Author Topic: avast email icon in the notification bar  (Read 3162 times)

Crock

  • Guest
avast email icon in the notification bar
« on: March 12, 2006, 11:02:10 PM »
Hello !

I'm using Windows XP Home Edition and Avast 4.6 Home.

I use on a rare basis Outlook Express (using mainly yahoo & hotmail email services), and have not accessed my POP3 mail in a long time.

I have a new Avast notification icon (next to the clock) saying I have a mail, 61.49.119.4 and it repeats the same (IP?) address...

After checking all my email addresses, plus my POP3 mail on OE, no new mail... especially from this address (I verified every recent header).

What can this be ? bug, unknown function,... your opinion please ?

Thanks in advance

Crock

  • Guest
Re: avast email icon in the notification bar
« Reply #1 on: March 12, 2006, 11:18:40 PM »
Further to this, I've checked with a /whois and received the info shown below. I never received any e-mail from this organisation/person.  Any insight from Tech Support ?  ???

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 61.0.0.0 - 61.255.255.255
CIDR: 61.0.0.0/8
NetName: APNIC3
NetHandle: NET-61-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS-SEC.RIPE.NET
NameServer: TINNIE.ARIN.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 1997-04-25
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2006-03-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

CharleyO

  • Guest
Re: avast email icon in the notification bar
« Reply #2 on: March 13, 2006, 12:27:29 AM »
***

Welcome to the forums, Crock.    :)

The icon you mention is most likely the avast email scanner. You may have email leaving your computer that you do not know of. Do you have a firewall and if so, which one?

Have you run any malware programs?

Windows 2000 & XP:
Ad-Aware
Spybot-S&D
Ewido

Windows 98 & ME:
Ad-Aware
Spybot-S&D
a-squared


***

Crock

  • Guest
Re: avast email icon in the notification bar
« Reply #3 on: March 13, 2006, 10:51:14 AM »
Thanks for your reply, CharleyO  :)

I'm using SP2 firewall atm. Here are the scanning reports I received today.

Concerning Ewido, I did not know the program until today. After installing/scanning with it, I found 10 malware. Here is the report:


---------------------------------------------------------
 ewido anti-malware - Rapport de scan
---------------------------------------------------------

 + Créé le:      10:29:13, 13/03/2006
 + Somme de contrôle:   CF063123

 + Résultats du scan:

   C:\Documents and Settings\Administrateur\Cookies\administrateur@casalemedia[1].txt -> TrackingCookie.Casalemedia : Nettoyer et sauvegarder
   C:\Documents and Settings\Administrateur\Cookies\administrateur@com[1].txt -> TrackingCookie.Com : Nettoyer et sauvegarder
   C:\Documents and Settings\Administrateur\Cookies\administrateur@estat[1].txt -> TrackingCookie.Estat : Nettoyer et sauvegarder
   C:\Documents and Settings\Administrateur\Cookies\administrateur@hotlog[1].txt -> TrackingCookie.Hotlog : Nettoyer et sauvegarder
   C:\Documents and Settings\Administrateur\Cookies\administrateur@overture[1].txt -> TrackingCookie.Overture : Nettoyer et sauvegarder
   C:\Documents and Settings\Administrateur\Cookies\administrateur@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Nettoyer et sauvegarder
   C:\Documents and Settings\Administrateur\Cookies\administrateur@weborama[1].txt -> TrackingCookie.Weborama : Nettoyer et sauvegarder
   C:\Documents and Settings\Administrateur\Cookies\administrateur@wreport.weborama[1].txt -> TrackingCookie.Weborama : Nettoyer et sauvegarder
   C:\Program Files\RealVNC\VNC4\winvnc4.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.4110 : Nettoyer et sauvegarder
   C:\Program Files\RealVNC\VNC4\wm_hooks.dll -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.4 : Nettoyer et sauvegarder


::Fin du rapport

Ad-Aware SE found the following :

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : administrateur@www.cibleclick[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:30
    Value              : Cookie:administrateur@www.cibleclick.com/
    Expires            : 10-04-2006 19:59:48
    LastSync           : Hits:30
    UseCount           : 0
    Hits               : 30

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : administrateur@hotlog[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:3
    Value              : Cookie:administrateur@hotlog.ru/
    Expires            : 12-03-2007 23:32:54
    LastSync           : Hits:3
    UseCount           : 0
    Hits               : 3

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : administrateur@estat[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:2
    Value              : Cookie:administrateur@estat.com/
    Expires            : 07-03-2016 22:52:30
    LastSync           : Hits:2
    UseCount           : 0
    Hits               : 2

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : administrateur@cgi-bin[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:administrateur@1zz.cqcounter.com/cgi-bin/
    Expires            : 01-01-2037 01:00:00
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : administrateur@overture[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:3
    Value              : Cookie:administrateur@overture.com/
    Expires            : 08-03-2016 17:38:36
    LastSync           : Hits:3
    UseCount           : 0
    Hits               : 3

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : administrateur@cgi-bin[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:2
    Value              : Cookie:administrateur@www6.addfreestats.com/cgi-bin
    Expires            : 28-02-2015 01:00:00
    LastSync           : Hits:2
    UseCount           : 0
    Hits               : 2

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : administrateur@casalemedia[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:5
    Value              : Cookie:administrateur@casalemedia.com/
    Expires            : 28-02-2007 11:50:06
    LastSync           : Hits:5
    UseCount           : 0
    Hits               : 5

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : administrateur@wreport.weborama[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:administrateur@wreport.weborama.fr/
    Expires            : 12-05-2006 17:49:28
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : administrateur@tradedoubler[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:administrateur@tradedoubler.com/
    Expires            : 08-03-2026 09:38:54
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : administrateur@weborama[1].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:administrateur@weborama.fr/
    Expires            : 11-03-2006 18:19:28
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 10
Objects found so far: 10


And finally, Spybot found the following :

HotsearchBar:  Fichier temporaire (Fichier, fixed)
  C:\Documents and Settings\Administrateur\Local Settings\Temp\nsz77.tmp

Nevertheless, these reports show I had tracking cookies but no real virus/trojan, as far as I understand it... I can be wrong of course as my understanding is still limited !  ;)

So, any opinion ?

Thanks in advance for your help

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: avast email icon in the notification bar
« Reply #4 on: March 13, 2006, 12:11:06 PM »
I would have to agree with CharleyO that the main concern is that you have been infected with a spambot that is using your system to generate outgoing email without your consent.

Unfortunately the Windows firewall (which is better than no firewall at all) does not provide any protection against unwanted outbound access from your system.

To better identify what may be happening it will probably be useful to create (for a while) a more detailed avast! log of your mail connections.

You can get the mailscanner to log your connections by editing the avast4.ini file (in the Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log

If you are then willing to share the log ... please first obscure any personally identifiable information in it ... we shall have a better chance of understanding if a spambot has infected your system.
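
A sketch of the redaction step requested above before a log is shared, as an added example that is not part of the original thread or of avast!'s own tooling: it replaces e-mail addresses with stable pseudonyms and hides Windows profile names, while leaving remote IP addresses intact for analysis. The sample lines are constructed and do not reproduce the real ashmaisv.log format; `redact_log` is a hypothetical helper name.

```python
import re

# Mailbox-style addresses: local part, "@", and a domain with at least one dot.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Windows XP profile paths: the folder after "Documents and Settings" is the user name.
PROFILE_RE = re.compile(r"(?i)(\\Documents and Settings\\)[^\\\r\n]+")

# Constructed sample input (assumption: NOT the actual avast! log layout).
SAMPLE_LOG = (
    "2006-03-13 10:02:11 SMTP connect 192.0.2.10:25\n"
    "2006-03-13 10:02:12 MAIL FROM:<Jane.Doe@example.com>\n"
    "2006-03-13 10:02:12 RCPT TO:<bob@example.org>\n"
    "2006-03-13 10:02:15 MAIL FROM:<jane.doe@example.com>\n"
    "2006-03-13 10:02:16 attachment C:\\Documents and Settings\\Jane\\Temp\\a.tmp\n"
)


def redact_log(text):
    """Return (redacted_text, mapping).

    Each distinct address (case-insensitive) gets one pseudonym, so a reader
    can still see that the same sender or recipient repeats across lines.
    The mapping stays on the local machine and is not shared.
    """
    pseudonyms = {}

    def swap_email(match):
        addr = match.group(0).lower()
        if addr not in pseudonyms:
            pseudonyms[addr] = "user%d@redacted.invalid" % (len(pseudonyms) + 1)
        return pseudonyms[addr]

    text = EMAIL_RE.sub(swap_email, text)
    # Keep the path shape, drop only the account name.
    text = PROFILE_RE.sub(lambda m: m.group(1) + "<user>", text)
    return text, pseudonyms


if __name__ == "__main__":
    redacted, _ = redact_log(SAMPLE_LOG)
    print(redacted)
```

Review the redacted output by eye before posting, since free-text fields such as subject lines can carry personal details that no pattern will catch.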

CharleyO

  • Guest
Re: avast email icon in the notification bar
« Reply #5 on: March 13, 2006, 05:30:56 PM »
***

Hi Crock,

I hope you let Ewido, Ad-Aware, and Spybot delete those that were found. If not, run those again and delete what they find. None of that you listed is good. The base of the problem seems to be Win32.WinVNC.4110 which seems to be a backdoor trojan downloader with remote capabilities.

Please add another software firewall other than the SP2 firewall. With this, you will also have outbound protection to be able to stop unknown email from being sent. As alanrf states, SP2 will only give your computer inbound protection and will not prevent unwanted programs of this type from leaving your computer.

Free Firewalls:
Zone Alarm, Kerio, Jetico, etc.
(a search of this forum for firewalls will result in many more that work without conflict with avast) With any firewall, you should let all avast services through the firewall.

I agree with alanrf that creating a mail scanner log will help solve this problem. Please follow his advice also.


***