Author Topic: mystictea.cz  (Read 6976 times)

Offline wyocowboy

  • Newbie
  • *
  • Posts: 10
mystictea.cz
« on: January 15, 2012, 11:19:10 PM »
I keep getting a warning when I open my eM Client mail, that offers the following information:
Object: http//www.mystictea.cz/newcall-small.jpg
Infection: URL:mal
I have run a complete system scan, but can't get this warning to go away; every time I open the mail program it reappears!
Thanks for any help...
wyocowboy

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: mystictea.cz
« Reply #1 on: January 15, 2012, 11:22:31 PM »
Follow the guide here, and attach the logs
http://forum.avast.com/index.php?topic=53253.0






Anyway, those links seem to be dead now, but previously malicious, it seems: http://urlquery.net/report.php?id=16221
« Last Edit: January 15, 2012, 11:30:55 PM by Pondus »

Offline wyocowboy

  • Newbie
  • *
  • Posts: 10
Re: mystictea.cz
« Reply #2 on: January 15, 2012, 11:40:10 PM »

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Morpheus :: MORPHEUS-PC [administrator]

Protection: Enabled

1/15/2012 3:35:31 PM
mbam-log-2012-01-15 (15-35-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 174434
Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: mystictea.cz
« Reply #3 on: January 15, 2012, 11:44:25 PM »
One gets an error here: failure: <urlopen error [Errno -2] Name or service not known> IP 0 0 0
It is a booby-trapped jpg that is being alerted.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: mystictea.cz
« Reply #4 on: January 15, 2012, 11:46:21 PM »
To avoid multiple posts with copy and paste, you need to attach the OTL log.

lower left corner: additional options > attach

Offline wyocowboy

  • Newbie
  • *
  • Posts: 10
Re: mystictea.cz
« Reply #5 on: January 15, 2012, 11:51:53 PM »
Sorry! Try this
Wyocowboy

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: mystictea.cz
« Reply #6 on: January 15, 2012, 11:56:59 PM »
Not the MBAM log... we have already seen that...
but the OTL log. It will be very long, that's why you must attach it.

Offline wyocowboy

  • Newbie
  • *
  • Posts: 10
Re: mystictea.cz
« Reply #7 on: January 16, 2012, 12:14:21 AM »
Here it is...
wyocowboy

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: mystictea.cz
« Reply #8 on: January 16, 2012, 12:22:38 AM »
Not a great deal showing there - what is your e-mail client ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
    O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
    O3 - HKU\S-1-5-21-1831967051-3588195963-903182636-1001\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()

    :Files
    ipconfig /flushdns /c
    C:\Program Files (x86)\Search Toolbar

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Offline wyocowboy

  • Newbie
  • *
  • Posts: 10
Re: mystictea.cz
« Reply #9 on: January 16, 2012, 01:47:22 AM »
eM Client
Thanks
wyocowboy

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: mystictea.cz
« Reply #10 on: January 16, 2012, 12:40:40 PM »
If you access your e-mail via the web portal do you still get the alerts ?

My thoughts are that the e-mail programme itself has an infection or a file within it has been tampered with

Offline wyocowboy

  • Newbie
  • *
  • Posts: 10
Re: mystictea.cz
« Reply #11 on: January 16, 2012, 06:44:59 PM »
The "eM Client" has been scanned, and is constantly monitored, and this "mystictea.cz" is never found in the virus chest! My mail server is Bresnan (Optimum), the "eM Client" is just the mail client. I am able to check my Bresnan (Optimum) mail utilizing their web client without problems, so it's just when I open the "eM" client program on my computer.
What I can't figure out is why, if Avast finds it each time the mail client is opened, it will not remove it or move it to the virus chest.
Thanks
wyocowboy 

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: mystictea.cz
« Reply #12 on: January 16, 2012, 07:34:02 PM »
I will flash up my VM in a bit and try the e-mail client from there


Offline wyocowboy

  • Newbie
  • *
  • Posts: 10
Re: mystictea.cz
« Reply #13 on: January 16, 2012, 08:02:20 PM »
Thank you, I should mention, the first part of the warning popup displays the following:
"avast network shield has blocked a harmful site", then goes on to list:
 
Object:http//www.mystictea.cz/newcall-small.jpg

Infection:URL:Mal

Process: C:\ProgramFiles(x86)\eMClient\MailClient.exe

Could just be something in my avast "network Shield" settings?

Thanks
wyocowboy

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: mystictea.cz
« Reply #14 on: January 16, 2012, 08:19:20 PM »
No, it is blocking a redirect from the e-mail client