Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Olórin on February 03, 2006, 12:23:32 AM

Title: potential virus detected.
Post by: Olórin on February 03, 2006, 12:23:32 AM
I'm quite new to avast anti-virus. upon using it, i noticed that 'Internet Mail' under on-access scanner is constantly scanning e-mail messages by the thousands. i do not recall having used any internet mail client in my computer and i do not use outlook. now i'm wondering where all these e-mails are coming from. and recently it has been detecting suspicious mail. below is the message given. there are 3 buttons, delete, continue and don't send, whereas delete is unclickable.


Suspicious whitespace sequence

Sender:  Duane Bishop <22len@abercrombiekent.com.au>
Recipient:  altimeter@narod.ru
Subject:  Ñîçäàíèå ñàéòîâ, ðàñêðóòêà, ïðîäâèæåíèå


i need help in countering this problem. where is the source of all these e-mails? how, if possible, can i stop this unnecessary scanning? and what tips could i get in configuring avast?

the problems i had before i reformatted my computer seem to be coming back. [unable to minimize certain programs, error in explorer.exe upon shutdown] if anyone would know how to correct these errors, i would much appreciate the help. :) thank you.
Title: Re: potential virus detected.
Post by: CharleyO on February 03, 2006, 01:39:36 AM
***

Welcome to the forums, Olorin !    :)

Please give us a little more info about your computer ... such as OS, any past av program, have you done a virus scan with avast, do you have a firewall? Also, do you have any other anti-malware programs such as Ad-Aware, Spybot-S&D, ewido, a-squared, etc?    ???

Please reply as soon as possible with more info.


***
Title: Re: potential virus detected.
Post by: duff on February 03, 2006, 11:08:37 PM
I may be having a similar problem. 
Not a new user.  On-Access Scanner is busily popping up the blue note at bottom right for two days solid now, continuous.  Well, sort of continuous....it spurts up 2, 5, 10 existing message subject lines, or so, then releases them, one after another until the blue note disappears.  Then it takes another gulp and repeats.  It seems to be working through all outlook folders, currently working in Sent Items folder, so it has come quite a ways thus far.  I do not know if it is in Archives/Sent Items or Personal Folders/Sent Items, as there is no such indication.
Appears to be scanning each and every piece of mail though I can't say for sure.  I have no idea where to spy on this process' origin or stage of completion, or even whether it is actually expected behavior or not.
If it is running some sort of deliberate maintenance, perhaps seeking Kama Sutra evidence?, which is what I first imagined upon seeing it in process.
If the behavior is expected, I would prefer that it do this work in the background without the perpetual messaging.

Thinking back, the sequence of events was that
1.  I became aware of the kama sutra situation a few days ago.
2. I immediately started a disc scan using the tray icon Start-avast-antivirus path.
3. Eureka, perhaps I should be CERTAIN that I have the latest updates.
4. Stopped the scan.
5. Forced the updates from the system tray.
6. Received message to restart computer
7. did so
8. Working along for several hours when
9. bluenote bluenote bluenote gang-o-bluenotes.

 ;D
Wat givs?  How to proceed ?

XP Pro SP2,  OL2003Pro, Dell Lat C840,   more?  ask.
Title: VIRUS?? : On-Access Scanner Message keeps scanning Outlook mail
Post by: duff on February 04, 2006, 01:35:28 AM
Details above. PLEASE RESPOND! ???

I am going now to update my system details, as the signature line is not current yet, I see.
Title: Re: potential virus detected.
Post by: Olórin on February 04, 2006, 01:47:53 AM
i'm using win2000..i used mcafee before this. and i'm using spybot s&d and spyware blaster. but i already delete the previous programs registry..it that might be the cause..

and duff...what do you mean by "1.  I became aware of the kama sutra situation a few days ago."??
just curious here.
Title: Re: potential virus detected.
Post by: alanrf on February 04, 2006, 04:47:05 AM
Please be aware that the Internet Mail scanner does not ever scan the folders of your mail client.  The internet Mail scanner has absolutely no idea what mail client you use or where the folders for your mail client are.

What the Internet Mail scanner does scan is mail that is being read into your system from an external mail server, as it is being read, and also outgoing mail as it is being created by your system and going to an external mail server. 

What this sounds like - in both your reports - is that you have probably become infected with an email "spambot" that is using your system to generate mass mailings of spam.

You may wish to look at the recommendations in this thread:

http://forum.avast.com/index.php?topic=18648.msg158086#msg158086
Title: Re: potential virus detected.
Post by: duff on February 04, 2006, 07:42:07 AM
Okay, well.  The thread mentioned bore no resemblance whatsoever to the problem I have described above.

It is indeed the Avast On-Access Scanner blue-topped pop-up (same as the one that always has popped up with subject line when an email comes in; same as the one that has always popped up with subject line as I move through my mailboxes within Outlook).   What is happening is the popup, instead of just signalling and scanning new mail as it arrives (as usual), is pretty much continuously flipping through my Outlook folders, as noted.  I can see the folder titles and message subjects in the popup, and the title bar of the pop-up is (as in the two just-described ordinary circumstances) Avast On-Access Scanner.

Finally, one odd note.  I ran Hijack this (and yes, it's current) and I got these four lines, TWO OF THEM VERY ODD, referencing Avast:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Please Advise

Title: Re: potential virus detected.
Post by: duff on February 04, 2006, 07:45:32 AM
Olorin-
Kama Sutra is a bad worm, set to go off today.  News about it was released all during last week.  Google it, for sure you will find much to gather on the details.  Surely Avast has some resources on it here???  I only mentioned it because it was my awareness of the threat, and my action to avert the threat, which initiated my current drama.
Title: Re: potential virus detected.
Post by: alanrf on February 04, 2006, 07:49:25 AM
Duff,

The "hijack this" lines you report happen for every user of avast and represent no problem.

It might prove useful to create (for a while) a more detailed avast! log of your mail connections.

You can get the mailscanner to log your connections by editing the avast4.ini file (in  Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log

If you choose to share the log with us then please be sure to edit the log first and obscure any information personally identifiable to you.
Title: Re: potential virus detected.
Post by: alanrf on February 04, 2006, 07:55:39 AM
Duff,

by the way on which provider(s), in the advanced tab, do you have "show detailed info on action performed" checked?

Are you using the Outlook plugin of avast or the Internet Mail provider?


 
Title: Re: potential virus detected.
Post by: duff on February 04, 2006, 08:34:56 AM
Could you be a little more specific as to the advanced tab to which you referred?  I don't know where to gather that information for you.

When I open Outlook, the Alwil/Avast green & orange splash screen pops up, indicating that I am using the plugin.  Also, there are 7 providers running in the On-Access Scanner.  I don't know if that answers your question adequately.

Here is the log content, after making the log=20 change you proposed.  Hopefully I have struck a balance between privacy & usefulness:
02/02/06 15:53:53 00000378:   Started as service, Log = 1(0x00000001)
02/02/06 15:53:53 00000378:   Build 4.6.763
02/02/06 15:53:53 00000378:   Windows XP Workstation (Service Pack 2)
02/02/06 15:53:53 00000378:   Using WinSock 2.0
02/02/06 15:54:09 00000378:   AutoRedirect settings changed 1(0x00000001)
02/02/06 15:54:28 00000378:   IgnoreLocalhost settings changed 1(0x00000001)
02/02/06 15:54:28 00000378:   POP Start settings changed: 1
02/02/06 15:54:29 00000378:   POP Listen settings changed: xxx.x.x.x xxxxx
02/02/06 15:54:29 00000378:   POP RedirectPort: xxx
02/02/06 15:54:29 00000378:   SMTP Start settings changed: 1
02/02/06 15:54:29 00000378:   SMTP Listen settings changed: xxx.x.x.x xxxxx
02/02/06 15:54:29 00000378:   SMTP RedirectPort: xx
02/02/06 15:54:29 00000378:   IMAP Start settings changed: 1
02/02/06 15:54:29 00000378:   IMAP Listen settings changed: xxx.x.x.x xxxxx
02/02/06 15:54:29 00000378:   IMAP RedirectPort: xxx
02/02/06 15:54:29 00000378:   NNTP Start settings changed: 1
02/02/06 15:54:29 00000378:   NNTP Listen settings changed: xxx.x.x.x xxxxx
02/02/06 15:54:29 00000378:   NNTP RedirectPort: xxx
02/03/06 23:02:17 00000378:   Log settings changed 20(0x00000014)

Also, it's still behaving as described.
Is it possible that a particular specialized avast scan is underway, and is that something that I can confirm or monitor?

Please advise.
Title: Re: potential virus detected.
Post by: duff on February 04, 2006, 08:40:33 AM
The messages (below the blue bar labeled avast! On-Access Scanner Message) read:

Scanning\Inbox\whatever subfolder\<Subj:whatever the subject is

or, depending on who-knows-what, perhaps

Scanning\Sent Items\<Subj:whatever the subject is

Title: Re: potential virus detected.
Post by: alanrf on February 04, 2006, 09:51:20 AM
Duff,

if you select the Outlook/Exchange provider click "Customize" and then go to the "Advanced" tab do you have the "show detailed info on action performed" box checked? 
Title: Re: potential virus detected.
Post by: duff on February 04, 2006, 10:03:48 AM
Yes I do have that box checked.  Also:  THIS IS THE PROCESS that is scanning as described.  AH!  that was also the solution.  Turning off that switch.
Now then.
MESSAGE TO PROGRAMMERS:
How did it get switched on?
Was that a default that got reset with the program update, and if so, why?  SEVERAL HOURS OF WASTED TWEAKING INVOLVED HERE!
As well as screen interruptions making all other programs and work that I've been trying to focus on, FAR more difficult to use.  I strongly recommend not flipping that switch in future program updates.  Thank You.
Title: Re: potential virus detected.
Post by: duff on February 04, 2006, 10:07:57 AM
As I look back over that hijack this log, more sense emerges.
Please advise what other settings switches have been altered.
I can't bear any more unscheduled chaotic behavior from my antivirus product.  I promise that I will seriously consider the paid version (which I already had been moving toward when this happened) if you will please identify what mysteries have been altered, or point me in the direction where those CHANGES TO SETTINGS are specifically detailed.
Title: Re: potential virus detected.
Post by: duff on February 04, 2006, 10:12:30 AM
Finally, Alanrf, if there are points to be given for problem solving, you get my unfettered vote.  Triumph, baby.  Right on.
Title: Re: potential virus detected.
Post by: duff on February 04, 2006, 10:18:03 AM
Oh.  Also.  Olorin's problem is not solved, & on reflection I completely hijacked his thread, thinking at first that I had the same problem.  Perhaps this can be fixed at the moderator level, with a more appropriate title for my <solved> problem. Such a:
"Default Settings Changes on Update Caused Bothersome Display-Related Program Quirks," perhaps.  =)
Title: Re: potential virus detected.
Post by: duff on February 04, 2006, 10:18:55 AM
as.   "Such as:"
Title: Re: potential virus detected.
Post by: alanrf on February 04, 2006, 10:40:02 AM
Duff,

I speak as just an avast user and if I have assisted you a little in detecting your issue then I am glad, but if this switch had been turned on by the latest update for all avast users of Outlook I am sure we would be seeing more comments about it in this forum.  I will leave it to the avast team to ponder how it may have been changed for you.

The only time I have been aware of unexpected changes (for myself and others I support) has been after using the "Repair" function of avast but that has typically involved turning on providers that had previously been turned off.

I hope that avast will continue to behave itself for you. 

As for Olorin ... we will continue to try to find a resolution there too.   
Title: Re: potential virus detected.
Post by: alanrf on February 04, 2006, 10:48:10 AM
Olórin,

may we get a little information about your system?  Which operating system do you use?  Do you use a firewall on your system?  If you do which one do you use?

Am I correct in understanding that you do not use any email program on your system to send email?

Title: Re: potential virus detected.
Post by: Olórin on February 21, 2006, 11:11:35 AM
Duff,
it's alright that you hijacked my thread. i'm glad everything is well for you now. i have been busy and away from my computer. so i'm get right on my problem now.

i'm using windows 2000 sp4. i'm not using any firewall. and i do not use any email program on my system.
Title: Re: potential virus detected.
Post by: alanrf on February 21, 2006, 11:34:54 AM
Olórin,

welcome back to the forum.

First may I just suggest that running without a firewall these days is rather like leaving home with the door unlocked.  Unless you have some other layer of protection I would suggest you review some of the suggestions for free firewall software (use the search function on this forum) here in the forum.  OK no more preaching on that from me.

You have told us that you are not using an email program on your system - so it would be logical to assume that you are not receiving email or sending it and therefore the Internet Mail scanner should not be reporting anything amiss.  I mentioned early in this thread the possibility of an infection on your system by an email spambot.  Such programs now usually have their own built in email software and can sit there and send out messages by the 1000s from your system and for many the first clue to such infection has been a warning from the Internet Mail scanner.

To see if your system really is sending out emails can you please turn on the logging I described in reply #8 in this thread and share with us the log produced.  If the log is very large then just share the early part of it with us.


 

Title: Re: potential virus detected.
Post by: alanrf on February 21, 2006, 11:38:51 AM
I notice you have joined another thread on a similar issue - notice DavidR's comment on firewall - you are in good hands with DavidR and Tech - I'll leave you to it.
Title: Re: potential virus detected.
Post by: Olórin on February 21, 2006, 12:39:20 PM
yes, but you're still welcome to help. i wouldn't mind learning a thing or 2. i just needed more help cos i don't really know how to get certain things done on avast. so i'm just asking around anywhere where i could get help. and thanks a lot for all you've done. i really appreciate it. :)
Title: Re: potential virus detected.
Post by: Olórin on February 21, 2006, 12:45:41 PM
this is the log requested.

02/03/06 07:47:45 000017B0:   Started as service, Log = 1(0x00000001)
02/03/06 07:47:45 000017B0:   Build 4.6.763
02/03/06 07:47:45 000017B0:   Windows 2000 Workstation (Service Pack 4)
02/03/06 07:47:45 000017B0:   Using WinSock 2.0
02/03/06 07:47:45 000017B0:   getnameinfo not loaded 127(0x0000007F)
02/03/06 07:47:46 000017B0:   Tray icon settings changed 0(0x00000000)
02/03/06 07:47:46 000017B0:   AutoRedirect settings changed 1(0x00000001)
02/03/06 07:47:46 000017B0:   IgnoreLocalhost settings changed 1(0x00000001)
02/03/06 07:47:46 000017B0:   POP Start settings changed: 1
02/03/06 07:47:46 000017B0:   POP Listen settings changed: xxx.x.x.x xxxxx
02/03/06 07:47:47 000017B0:   POP RedirectPort: 110
02/03/06 07:47:47 000017B0:   SMTP Start settings changed: 1
02/03/06 07:47:47 000017B0:   SMTP Listen settings changed: xxx.x.x.x xxxxx
02/03/06 07:47:47 000017B0:   SMTP RedirectPort: 25
02/03/06 07:47:47 000017B0:   IMAP Start settings changed: 1
02/03/06 07:47:47 000017B0:   IMAP Listen settings changed: xxx.x.x.x xxxxx
02/03/06 07:47:47 000017B0:   IMAP RedirectPort: 143
02/03/06 07:47:47 000017B0:   NNTP Start settings changed: 1
02/03/06 07:47:47 000017B0:   NNTP Listen settings changed: xxx.x.x.x xxxxx
02/03/06 07:47:47 000017B0:   NNTP RedirectPort: 119
02/03/06 07:47:49 000003C4:    Cannot connect to SMTP server 216.82.240.163 (216.82.240.163:25), connect error 10061
02/03/06 07:47:49 000004B8:    Cannot connect to SMTP server 66.179.26.156 (66.179.26.156:25), connect error 10061
02/03/06 07:47:50 000004A0:    Cannot connect to SMTP server 195.245.231.99 (195.245.231.99:25), connect error 10061
02/03/06 07:47:50 000004C4:    Cannot connect to SMTP server 207.217.120.57 (207.217.120.57:25), connect error 10061
02/03/06 07:47:54 000003C8:   --SMTP Mail is clean
02/03/06 07:47:57 000004B4:   --SMTP Mail is clean
02/03/06 07:47:59 000003C4:   --SMTP Mail is clean
02/03/06 07:48:02 000017B0:   Stopped


when i started this thread, i resolved the issue by stopping the internet mail totally. so there wasn't any activity since. and i just started it just now to check whether it is infected with the spambot.
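Added example, not part of the original thread and not Avast's own tooling: a short Python pass over an ashmaisv.log in the format posted above that counts how many distinct SMTP servers the machine tried to reach and how many outgoing messages were scanned, which is the evidence alanrf asked for. The function names, the two-server threshold and the sample lines (documentation-range addresses) are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Line layout of ashmaisv.log as posted above: "MM/DD/YY HH:MM:SS THREADID:   message"
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) ([0-9A-Fa-f]{8}):\s+(.*)$")
FAIL_RE = re.compile(r"^Cannot connect to SMTP server \S+ \(([\d.]+):(\d+)\), connect error (\d+)")
CLEAN_PREFIX = "--SMTP Mail is clean"

# Constructed sample in the same format; addresses are documentation ranges.
SAMPLE_LOG = """\
02/03/06 07:47:45 000017B0:   Started as service, Log = 1(0x00000001)
02/03/06 07:47:47 000017B0:   SMTP RedirectPort: 25
02/03/06 07:47:49 000003C4:    Cannot connect to SMTP server 192.0.2.10 (192.0.2.10:25), connect error 10061
02/03/06 07:47:49 000004B8:    Cannot connect to SMTP server 198.51.100.7 (198.51.100.7:25), connect error 10061
02/03/06 07:47:50 000004A0:    Cannot connect to SMTP server 203.0.113.99 (203.0.113.99:25), connect error 10061
02/03/06 07:47:50 000004C4:    Cannot connect to SMTP server 192.0.2.57 (192.0.2.57:25), connect error 10061
02/03/06 07:47:54 000003C8:   --SMTP Mail is clean
02/03/06 07:47:57 000004B4:   --SMTP Mail is clean
02/03/06 07:47:59 000003C4:   --SMTP Mail is clean
02/03/06 07:48:02 000017B0:   Stopped
"""

def summarize_smtp(log_text):
    """Collect the outbound SMTP activity recorded by the mail scanner."""
    servers, errors, threads, times = Counter(), Counter(), set(), []
    scanned = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or wrapped line
        stamp, thread, msg = m.groups()
        fail = FAIL_RE.match(msg)
        if fail:
            servers[fail.group(1)] += 1
            errors[int(fail.group(3))] += 1  # 10061 = WSAECONNREFUSED
        elif msg.startswith(CLEAN_PREFIX):
            scanned += 1  # an outgoing message passed through the scanner
        else:
            continue  # service start-up and settings lines
        threads.add(thread)
        times.append(datetime.strptime(stamp, "%m/%d/%y %H:%M:%S"))
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {"distinct_servers": len(servers), "failed_connects": sum(servers.values()),
            "messages_scanned": scanned, "worker_threads": len(threads),
            "span_seconds": span, "errors": dict(errors)}

def looks_like_bulk_mailer(summary, max_servers=2):
    """Heuristic (assumed threshold): a desktop mail client relays through one
    or two SMTP servers; direct delivery to many hosts is typical of a spambot."""
    return summary["distinct_servers"] > max_servers

if __name__ == "__main__":
    s = summarize_smtp(SAMPLE_LOG)
    print(s, "-> suspicious" if looks_like_bulk_mailer(s) else "-> normal")
```

On a machine with no mail client installed, any non-zero `messages_scanned` is already worth investigating; the server count only separates a misconfigured client from a bulk mailer.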
Title: Re: potential virus detected.
Post by: DavidR on February 21, 2006, 04:40:55 PM
Quote from Olórin:
"i'm using windows 2000 sp4. i'm not using any firewall. and i do not use any email program on my system."

Unfortunately some malware comes with its own email program, so if avast's Internet Mail provider has been detecting suspicious outbound email, it would appear that you have a malware spambot installed on your system.

So disabling the Internet Mail provider because you don't have an email program installed, just stops you getting the warnings and doesn't stop the outbound email. A good firewall would be able to stop unauthorised outbound connections. You absolutely need a firewall.

Download, install  and run this program, Ewido Security Suite (http://www.ewido.net/en/). However, without a firewall you will be fighting an uphill battle.

If you haven't already got this software (freeware), download, install, update and run it.
1. Ad-Aware (http://www.lavasoft.de/support/download)
2. Spybot Search and Destroy (http://www.safer-networking.org/index.php?lang=en&page=download)
3. Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) Don't install this until you are clean.
Title: Re: potential virus detected.
Post by: CharleyO on February 21, 2006, 07:43:30 PM
***

I really have a difficult time understanding why so many have an aversion to using a firewall.    ???

Most of the free ones run fine just as they are installed without modifying the settings.    :)


***