Author Topic: potential virus detected.  (Read 9473 times)


Offline Olórin

  • Newbie
  • *
  • Posts: 6
potential virus detected.
« on: February 03, 2006, 12:23:32 AM »
I'm quite new to avast anti-virus. Upon using it, I noticed that 'Internet Mail' under on-access scanner is constantly scanning e-mail messages by the thousands. I do not recall having used any internet mail client in my computer and I do not use Outlook. Now I'm wondering where all these e-mails are coming from. And recently it has been detecting suspicious mail. Below is the message given. There are 3 buttons, delete, continue and don't send, whereas delete is unclickable.


Suspicious whitespace sequence

Sender:  Duane Bishop <22len@abercrombiekent.com.au>
Recipient:  altimeter@narod.ru
Subject:  Ñîçäàíèå ñàéòîâ, ðàñêðóòêà, ïðîäâèæåíèå


I need help in countering this problem. Where is the source of all these e-mails? How, if possible, can I stop this unnecessary scanning? And what tips could I get in configuring avast?

The problems I had before I reformatted my computer seem to be coming back. [unable to minimize certain programs, error in explorer.exe upon shutdown] If anyone would know how to correct these errors, I would much appreciate the help. :) Thank you.

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7085
  • Be alert for error code - ID 10T
Re: potential virus detected.
« Reply #1 on: February 03, 2006, 01:39:36 AM »
***

Welcome to the forums, Olorin !    :)

Please give us a little more info about your computer ... such as OS, any past av program, have you done a virus scan with avast, do you have a firewall? Also, do you have any other anti-malware programs such as Ad-Aware, Spybot-S&D, ewido, a-squared, etc?    ???

Please reply as soon as possible with more info.


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline duff

  • Jr. Member
  • **
  • Posts: 31
    • electduff.org
Re: potential virus detected.
« Reply #2 on: February 03, 2006, 11:08:37 PM »
I may be having a similar problem. 
Not a new user.  On-Access Scanner is busily popping up the blue note at bottom right for two days solid now, continuous.  Well, sort of continuous....it spurts up 2, 5, 10 existing message subject lines, or so, then releases them, one after another until the blue note disappears.  Then it takes another gulp and repeats.  It seems to be working through all outlook folders, currently working in Sent Items folder, so it has come quite a ways thus far.  I do not know if it is in Archives/Sent Items or Personal Folders/Sent Items, as there is no such indication.
Appears to be scanning each and every piece of mail though I can't say for sure.  I have no idea where to spy on this process' origin or stage of completion, or even whether it is actually expected behavior or not.
If it is running some sort of deliberate maintenance, perhaps seeking Kama Sutra evidence?, which is what I first imagined upon seeing it in process.
If the behavior is expected, I would prefer that it do this work in the background without the perpetual messaging.

Thinking back, the sequence of events was that
1.  I became aware of the kama sutra situation a few days ago.
2. I immediately started a disc scan using the tray icon Start-avast-antivirus path.
3. Eureka, perhaps I should be CERTAIN that I have the latest updates.
4. Stopped the scan.
5. Forced the updates from the system tray.
6. Received message to restart computer
7. did so
8. Working along for several hours when
9. bluenote bluenote bluenote gang-o-bluenotes.

 ;D
Wat givs?  How to proceed ?

XP Pro SP2,  OL2003Pro, Dell Lat C840,   more?  ask.
Dell Latitude C840 / XPSP2 / ZoneAlarm 6.1.737.000 / Avast 4.6.763 Feb2006 / Privoxy 3.0.3 / HiJackThis 1.99.1 / SpywareBlaster 3.5.1 (5440 items) / SpybotS&D(adv.mode) 1.4 LDU 2006-01-27 / AdAwareSEP build1.06r1 / TCPView 2.40

Too many roads are paved with yellow cake.
My memory is a memory.

Offline duff

  • Jr. Member
  • **
  • Posts: 31
    • electduff.org
VIRUS?? : On-Access Scanner Message keeps scanning Outlook mail
« Reply #3 on: February 04, 2006, 01:35:28 AM »
Details above. PLEASE RESPOND! ???

I am going now to update my system details, as the signature line is not current yet, I see.

Offline Olórin

  • Newbie
  • *
  • Posts: 6
Re: potential virus detected.
« Reply #4 on: February 04, 2006, 01:47:53 AM »
I'm using win2000.. I used mcafee before this. And I'm using spybot s&d and spyware blaster. But I already deleted the previous program's registry.. if that might be the cause..

and duff...what do you mean by "1.  I became aware of the kama sutra situation a few days ago."??
just curious here.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: potential virus detected.
« Reply #5 on: February 04, 2006, 04:47:05 AM »
Please be aware that the Internet Mail scanner does not ever scan the folders of your mail client.  The Internet Mail scanner has absolutely no idea what mail client you use or where the folders for your mail client are.

What the Internet Mail scanner does scan is mail that is being read into your system from an external mail server, as it is being read, and also outgoing mail as it is being created by your system and going to an external mail server.

What this sounds like - in both your reports - is that you have probably become infected with an email "spambot" that is using your system to generate mass mailings of spam.

You may wish to look at the recommendations in this thread:

http://forum.avast.com/index.php?topic=18648.msg158086#msg158086

Offline duff

  • Jr. Member
  • **
  • Posts: 31
    • electduff.org
Re: potential virus detected.
« Reply #6 on: February 04, 2006, 07:42:07 AM »
Okay, well.  The thread mentioned bore no resemblance whatsoever to the problem I have described above.

It is indeed the Avast On-Access Scanner blue-topped pop-up (same as the one that always has popped up with subject line when an email comes in; same as the one that has always popped up with subject line as I move through my mailboxes within Outlook).   What is happening is the popup, instead of just signalling and scanning new mail as it arrives (as usual), is pretty much continuously flipping through my Outlook folders, as noted.  I can see the folder titles and message subjects in the popup, and the title bar of the pop-up is (as in the two just-described ordinary circumstances) Avast On-Access Scanner.

Finally, one odd note.  I ran Hijack this (and yes, it's current) and I got these four lines, TWO OF THEM VERY ODD, referencing Avast:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

Please Advise


Offline duff

  • Jr. Member
  • **
  • Posts: 31
    • electduff.org
Re: potential virus detected.
« Reply #7 on: February 04, 2006, 07:45:32 AM »
Olorin-
Kama Sutra is a bad worm, set to go off today.  News about it was released all during last week.  Google it, for sure you will find much to gather on the details.  Surely Avast has some resources on it here???  I only mentioned it because it was my awareness of the threat, and my action to avert the threat, which initiated my current drama.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: potential virus detected.
« Reply #8 on: February 04, 2006, 07:49:25 AM »
Duff,

The "hijack this" lines you report happen for every user of avast and represent no problem.

It might prove useful to create (for a while) a more detailed avast! log of your mail connections.

You can get the mailscanner to log your connections by editing the avast4.ini file (in  Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log

If you choose to share the log with us then please be sure to edit the log first and obscure any information personally identifiable to you.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: potential virus detected.
« Reply #9 on: February 04, 2006, 07:55:39 AM »
Duff,

by the way on which provider(s), in the advanced tab, do you have "show detailed info on action performed" checked?

Are you using the Outlook plugin of avast or the Internet Mail provider?


 
« Last Edit: February 04, 2006, 08:03:02 AM by alanrf »

Offline duff

  • Jr. Member
  • **
  • Posts: 31
    • electduff.org
Re: potential virus detected.
« Reply #10 on: February 04, 2006, 08:34:56 AM »
Could you be a little more specific as to the advanced tab to which you referred?  I don't know where to gather that information for you.

When I open Outlook, the Alwil/Avast green & orange splash screen pops up, indicating that I am using the plugin.  Also, there are 7 providers running in the On-Access Scanner.  I don't know if that answers your question adequately.

Here is the log content, after making the log=20 change you proposed.  Hopefully I have struck a balance between privacy & usefulness:
02/02/06 15:53:53 00000378:   Started as service, Log = 1(0x00000001)
02/02/06 15:53:53 00000378:   Build 4.6.763
02/02/06 15:53:53 00000378:   Windows XP Workstation (Service Pack 2)
02/02/06 15:53:53 00000378:   Using WinSock 2.0
02/02/06 15:54:09 00000378:   AutoRedirect settings changed 1(0x00000001)
02/02/06 15:54:28 00000378:   IgnoreLocalhost settings changed 1(0x00000001)
02/02/06 15:54:28 00000378:   POP Start settings changed: 1
02/02/06 15:54:29 00000378:   POP Listen settings changed: xxx.x.x.x xxxxx
02/02/06 15:54:29 00000378:   POP RedirectPort: xxx
02/02/06 15:54:29 00000378:   SMTP Start settings changed: 1
02/02/06 15:54:29 00000378:   SMTP Listen settings changed: xxx.x.x.x xxxxx
02/02/06 15:54:29 00000378:   SMTP RedirectPort: xx
02/02/06 15:54:29 00000378:   IMAP Start settings changed: 1
02/02/06 15:54:29 00000378:   IMAP Listen settings changed: xxx.x.x.x xxxxx
02/02/06 15:54:29 00000378:   IMAP RedirectPort: xxx
02/02/06 15:54:29 00000378:   NNTP Start settings changed: 1
02/02/06 15:54:29 00000378:   NNTP Listen settings changed: xxx.x.x.x xxxxx
02/02/06 15:54:29 00000378:   NNTP RedirectPort: xxx
02/03/06 23:02:17 00000378:   Log settings changed 20(0x00000014)

Also, it's still behaving as described.
Is it possible that a particular specialized avast scan is underway, and is that something that I can confirm or monitor?

Please advise.
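
An added example, not part of the thread: one way to read an ashmaisv.log like the one posted above, listing each log-level change, which protocol listeners were switched on, and how many records follow the last level change. The sample lines are a subset copied from the post; the MM/DD/YY date order and the function names are assumptions.

```python
import re
from datetime import datetime

# Subset of the log lines posted above (not constructed).
SAMPLE_LOG = """\
02/02/06 15:53:53 00000378:   Started as service, Log = 1(0x00000001)
02/02/06 15:53:53 00000378:   Build 4.6.763
02/02/06 15:54:28 00000378:   POP Start settings changed: 1
02/02/06 15:54:29 00000378:   SMTP Start settings changed: 1
02/02/06 15:54:29 00000378:   IMAP Start settings changed: 1
02/02/06 15:54:29 00000378:   NNTP Start settings changed: 1
02/03/06 23:02:17 00000378:   Log settings changed 20(0x00000014)
"""

# timestamp, 8-hex-digit id, message
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) ([0-9A-Fa-f]{8}):\s+(.*)$")
# "Log = 1(0x00000001)" at start-up, "Log settings changed 20(0x00000014)" later
LEVEL_RE = re.compile(r"\bLog (?:= |settings changed )(\d+)\(0x([0-9A-Fa-f]+)\)")
START_RE = re.compile(r"^(POP|SMTP|IMAP|NNTP) Start settings changed: (\d+)$")

def parse(text):
    """Return (timestamp, id, message) tuples, skipping unparseable lines."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            # Assumption: dates are month/day/two-digit year.
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            records.append((ts, m.group(2), m.group(3)))
    return records

def summarize(records):
    """Log-level timeline, enabled listeners, records after the last change."""
    levels, listeners, after = [], set(), 0
    for ts, _id, msg in records:
        lvl = LEVEL_RE.search(msg)
        if lvl:
            if int(lvl.group(1)) != int(lvl.group(2), 16):
                raise ValueError("decimal and hex log level disagree: " + msg)
            levels.append((ts, int(lvl.group(1))))
            after = 0  # restart the count at every level change
            continue
        after += 1
        st = START_RE.match(msg)
        if st and st.group(2) == "1":
            listeners.add(st.group(1))
    return {"levels": levels, "listeners": sorted(listeners),
            "records_after_last_level_change": after}
```

A count of zero records after the last level change means the mail scanner service wrote nothing once the verbosity was raised.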

Offline duff

  • Jr. Member
  • **
  • Posts: 31
    • electduff.org
Re: potential virus detected.
« Reply #11 on: February 04, 2006, 08:40:33 AM »
The messages (below the blue bar labeled avast! On-Access Scanner Message) read:

Scanning\Inbox\whatever subfolder\<Subj:whatever the subject is

or, depending on who-knows-what, perhaps

Scanning\Sent Items\<Subj:whatever the subject is


Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3866
  • Just an avast user
Re: potential virus detected.
« Reply #12 on: February 04, 2006, 09:51:20 AM »
Duff,

if you select the Outlook/Exchange provider click "Customize" and then go to the "Advanced" tab do you have the "show detailed info on action performed" box checked? 

Offline duff

  • Jr. Member
  • **
  • Posts: 31
    • electduff.org
Re: potential virus detected.
« Reply #13 on: February 04, 2006, 10:03:48 AM »
Yes I do have that box checked.  Also:  THIS IS THE PROCESS that is scanning as described.  AH!  That was also the solution.  Turning off that switch.
Now then.
MESSAGE TO PROGRAMMERS:
How did it get switched on?
Was that a default that got reset with the program update, and if so, why?  SEVERAL HOURS OF WASTED TWEAKING INVOLVED HERE!
As well as screen interruptions making all other programs and work that I've been trying to focus on, FAR more difficult to use.  I strongly recommend not flipping that switch in future program updates.  Thank You.

Offline duff

  • Jr. Member
  • **
  • Posts: 31
    • electduff.org
Re: potential virus detected.
« Reply #14 on: February 04, 2006, 10:07:57 AM »
As I look back over that hijack this log, more sense emerges.
Please advise what other settings switches have been altered.
I can't bear any more unscheduled chaotic behavior from my antivirus product.  I promise that I will seriously consider the paid version (which I already had been moving toward when this happened) if you will please identify what mysteries have been altered, or point me in the direction where those CHANGES TO SETTINGS are specifically detailed.