Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: SendDerek on January 03, 2007, 05:52:56 AM

Title: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: SendDerek on January 03, 2007, 05:52:56 AM
Hello!

I have a question I would like to ask the experienced AV gurus here at Avast.

I have a PC running Win XP at work.  I also have Avast Home installed and running swell.  I have done a thorough scan on my entire PC and it actually picked up quite a bit of virii in the process of doing so. 

There have been quite a bit of times where Avast will alert me saying something to the effect of "Too many duplicate emails have been sent!" and it gives me a choice to continue sending the emails or stop sending them. 

After checking the Avast E-Mail scanner results, it says that it has sent out 7000+ emails today alone.  These emails are being sent from and to random email addresses.  The body text is verses from the Bible.

I have Outlook and Outlook Express setup on this machine if this helps at all.

What I have tried to do to correct: 
*Run complete scan again (including boot time scan).
*Run Spybot S&D
*Run Crap Cleaner
*Run HijackThis
*Run WinTasks Pro 5

All of these and no resolve.  I was hoping that some of you on this board might have an idea of what might be happening and how I can go about resolving the issue before the ISP shuts us down or something.

Thank you very much in advance!

-Derek

P.S.  It was also doing this same thing with Norton AV.  I have uninstalled Norton and used Avast instead.  It makes me shiver having to say the N-word.  My apologies.  ;)
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: SendDerek on January 03, 2007, 05:54:37 AM
Oh, and BTW:  I am very computer literate.  Tell it to me straight doc!  ;D
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: RejZoR on January 03, 2007, 06:19:41 AM
Alwil team should seriously incorporate the outbound email worm protection in Standard Shield for proactive protection against such crap (which is otherwise used by Internet Mail provider).
Otherwise i think you can see the EXE file responsible for this by hovering over the email scanner icon next to the clock (appears when scanning mail). At least if i remember correctly.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: SendDerek on January 03, 2007, 06:24:35 AM
Excellent.  I will try this.  I remember trying to double-click as well as right-click on the icon, but nothing appeared.

In the meantime, if there are any other suggestions, I would like to hear what you have to say.

Thanks!
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: alanrf on January 03, 2007, 07:34:24 AM
Methinks that (very) young RejZoR is getting old and forgets that avast used, by default, to warn users of this problem. 

It used to be (before faintheartedness) that avast would give this process information in the "timeout" message on the send side of the avast email scanner.  But alas due to too many complaints from users of P2P programs using port 25 (among other issues) the avast team got cold feet and turned it off.  At least it meant fewer complaints for avast - even if users like SendDerek did not get useful warning information anymore. 

So, SendDerek  ...here is a suggestion:

In the Internet Mail Scanner, select "Customize" and then select the "Advanced" tab

Check the box "Timeout for Internet Communication(s)"  set the time to 60 (seconds)

Click "OK"

If 60 seconds produces no results then it may be worth trying 25 seconds (spambots are not always completely stupid).

I believe (or I hope ... since avast may have made other changes) that the spambot sending emails on your system will trip this avast check and cause a pop-up (as in the memory of RejZoR) that will advise you that a process whose name it will tell you has spent too long sending emails out of your system without your approval.

If you choose to follow this advice please let us know if this has any value in diagnosing your problem. 
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: ksav on January 03, 2007, 10:49:41 AM
Just a thought, has Avast updated to its newest DAT file?  There was a worm introduced over the new year designed solely for SPAM'ing:
details:
Subject - Happy New Year!
Attachment - POSTCARD.exe
Worm Name - Nuwar.B

Now i know that Avast was not picking this up as of yesterday because i tried it.  I wasn't infected I was just trying various scanners to see which one found it..!!

Worth checking..?

Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Lisandro on January 03, 2007, 11:37:52 AM
Quote
Now i know that Avast was not picking this up as of yesterday because i tried it.

Can you please send an email with the file (false positive or infected) to: virus (at) avast.com
You can zip and password-protect the files... Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: DavidR on January 03, 2007, 03:13:36 PM
Quote
Oh, and BTW:  I am very computer literate.  Tell it to me straight doc!  ;D

What is your firewall?
This should be able to catch unauthorised outbound connections unless of course your firewall doesn't provide outbound protection, like XP's firewall.

You could also try sysinternals.com TCPView that should show the connections established and what program/file initiated the connection.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Lisandro on January 03, 2007, 05:35:02 PM
Quote
You could also try sysinternals.com TCPView

Sysinternals.com was bought by Microsoft in July, 2006 and became Windows Sysinternals  :P
http://www.microsoft.com/technet/sysinternals/default.mspx
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: DavidR on January 03, 2007, 06:34:35 PM
That's right but sysinternals.com redirects to the new site.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: SendDerek on January 03, 2007, 06:38:22 PM
This is all great advice!  Thank you very much.

I'm going to look into the timeout function, and then I'm very interested in this sysinternals TCPView.

I will post the results.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: DavidR on January 03, 2007, 06:41:16 PM
Glad we could help, welcome to the forums.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: SendDerek on January 03, 2007, 06:42:32 PM
Quote
Just a thought, has Avast updated to its newest DAT file?  There was a worm introduced over the new year designed solely for SPAM'ing:
details:
Subject - Happy New Year!
Attachment - POSTCARD.exe
Worm Name - Nuwar.B

Now i know that Avast was not picking this up as of yesterday because i tried it.  I wasn't infected I was just trying various scanners to see which one found it..!!

Worth checking..?

It's not that certain email though.  Like I said earlier, it's an email that contains verses from the Bible.  I will try and get the newest updates though.  I had just installed it yesterday and assumed (dangerous) that it had installed all the updates automatically.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Lisandro on January 03, 2007, 06:47:01 PM
Quote
I'm going to look into the timeout function

Here you can see more about timeouts in the Internet Mail provider and your email account: http://forum.avast.com/index.php?topic=11380.msg96646#msg96646
Anyway, since avast! version 4.7.807 the mail scanner module ("Internet Mail" provider) has been significantly changed to improve the overall user experience, especially in case of slow connections (dial-up). Namely, most of (if not all) the "Timeout expired" related problems should be gone by now.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Vlk on January 03, 2007, 07:05:44 PM
Quote
Now i know that Avast was not picking this up as of yesterday because i tried it.  I wasn't infected I was just trying various scanners to see which one found it..!!

I disagree, the "postcard" worm was being detected from the very beginning (Avast was one of the first who detected it).

How did you find out it can't detect it?

Am I guessing correctly if I say VirusTotal and/or Jotti's?
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Lisandro on January 03, 2007, 08:31:05 PM
Quote
I disagree, the "postcard" worm was being detected from the very beginning (Avast was one of the first who detected it).

Thanks for posting... from time to time, an official word about detection is comfortable.  ;)
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: SendDerek on January 03, 2007, 11:10:33 PM
Okay, I have more information for you guys and a screenshot.

The information I get when I hover over the icon is pretty random, but for the most part, this bit is most always on there:

mx10.tds.net

Some others that I managed to write down quickly (it changes every second):
nsl.smfiber...
bootsit.com...

Here is the screenshot with TCPView and Avast showing:

(http://img.photobucket.com/albums/v203/send_derek/SpamMessages.jpg)

We don't really use this computer for e-mails, so as a temp fix, I wanted to block all outgoing smtp traffic.  Is there a way to do this?
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Lisandro on January 03, 2007, 11:25:33 PM
Quote
We don't really use this computer for e-mails, so as a temp fix, I wanted to block all outgoing smtp traffic.  Is there a way to do this?

You need to block ports 25 and 12025, as you can see in the picture...
Which is your firewall? Do you have a router to connect to the Internet?
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: DavidR on January 03, 2007, 11:34:01 PM
Well, System Process is a pretty weird process name as it is usually only listed as System, so this might be something trying to masquerade as System, although the Process ID of 0 is also weird.

In task manager, what has the process ID of 0?

There is no easy way to block emails being sent; you would have to block the email port 25 in either a firewall or router, as this would appear to be using its own emailer. So you still haven't said what your firewall is?

Try windows, Start, Run, type 'msconfig' without the quotes and click OK, now look at the Startup Tab and list what you see there.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: alanrf on January 03, 2007, 11:37:46 PM
Well the TCPView is just showing you that it is avast that is actually facilitating the sending of the spam messages. 

Did you try the suggestion I gave you to have avast identify the process sending the spam?

As Tech says you need a firewall with outbound protection to really help you with this one. 

If you have such a firewall then you should remove outbound access for ashMaiSv.exe, this is the avast process that is actually delivering the mail.  That will stop it being sent.  It will not identify the infection in your system or remove it - which is what you ultimately need to do.

Again if you have an outbound protection firewall and you terminate the avast e-mail scanner then the real culprit sending the emails should show up asking for permission to connect outbound (or it will be a process you have already authorized but should not have).

It is very typical for these spambots to hijack a Windows process to do their work, we have quite often seen in the past winlogon.exe and explorer.exe as the infected processes.  Neither of these should have any valid reason for outbound access. 


Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Vlk on January 03, 2007, 11:47:06 PM
Just to add, if the shyte is running inside the SYSTEM process it's quite likely there's a kernel-mode malware component involved (a rootkit, basically). Not very good news indeed... :-\

What you could try is run a specialized rootkit-detection tool such as F-Secure Blacklight (it's free): http://www.f-secure.com/blacklight/try_blacklight.html


Thanks
Vlk
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: SendDerek on January 03, 2007, 11:53:23 PM
Sorry for withholding information to ya'll.

This isn't a machine that I'm normally working on and it has no firewall except that of Windows SP2.

I have checked the processes in msconfig and there is nothing out of the ordinary (or so it seems).

Which firewall would be recommended for this one?  Something free would be best.

I cannot see any process with the ID of 0.

I also do connect through a router.  I will configure it to block port 25.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: alanrf on January 03, 2007, 11:53:58 PM
There's one other way we can get avast to report the process path ... at least it might confirm the System Process contamination.

It might prove useful to create (for a while, since the volume of messages will create a large log) a more detailed avast! log of your mail connections.

You can get the mailscanner to log your connections by editing the avast4.ini file (in  Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log and will contain avast's reading of the path of the process being used to make the outbound connections.
 
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: SendDerek on January 04, 2007, 12:31:51 AM
I tried the log thing.  I can't really read it very easily though.

I would like to share with you guys.  It started to grow very rapidly and became > 1MB. I will upload to Media Fire so that you can download and look for yourselves.

http://www.mediafire.com/?0ym0jwmvitz

Here is a small portion:
Code:
250-8BITMIME
250-PIPELINING
250 SIZE 71303168
01/03/07 16:22:31 00000E34:   <-SMTP 250-csmtpmx13.frontal.correo
250-8BITMIME
250-PIPELINING
250 SIZE 71303168
01/03/07 16:22:31 00000E34:   sent 79 (1160)
01/03/07 16:22:31 00000E34:   received 33 (1160)
01/03/07 16:22:31 00000E34:   ->SMTP MAIL FROM:<efe-getafe@terra.es>
01/03/07 16:22:31 00000E34:   sent 33 (1104)
01/03/07 16:22:31 00000E34:   received 40 (1104)
01/03/07 16:22:31 00000E34:   <-SMTP 250 MAIL FROM:<efe-getafe@terra.es> OK
01/03/07 16:22:31 00000E34:   sent 40 (1160)
01/03/07 16:22:31 00000E34:   received 31 (1160)
01/03/07 16:22:31 00000E34:   ->SMTP RCPT TO:<efe-getafe@terra.es>
01/03/07 16:22:31 00000E34:   sent 31 (1104)
01/03/07 16:22:32 00000440:   Cannot connect to SMTP server 65.54.244.40 (65.54.244.40:25), connect error 10060
01/03/07 16:22:32 00000440:   sent 87 (904)
01/03/07 16:22:32 00000440:   --SMTP Finishing connection handler
01/03/07 16:22:32 000005DC:   SMTP accept connection from: 127.0.0.1
01/03/07 16:22:32 000005DC:   Connection handler: 00000D08 (1024)
01/03/07 16:22:32 00000D08:   Ignored PIDs: 2672 3724
01/03/07 16:22:32 00000D08:   Ignored Addresses: 72.3.135.203:80 193.243.128.78:80 193.243.128.76:80 62.132.1.234:80 204.58.27.57:80 204.58.27.41:80 204.58.27.49:80 204.58.27.33:80 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80 192.168.0.4:119 127.0.0.1:119 192.168.0.4:143 127.0.0.1:143 192.168.0.4:25 127.0.0.1:25 192.168.0.4:110 127.0.0.1:110
01/03/07 16:22:32 00000D08:   Ignored Processes: avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe tor.exe wcescomm.exe utorrent.exe ypager.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup
01/03/07 16:22:32 00000D08:   --SMTP command REDIRECT 65.54.244.72:25 1856
01/03/07 16:22:32 00000D08:   PATH: \Device\HarddiskVolume2\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Vlk on January 04, 2007, 12:42:36 AM
Is the link supposed to contain some data?

BTW maybe you could make the log file < 200KB and attach it here?


Thanks
Vlk
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: DavidR on January 04, 2007, 01:06:29 AM
Quote
Is the link supposed to contain some data?

There is a download file button on that page.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: BJ_GeOrgE on January 04, 2007, 01:26:15 AM
Quote
Sorry for withholding information to ya'll.

This isn't a machine that I'm normally working on and it has no firewall except that of Windows SP2.

I have checked the processes in msconfig and there is nothing out of the ordinary (or so it seems).

Which firewall would be recommended for this one?  Something free would be best.

I cannot see any process with the ID of 0.

I also do connect through a router.  I will configure it to block port 25.

u better download comodo..it's free and it has the feature named "define a new banned application" in which u can select an application to block from any internet access..this firewall helped me a lot with a bot which did the same work as yours(sending numerous emails)...i did a full system scan with avast and even if it found it couldn't stop it...then i tried spybot and AVG antispyware and they couldn't stop it either..so i disabled avast email scanner,i found the process that contains the bot,i blocked it with comodo and did an online scan with bitdefender,it found the bot,deleted it and after that i ran windows in safe mode and deleted it by myself coz it appeared again..now i have no problems and i have the exe file still in the block list of comodo just in case..maybe my bot was easier to remove it but i think comodo helped me a lot on that thing..u can see some gd free firewalls here http://www.snapfiles.com/Freeware/security/fwfirewall.html i recommend comodo and zonealarm.. ;)
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: alanrf on January 04, 2007, 02:47:21 AM
Here is a section from my log when I deliberately send an email message ...

Code:
1/03/07 17:35:38 00000254:   Ignored Addresses: 72.3.135.203:80 193.243.128.78:80 193.243.128.76:80 62.132.1.234:80 204.58.27.57:80 204.58.27.41:80 204.58.27.49:80 204.58.27.33:80 198.200.173.74:80 198.200.173.139:80 127.0.0.1:80 70.86.176.98:119 212.26.219.158:119
01/03/07 17:35:38 00000254:   Ignored Processes: avgemc.exe forx.exe FXMadeEasy.exe aoltpspd.exe waol.exe tor.exe wcescomm.exe utorrent.exe ypager.exe V3P3AT.EXE bitcomet.exe mpftray.exe ABC.EXE CZDCPlusPlus.ex CRAXY.EXE NETMONSV.EXE SYMPROXYSVC.EXE NAVAPW32.EXE WEBPROXY.EXE EMULE.EXE TMPROXY.EXE isafe.exe SMPROXY.EXE ccLgView.exe ccSetMgr.exe ccPwdSvc.exe ccApp.exe ccProxy.exe ccPxySvc.exe ccEvtMgr.exe winroute.exe avast.setup
01/03/07 17:35:38 00000254:   --SMTP command REDIRECT 204.127.225.17:25 392
01/03/07 17:35:38 00000254:   PATH: \Device\HarddiskVolume2\Program Files\Mozilla Thunderbird\thunderbird.exe
01/03/07 17:35:38 00000254:   Connected to SMTP server 204.127.225.17 25 (496)

You notice the PATH statement gives the name of the process that is sending the email - in this case my Thunderbird mail client.

In your log it is consistently pointing to the program ashDisp.exe.  This is very strange and I guess we will have to see if the avast folks have a comment.  I suppose that it is just possible that someone has managed to infect avast itself or to masquerade as an avast module. 

Did you try the blacklight scan suggested by Vlk?

By the way what is the size, date and time of your ashDisp.exe file?
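The PATH lookup described in the post above can be done over the whole log instead of by eye. This is an added example, not part of the original thread and not Avast code: it pairs each `REDIRECT` line with the `PATH:` line that follows on the same handler id and totals sessions per executable. The function names, the list of expected mail clients, the assumption that all lines of one session share a handler id, and the sample log (constructed on the line layout of the excerpts posted here, with documentation-range addresses) are assumptions.

```python
import re
from collections import defaultdict

# "<date> <time> <handler id>:   <message>". Lines without this prefix are
# continuation lines of a multi-line SMTP reply (e.g. "250-8BITMIME").
LINE_RE = re.compile(
    r"^\d{1,2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ([0-9A-Fa-f]{8}):\s+(.*)$")
REDIRECT_RE = re.compile(
    r"^--SMTP command REDIRECT (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
PATH_RE = re.compile(r"^PATH: (.+)$")
MAIL_FROM_RE = re.compile(r"^->SMTP MAIL FROM:<([^>]*)>")

# Assumption: the only programs expected to send mail on this machine.
EXPECTED_SENDERS = {"thunderbird.exe", "msimn.exe", "outlook.exe"}

# Constructed sample, not taken from the uploaded log.
SAMPLE_LOG = r"""
01/03/07 16:22:30 00000D08:   --SMTP command REDIRECT 192.0.2.10:25 1856
01/03/07 16:22:30 00000D08:   PATH: \Device\HarddiskVolume2\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
01/03/07 16:22:30 00000D08:   <-SMTP 250-mx.example.net
250-8BITMIME
250 SIZE 71303168
01/03/07 16:22:30 00000D08:   ->SMTP MAIL FROM:<a@example.org>
01/03/07 16:22:31 00000E34:   --SMTP command REDIRECT 198.51.100.7:25 1856
01/03/07 16:22:31 00000E34:   PATH: \Device\HarddiskVolume2\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
01/03/07 16:22:31 00000E34:   ->SMTP MAIL FROM:<b@example.com>
01/03/07 16:22:32 00000D08:   --SMTP command REDIRECT 203.0.113.5:25 1856
01/03/07 16:22:32 00000D08:   PATH: \Device\HarddiskVolume2\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
01/03/07 16:22:32 00000D08:   ->SMTP MAIL FROM:<c@example.net>
01/03/07 17:35:38 00000254:   --SMTP command REDIRECT 192.0.2.25:25 392
01/03/07 17:35:38 00000254:   PATH: \Device\HarddiskVolume2\Program Files\Mozilla Thunderbird\thunderbird.exe
01/03/07 17:35:38 00000254:   ->SMTP MAIL FROM:<owner@example.org>
"""


def summarize(log_text):
    """Return {process path: {sessions, destinations, mail_from}}."""
    pending = {}   # handler id -> destination still waiting for its PATH line
    current = {}   # handler id -> process path of the session in progress
    stats = defaultdict(
        lambda: {"sessions": 0, "destinations": set(), "mail_from": set()})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or continuation line
        handler, msg = m.group(1).upper(), m.group(2)
        redirect = REDIRECT_RE.match(msg)
        if redirect:
            # Handler ids are reused, so a REDIRECT starts a new session.
            pending[handler] = "%s:%s" % redirect.groups()
            current.pop(handler, None)
            continue
        path = PATH_RE.match(msg)
        if path and handler in pending:
            entry = stats[path.group(1)]
            entry["sessions"] += 1
            entry["destinations"].add(pending.pop(handler))
            current[handler] = path.group(1)
            continue
        sender = MAIL_FROM_RE.match(msg)
        if sender and handler in current:
            stats[current[handler]]["mail_from"].add(sender.group(1).lower())
    return dict(stats)


def suspicious(stats, expected=EXPECTED_SENDERS):
    """List (path, sessions, distinct destinations, distinct senders) for
    every process that is not an expected mail client, busiest first."""
    rows = []
    for path, entry in stats.items():
        exe = path.rsplit("\\", 1)[-1].lower()
        if exe not in expected:
            rows.append((path, entry["sessions"],
                         len(entry["destinations"]), len(entry["mail_from"])))
    return sorted(rows, key=lambda row: -row[1])


if __name__ == "__main__":
    for row in suspicious(summarize(SAMPLE_LOG)):
        print("%s sessions=%d destinations=%d senders=%d" % row)
```

A single process with many sessions, each to a different server and with a different MAIL FROM address, matches the "from and to random email addresses" pattern described at the start of the thread.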
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: ksav on January 04, 2007, 12:54:52 PM
Quote
I disagree, the "postcard" worm was being detected from the very beginning (Avast was one of the first who detected it).

How did you find out it can't detect it?

Am I guessing correctly if I say VirusTotal and/or Jotti's?

Nope, i tried it with my U3 (up to date) scanner on a machine where I'd copied the .exe to.
I then tried numerous other scanners, i.e. McAfee (not mobile!) etc to see if it could identify this .exe as being malicious...  So, as of the 31st none of the scanners I tried could see this as malicious.

Sorry, i was just telling it like it was!!
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Vlk on January 04, 2007, 01:03:55 PM
Quote
Nope, i tried it with my U3 (up to date) scanner on a machine where I'd copied the .exe to.
I then tried numerous other scanners, i.e. Mcafee (not mobile!) etc to see if it could identify this .exe as being malicious...  So, as of the 31st none of the scanners I tried could see this as malicious.

It may have been a corrupted sample then... (this is quite common, actually - the attachment gets somehow screwed and arrives in a non-working state).

Do you still have the file? It would be worth a quick look just to make sure...

Thanks
Vlk
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: ksav on January 04, 2007, 01:11:30 PM
Quote
It may have been a corrupted sample then... (this is quite common, actually - the attachment gets somehow screwed and arrives in a non-working state).

Do you still have the file? It would be worth a quick look just to make sure...

Thanks
Vlk

Sorry, no.  I've updated all scanners to latest .dat files.  It is worrying though that major anti-virus vendors can firstly, not identify a known (it was known it was coming) malicious file, and secondly that some updates can get screwed in this fashion leaving the user unprotected...!!

Alwil was (admittedly) one of the better ones in this instance.

Cheers
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Vlk on January 04, 2007, 03:30:22 PM
Quote
Sorry, no.  I've updated all scanners to latest .dat files.  It is worrying though that major anti-virus vendors can firstly, not identify a known (it was known it was coming) malicious file, and secondly that some updates can get screwed in this fashion leaving the user unprotected...!!

Maybe I said it wrong... all I was saying is that the postcard.exe file you got could be screwed (not the AV updates).
That is, the virus sample could have been benign (damaged) and hence no AV detected it (which is, in this case, correct behavior)


Thanks
Vlk
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: ksav on January 05, 2007, 12:35:52 PM
Quote
Maybe I said it wrong... all I was saying is that the postcard.exe file you got could be screwed (not the AV updates).
That is, the virus sample could have been benign (damaged) and hence no AV detected it (which is, in this case, correct behavior)


Thanks
Vlk

Ouch, sorry.  No I got rid of the .exe file after trying the various scanners.  I don't like leaving these types of files on any of my machines.


cheers 
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: SendDerek on January 08, 2007, 08:07:49 PM
Sorry it has been so long since the last update.

The issue has not been resolved as of recent mostly due to my inability to work on the machine.  It's the Point Of Sale machine for the store, and we are not able to ring people up without it. 

I installed Comodo Firewall on it and disabled the Avast Mail protection in hopes that I could figure out what was happening through the use of Comodo's logs.  Unfortunately, without much time to configure it, the firewall was blocking important access that is needed for the POS system to work.

I am going to wait for a good load of down time and try and figure it out then.  Also, I got the Qwest redirect page saying that the account is disabled because of this virus.  I quickly lied my way through the page to regain internet access.  I will be really trying to fix this virus today before we get redirected (or worse) again.

I will also be running the blacklight scan when I am given the chance.  I tried to do it once, ran it for about 10 minutes, and had to exit due to customer.

This PC hasn't been re-formatted in a while and we're almost just looking at getting it wiped clean again instead of going through the virus-hunt hassle.  But not yet.

Thank you for all of your support on this.  I will keep you posted with any progress.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: BJ_GeOrgE on January 08, 2007, 10:59:34 PM
Quote
I will also be running the blacklight scan when I am given the chance.  I tried to do it once, ran it for about 10 minutes, and had to exit due to customer.

blacklight is an online rootkit scanner..if u want an easier solution try this one http://www.trendmicro.com/download/rbuster.asp its an on-demand scanner which doesn't need internet connection to scan.. ;) u can see other similar softwares here http://www.geocities.com/dontsurfinthenude/antitrojan.htm
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: alanrf on January 09, 2007, 10:19:26 AM
Vlk, Igor,

this user posted an avast mail log (almost a week ago!)  that appears to show ashDisp.exe as the source of the spam email causing problems.

While I know that you are busy folks I think this demands a response from the avast team.

So ... how about a comment please?
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Lisandro on January 09, 2007, 12:06:18 PM
Quote
Vlk, Igor

Maybe Vojtech is the man  8)
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: SendDerek on January 09, 2007, 06:29:58 PM
As another update, I have run the blacklight program, but it came back with nothing.  I have currently turned the avast mail client back on to see if there has been any mail going through.  For some reason, it seems that it only goes through after 2:00 in the afternoon.  I have also been watching TCPView but nothing has occurred.  As another precaution, I have been watching the comodo firewall logs, but it appears to be nothing out of the ordinary (BTW: Comodo blocks the blacklight scan attempt.  You must shut the firewall down first).

Once again, I will keep you guys posted on what is happening.

And as another little detail about it, we noticed it started happening around after the new year and on two computers.  One was a laptop that was connected to the network, and the other was the POS PC.  We have 3 other computers on the same network, but they do not seem to be infected.  These infected PC's also had Norton installed when the attack hit.  The other machines did not.  Since then, these 2 machines have Avast installed now instead.  Norton had popped up about 100+ warning messages and totally froze the system if you can imagine.

Thanks for any help!
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Lisandro on January 10, 2007, 02:00:12 AM
Quote
These infected PC's also had Norton installed when the attack hit.

Do you mean, when you've installed avast?
Disabling Norton is not enough to avoid conflicts with avast...  :'(
Please, follow: http://forum.avast.com/index.php?topic=23089.msg211543#msg211543
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: SendDerek on January 10, 2007, 03:48:11 AM
Quote
These infected PC's also had Norton installed when the attack hit.
Do you mean, when you've installed avast?
Disabling Norton is not enough to avoid conflicts with avast...  :'(
Please, follow: http://forum.avast.com/index.php?topic=23089.msg211543#msg211543

Oh, I know better than that. lol  ::)

Norton was totally uninstalled before I installed Avast.  I just meant that Norton was the AV installed at the time of attack.  I installed Avast in hopes that Avast would take care of it better than Norton.  And, it did detect a bunch of new viruses, but not the particular one that we're trying to find.
Title: Re: Spam E-Mails being Sent from my PC (7000+ Today Alone)
Post by: Vlk on January 10, 2007, 06:26:16 PM
If it's the ashDisp.exe process that seems to be sending out the emails it may be because there's a rogue DLL loaded into its address space.

Please try doing the following: download Process Explorer from http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx, simulate the problem (i.e. confirm the ashDisp.exe process is sending out emails), then run Process Explorer, scroll the process tree to ashDisp.exe, press Ctrl+L to display the lower pane, press Ctrl+D to have DLLs in the lower pane, and then click Ctrl+A to save the contents of the window to a text file. Then post the contents of that file (or attach it to your post).

This should give us a complete list of modules (DLLs) loaded into ashDisp.exe address space.

Thanks
Vlk
Title: Postcard.exe
Post by: rreinhardklein on November 19, 2009, 01:31:09 AM
The worm contained in "Postcard.exe" is again being sent around just now by a false Hallmark email offering an e-card.
The offer is written in bad English and refers to a German web domain offering a download of Postcard.exe.
I assume it is a worm - have not dared to actually download and execute it to test my avast.
Anyone who wants it for test purposes pls send me a msg - I will send the download link and .eml file