Author Topic: Suspicious Message Alerts! Lots of them!!  (Read 14506 times)

0 Members and 1 Guest are viewing this topic.

Yox

  • Guest
Suspicious Message Alerts! Lots of them!!
« on: October 20, 2006, 12:08:36 PM »
Hi Folks,

I hope that someone can help me ......

I've been using Avast now for nearly a year, and over the past two days I've had a problem:

I keep getting Suspicious Message alerts - one after another after another - until I pause the Internet Mail provider.  I have no idea why this has suddenly started happening ....

An example of one of these the alerts reads:

"Suspicious extension(s) of attachment
*update of KB9046-x86.exe

Sender:       Serv@phazen.net
recipient:     T@paypal.com
"

The sender is always unknown to me, the recipient is often someone to whom I have sent mails in the past.

Today, I have run a full Avast scan, along with Spybot & AdAware ... no issues.  I have also tried reducing the sensitivity of the Internet Mail provider from 'high' to 'normal' ... but with no change ....

Anyone got any ideas???

Thanks

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Suspicious Message Alerts! Lots of them!!
« Reply #1 on: October 20, 2006, 12:12:37 PM »
What buttons are there in the bottom of the warning window? (specifically, does the third one say "Block it", or "Don't send"?)

Yox

  • Guest
Re: Suspicious Message Alerts! Lots of them!!
« Reply #2 on: October 20, 2006, 12:21:13 PM »
Hi Igor ....

There's 3 buttons in the bottom of the warning window - delete (which is greyed out), continue and dont send!

I can email you a pic if uits any help!!

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Suspicious Message Alerts! Lots of them!!
« Reply #3 on: October 20, 2006, 12:42:58 PM »
Hmm, it means that they are outgoing e-mails - i.e. there's some (possibly undetected) piece of malware active on the computer sending out other infected e-mails (according to the filename, I'd say it's a variant of Win32:Warezov).

First, I'd sugges to make sure you are using the latest avast! virus database (i.e. invoke a VPS update), perform a scan of the system (possibly a boot-time scan) and remove the detected files (or move them to Chest).

If it doesn't help, get HijackThis and post its log here...

Yox

  • Guest
Re: Suspicious Message Alerts! Lots of them!!
« Reply #4 on: October 20, 2006, 01:24:41 PM »
Hi Igor,

Avast! scan running now .... I've downloaded and run Hijack This, and the log file is here:

Logfile of HijackThis v1.99.1
Scan saved at 13:20:10, on 20/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrafficSeeker 7.0\Scheduler.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\jgdwadsn.exe
C:\WINDOWS\sserrvv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Alwil Software\Avast4\ashSimp2.exe
C:\Documents and Settings\El Loxy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [sserrvv] C:\WINDOWS\sserrvv.exe s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DRL Sheduler] C:\Program Files\TrafficSeeker 7.0\Scheduler.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O20 - AppInit_DLLs: e1.dll w3sskbda.dll
O20 - Winlogon Notify: jgdwadsn - C:\WINDOWS\system32\jgdwadsn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Hope this makes sense to you, because it don't to me!!!!

Spyros

  • Guest
Re: Suspicious Message Alerts! Lots of them!!
« Reply #5 on: October 20, 2006, 01:38:29 PM »
"C:\WINDOWS\system32\FreezeScreenSaver.exe"
I would delete this one, if I were you. It's adware.

Igor will tell you about the rest.

