malware on email

[Kinyau]

Hi wakuu,
my desktop computer is infected na some sort of malware/virus na inatuma email kwa adrress book nzima iliyoko kwenye yahoo. Mbaya zaidi nikufungua adress book inaniambia my adress book is empty yani imezihold zile contact na kuendelea kutuma spam.
Please advice me on what malware removal I should use, and can I rertace my contacts again?

 

[AljuniorTz]

Hi wakuu,
my desktop computer is infected na some sort of malware/virus na inatuma email kwa adrress book nzima iliyoko kwenye yahoo. Mbaya zaidi nikufungua adress book inaniambia my adress book is empty yani imezihold zile contact na kuendelea kutuma spam.
Please advice me on what malware removal I should use, and can I rertace my contacts again?

Hi; Pole
Umewahi kujaribu kufungua hiyo yahoo email account ktk PC nyengine? Kuna kitu narekebisha nikutumie punde tu. Ila ni procedure ndefu kidogo.
Stay tuned

 

[SnEafer]

i gues the first procedure is to change ur yahoo password, then download trojan remover ***which is free*** and scan your pc.


goodluck

 

[AljuniorTz]

An approach to remove all Spyware, Adware and Malware from your Computer

Preparation
Disconnect the infected machine from any and all computer networks (the Internet and/or Local Area Network).

If possible use a PS/2 based mouse and keyboard rather than USB (if you have to boot to DOS or Linux there may not be USB drivers). Have as many of these programs ready to run off removable media (floppy, CD, USB flash drive) as you can. It is best to run this software from removable media both to insure it is not compromised and because some malware may prevent the use of equivalent Windows based software on the infected machine.
• a disk imaging program
• a program to control auto-started programs such as autoruns
• a process monitor such as process explorer
• McAfee AVERT Stinger for virus removal
If possible download a Windows/software firewall, such as ZoneAlarm, on another computer and store it on removable media such as a flash drive. Likewise, the trial version of an anti-virus program such as NOD32 or Kaspersky is good to have on hand.
And speaking of firewalls, if there is a broadband connection, it can't hurt to have the machine positioned behind a hardware firewall such as that found in normal ordinary routers from Linksys, Belkin, Netgear and the like. There is nothing wrong with a software firewall such as ZoneAlarm but two levels of protection better than one. I suggest using a router just for its internal firewall even if there is only a single computer connected to the Internet. Wired routers offer a bit more safety than wireless routers and although they may be harder to find, they do still exist.

Stop Malware From Running
Boot to Safe Mode via F8.
Make a registry backup.
Stop the obvious malware from running at boot time with a utility that controls auto-started programs. This is best done from Safe Mode because I have seen malware that puts itself back into the list of auto-started programs as soon as its removed.
The AutoRuns program from SysInternals is a free program that controls auto-started programs. It is small, safe program from a reliable source. No installation is needed, you can run autoruns.exe from removable media.

Beware of malware with a good name in a bad directory. For example, the real version of winlogon.exe resides in the C:\Windows\system32 directory. A copy of winlogon.exe in the C:\Windows directory is trouble. Likewise, winlogin.exe (slight name change) in the C:\Windows\system32 directory is also bad news.
Check the "hosts" file and if it has any entries other than 127.0.0.1, comment them out. Sample clean hosts file.
For Windows XP and 2000 look in C:\WINDOWS\SYSTEM32\DRIVERS\ETC
For Windows 98\ME look in C:\WINDOWS
I have seen the hosts file locked by malicious software such that it couldn't be updated, deleted or even renamed.
Check My Network Places and delete anything suspicious, especially FTP sites referenced by IP address.
If the computer is behind a router, change the administration password for the router and tape the new password to the box.
Look for BHOs and disable anything you don't recognize. When in doubt disable it, you can always re-enable a BHO later.
You want to do this early because BHOs are kicked off by both Windows Explorer and IE. Windows XP SP2 has the IE Add-On manager. However, BHODemon could run off removable media without being installed to Windows, works with all versions of Windows and offers opinions about the BHOs, making it the far better choice. Deleting BHOs can be tricky because they are active if either Windows Explorer or IE is running. I used to suggest running BHODemon from removable media with Start -> Run -> x:\dir\someprogram.exe (modifying as appropriate).

