INTERNET MAIL SCANNER

[babycham]

PLEASE HELP.... INTERNET MAIL SCANNER IS SCANNING OUTGOING MAIL, ALL THE TIME, LAST COUNT WAS 3086!!! I AM NOT SENDING ANY MAIL, I USE OUTLOOK EXPRESS. THIS IS INTERFERRING WITH MY OUTLOOK EXPRESS, AND SLOWING MY COMPUTER DOWN. I AM RUNNING WIN XP SP2, ALSO I KEEP GETTING A WARNING ABOUT 24EXMODULE.EXE AND LOADS OF OTHER XXEXMODULE.EXE [UPX]

[ardvark]

Hi babycham...

Without delay, download and/or run these three programs...

http://housecall.trendmicro.com/

http://www.f-secure.com/blacklight/try.shtml

http://www.ewido.net/en/download/

It's possible that your copy of Avast has been compromised by what appears to be a trojan or virus.

Please post back with the results and we'll go from there.

Best Regards...

[DavidR]

You might not think your sending email but it does appear that you have a trojan spambot on your system. Running Ewido from safe mode I would say should be your first option followed by a firewall.

What is giving the warnings, if avast, What was the virus name, what was the file name, where was it found example (C:\windows\system32\infected-file-name.xxx) ?
What actions (move to chest, etc.) have you taken to try and resolve the problem ?

Please switch off the CAPS LOCK key.

A firewall with outbound detection should be able to detect unauthorised outbound connections. What is your firewall (not XP's I hope, which doesn't have any outbound protection). Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Comodo, Jetico, Sunbelt Kerio, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml

[babycham]

Hi Ardvark

Many Thanks For Your Reply.

http://housecall.trendmicro.com/ - No Luck, When I Clicked Scan Now, Page Just Loaded With There Website Name Only, No Links Blank.

http://www.f-secure.com/blacklight/try.shtml - Scanned And Found Nothing.

http://www.ewido.net/en/download/ - ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:   01:29:46 22/06/2006

 + Scan result:   



C:\Documents and Settings\Mum\My Documents\My Downloads\RegistryFix\RegistryFix.v5.5.Incl.Keymaker-EMBRACE.rar/keygen.exe -> Heuristic.Win32.Morphine-Crypted : No action taken.
C:\Documents and Settings\Mum\Cookies\mum@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.


::Report end

Still The Internet Scanner Continues To Send Mail, I Have Now Terminated It, Don't Know What Else To Do.

[babycham]

Hi DavidR

Many Thanks For Your Reply.

Have Run Ewido, Not In Safemode However, How Do I Run Safemode? Will Try That Next.

This Is The Report When I Ran Ewido Not In Safemode:

ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:   01:29:46 22/06/2006

 + Scan result:   



C:\Documents and Settings\Mum\My Documents\My Downloads\RegistryFix\RegistryFix.v5.5.Incl.Keymaker-EMBRACE.rar/keygen.exe -> Heuristic.Win32.Morphine-Crypted : No action taken.
C:\Documents and Settings\Mum\Cookies\mum@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.


::Report end

Avast Is Giving Warnings Re: xxexmodule.exe [UPX] In Temp. Have Checked It Out And Scanned The Folder And Avast Found Nothing!

I Always Move To Chest If Alerted. Sorry For CAPS.

I Have Always Had XP Firewall, And Until Now, Things Have Been Fine.

I Am Also Getting Firewall Blocking Things I Wish To Be Kept Unblocked.

Also, Automatic Updates Keeps Turning Off And Microsoft Website Keeps Asking Me To Run services.msc and start it manually. When I Set Updates To Auto I Have Several Copies Of It Set It Self In Firewalls Exceptions!!


Am Now Going To Go To zonelabs, Maybe This Will Fix The Problem.

Inter Mail Scanner Still Sending, Have Now Terminated It, Don't Know What Else to Do.

[Spiritsongs]

   Hi Babycham :

      We have 1 or 2 threads in the past dealing with
      "Exmodule" and its "cousins"; have you use this forum's
      "search" to find them; there's an "involved" process in
        getting rid of this .
       If the info in our threads do not help, I recommend you
       ask for help on the forums of your antiSPYWARE provider;
       if you know of none, I recommend www.landzdown.com .
       It is going to take more than running Ewido in "Safe
       Mode" .

[ardvark]

Hi  babycham...

Part of the "involved" process that Spiritsongs is speaking of will include downloading and running a copy of Hijack This (HJT) which can be found here...

http://www.majorgeeks.com/download3155.html

You can post the log at the site Spiritsongs mentioned or at these two other sites...

http://spywarewarrior.com/index.php

http://castlecops.com/forums.html

You will need to register to use their sites. A firewall will help stop the SPAM that's eminating from your machine but it will not cure the infection and it may end up getting compromised as it appears your copy of Avast has been.

Please post back with any results.

Best Regards...

