VBS: ExeDropper-Gen [trj] notification when I send email in Thunderbird

[Antonia]

Hello,

I was wondering whether anyone can help me.

I get an Avast pop-up whenever I try to send email from my Thunderbird Portable IMAP account running out of Dropbox.

It says that I have a Trojan - VBS: ExeDropper-Gen [trj]

I have scanned my whole computer and my whole Dropbox folder with Avast, MBAM, Superantispyware and AVG. All come up clean. I have reinstalled a clean version of Thunderbird Portable. And yet still this Avast (and AVG) pop-up appears when I send email.

The problematic item is in C - Users - PCname - AppData - Local - Temp - nsemail.html

The problematic process is thunderbird.exe

I've had to turn off Mail Shield in order to get any work done...

Any thoughts? Thanks in advance.

[Pondus]

with Avast, MBAM, Superantispyware and AVG.

do you have avast! and AVG installed ?

only install one AV program, as running multiple AV can create lots of mysterious windows errors and false detections

[Antonia]

Hi Pondus,

I have had both installed at different times in the last 24 hours. Only have Avast at the moment. Thanks.

[SafeSurf]

I have had both installed at different times in the last 24 hours. Only have Avast at the moment.

But when you are not using the other AV, are you completely uninstalling (using the vendor's uninstaller tool) the other AV?  You can't just disable it because it is still running in your machine (drivers, etc.), and this will create lots of mysterious windows errors and false detections.  So what have you been doing with these two AV's (Avast and AVG) over the past 24 hours or more?

[Antonia]

Thanks Safe Surf. Yes, I ran AVG and there was a problem when emailing, but no problem detected with scan. Did complete uninstall (as you mention) and installed Avast. Again, there is a problem when emailing, but no problem detected with a scan.

Thanks.

[SafeSurf]

To clarify, you are only using Avast now and you completely uninstalled AVG by the vendor's uninstaller tool...correct?

I would keep your Avast Mail shield turned on for protection even though it is giving you warnings.  It is there for a purpose.

I know you did scans with Avast, MBAM and SAS. 

I suggest that you check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0. 

Follow the directions of obtaining an new MBAM log (make sure you update MBAM first) and the OTL logs.  Post the MBAM log here (copy and paste) and the two (2) OTL log as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop > Post).  If needed, we will refer you to one of our malware experts.  Thank you.

[Antonia]

Hello Safe Surf,

Yes, I have uninstalled AVG using the installer tool and am now only using Avast.

Here is the MBAM log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5041

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

04/11/2010 11:49:19
mbam-log-2010-11-04 (11-49-19).txt

Scan type: Quick scan
Objects scanned: 149644
Time elapsed: 10 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL logs to follow.

Thanks.

[Antonia]

And here are the OTL logs.

Thanks.

[SafeSurf]

Thank you for posting the logs.  I know you turned off the Avast Mail Shield, but did you also turn off (or using on-demand) the Web Shield as well?  If you turned the Web Shield off, please turn it back on as this provides protection.

I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.  I will continue to provide assistance in the meantime, then remain in the background while he works with you.

Please do not make any further changes to your machine now that you have provided the logs.

I also suggest that you not sync you phone with your machine or use your machine for any social media (chat, IM, Skype, etc.), or playing games, or surfing until Essexboy gives you the OK do to so as a precaution.

Let me know if you have any questions or your problem worsens.  Thank you.

[essexboy]

Hi Antonia - I will remove the rest of AVG, clear your temp files and then ask you to run a quick but deep AV scan.  Once the deep AV scan has completed then run a bootscan with Avast

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  [2010/11/01 13:39:09 | 000,000,000 | ---D | C] -- C:\Users\Antonia\AppData\Roaming\AVG10
  [2010/11/01 13:33:31 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG10
  [2010/11/01 13:28:49 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [EMPTYFLASH]
  [CREATERESTOREPOINT]
  [Reboot]

  
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

THEN

Download Dr Web from here http://www.freedrweb.com/?lng=en link on the top right of the page, tick the EULA and then download
 
It will download as an 8 digit file save it to your desktop

Restart in safe mode and run
Accept the enhanced version
Then run the express scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that

FINALLY

Run a boot time scan with Avast