An actively maintained list of BHOs is available at ComputerCops.biz (thanks Larry) but beware, it's a very big page. In the Status column "X" means malware, "L" means benign.

Review the list of auto-started Services (for Windows XP/2000) and disable the ones you don't recognize. Pay special attention to services that have no description.
Services are one of many ways to auto-start a program at boot time. To research Windows 2000 services see Purpose of Windows 2000 Services and Glossary of Windows 2000 Services. For XP see Windows Server 2003 System Services Reference or System Services for the Windows Server 2003 Family and Windows XP Operating Systems. To research the EXE that underlies a service see Windows Startup Online or WinTasks Process Library or Task List Programs at AnswersThatWork.com.
Examine the scheduled tasks for any obvious malware that kicks itself off this way.
Make sure Windows Explorer is displaying hidden and system files.
***Re-boot back to Safe Mode***.

Rebooting in Safe Mode is to find any malware that auto-starts despite the initial steps above. Eventually, we reboot normally and look for malware that snuck through the steps below. The goal is that by the time we run anti-Spyware software there's a clean playing field for malware removal.

Use a Process monitoring program to examine all the running programs.
For each malware program, note the location of the underlying executable file. Kill the process and rename the underlying EXE. If it resides in its own directory rename that too. Give it a name something on the order of: someprogram.DONOTRUN.exe. If you can't kill the process, boot to DOS or the Recovery Console and rename the underlying file from there.
For this, I like Process Explorer, another free program from SysInternals.com. Like AutoRuns, it requires no installation, you can run it directly from removable media. It can also drill down into svchost.exe and report the underlying services.
Even with newer versions of Windows such as XP, older mechanisms for automatically running a program at startup time still work. If you want to manually inspect these holdovers, check:
The [windows] section of Win.ini looking for an entry such as load=spyware.exe and run=spyware.exe
The [boot] section of System.ini looking for an entry such as Shell = Explorer.exe spyware.exe
Autoexec.bat looking for something like c:\spyware.exe

Repair, Delete and Re-build
This would be a good time to run anti-virus and anti-Spyware software to clean things up.
Next boot normally.
Remove the relatively honest Adware using Add/Remove Programs in the Control Panel.

Use a process monitor to check for any malware that might have been auto-started. Anything that shows up here is pretty darn resistant. It may have detected that its process was being terminated and created a new instance of itself. Or, it may use different names and run from different locations at each startup. Or it may be auto-started from an obscure part of the registry that the software you used to control automatically run programs does not handle (AutoRuns seem pretty complete to me). Note the underlying EXE, reboot to DOS or the Recovery Console and rename this file.


Trying to kill the process may only tell it that we are on to its existence and trigger a defense mechanism.
In Windows XP and Me make a Restore Point.
Delete:
• All ActiveX controls (see below)
• The web browser cache (Temporary Internet Files) for each user for each browser.
• Temporary files
• Cookies (perhaps overkill, I admit)
• The web browser history
• Empty the recycle bin for each Windows user
• Clean out the Java cache folder for each Windows user. The current version of Java (1.5) stores the cache in:
C:\Documents and Settings\userid\Application Data\Sun\Java\Deployment\cache\
You can also delete the cache using Control Panel - > Java -> General Tab -> Delete Files button
How to Clean a Java Cache Folder from F-Secure
• Disable System Restore to delete the old Restore points, then re-enable it and take a new Restore point
Active X programs/controls reside in C:\WINDOWS\Downloaded Program Files
on Windows XP/ME/98 and in C:\WINNT\Downloaded Program Files
in Windows 2000. With IE6 and Windows 2000 and XP, the cache and cookies
reside in C:\Documents and Settings\userid\Local Settings\Temporary Internet Files

Windows XP SP2 displays the installed ActiveX controls and offers to disabled them, but I would rather delete them.
I have read that Ad-aware can run from a USB thumb drive, but haven't verified this myself. If it can, this would be a good time to run it.
This is great time to run the free McAfee AVERT Stinger. Nice thiing about it is that it does not have to be installed, thus it can be run from a flash drive. In fact, it's a single .EXE file. Down side is that it only detects some viruses, it is not a full anti-virus product. As of July 2007 it detected 187 viruses.
I haven't tried it, but I've read that the free AntiVir PersonalEdition Classic from Avira can also run off a flash drive. This is a full blown anti-malware program.

