptied.

Smells like a virus to me so I ran an Avast scan & found nothing suspicious. Subsequently ran Spybot and found two registry changes - one disabling registry Tools and the other disabling Windows Task Manager.

Smells more like a virus to me.
<snip>

The practice of sending out spam under the guise of undeliverable mail notifications, etc. is quite common. On occasion this might also be an attempt to get the user to open the attachment (supposed copy of email), this could either just show spam or try to run malware.

Unless you actually do that, i.e. open the attachment, there is no immediate risk of infection; so if you didn't open the attachment, anything that you happened to find in subsequent scans is unrelated to these emails.

avast doesn't actually scan the registry as a part of its standard scans; if it finds any spyware during a scan then it will look for associated registry entries. So it isn't surprising that an anti-spyware application might find what it considers changed registry settings. There is however no indication of when these changes might have been made, and again, as I said, I doubt they are related to these emails.

If you check the signatures of those who have them in this topic you will see they all have at least one on-demand anti-spyware and some also have one resident anti-spyware. This provides a multi-application approach to security, which improves overall protection; as has been said no single program is going to provide 100% protection.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

jongooligan

  • Guest
Re: Is this an undetected virus?
« Reply #8 on: January 17, 2010, 09:46:29 AM »
Wow, I'm glad I came here. Thanks for all the information.

A little more information from me:

Soon after my In box started filling up I got a call from my brother saying he had received a dodgy email message from me with the same subject as the dodgy email I had received from him some months earlier. (Does that make sense?)

So, can I assume that:
a) the source of the virus was the original dodgy message from him and
b) that the dodgy message has been sent to everyone in my contacts.

If assumption b is correct do I need to warn all my contacts?

Oh, and why didn't the Windows XP firewall stop all that crap going out?

Pondus

Quite a few regulars at Elland Rd from Denmark.


Sorry Pondus - had a Homer moment there. Meant to say that there were a few regulars from Norway

Thanks again folks.

Jon

YoKenny

  • Guest
Re: Is this an undetected virus?
« Reply #9 on: January 17, 2010, 11:21:47 AM »
The XP firewall is an inbound firewall only.

A software firewall like PC Tools firewall is good:
http://www.pctools.com/firewall

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37553
  • Not a avast user
Re: Is this an undetected virus?
« Reply #10 on: January 17, 2010, 12:42:33 PM »
Quote
So, can I assume that:
a) the source of the virus was the original dodgy message from him and
b) that the dodgy message has been sent to everyone in my contacts.

If assumption b is correct do I need to warn all my contacts?
If the bad guys have your address, they can also use it to send from, so it doesn't have to come from your computer, they can fake the sent-from address. I have received spam/hoax sent from myself, not after I got Gmail though, very good spam/virus filter


http://www.google.no/search?hl=no&ei=fvRSS5ruMJTe-QbWqoXDDg&sa=X&oi=spell&resnum=0&ct=result&cd=1&ved=0CAYQBSgA&q=how+do+spammer+get+my+address&spell=1

Hoaxes, myths, urban legends
http://vmyths.com/hmul/

Welcome to HoaxKill
http://www.hoaxkill.com/index2.html

Once you are certain that a message is a hoax, you can send it to hoaxkill@hoaxkill.com. Our software will then extract the addresses of all previous recipients from the message and inform them all that the message is a hoax.


BreakTheChain
http://www.breakthechain.org/

Hoax-Slayer
http://www.hoax-slayer.com/

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1936
  • Christian Geek - aka 'born again' Geek
Re: Is this an undetected virus?
« Reply #11 on: January 17, 2010, 12:49:06 PM »
@ jongooligan

I think you should change your email passwords also.




Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89162
  • No support PMs thanks
Re: Is this an undetected virus?
« Reply #12 on: January 17, 2010, 04:27:42 PM »
<snip>
Soon after my In box started filling up I got a call from my brother saying he had received a dodgy email message from me with the same subject as the dodgy email I had received from him some months earlier. (Does that make sense?)

So, can I assume that:
a) the source of the virus was the original dodgy message from him and
b) that the dodgy message has been sent to everyone in my contacts.

If assumption b is correct do I need to warn all my contacts?
<snip>

Again this is a common tactic as the from email address is so easy to fake and most people open emails from people they know. Wrong: you never know who sent it without a lot of investigation, unavailable to most.

Someone who has your email address in their address book is infected and that uses the email addresses in the address book to send out spam (or malware) to all in the address book. They also use email addresses in the address book for the from address, so it isn't uncommon to receive emails supposedly coming from yourself (I get lots, but a simple filter catches them).

So by now you should have the idea, make no assumptions.

You most certainly shouldn't send out warning emails to all your contacts, causes more harm than good (panic, adds to masses of emails flying round).

The XP firewall is no use whatsoever in this case as it has zero outbound protection. I suggest that you set the avast Internet Mail provider to High sensitivity as that would detect if your system was sending out multiple identical emails in a period of time (spam), so at least you would know it isn't you sending it.

As for changing your passwords, not required if they haven't hacked your email account. If they had your email would be sending out masses of spam and your ISP would be likely to alert you in the form of stop it or be banned email or words to that effect.
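
Both Pondus (reply #10) and DavidR (reply #12) make the same point: the From: address tells you nothing, so the only way to know whether a bounce refers to mail that really left your machine is to look at the copy of the original message that the bounce carries and read its Received chain from the bottom up. The script below is an added example written for this page, not something from the thread: it builds two constructed non-delivery reports (multipart/report with the original message attached as message/rfc822), extracts the embedded original, walks its Received headers oldest-first, and reports whether the first hop was one of the mailbox owner's own outbound relays or an unrelated host. The address jon@example.net and the relay names smtp.example.net / mail.example.net are assumptions for the example.

```python
import re
import email
from email import policy
from email.utils import parseaddr

MY_ADDRESS = "jon@example.net"                                 # assumed mailbox owner
MY_OUTBOUND_HOSTS = {"smtp.example.net", "mail.example.net"}   # assumed ISP relays

# "Received: from <host> <details> by <host> ..." after whitespace normalisation.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(.*?)\s+by\s", re.IGNORECASE)


def build_bounce(first_hop):
    """Constructed NDR wrapping an original whose oldest Received header is `first_hop`.
    Sample data for this example, not a real bounce."""
    return f"""\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: {MY_ADDRESS}
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host mx.example.org. Your message could not be delivered.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Return-Path: <{MY_ADDRESS}>
Received: from mx.example.org (mx.example.org [192.0.2.10])
        by inbox.example.org with ESMTP; Sat, 16 Jan 2010 18:02:11 +0000
Received: {first_hop}
        by mx.example.org with SMTP; Sat, 16 Jan 2010 18:02:09 +0000
From: {MY_ADDRESS}
To: nobody@example.org
Subject: hi
Message-ID: <spam123@example.net>

see attachment

--b1--
"""


# Forged From: the oldest hop is an unknown host that merely claimed (HELO) to be example.net.
BOUNCE_SPOOFED = build_bounce("from unknown (HELO example.net) (198.51.100.77)")
# Same From:, but the oldest hop is the owner's own ISP relay.
BOUNCE_VIA_RELAY = build_bounce("from smtp.example.net (smtp.example.net [192.0.2.25])")


def embedded_original(bounce_text):
    """Return the original message attached to a bounce, or None if there is none."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def received_hops(msg):
    """Received chain oldest-first as (claimed_host, details) tuples."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())
        m = RECEIVED_RE.match(text)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def classify_bounce(bounce_text, my_address=MY_ADDRESS, my_hosts=MY_OUTBOUND_HOSTS):
    """Return (verdict, origin). Only the oldest Received hop, written by a server
    the bounce passed through, says where the mail came from; From: is sender-chosen."""
    orig = embedded_original(bounce_text)
    if orig is None:
        return ("no-original", "")
    from_addr = parseaddr(str(orig.get("From", "")))[1].lower()
    if from_addr != my_address.lower():
        return ("not-your-address", from_addr)
    hops = received_hops(orig)
    if not hops:
        return ("no-received", "")
    host, details = hops[0]
    origin = f"{host} {details}".strip()
    if host.lower() in my_hosts:
        return ("via-your-relay", origin)   # check the account password and the PC
    return ("forged-from", origin)          # not sent through your provider at all


if __name__ == "__main__":
    for name, b in (("spoofed", BOUNCE_SPOOFED), ("via relay", BOUNCE_VIA_RELAY)):
        print(name, "->", classify_bounce(b))
```

A "via-your-relay" verdict is the case where Chris Thomas's advice to change the password applies; a "forged-from" verdict is the backscatter case DavidR describes, where the only sensible action is to filter the bounces.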

jongooligan

  • Guest
Re: Is this an undetected virus?
« Reply #13 on: January 18, 2010, 09:18:31 PM »
There's a lot to take in here folks but so far I've got myself a firewall (thanks Kenny), read all the stuff at the links Pondus posted and changed my settings to those recommended by DavidR.

Also had a look at some of the stuff from your signatures and I'm just getting to grips with NoScript.

Thank you one and all.

One plus out of all this is that people have been in touch who I haven't spoken to for ages.  :)
Also, I'm getting quite interested in this stuff so if any of you could suggest where I go next (given my obvious newbie status) I'd be very grateful.

Once again, Thanks to all.

Jon

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89162
  • No support PMs thanks
Re: Is this an undetected virus?
« Reply #14 on: January 18, 2010, 09:50:08 PM »
You're welcome.

As for where to go next, you are already there ;D
There is a wealth of knowledge on the avast forums, not just about avast, the General Forum for example.

Spend a little time browsing the forums and if "interested in this stuff" means malware, then the Viruses and Worms forum could scare the pants off you, but at the same time you get an idea of the scum out there trying to infect your system/rip you off, etc. etc. Along the way you will see tools and general security practices mentioned which you can apply.