WiredWX Christian Hobby Weather Tools
All my contacts getting emails that I didn't send Viagra etc.

Wow, I can't believe this! I had a similar problem before and can't for the life of me remember what
we did to clean up the problem.

This time however the email is a little different and doesn't say Viagra on my side so that I can see it;
only the recipient can. And when I look up my sent mail there is nothing in my in-box. The only way I found
out this was happening was because people I haven't emailed in years were sending me messages saying the
email (content) was blank.

There were 2-3 mailer-daemon messages and that is how I got whatever info I have.
I have a business to run and I am losing money daily without my PC and ability to email.

Troubled,
Tricia9000

Re: All my contacts getting emails that I didn't send Viagra etc.

Hi there Tricia!

I am Gabethebabe and I will be helping you with this issue. Before we start, some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end! If your computer starts running better, that doesn't mean it is clean yet!

====================
Three possibilities:

  1. The spam e-mails were sent from your computer.
  2. The spam e-mails were sent from your e-mail address. To avoid this, simply change the password of your e-mail address (from a clean computer!)
  3. The spam e-mails were sent from a random e-mail address and your e-mail address was "spoofed" (i.e. the e-mails APPEAR to come from you, but in reality do not). There is nothing you can do about this, just make sure your personal data is not for grabs on the internet


Together we will verify whether option 1 applies. In the next step we will check your computer for malware.

====================

Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Doubleclick ComboFix.exe to run the tool. Please post its log back here.
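As an added example that is not part of the thread: a small Python triage script that applies the three-way split above to the headers of a copy of the unwanted mail (the copy a contact forwards back, or the original attached to a mailer-daemon bounce). The domain, provider hosts, public IP and sample headers are all constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Hypothetical values, constructed for this example (not from the thread).
OWN_DOMAIN = "example.com"              # the address being abused is tricia@example.com
PROVIDER_HOSTS = ("mail.example.com",)  # that provider's real submission/outbound servers
OWN_PUBLIC_IP = "198.51.100.7"          # public IP of the victim's own PC / router

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
AUTH_SUBMIT_RE = re.compile(r"\bwith\s+(?:ESMTPA|ESMTPSA|SMTPA)\b", re.I)  # RFC 3848 keywords
DKIM_RE = re.compile(r"dkim=pass\b[^;]*?header\.[di]=@?([\w.-]+)", re.I)

def received_hops(msg):
    """Received headers in sending order (each relay prepends its own, so reverse them)."""
    return list(reversed(msg.get_all("Received", [])))

def origin_ip(hops):
    """Address the earliest relay saw the message come from: the last [a.b.c.d] before 'by'."""
    if not hops:
        return None
    ips = IP_RE.findall(re.split(r"\bby\b", hops[0], maxsplit=1)[0])
    return ips[-1] if ips else None

def classify(raw, own_domain=OWN_DOMAIN, provider_hosts=PROVIDER_HOSTS, own_ip=OWN_PUBLIC_IP):
    """Map a copy of the unwanted mail to the three cases: 1 = sent from your computer
    directly, 2 = sent through your account, 3 = your address was only spoofed."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(msg)
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()

    by_hosts = [m.group(1).lower() for m in map(BY_RE.search, hops) if m]
    via_provider = any(h.endswith(tuple(provider_hosts)) for h in by_hosts)
    authenticated = any(AUTH_SUBMIT_RE.search(h) for h in hops)  # a password was presented
    dkim = DKIM_RE.search(auth)
    dkim_own = bool(dkim and dkim.group(1).endswith(own_domain))
    ip = origin_ip(hops)

    if from_domain == own_domain and via_provider and (authenticated or dkim_own):
        return {"case": 2, "origin_ip": ip,
                "note": "sent through your account: change the password from a clean PC, then scan this one"}
    if ip and ip == own_ip:
        return {"case": 1, "origin_ip": ip,
                "note": "delivered straight from your own IP: a mailer on this PC sent it, scan the PC"}
    return {"case": 3, "origin_ip": ip,
            "note": "headers forged elsewhere (spoofed): nothing on this PC to clean"}

# Constructed sample headers as a contact's server (mx.contact.example) would record them.
VIA_ACCOUNT = """\
Received: from mail.example.com (mail.example.com [192.0.2.25]) by mx.contact.example with ESMTP id A1; Fri, 18 Mar 2011 08:24:00 -0500
Received: from [10.0.0.5] (cpe-198-51-100-7.isp.example [198.51.100.7]) by mail.example.com with ESMTPSA id B2; Fri, 18 Mar 2011 08:23:58 -0500
Authentication-Results: mx.contact.example; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Tricia <tricia@example.com>

"""
DIRECT_FROM_PC = """\
Received: from [192.168.1.2] (cpe-198-51-100-7.isp.example [198.51.100.7]) by mx.contact.example with ESMTP id C3; Fri, 18 Mar 2011 08:30:00 -0500
Authentication-Results: mx.contact.example; spf=fail smtp.mailfrom=example.com; dkim=none
From: Tricia <tricia@example.com>

"""
SPOOFED = """\
Received: from relay.bulk.example (unknown [203.0.113.9]) by mx.contact.example with ESMTP id D4; Fri, 18 Mar 2011 08:40:00 -0500
Authentication-Results: mx.contact.example; spf=fail smtp.mailfrom=example.com; dkim=none
From: Tricia <tricia@example.com>

"""

if __name__ == "__main__":
    for name, raw in (("VIA_ACCOUNT", VIA_ACCOUNT), ("DIRECT_FROM_PC", DIRECT_FROM_PC), ("SPOOFED", SPOOFED)):
        print(name, classify(raw))
```

A message that used the account (case 2) can still have been sent by malware on the PC using stored credentials, which is why that branch advises both a password change from a clean machine and a scan.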

Re: All my contacts getting emails that I didn't send Viagra etc.

Ok, I read & followed the instructions as per the bleepingcomputer.com page.
I disabled AVG and downloaded ComboFix. When that was done, I restarted my PC
before I ran ComboFix. When I did, it said it could not run because it had some
corrupt files, download a newer version, so that is what I did. This time it said uninstall AVG, so I did; after 15 min of trying to uninstall, AVG didn't want to uninstall either. Next I finally ran ComboFix again and it executed: the window came up, preparing to run, then the backing up to registry (the two colored lines) came up. Then it goes back to a blank blue window just for a short, maybe 5-10 sec, then the box goes away.

I searched for the log-notepad and I find nothing, just as it displayed nothing.

Help what is going on?

Re: All my contacts getting emails that I didn't send Viagra etc.

If you have problems removing AVG, you can try their uninstall utility. You will most likely need the 32 bit version, but if you run a 64-bit operating system, you will need to download from the second link.

AVG Remover 32-bit
AVG Remover 64-bit

(Right-click My Computer >> General should show your operating system; if it is WIN7 64-bit or Vista 64-bit, this will be indicated).

If that went well, please try ComboFix again. If you still can't get ComboFix to run, let me know!

Re: All my contacts getting emails that I didn't send Viagra etc.

I tried the 64-bit in the beginning because I am running Windows 7; however, I tried the link you provided and it seemed to uninstall ok, and I restarted the PC. I then went back and checked the computer from the start button and it was no longer there. So I ran ComboFix and again it said that AVG was running and to try another method. I then went to check the control panel to see if AVG was still listed there and it was, big as day. I tried to uninstall from there and it did nothing.

So my friend, where do we go from here?

Tricia

Re: All my contacts getting emails that I didn't send Viagra etc.

Mam, look! I made a friend on teh internet!

Let's try and kick AVG off again, this time with Revo Uninstaller.

Download and install Revo Uninstaller from here.

  • Run Revo Uninstaller
  • Find the program you want to uninstall (AVG in this case), click it and click the Uninstall button
  • When prompted for an uninstall mode choose Advanced
  • Follow the prompts to uninstall AVG and related registry entries


Please let me know if that worked and we finally managed to kick AVG off your computer, Tricia.

If that worked, please try ComboFix again, as indicated in my first post.

Re: All my contacts getting emails that I didn't send Viagra etc.

Ok friend, I tried that program and AVG did not show up in the main view, so I searched in Junk Files Cleaner and found some program files there. Here is one of the file paths (it would not let me copy it): c:\Program Files (x86)\AVG\AVG10\Identy Protection\Agent\Bin\AVGIDSAgent.exe.old

C:\Program Files (x86)\AVG\Avg10\Toolbar\Firefox\avg@igeared\chrome\content\html\settings_closeddialog.htlm.old

C:\ProgramData\avg9\Temp\file9514.tmp


C:\ProgramData\avg9\Temp\fee5204d-1ae7-4446-b3d0-b9ee71b9d93c-21c-oop.tmp


Then I also looked in the autorun manager and found AVG_TRAY there.

So I tried to use the Hunter mode and it would not locate it, and I then went to my control panel and found it still there and tried to drag it to the Hunter icon as instructed and it would not go. I found it in my recycle bin, so I restored it and it was back on the desktop, and I then tried to drag it to the Hunter icon and it still would not go. It said program open, try another program. I tried the regular Revo and it still was not listed there even though it was sitting on my desktop.

so here I sit.

Re: All my contacts getting emails that I didn't send Viagra etc.

Let's try a new plan, Tricia. Two scans with two tools not named ComboFix.

Please download OTL by OldTimer from here and save it to your Desktop.
  • Close all windows and double click OTL.exe.
  • The Extra Registry setting should be Use Safelist
  • Copy and paste the following text into the Custom Scans/Fixes box:

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\drivers\*.sys
%systemroot%\system32\drivers\*.dll
%systemroot%\system32\drivers\*.ini
%systemroot%\system32\drivers\*.exe
%SYSTEMDRIVE%\*.*
%PROGRAMFILES%\*.
/md5start
atapi.sys
explorer.exe
iastor.sys
userinit.exe
winlogon.exe
/md5stop

  • Click the Run Scan button and allow it to run.
  • It will produce two logs for you, OTL.txt and Extras.txt. Please post both logs in this thread.
  • You may need to use two posts to get it all.


====================

  • Please download MBRCheck by a_d_13 from either of the following mirrors and save it to your Desktop.

  • Double click MBRCheck.exe to run it (right click > Run as Administrator for Vista and WIN7)
  • It will show a black screen with a report of what has been found.
  • Exit from the program, also if an infection is found.
  • The report can be found on your desktop, named MBRCheckxxxx.txt
  • Please post the contents of that report in your next reply.


Re: All my contacts getting emails that I didn't send Viagra etc.

Last edited by tricia9000 on 18th March 2011, 3:08 pm; edited 1 time in total (Reason for editing : remove file)

Re: All my contacts getting emails that I didn't send Viagra etc.

delete file

Last edited by tricia9000 on 18th March 2011, 3:09 pm; edited 1 time in total (Reason for editing : delete file)

Re: All my contacts getting emails that I didn't send Viagra etc.

delete file

Last edited by tricia9000 on 18th March 2011, 3:10 pm; edited 1 time in total (Reason for editing : delete file)

Re: All my contacts getting emails that I didn't send Viagra etc.

Well, that doesn't look bad, Tricia. We're going to run an OTL script to remove some broken entries and traces of some low-risk adware, although these were/are no cause for real concern.
  • Please run OTL.exe again
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:


:files
C:\Program Files (x86)\MyWebSearch

:otl
IE - HKCU\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - Reg Error: Key error. File not found
FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files (x86)\MyWebSearch\bar\1.bin
O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {30F9B915-B755-4826-820B-08FBA6BD249D} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKCU..\Run: [EPSON Stylus Photo 1400 Series] File not found

:commands
[reboot]

  • Then click the Run Fix button at the top.
  • Allow it to run. It may take some time and you may see some things happen to your desktop - this is normal.
  • If it asks to reboot the computer, allow it to reboot.
  • If the program freezes, and the computer fails to reboot - let me know.
  • Finally, post the contents of the log. (Located at C:\_OTL\Moved Files)


====================

We're going to run a scan with ESET Online Scanner. Please make sure you are logged in as a user with administrator rights and proceed with the following steps:
  • Use Internet Explorer to browse to the ESET Online Scanner webpage
  • Click the green ESET Online Scanner button
  • A popup window will open
  • Accept the terms of use and click Start
  • Internet Explorer probably informs you that ESET tries to install an add-on. Allow that.
  • UNSELECT the Remove all threats option.
  • Click Start
  • When the scan has finished and threats were found, click List of found threats
  • Click Export to text file and save it as e.g. eset.txt on your desktop
  • Click Back
  • Select Uninstall application on close
  • Click Finish. ESET Online Scanner will now uninstall itself
  • Please post the contents of the eset.txt in your next reply.

====================

I think your computer is clean. The ESET scan should be able to confirm that.
Have you changed your e-mail password already?

What do you want to do with AVG? It is kind of stubborn. Do you want to keep it or do you want to get rid of it and get another (free) antivirus??

Re: All my contacts getting emails that I didn't send Viagra etc.

Here is the result from OTL:

========== FILES ==========
File\Folder C:\Program Files (x86)\MyWebSearch not found.
========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\ not found.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com deleted successfully.
File C:\Program Files (x86)\MyWebSearch\bar\1.bin not found.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{30F9B915-B755-4826-820B-08FBA6BD249D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\EPSON Stylus Photo 1400 Series deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.22.3 log created on 03182011_082424

Re: All my contacts getting emails that I didn't send Viagra etc.

Yes, I did change my email password from another PC. What is the best free anti-virus that is also user friendly? Here is the result from ESET; there were 2 infections found:


First result:

C:\Program Files (x86)\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application



Second result:

C:\Program Files (x86)\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
Last edited by tricia9000 on 18th March 2011, 3:06 pm; edited 2 times in total (Reason for editing : forgot about antivirus)

Re: All my contacts getting emails that I didn't send Viagra etc.

Hi tricia9000,

Gabethebabe asked me to finish up with your PC. He had to attend to some personal affairs for the next few days.

Okay, we still have some leftovers of MyWebSearch. Let's remove them. Then we'll deal with your anti-virus software.

Please download Malwarebytes Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: All my contacts getting emails that I didn't send Viagra etc.

I completed the Malwarebytes task and found no infected files, and here is the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6100

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3/18/2011 1:06:57 PM
mbam-log-2011-03-18 (13-06-57).txt

Scan type: Quick scan
Objects scanned: 265495
Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Next, what is a good, user-friendly free anti-virus program for me to run?

Re: All my contacts getting emails that I didn't send Viagra etc.

Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following files; if found, delete them (some may not be present after previous steps):

  • Files:
    C:\Program Files (x86)\Windows Live\Messenger\msimg32.dll
    C:\Program Files (x86)\Windows Live\Messenger\riched20.dll


As for free Antivirus. I use Avira AntiVir Personal. Let's remove what's left of AVG as follows:

Use the uninstaller below:

http://www.appremover.com/get/appremover.exe

Click on Run on the box that pops up and follow the prompts.

Restarting your computer completes the removal of AVG Antivirus. Now you can install Avira below. Yes, it's very user friendly.


With that done, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

Re: All my contacts getting emails that I didn't send Viagra etc.

Kenny,
I copied your note and ran the app remover, and the only thing that came up was to uninstall malware, which I declined. I clicked the back button and then checked the other box for apps that were partially installed for a deeper scan; that took longer and still no result.

Then I closed application, should I consider that everything is ok or what?
Is it ok to install Avira now?

Tricia

Oh, by the way you guys are awesome!

Re: All my contacts getting emails that I didn't send Viagra etc.

Yes go ahead and install Avira and let me know when you are done.

Re: All my contacts getting emails that I didn't send Viagra etc.

Hi Tricia,

How is your PC doing?

Re: All my contacts getting emails that I didn't send Viagra etc.

Sorry I have not posted, had a family member very ill. All is well and I really
love avira. Thank YOU!

Re: All my contacts getting emails that I didn't send Viagra etc.

You're Welcome!

Some final items:

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

There are some older versions of Java on your computer. These can be a source of infection.

Please download JavaRa to your desktop and unzip it to its own folder

  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.



Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, Firefox and Opera, both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.


Additional Security Measures

Secunia software inspector & update checker

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Auslogics Disk Defrag or JKDefrag - Two good disk defragmenters for you to choose from to help speed up your computer.

Visit My Blog for Malware and Spyware Tips