Reboot normally.

Hopefully, no malware is auto-started at this point.
In Windows XP and Me make a Restore Point.

Review the IE Trusted Zone (Tools -> Internet Options -> Security Tab -> Trusted Zones -> Sites button) and delete any web sites there. Review the IE Favorites and delete anything that looks suspicious. If there are too many malicious Favorites, then just rename the directory where they live (see below). Change the IE home page to a blank page (if you can). On the Content tab, click the Publishers button and remove any trusted publishers.
Internet Explorer Favorites live in C:\Documents and Settings\ userid\Favorites

Get a firewall program up and running.
If the machine already had a firewall installed, review the rules, it only takes a single exception to punch a big hole in the protection. Better yet, uninstall the current firewall and do a clean install of the latest version of the free edition of ZoneAlarm. ZoneAlarm is better than the firewall in Windows XP SP2 because it starts out with no exception rules and because it is more resistant to being shut down or disabled by malware.
Any computer infected with malware, is also likely to be infected with viruses. Better to get rid of the viruses first. Online virus scans should be used because client side anti-virus software may have been crippled.

Finally, it's time for anti-Spyware software. It's a shame that you need to run more than one, but you do. Opinions vary as to the "best" anti-Spyware programs, however, the following are generally respected and free.
• The classic programs are Ad-aware and Spybot.

• Trend Micro Anti-Spyware for the Web is free online Spyware removal

• Microsoft has an Anti-Spyware program that, as of this writing, is still in beta.

• SpyCatcher 2006 from Tenebril has a free Express edition

• Run the ActiveX based online CounterSpy scan from Sunbelt software (I've experienced some false positives with it). This is only a scan, if it finds something you want to remove, there is an installable free trial version.

• The Yahoo IE Toolbar uses the Pest Patrol engine and both detects and removes Spyware

• Can't hurt to run the ActiveX version of Microsoft's Malicious Software Removal Tool

• CA offers a free ActiveX scan with Pest Patrol. However, if it finds anything there is no free trial. There used to be manual removal instructions, but that was before the product was purchased by Computer Associates. The downloadable 30 day free trial version of Spy Sweeper from Webroot used to remove Spyware, but no more. Now it only detects.
If Spyware was detected and removed by the above programs, then you should also remove any Restore Points (Windows XP and Me only) that may include the malicious software.
You do this by turning off System Restore. Then turn it back on and make a new Restore Point.
Make sure that you can change the IE home page and security settings and that Internet Options appears in the Control Panel.

If not, try here: HijackThis

ALL THE BEST

 

[SnEafer]

**********************************
Hi wakuu,
my desktop computer is infected na some sort of malware/virus na inatuma email kwa adrress book nzima iliyoko kwenye yahoo. Mbaya zaidi nikufungua adress book inaniambia my adress book is empty yani imezihold zile contact na kuendelea kutuma spam.
Please advice me on what malware removal I should use, and can I rertace my contacts again?
********************************

Woooow you were right, it is a very long and useless procedure to the guy who asked the question.

the first thing to do is to see the spam email which is sent to everyone how it looks like and what is it advertising. with just that look you'll know if its really a malware or just some stupid kid got your pass and decided to have some fun with ur mail.

If its a malware then by changing the password you could have easily block it out.
yahoo emails ar very hard to be hijacked by a virus or a malware ***that was proved 2003***
upto there we would rule out malware, and for the viruses its very dangerous for them to be on a yahoo servers due to there new and improve traceback system which could trace the origin of any virus they come across.****so no virus either***

you could prove if its a virus by scanning your system with updated trojan remover. it will check ur registries folders and all.

upto there we ar only left with the stupid kid who got ur pass.

so about the stupid kid who got your mail pass, if he decided to delete all ur adds then there is no way you ar going to get those emails back. ***thats the reality***

if you want to get him off ur back just change ur pass and ur done.

goodluck

 

[Kinyau]

thanks aljunior,sneifer for quick advice, let me try fix it, I'll let u know of the outcome.