Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: doront99 on June 03, 2006, 07:04:12 PM

Title: My computer is infected but Avast can not find a thing
Post by: doront99 on June 03, 2006, 07:04:12 PM
Hi,

My computer is infected in some kind of malware/spyware.
I have checked one of the options in Avast to notify me (display a message) when scanning outgoing emails.

When Windows loads, I can see many messages of outgoing spam messages being sent out from my machine.

This malware or spyware (whatever) stops me from doing anything since it uses many resources and actually "stuck" my network.

Avast did not recognize anything, and by Avast my computer is clean.

HELP!!!! HOW DO I GET RID OF THIS HELL?!!!!!!!

:-)

Many thanks,
Doron Tal
Title: Re: My computer is infected but Avast can not find a thing
Post by: ardvark on June 03, 2006, 07:22:02 PM
Hi doront99...

First, see if Trend Micro can give you a hand with an online scan of your system...

http://housecall.trendmicro.com/

Please post back with the results.

Best Regards...
Title: Re: My computer is infected but Avast can not find a thing
Post by: DavidR on June 03, 2006, 08:23:14 PM
You would appear to have a spambot trojan of some sort, check out the programs below which specialise in trojan detection and removal.

I'm surprised that avast isn't detecting multiple identical emails in a specific duration, part of the heuristics checks in the Internet Mail provider, even if it can't detect the originating spambot. Are you sure that your Internet Mail provider is running?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode: Ewido Security Suite (http://www.ewido.net/en/) if using winXP, or a-Squared free (http://www.emsisoft.com/en/software/free/) if using win98/ME.
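The heuristic DavidR describes (many near-identical outgoing mails in a short time) is the same signal a firewall or mail-scanner log exposes: one process opening a burst of outbound TCP/25 connections. The script below is an added example written for this thread, not avast! or ZoneAlarm code, and it reads a constructed log format of its own (one line per outbound connection), not the real ashmaisv.log or ZoneAlarm format. It keeps a sliding 60-second window per process and reports any process that reaches the threshold, so a mail client sending a few messages minutes apart is not flagged while a spambot is.

```python
"""Flag processes that open an unusual number of outbound SMTP (TCP/25)
connections within a short window.  Added example for this thread; the log
format and the log lines below are constructed for illustration and are NOT
the avast! ashmaisv.log or ZoneAlarm format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: <date> <time> OUT <process> <src ip:port> -> <dst ip:port> <verdict>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) OUT (?P<proc>\S+) "
    r"(?P<src>\S+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) (?P<verdict>\w+)$"
)

# Constructed sample: a burst from services.exe, normal browsing, and a mail
# client sending two messages 13 minutes apart.  Lines are in time order.
SAMPLE_LOG = """\
2006-06-04 08:01:10 OUT services.exe 192.168.1.5:1041 -> 203.0.113.10:25 ALLOW
2006-06-04 08:01:11 OUT services.exe 192.168.1.5:1042 -> 203.0.113.11:25 ALLOW
2006-06-04 08:01:11 OUT services.exe 192.168.1.5:1043 -> 203.0.113.12:25 ALLOW
2006-06-04 08:01:12 OUT services.exe 192.168.1.5:1044 -> 203.0.113.13:25 ALLOW
2006-06-04 08:01:13 OUT services.exe 192.168.1.5:1045 -> 203.0.113.14:25 ALLOW
2006-06-04 08:01:14 OUT services.exe 192.168.1.5:1046 -> 203.0.113.15:25 ALLOW
2006-06-04 08:01:20 OUT firefox.exe 192.168.1.5:1047 -> 198.51.100.7:80 ALLOW
2006-06-04 08:02:05 OUT outlook.exe 192.168.1.5:1048 -> 198.51.100.25:25 ALLOW
2006-06-04 08:15:30 OUT outlook.exe 192.168.1.5:1060 -> 198.51.100.25:25 ALLOW
not a log line
"""


def parse_line(line):
    """Return a record dict for a well-formed line, or None so debris is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def find_spam_senders(lines, threshold=5, window=timedelta(seconds=60), port=25):
    """Return {process: peak connections seen in any one window} for every
    process whose outbound connections to `port` within `window` reach
    `threshold`.  Assumes the lines are in chronological order."""
    recent = defaultdict(deque)   # process -> timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst_port"] != port:
            continue
        q = recent[rec["proc"]]
        q.append(rec["ts"])
        # drop connections that fell out of the window
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[rec["proc"]] = max(peak[rec["proc"]], len(q))
    return {proc: n for proc, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for proc, n in find_spam_senders(SAMPLE_LOG.splitlines()).items():
        print(f"{proc}: {n} outbound SMTP connections within 60 s")
```

On the constructed sample only services.exe trips the threshold, which matches what the ZoneAlarm log later in this thread showed; the mail client stays below it because its two sends are far apart. Blocking outbound access for the flagged process, as the thread goes on to recommend, stops the traffic but does not remove whatever planted it.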
Title: Re: My computer is infected but Avast can not find a thing
Post by: doront99 on June 04, 2006, 01:13:55 AM
I have tried both of them, and none of them suspected anything  >:(

AVAST PEOPLE - PLEASE HELP ME!!!!

Thanks,
Doron Tal
Title: Re: My computer is infected but Avast can not find a thing
Post by: Lisandro on June 04, 2006, 01:21:36 AM
If a-squared and ewido and avast did not detect anything... the only thing you can do is a full on-line scan.
But I'm almost sure you have other problems than an infection in this case.
TrendMicro is a good on-line scanner.
Title: Re: My computer is infected but Avast can not find a thing
Post by: DavidR on June 04, 2006, 01:25:30 AM
And "Are you sure that your Internet Mail provider is running?"

What Operating System are you using ?
What is your email program ?
Do you have a firewall ?
As a firewall should be able to block unauthorised outbound connections.

Also useful as a diagnostic tool - Download HiJackThis.zip (http://www.spywareinfo.com/~merijn/files/hijackthis.zip) - HJT Information HiJackThis Tutorial 1 (http://www.bleepingcomputer.com/forums/tutorial42.html) or HiJackThis Tutorial 2 (http://www.tomcoyote.org/hjt/#introduction)
For an on-line analysis - HiJackThis Log file - On-line Analysis (http://hijackthis.de/index.php) OR On-line Analysis 2 (http://hjt.iamnotageek.com/)
Ignore any O23 reference to avast processes, this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast); if you need any help with any of the analysis let us know.
Title: Re: My computer is infected but Avast can not find a thing
Post by: Spiritsongs on June 04, 2006, 06:03:09 AM
:)  Hi Doront99 :

If your computer is infected with malware/spyware, you should be asking for help on the forum of your antiSPYWARE provider; if you know of none, I recommend www.landzdown.com .
Title: Re: My computer is infected but Avast can not find a thing
Post by: suemccartin on June 04, 2006, 07:05:02 AM
If you have a second machine or a friend, try pulling your hard disk and having the second machine or your friend's machine scan your C: drive. I just defeated one tonight that way; Avast couldn't see it, and whatever this thing was, it disabled both trendmicro and another online scanner I found....... that's what these little *&^%$#'s do these days: they write viruses that beeline for the antivirus and malware utilities and shut them off.  I used earthlink's utilities (infineon?) on my shoebox machine and it found something that nothing else was finding.  Some viruses get going and nothing can see them, so it's necessary to have your C drive scanned in a situation where nothing is running on it. Not that I've gotten rid of the virus; I still don't think avast is updating correctly, or adaware se either, so I think it also changed some stuff in the registry.
Title: Re: My computer is infected but Avast can not find a thing
Post by: doront99 on June 04, 2006, 10:10:51 AM
Hi All,

I have tried almost everything you said, including scanning the hard drive from another computer - but nothing.

The Ewido tool did not find anything also.

I have now tested the machine with the HiJackThis, and this is the report:

Logfile of HijackThis v1.99.1
Scan saved at 08:02:40, on 04/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\firebird\firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://service.pelephone.co.il/WebPhone/jsp/Client/CfxIEAx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\firebird\firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - C:\Program Files\firebird\bin\ibguard.exe (file missing)
O23 - Service: InterBase Server (InterBaseServer) - Unknown owner - C:\Program Files\firebird\bin\ibserver.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

I do not understand why I can not trace the application that sends these emails - isn't that something that a simple firewall should tell me????

Many thanks,
Doron Tal

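A HijackThis log is data, not an analysis, so the first pass a reviewer makes over it is mechanical: split the "Oxx - " entries out of the header and process list, then pull out the ones worth a second look (entries marked "(file missing)", O16 ActiveX downloads with no friendly name, O23 services with no publisher). The script below is an added example for this thread, not avast! or HijackThis code; its sample input is a subset of the log posted above, and the avast! exclusion reflects the HJT 1.99.1 quirk DavidR mentions earlier in the thread.

```python
"""Parse HijackThis 1.99.1 log lines into records and group the entries a
reviewer checks first.  Added example for this thread, not an avast! or HJT
tool.  SAMPLE_HJT is a subset of the log posted in this thread."""
import re

SAMPLE_HJT = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - C:\Program Files\firebird\bin\ibguard.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# HJT entries start with a section code: R0..R3, F0..F3, O1..O23
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*)$")
MISSING = "(file missing)"


def parse_hjt(text):
    """Return a list of {'kind', 'body', 'missing'} records.  Header lines and
    the running-process list do not match the 'Oxx - ' form and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        entries.append({"kind": m.group("kind"), "body": body,
                        "missing": body.endswith(MISSING)})
    return entries


def triage(entries):
    """Group the entries a reviewer looks at first.

    file_missing            - autostart/service/protocol entries whose file is gone.
                              Uninstall leftovers are common, but a missing Winlogon
                              Notify DLL or service binary is also how a file hidden
                              from the filesystem looks to HJT.
    unnamed_dpf             - O16 ActiveX downloads with no friendly name in parentheses.
    unknown_owner_services  - O23 services with no publisher.  avast's own services
                              land here because of the HJT 1.99.1 quirk, so they are
                              excluded.
    """
    report = {"file_missing": [], "unnamed_dpf": [], "unknown_owner_services": []}
    for e in entries:
        if e["missing"]:
            report["file_missing"].append(e)
        if e["kind"] == "O16" and re.match(r"DPF: \{[0-9A-Fa-f-]+\} - ", e["body"]):
            report["unnamed_dpf"].append(e)
        if (e["kind"] == "O23" and "Unknown owner" in e["body"]
                and "avast!" not in e["body"]):
            report["unknown_owner_services"].append(e)
    return report


if __name__ == "__main__":
    for group, items in triage(parse_hjt(SAMPLE_HJT)).items():
        print(f"== {group} ({len(items)})")
        for e in items:
            print(f"  {e['kind']} - {e['body']}")
```

On the posted log this pass turns up the WRLogonNTF.dll Winlogon Notify entry and the InterBase service stubs as the "(file missing)" items, and the two McAfee downloads as the unnamed O16 entries; each still needs a human to decide whether it is an uninstall leftover or something to investigate, which is what the on-line analysers in the thread do.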
Title: Re: My computer is infected but Avast can not find a thing
Post by: ardvark on June 04, 2006, 10:38:17 AM
Hi doront99...

Also, try downloading and running a copy of F-Secure's Blacklight...

http://www.f-secure.com/blacklight/try.shtml

If we exhaust every option, you may simply have to reformat your hard drive and reinstall the OS.

Best Regards...
Title: Re: My computer is infected but Avast can not find a thing
Post by: alanrf on June 04, 2006, 11:21:09 AM
I hope that we can find a bit more about what is happening in your system before you resort to reformatting your system disk.

To better identify what may be happening it will probably be useful to create (for a while) a more detailed avast! log of your mail connections.

You can get the mailscanner to log your connections by editing the avast4.ini file (in the Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log

If you are then willing to share the log ... please first obscure any personally identifiable information in it ... we shall have a better chance of understanding which process may be creating any spam email being sent from your system.

Title: Re: My computer is infected but Avast can not find a thing
Post by: DavidR on June 04, 2006, 02:27:57 PM
Quote from: doront99
I do not understand why I can not trace the application that sends this emails - isn't that something that a simple firewall should tell me
Which is why we asked if you had a firewall and what it was?

This is a link for the on-line analysis of your log, http://hijackthis.de/logfiles/b1e0e2f768ee0bf920850b2f8dc8a2a3.html The question about a firewall being very relevant (see below), there are a couple of unknown and one possibly nasty entry so you should confirm that you installed them and you know what they are. Other than those, things at first glance look OK.
Quote
We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.

So it doesn't appear that you have any active firewall that can check outbound connections.
Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Comodo, Jetico, Sunbelt Kerio, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

The BlackLight tool is worth trying to see if there are any hidden processes, and also Alan's suggestion to gather more information should help in tracking down the problem, which according to your HJT log has also overcome many on-line scanners (watch out for future detections related to Panda's unencrypted signature files).
Title: Re: My computer is infected but Avast can not find a thing
Post by: suemccartin on June 04, 2006, 06:59:13 PM
You might just have an infection that's so new nothing recognizes it yet but that seems unlikely.  Maybe leave it for a few days and check next week.
Title: Re: My computer is infected but Avast can not find a thing
Post by: doront99 on June 04, 2006, 08:28:11 PM
Hi alanrf,

This is the report from Avast.
Just to mention that I have installed ZoneAlarm and the log file reports that the intrusion comes from svchost.exe and services.exe.

BTW, I'm a registered user of Avast Pro.

Thanks,
Doron
Title: Re: My computer is infected but Avast can not find a thing
Post by: alanrf on June 04, 2006, 10:24:18 PM
The log you posted confirms that services.exe is the process sending out all these emails - which that process should, of course, not be doing.

Services.exe is a normal windows system process but it would appear that yours has been replaced by an email worm to include itself.

A quick scan shows that a number of email worms (a number of Sober variants included) replace the services.exe file.

For what it is worth this file appears on my system in Windows\System32 only and its size is 108032 dated 08/04/2004 03:00

Since you have now installed ZoneAlarm you should deny outbound access to services.exe. That will stop the emails going out but it will not remove the malware.

If you have not already tried all the scanners recommended in this thread then now is the time to try them all. Other than that I hope that someone here in the forum may have more knowledge of this type of infection and provide you guidance in clean up.
Title: Re: My computer is infected but Avast can not find a thing
Post by: JerryM on June 04, 2006, 11:17:04 PM
It is disturbing that Avast Pro did not prevent or cannot find and remove the worm.
I would try both Bit Defender and Kaspersky online scans at Jotti's.
http://virusscan.jotti.org/de/
Jerry
Title: Re: My computer is infected but Avast can not find a thing
Post by: DavidR on June 04, 2006, 11:43:18 PM
Other than sending out spam and doing a very good job of hiding, it doesn't appear to be harming the computer, which would draw attention to it.

If you had checked the HJT log you would have seen that it has numerous entries for on-line scanners, such as Symantec, McAfee, TrendMicro, Panda, and he has also run Ewido, one of the best trojan hunters, not to mention avast and BlackLight, all of which have found nothing.

So I suppose disturbing would be appropriate if it wasn't directly aimed at avast!

We have been trying to help and now that doront99 has an active firewall that checks outbound activity he can do something to block it where previously he couldn't.

@ doront99
Did you run Ewido from safe mode ?
Title: Re: My computer is infected but Avast can not find a thing
Post by: JerryM on June 05, 2006, 12:02:48 AM
Hi David,
{So I suppose disturbing would be appropriate if it wasn't directly aimed at avast!}

But is it not the job of an AV to prevent worms, etc from getting on the computer? I would find it disturbing whatever AV was being used.

I would like to see how it makes out with the scanners I mentioned. Maybe no difference, but I do have some problem believing that it has been around for more than a day, and none detect it.

It would be interesting to submit it to Jotti's and see if any recognize it.

Worms are not Avast's strongest point according to AV Comparatives. Not especially weak, but less than some others by 15% or so.

Jerry
Title: Re: My computer is infected but Avast can not find a thing
Post by: DavidR on June 05, 2006, 12:59:52 AM
What is disturbing is that a rootkit tool, a good trojan hunter and a whole slew of anti-viruses and hijackthis haven't found anything. So I don't feel avast alone should come in for your criticism "It is disturbing that Avast Pro did not prevent or cannot find and remove the worm."

No one AV is ever going to catch everything and new variants will have a lifespan before detection. Jotti may turn up something, possibly in the generic or heuristic AV scanners.

@ doront99
You could also send the services.exe to avast.
If you are not getting a virus warning for what you believe is a new, undetected virus, then zip and password protect ('virus' will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be either a new, undetected virus and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
Title: Re: My computer is infected but Avast can not find a thing
Post by: JerryM on June 05, 2006, 01:16:42 AM
Hi David,
[What is disturbing is that a rootkit tool, a good trojan hunter and a whole slew of anti-viruses and hijackthis haven't found anything. So I don't feel avast alone should come in for your criticism "It is disturbing that Avast Pro did not prevent or cannot find and remove the worm."]

But that slew of AVs did not include the one with the best detection rates, KAV. I will withdraw my criticism if he runs an online scan with KAV and/or Bit Defender. I am convinced that one or both will find it. Sure I may be wrong, but until I have tried the best AVs, considering the detection rates, I will continue to think that it is the primary fault of the AV.

I am using Avast Home on my laptop. However, I am not wedded to any software, and that includes KAV 6 which I use. I just want to find out if an AV with higher detection rates would find the worm. I believe it would.

It is not like I am insulting a member of your family, but trying to find out whether Avast should have caught it if it had better detection rate of worms. Why is that something that you should be defensive about?

I realize and agree that the immediate problem is to help get rid of the worm, but it should be of interest to improve the AV.

It is obvious that Avast is inferior in the area of detection to several others. Maybe one uses it for years and does not have an infection. That is great, but when one does I do not believe in excusing the primary tool to prevent that infection, until I find that the best ones also would not have prevented an infection.

Regards,
Jerry
Title: Re: My computer is infected but Avast can not find a thing
Post by: doront99 on June 05, 2006, 01:17:04 PM
Hi All,

I will try now also the Kaspersky and Bit Defender.

I did not run Ewido from safe mode, but I know that though I am in safe mode, this malware is still running.

I tried to overwrite the services.exe and svchost.exe from a clean computer (by taking out the hard drive to another computer), but it did not help. So the virus is not in the services.exe or svchost.exe.

I will come back soon with results...

Many thanks,
Doron
Title: Re: My computer is infected but Avast can not find a thing
Post by: doront99 on June 06, 2006, 08:17:06 AM
Hi All,

Both BitDefender and Kaspersky found nothing at the online scan (this time in safe mode).

The machine is still infected, of course.

Doron
Title: Re: My computer is infected but Avast can not find a thing
Post by: ardvark on June 06, 2006, 08:52:13 AM
Hi doront99...

My personal opinion is that unless you want to send the services.exe file to Avast for review and wait for a signature update that includes the new detection, then you might have to just format the hard drive and reinstall your OS.

Best Regards...
Title: Re: My computer is infected but Avast can not find a thing
Post by: doront99 on June 06, 2006, 03:10:59 PM
I don't have a problem to send the file to Avast, I just don't think that this malware is in this file, since I replaced the file with one from a clean machine and the malware is still active.

Doron
Title: Re: My computer is infected but Avast can not find a thing
Post by: DavidR on June 06, 2006, 03:43:19 PM
I'm at a bit of a loss as to how this is hiding, but to be able to run during safe mode it would have to be a service I believe. Usually we say you should run HJT in normal mode to see what is running, but if this is running in safe mode, try running HJT in safe mode (and post contents here), which should reduce some of the clutter and see if it narrows down the field.

Also see Hidden things http://invisiblethings.org

Some other tools you could try:
UnHackMe - Claims to fix this Hacktool rootkit: http://www.greatis.com/unhackme/ let us know how you get on.

RootKitRevealer from Sysinternals - http://www.sysinternals.com/utilities/rootkitrevealer.html, this will check if there is in fact a rootkit type virus deeply hidden. Now this tool is a little like HJT in that it only provides data and not an analysis, so you would have to investigate the results.
Title: Re: My computer is infected but Avast can not find a thing
Post by: DukeNukem on June 06, 2006, 03:46:45 PM
I think you may be right, it is something else that is infected.

When you said you tried kaspersky, were you on about their online scanner and not jotti?
http://www.kaspersky.com/virusscanner

Try an online scan of your hard drive with Authentium,

http://www.authentium.com/

For those who didn't know about authentium, you can add it to your favourites :)
Title: Re: My computer is infected but Avast can not find a thing
Post by: Spiritsongs on June 06, 2006, 04:52:14 PM
:)  Hi "Duke" ( & others ) :

"Authentium" will definitely NOT be added to my favorites; as I posted on May 19: "I visited the "authentium" site and saw they used 'Aluria' ( the antiSPYWARE Experts avoid this company ) & 'Pest Patrol', which has a 'history' of false-positives."
Title: Re: My computer is infected but Avast can not find a thing
Post by: JerryM on June 06, 2006, 07:13:15 PM
David,
My apologies to you, and I withdraw my criticism of Avast.

BOY! This is a hard one.

Regards,
Jerry
Title: Re: My computer is infected but Avast can not find a thing
Post by: DavidR on June 06, 2006, 07:52:41 PM
No problem Jerry, this has all the hallmarks of a rootkit hiding the spambot trojan and very difficult to resolve. I think MS even state that the only real option is to reformat and start again from scratch, something which I don't agree with because that process for most is fraught with problems/hassle/difficulty.

I wouldn't like to have to embark on that option, so this is why I have Drive Image and take weekly hard disk images as a system back-up/recovery strategy. It would take a few minutes to go back to the last good image.
Title: Re: My computer is infected but Avast can not find a thing
Post by: JerryM on June 06, 2006, 08:59:48 PM
Thanks, David.
Not to hijack this thread, but I wonder what anti-malware programs doront99 had on his machine.

It is of first importance to help  him get rid of the malware. But I also think in terms for all of us as to what layering might have prevented it.
In addition to an AV I have Ewido plus, Snoopfree, UnHackMe, Win Patrol, Spyware Guard, and LooknStop firewall.

It is always interesting to me to learn what one had on his machine when he got infected. I know that MS has said that when some of that stuff gets on the computer it cannot be removed, and reformat is necessary. Or whatever.

So it is most important to keep the stuff off, if we can determine the best combination of layering. It is a given that no one application, no matter how good, will always protect.

Jerry
Title: Re: My computer is infected but Avast can not find a thing
Post by: DaveD on June 06, 2006, 10:05:50 PM
First, give McAfee AVERT Stinger a try.
http://vil.nai.com/vil/stinger/

Second, give McAfee Command Line Scanner a try.
http://vil.nai.com/vil/virus-4d.aspx
Download: win_betaengdat.zip

- extract to "C:\Scan\" you will have to create that folder
- click Start, Run, type "cmd" without quotes and click OK
- type "cd\" press enter
- type "cd scan" press enter
- type "scan /ad /all /analyze /clean /mime /program /unzip /winmem /html c:\results.html" press enter

The scan may take a while. It will provide you with the results in the command line as well as create an HTML file of detailed results on the C drive.

Cheers,
Dave
Title: Re: My computer is infected but Avast can not find a thing
Post by: DavidR on June 06, 2006, 11:25:20 PM
Not a large amount I would suspect as we have now pointed him in the direction of a number of them.

However, with XP many are logged in using accounts with administrator privileges. Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc. This may have stopped this malware from getting a foothold.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.