Author Topic: My computer is infected but Avast can not find a thing  (Read 13405 times)


doront99

  • Guest
My computer is infected but Avast can not find a thing
« on: June 03, 2006, 07:04:12 PM »
Hi,

My computer is infected with some kind of malware/spyware.
I have checked one of the options in Avast to notify me (display a message) when scanning outgoing emails.

When Windows loads, I can see many messages about outgoing spam messages being sent from my machine.

This malware or spyware (whatever it is) stops me from doing anything, since it uses many resources and actually "sticks" my network.

Avast did not recognize anything, and according to Avast my computer is clean.

HELP!!!! HOW DO I GET RID OF THIS HELL?!!!!!!!

:-)

Many thanks,
Doron Tal

ardvark

  • Guest
Re: My computer is infected but Avast can not find a thing
« Reply #1 on: June 03, 2006, 07:22:02 PM »
Hi doront99...

First, see if Trend Micro can give you a hand with an online scan of your system...

http://housecall.trendmicro.com/

Please post back with the results.

Best Regards...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: My computer is infected but Avast can not find a thing
« Reply #2 on: June 03, 2006, 08:23:14 PM »
You would appear to have a spambot trojan of some sort; check out the programs below, which specialise in trojan detection and removal.

I'm surprised that avast isn't detecting multiple identical emails in a specific duration, part of the heuristics checks in the Internet Mail provider, even if it can't detect the originating spambot. Are you sure that your Internet Mail provider is running?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode: Ewido Security Suite if using WinXP, or a-squared Free if using Win98/ME.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

doront99

  • Guest
Re: My computer is infected but Avast can not find a thing
« Reply #3 on: June 04, 2006, 01:13:55 AM »
I have tried both of them, and none of them suspected anything  >:(

AVAST PEOPLE - PLEASE HELP ME!!!!

Thanks,
Doron Tal

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: My computer is infected but Avast can not find a thing
« Reply #4 on: June 04, 2006, 01:21:36 AM »
If a-squared, ewido and avast did not detect anything... the only thing you can do is a full on-line scan.
But I'm almost sure you have other problems than an infection in this case.
TrendMicro is a good on-line scanner.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: My computer is infected but Avast can not find a thing
« Reply #5 on: June 04, 2006, 01:25:30 AM »
And "Are you sure that your Internet Mail provider is running?"

What Operating System are you using ?
What is your email program ?
Do you have a firewall ?
A firewall should be able to block unauthorised outbound connections.

Also useful as a diagnostic tool: Download HiJackThis.zip - HJT Information: HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis: HiJackThis Log file - On-line Analysis OR On-line Analysis 2
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.

Spiritsongs

  • Guest
Re: My computer is infected but Avast can not find a thing
« Reply #6 on: June 04, 2006, 06:03:09 AM »
:) Hi Doront99:

If your computer is infected with malware/spyware, you should be asking for help on the forum of your antiSPYWARE provider; if you know of none, I recommend www.landzdown.com .

suemccartin

  • Guest
Re: My computer is infected but Avast can not find a thing
« Reply #7 on: June 04, 2006, 07:05:02 AM »
If you have a second machine or a friend, try pulling your hard disk and having the second machine or your friend's machine scan your C: drive. I just defeated one tonight that way. Avast couldn't see it, and whatever this thing was, it disabled both trendmicro and another online scanner I found. That's what these little *&^%$#'s do these days: they write viruses that beeline for the antivirus and malware utilities and shut them off. I used earthlink's utilities (infineon?) on my shoebox machine and it found something that nothing else was finding. Some viruses get going and nothing can see them, so it's necessary to have your C drive scanned in a situation where nothing is running on it. Not that I've gotten rid of the virus; I still don't think avast is updating correctly, or Ad-Aware SE either, so I think it also changed some stuff in the registry.

doront99

  • Guest
Re: My computer is infected but Avast can not find a thing
« Reply #8 on: June 04, 2006, 10:10:51 AM »
Hi All,

I have tried almost everything you said, including scanning the hard drive from another computer - but nothing.

The Ewido tool did not find anything either.

I have now tested the machine with HijackThis, and this is the report:

Logfile of HijackThis v1.99.1
Scan saved at 08:02:40, on 04/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\firebird\firebird_1_5\bin\fbguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://service.pelephone.co.il/WebPhone/jsp/Client/CfxIEAx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\firebird\firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\firebird\firebird_1_5\bin\fbserver.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - C:\Program Files\firebird\bin\ibguard.exe (file missing)
O23 - Service: InterBase Server (InterBaseServer) - Unknown owner - C:\Program Files\firebird\bin\ibserver.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

I do not understand why I can not trace the application that sends these emails - isn't that something that a simple firewall should tell me?

Many thanks,
Doron Tal


ardvark

  • Guest
Re: My computer is infected but Avast can not find a thing
« Reply #9 on: June 04, 2006, 10:38:17 AM »
Hi doront99...

Also, try downloading and running a copy of F-Secure's Blacklight...

http://www.f-secure.com/blacklight/try.shtml

If we exhaust every option, you may simply have to reformat your hard drive and reinstall the OS.

Best Regards...

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: My computer is infected but Avast can not find a thing
« Reply #10 on: June 04, 2006, 11:21:09 AM »
I hope that we can find a bit more about what is happening in your system before you resort to reformatting your system disk.

To better identify what may be happening it will probably be useful to create (for a while) a more detailed avast! log of your mail connections.

You can get the mailscanner to log your connections by editing the avast4.ini file (in the Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log

If you are then willing to share the log (please first obscure any personally identifiable information in it), we shall have a better chance of understanding which process may be creating any spam email being sent from your system.

« Last Edit: June 04, 2006, 11:26:37 AM by alanrf »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89116
  • No support PMs thanks
Re: My computer is infected but Avast can not find a thing
« Reply #11 on: June 04, 2006, 02:27:57 PM »
Quote from: doront99
I do not understand why I can not trace the application that sends this emails - isn't that something that a simple firewall should tell me
Which is why we asked if you had a firewall and what it was?

This is a link to the on-line analysis of your log: http://hijackthis.de/logfiles/b1e0e2f768ee0bf920850b2f8dc8a2a3.html The question about a firewall is very relevant (see below). There are a couple of unknown entries and one possibly nasty one, so you should confirm that you installed them and you know what they are. Other than those, things at first glance look OK.
Quote
We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.

So it doesn't appear that you have any active firewall that can check outbound connections.
Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Comodo, Jetico, Sunbelt Kerio, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

The BlackLight tool is worth trying to see if there are any hidden processes, and Alan's suggestion to gather more information should also help in tracking down the problem, which according to your HJT log has also overcome many on-line scanners (watch out for future detections related to Panda's unencrypted signature files).
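A small parser for the HijackThis log format discussed above, added here as an example (it is not code from the thread or from HijackThis): it groups entries by section code and flags the lines a reviewer checks first, "(file missing)" entries, O23 services with an unknown owner, and O20 Winlogon Notify DLLs, treating the avast! services as the known HJT 1.99.1 quirk DavidR mentions. The sample log is a constructed excerpt of entries from the log posted in this thread.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HJT 1.99.1 log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\services.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - C:\Program Files\firebird\bin\ibguard.exe (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# Every HJT entry line starts with a section code (R0, O2, O4, O16, O20, O23, ...).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(text):
    """Return (code, body) tuples for every entry line; process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def by_section(entries):
    """Group entry bodies by their section code."""
    groups = defaultdict(list)
    for code, body in entries:
        groups[code].append(body)
    return dict(groups)

def flag_entries(entries):
    """Return (code, body, reasons) for entries worth a second look."""
    flagged = []
    for code, body in entries:
        reasons = []
        if "(file missing)" in body:
            reasons.append("file missing")
        if code == "O23" and "Unknown owner" in body:
            if r"Alwil Software\Avast4" in body:
                # HJT 1.99.1 shows avast! services with an unknown owner; known quirk.
                reasons.append("unknown owner (known HJT 1.99.1 quirk for avast!, ignore)")
            else:
                reasons.append("service with unknown owner")
        if code == "O20":
            reasons.append("Winlogon Notify DLL loads into winlogon.exe")
        if reasons:
            flagged.append((code, body, reasons))
    return flagged
```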

suemccartin

  • Guest
Re: My computer is infected but Avast can not find a thing
« Reply #12 on: June 04, 2006, 06:59:13 PM »
You might just have an infection that's so new nothing recognizes it yet but that seems unlikely.  Maybe leave it for a few days and check next week. 

doront99

  • Guest
Re: My computer is infected but Avast can not find a thing
« Reply #13 on: June 04, 2006, 08:28:11 PM »
Hi alanrf,

This is the report from Avast.
Just to mention that I have installed ZoneAlarm and the log file reports that the intrusion comes from svchost.exe and services.exe.

BTW, I'm a registered user of Avast Pro.

Thanks,
Doron
« Last Edit: June 04, 2006, 08:39:23 PM by doront99 »

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3870
  • Just an avast user
Re: My computer is infected but Avast can not find a thing
« Reply #14 on: June 04, 2006, 10:24:18 PM »
The log you posted confirms that services.exe is the process sending out all these emails - which that process should, of course, not be doing. 

Services.exe is a normal windows system process but it would appear that yours has been replaced by an email worm to include itself.

A quick scan shows that a number of email worms (a number of Sober variants included) replace the services.exe file.

For what it is worth, this file appears on my system in Windows\System32 only, and its size is 108032 bytes, dated 08/04/2004 03:00.

Since you have now installed ZoneAlarm, you should deny outbound access to services.exe. That will stop the emails going out, but it will not remove the malware.

If you have not already tried all the scanners recommended in this thread, then now is the time to try them all. Other than that, I hope that someone here in the forum may have more knowledge of this type of infection and provide you guidance in clean up.