Cant fint virus ! Is it a new?

[Eriksen]

Hi !
I got a virus Avast can't find.
The virsus gets mail adresses from :
http://ftp.quotes-info.cc/GetDoze?magic=43b5559e-000d3124-f2a432fc
(Used Ethereal logger)
Then it starts sending mails from my WinXp SP2.

Everything starts up when I get online.

Avast comes with a warning, too many identical EMails.

How can I find this virus and delete it?

Plz help!!

[DavidR]

Do you have a firewall?

If you haven't already got this software (freeware), download, install, update and run it.
1. Ad-Aware
2. Spybot Search and Destroy
3. Spywareblaster Don't install this until you are clean.
4. Ewido Security Suite If using winXP. or a-Squared free if using win98/ME.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2

[Eriksen]

Hi!
I have tried them all.
Yes, I have a firewall. That does'nt help me much now.
A system is now running on my computer getting this mail addresses from a web server, and sending it from my computer.

[Lisandro]

Yes, I have a firewall. That does'nt help me much now.

Well, which process is sending mail, outlook express (msimn.exe)?
If you have a firewall, you can see the connections alive. If you're not using one, maybe using TCPView from www.sysinternals.com.
To get clean, did you run all programs posted by David?
Did you run avast at boot time?

[Eriksen]

Of cause, I did the avast boot time, Also tried Norton Intenet security with full scan. Norton just turned off http:80 for all use to stop it.

Winlogon is the process, I think. I had to turn off avast to get the process list right. Otherwise the ashMaiSv.exe is the process.

Tried TCPView - but i got no new information here.

I tried Ad-Aware, found some cookies, but not related to this problem.
Tried Spybot - found nothing new.
Tried to use HiJackThis, but that did not help me find anything

Im gonna trie Ewido Security Suite now, let's hope it can fint it!

[DavidR]

Norton doesn't play nice with other AV if this is installed, avast may not be fully installed to avoid conflict. It isn't reccommended to have two resident AVs installed. You may need to Uninstall the anti-virus element of NIS, you may be able to run this program removal tool, which can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT
 
HJT doesn't find anything it just reports on what it running, you have to analyse the log or use one of the on-line analysis sites. You could also post the contents of the log file here.

[polonus]

Hi Eriksen and DavidR,

There should never be hyperlinks to actual malware left clickable in this forum. Render the link harmless (dot for . or remove part) or remove it completely. Some people might be tempted to click through, and might get infected.

polonus

[Lisandro]

There should never be hyperlinks to actual malware left clickable in this forum.

The link posted is harmless... I suppose by Dr.Web scanning...
I mean, it's a direct link for downloading...

[DavidR]

DavidR,

There should never be hyperlinks to actual malware left clickable in this forum. Render the link harmless (dot for . or remove part) or remove it completely.

I'm well aware of that, but there are no active links to any malware in the links I've posted here. I'd be happy if you could indicate them.

[scottegan]

I have the same virus.

It seems to be related to winlogon.exe located in the windows/system32 folder. It constantly sends emails to various addresses and the only way I can overcome it is to block net access for that file using zone alarm.

Does Avast have anyway to submit the file for analysis?

Cheers

[DavidR]

Yes, If you are not getting a virus warning that and you believe it is a new, undetected virus, then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem (possibly a link to this thread or your other one), the fact that you believe it to be a either a new, undetected virus or false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

[scottegan]

I seem to have found a way to remove the mailer which is causing the problem.

Refer to this site

http://vil.nai.com/vil/content/v_137439.htm

Basically I booted into safe mode with no netwrok support and removed this registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\Winlogon\Notify\ "msctl32.dll" = "C:\Windows\System32\msctl32.dll"

Then I deleted the file
C:\Windows\System32\msctl32.dll

It has fixed my problem - hopefully it will work for you too.

Cheers

Scott