[CharleyO]

***

Hi Ardvark

Many Thanks For Your Reply.

http://housecall.trendmicro.com/ - No Luck, When I Clicked Scan Now, Page Just Loaded With There Website Name Only, No Links Blank.

http://www.f-secure.com/blacklight/try.shtml - Scanned And Found Nothing.

http://www.ewido.net/en/download/ - ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at:   01:29:46 22/06/2006

 + Scan result:   



C:\Documents and Settings\Mum\My Documents\My Downloads\RegistryFix\RegistryFix.v5.5.Incl.Keymaker-EMBRACE.rar/keygen.exe -> Heuristic.Win32.Morphine-Crypted : No action taken.
C:\Documents and Settings\Mum\Cookies\mum@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.


::Report end

Still The Internet Scanner Continues To Send Mail, I Have Now Terminated It, Don't Know What Else To Do.

Babycham -

It is not Interent Mail Scanner (IMS) that is sending out email. Instead, IMS is just scanning the email that is being sent out by a trojan or other email program. Most likely, the program doing this is a spambot on your computer. Turning off IMS will not stop the email from happening ... it only stops the way of letting you know this is happening. 


***

[DavidR]

Have Run Ewido, Not In Safemode However, How Do I Run Safemode? Will Try That Next.

When you boot keep tapping the F8 key this should interupt the boot and give you the option of a safe mode boot.

[babycham]

Hi E1

You Guys Have Been *STARS*. However, I Became So Compromised By All What Was Happening That Win XP Finally Said NO MORE And Shut Me Out Completely.

I Have Had To Completely Format My Hard Drive And Start From Fresh, What A Nightmare!!!! Thankfully I Had Backed Up. Avast Seems To Behaving Now, No More Outgoing, Just Scanning My Incoming Mail Etc.

Can I Ask, I Am Running Win XP Firewall, Auto Updates, Avast, And Ad-Aware. Daily These Are Updated, But Still I Had This Problem, Am I Not Doing Enough? Is There More? If So Can You Help Me Out With Suggestions.

I Also Run Clean Up And Defrag Once A Week.

Once Again, So Glad I Came Here For Help And Advice, Many Many Thanks To You All. 

[ardvark]

Hi babycham...

Well, let me, in part, answer your question by asking you a question. What precipitated this particular infection? What event started the constant outgoing e-mails and error messages? Was it opening an e-mail or visiting a website?
Did you accept a file from an IM or P2P program?

If we can get a more of an idea what actually happened, we can give you more detailed suggestions on what to avoid.

The 'net is a risky place and there is no security program out there that is 100% foolproof or makes your system "impenetrable." View them as partners, using them alongside with common sense and awareness.

Best regards...

[babycham]

It Seemed To Start With These xxexmodule.exe files that avast was picking up as trojans, Then It Was The Outgoing Mail Avast Was Picking Up As Suspicious, 1000's Of Them At A Time.

Then It All Went Away, Then Started Again, And So On Up To Present Day. This Went On Over 3 Weeks, In This Time I Was Trying Everything I Could To Reslove The Problem, But Everytime I Removed Them To Chest, Then Re-Booted, Back They Came.

This was after i had installed and joined MSN Messenger, now i not saying that this was the main reason, but i cannot think i anything else that i had done, or site i had been to, that i had then got any problems from. I Have Gone Threw Many Things And I Seem To Come Back To This Everytime.

[ardvark]

This was after i had installed and joined MSN Messenger, now i not saying that this was the main reason, but i cannot think i anything else that i had done, or site i had been to, that i had then got any problems from. I Have Gone Threw Many Things And I Seem To Come Back To This Everytime.

If you accepted a file (like a picture or a game, as an example) through the messenger from someone you were chatting with,
this could easily be the source of the infection. Or, if you clicked on a link that was offered through a particular message, whether you knew the person or not.

Also, there was a virus posing as a BETA release of MSN 8 that turned infected systems into "clients in a botnet network of compromised PCs." See here...

http://www.theregister.co.uk/2005/12/28/messenger_virus/

I have no idea of the exact method of infection in your case but I do know whatever the virus was, it got past Avast (seemingly) quite easily.

Best rule(s) of thumb with IM programs are (others are invited to correct or add to them)...

1. Do NOT solicit or open files that sent through a messenger.
2. Do NOT click on links that appear in the chat box, no matter how
    appealing they might sound or who sent the message.
3. Exercise caution in who you pick to be your "buddy." 

Hope this helps

Best Regards...

[polonus]

Hi babycham,

You have fallen victim to lavits worm, see here: http://startup.networktechs.com/srch-SystemCheck.html
and here: http://www.auditmypc.com/process/module.asp

polonus

[DavidR]

All I can say is firewall, the biggest disservice MS ever did was to call that lash-up a firewall, it is like a fire door that only provides protection from one side. Please re-read my first reply on firewalls and outbound protection.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can reap havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.