[love2teach956]

I came home today and found that spam emails went out to all my contacts. I got 3 failure notices, apparently these contacts have new email addresses, thank goodness...I got this because one in the batch came to me, looks like they're "sending out" alphabetically. I had this happen back in June of 2010 and you guys were great in getting this off my computer. I"ve got McAfee I run and it's up to date.
What is causing this? I haven't been to any unusual or different site in almost 3 weeks, I only have time to visit about 6 common sites. I have Dell computer, Windows XP and I use a laptop as well running XP. I don't know if this is a virus and which device it's on. Thanks, in advance, for any help!

This is the name of what's going to my friends:

Edited by Rorschach112, 24 August 2010 - 06:41 AM.

[Advertisements]

Hello love2teach956 and welcome to G2G!

My name is Cold Titanium , and I will be assisting you with your problem. I am still in training, so all my replies need to be checked by an expert first. So there may be a slight delay in between replies.

Please follow all of my instructions without skipping anything. Also, please refrain from experimenting around whilst I am helping you. At times some of the things I tell you to do may seem unnecessary and frustrating, but just stick to it and we'll get through

Note: Please save these instructions in a file or print them out, as the internet may not be available while we are fixing the system.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #1

• Download OTL to your desktop.
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top make sure it is set to Standard Output.
• Ensure the Use SafeList is selected for Extra Registry
• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  msconfig
  safebootminimal
  safebootnetwork
  activex
  netsvcs
  drivers32 /all
  %SYSTEMDRIVE%\*.*
  %systemroot%\system32\*.wt
  %systemroot%\system32\*.ruy
  %systemroot%\Fonts\*.com
  %systemroot%\Fonts\*.dll
  %systemroot%\Fonts\*.ini
  %systemroot%\Fonts\*.ini2
  %systemroot%\system32\spool\prtprocs\w32x86\*.*
  %systemroot%\REPAIR\*.bak1
  %systemroot%\REPAIR\*.ini
  %systemroot%\system32\*.jpg
  %systemroot%\*.scr
  %systemroot%\*._sy
  %APPDATA%\Adobe\Update\*.*
  %ALLUSERSPROFILE%\Favorites\*.*
  %APPDATA%\Microsoft\*.*
  %PROGRAMFILES%\*.*
  %APPDATA%\Update\*.*
  %systemroot%\*. /mp /s
  CREATERESTOREPOINT
  %systemroot%\system32\*.dll /lockedfiles
  %systemroot%\Tasks\*.job /lockedfiles
  %systemroot%\System32\config\*.sav
  %systemroot%\system32\user32.dll /md5
  %systemroot%\system32\ws2_32.dll /md5
  %systemroot%\system32\ws2help.dll /md5
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  
  
  
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so.
• When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #2

• Download GMER to your desktop
• Right-Click and extract it to the desktop
• Double-Click gmer.exe
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish. (Please be patient as it can take some time to complete)

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

After it finishes scanning

• Click on the [Save..] button, and in the File name area, type in "ark.txt"
• Save it to your desktop

Post ark.txt in your next reply


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I'd like to see OTL.txt, Extras.txt, and ark.txt in your next reply

[Cold Titanium]

Hello love2teach956 and welcome to G2G!

My name is Cold Titanium , and I will be assisting you with your problem. I am still in training, so all my replies need to be checked by an expert first. So there may be a slight delay in between replies.

Please follow all of my instructions without skipping anything. Also, please refrain from experimenting around whilst I am helping you. At times some of the things I tell you to do may seem unnecessary and frustrating, but just stick to it and we'll get through

Note: Please save these instructions in a file or print them out, as the internet may not be available while we are fixing the system.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #1

• Download OTL to your desktop.
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top make sure it is set to Standard Output.
• Ensure the Use SafeList is selected for Extra Registry
• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  msconfig
  safebootminimal
  safebootnetwork
  activex
  netsvcs
  drivers32 /all
  %SYSTEMDRIVE%\*.*
  %systemroot%\system32\*.wt
  %systemroot%\system32\*.ruy
  %systemroot%\Fonts\*.com
  %systemroot%\Fonts\*.dll
  %systemroot%\Fonts\*.ini
  %systemroot%\Fonts\*.ini2
  %systemroot%\system32\spool\prtprocs\w32x86\*.*
  %systemroot%\REPAIR\*.bak1
  %systemroot%\REPAIR\*.ini
  %systemroot%\system32\*.jpg
  %systemroot%\*.scr
  %systemroot%\*._sy
  %APPDATA%\Adobe\Update\*.*
  %ALLUSERSPROFILE%\Favorites\*.*
  %APPDATA%\Microsoft\*.*
  %PROGRAMFILES%\*.*
  %APPDATA%\Update\*.*
  %systemroot%\*. /mp /s
  CREATERESTOREPOINT
  %systemroot%\system32\*.dll /lockedfiles
  %systemroot%\Tasks\*.job /lockedfiles
  %systemroot%\System32\config\*.sav
  %systemroot%\system32\user32.dll /md5
  %systemroot%\system32\ws2_32.dll /md5
  %systemroot%\system32\ws2help.dll /md5
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  
  
  
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so.
• When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Step #2

• Download GMER to your desktop
• Right-Click and extract it to the desktop
• Double-Click gmer.exe
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish. (Please be patient as it can take some time to complete)

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

After it finishes scanning

• Click on the [Save..] button, and in the File name area, type in "ark.txt"
• Save it to your desktop

Post ark.txt in your next reply


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I'd like to see OTL.txt, Extras.txt, and ark.txt in your next reply

[Cold Titanium]

Hey, quick question...

Is this email a webmail account? Like hotmail, yahoo, gmail, etc...

[love2teach956]

Hey, quick question...

Is this email a webmail account? Like hotmail, yahoo, gmail, etc...

Hey, I will try to do those steps tomorrow if I can. Am working sometimes 12 hr days so can't get to this tonight
It's my yahoo account that I've had the address for about 5 yrs? It does always filter for spam. The only thing maybe I can think of is a friend of mine that I don't usually get emails from, forwarded me a joke, and that was about the time this happened, within a day or two maybe? I don't know?

[Cold Titanium]

Hello,

If it is your yahoo mail account, then it is possible that none of your computers are infected. What probably happened is that someone got into your yahoo account and spammed your contact list.

I suggest logging into your yahoo account and changing the password. After you change the password let me know if it happens again.

[love2teach956]

sounds good. Let me try that first. I'll change password tonight and see if I have anything else sent from my account to someone. Thanks!

[love2teach956]

Hm,not sure where my reply just went I changed password and seem to be okay. Let me know if you think I need to do all those steps above that you listed. Last time this happened it was sending spam for a few days. This seems to be just those two days. Think I'm okay. Let me know if you think I should do the checking of my hard drive or if you think I'm okay. thanks again-

[Cold Titanium]

No, I don't think it's necessary for you to do the other steps. Just keep an eye out and come back if you have any further problems.

Here are some good virus prevention steps anyway:

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster - to help prevent spyware from installing in the first place.
• SpywareGuard - to catch and block spyware before it can execute.
• IESpy-Ad - to block access to malicious websites so you cannot be redirected to them from an infected site or email.
• MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc.
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
• Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
• ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And to help keep your system clean I recommend running one or two of these free malware scanners weekly

• Malwarebytes
• SuperAntiSpyware Free Edition

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make your Internet Explorer more secure - This can be done by following these simple instructions:

• From within Internet Explorer click on the Tools menu and then click on Internet Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
  
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a different Internet Browser

• FireFox
• Opera

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It is also extremely important to keep your operating system up to date:

Turn on automatic updating

• Click Start.
• Select Control Panel.
• Select Automatic Updates.
• Click Automatic (recommended)
• Choose a day and a time when you know the computer will be on and connected to the internet.
• Click Apply then OK.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Have a Backup Plan

Keep a backup of your important files - This article is full of good information on alternatives for home backup solutions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To learn more about how to protect yourself while on the internet read these articles:

• So how did I get infected in the first place?
• How to prevent Malware

Safe Computing!

~Cold Titanium

[love2teach956]

Thanks! I do use Firefox as my browswer. I have SuperAntiSpyware free on my computers so I'm running that now, full scan on both desktop and laptop. I checked to make sure my automatic updates are On and okay. I think I will install one of those others that you mention. I have a current subscription to McAfee and it ran last week and is set up to run, weekly, I think? Hope I'm covered. Again, thank you guys so much!!
You're a life saver to someone barely getting by on income! Thanks again