---
@Igor:
I think e1.dll (O20 - AppInit_DLLs: e1.dll w3sskbda.dll) is usually connected with warezov/stration, as is "update of KB9046-x86.exe" of course.
« Last Edit: October 20, 2006, 01:43:59 PM by Spyros »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Suspicious Message Alerts! Lots of them!!
« Reply #6 on: October 20, 2006, 04:33:17 PM »
Analysis of your your Log shows that there aren't bad items...

c:\program files\alwil software\avast4\aswupdsv.exe - Avast's anti-virus update service
c:\program files\alwil software\avast4\ashserv.exe - Avast's anti-virus main module
c:\program files\alwil software\avast4\ashmaisv.exe - Avast's anti-virus mail protection service
c:\program files\alwil software\avast4\ashwebsv.exe - Avast's anti-virus webshield
c:\progra~1\alwils~1\avast4\ashdisp.exe - Avast's anti-virus tray icon
c:\program files\common files\real\update_ob\realsched.exe - Real Player update checker
c:\program files\mozilla firefox\firefox.exe - Mozilla FireFox - browser
c:\program files\microsoft office\office11\winword.exe - Microsft's Word
o23 - service: avast! iavs4 control service (aswupdsv) - c:\program files\alwil software\avast4\aswupdsv.exe
o23 - service: avast! antivirus - c:\program files\alwil software\avast4\ashserv.exe
o23 - service: avast! mail scanner - c:\program files\alwil software\avast4\ashmaisv.exe" /service (file missing) - Avast's mail provider running as a service
o23 - service: avast! web scanner - c:\program files\alwil software\avast4\ashwebsv.exe" /service (file missing) - Avast's webshield provider running as a service

Ignore any references to 023 entries for avast, this is a bug in the HJT 1.99.1. Hijackthis is searching for 'C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service' (including double quotes and '/service' parameter) as a file, this causes 'file missing', because only present is 'C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe'.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Suspicious Message Alerts! Lots of them!!
« Reply #7 on: October 20, 2006, 06:29:47 PM »
Besides what Spyros mentions, to me these are also suspect:
C:\WINDOWS\System32\jgdwadsn.exe
C:\WINDOWS\sserrvv.exe
O4 - HKLM\..\Run: [sserrvv] C:\WINDOWS\sserrvv.exe s
O20 - Winlogon Notify: jgdwadsn - C:\WINDOWS\system32\jgdwadsn.dll

A google search for these fails to return any hits, which to me is suspicious.
Whilst as Tech mentioned there are no positively detected bad items there are many unknown items that require further investigation (google the file names, etc.) you can also submit the files at the on-line analysis site for unknown/suspect files (copy and past your log here http://hijackthis.de/index.php).

You will also notice that the analysis concludes that it doesn't find an active software firewall, if you haven't got one you are going to be fighting an uphill battle to get clean.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Yox

  • Guest
Re: Suspicious Message Alerts! Lots of them!!
« Reply #8 on: October 20, 2006, 07:29:49 PM »
Firstly, my thanks to Igor, Tech, Spyros & David R for their help!

I'm not sure what it all means though!! .... from the bottom up - I've succesfully deleted C:\WINDOWS\system32\FreezeScreenSaver.exe.  The (second today) full Avast! scan has now finished, and it found a virus - Win32-Warezov-ME, which is now in the chest.

I then switched the internet mail provider back on, and have had no recurrance of the original problem.

I am unable to delete C:\WINDOWS\System32\jgdwadsn.exe, but have deleted C:\WINDOWS\sserrvv.exe .....

Do I need to do anymore?

David - I'm puzzled - I have Windows Firewall running??

Thanks again guys ....

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Suspicious Message Alerts! Lots of them!!
« Reply #9 on: October 20, 2006, 07:43:59 PM »
Quote
I am unable to delete C:\WINDOWS\System32\jgdwadsn.exe,
What reason is given for this ?
Windows in its infinite wisdom protects files in use (even malware) or in system folders, so it is likely that avast! can't delete or move files in use.
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html

Well the analysis tool isn't perfect but als the XP firewall provides no outbound protection. As fast as you get rid of them they could be downloaded again.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
- Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others, Comodo, Sunbelt Kerio, Jetico, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml

If you haven't already got this software (freeware), download, install, update and run it.
1. Ewido, a.k.a. avg anti-spyware If using winXP. or a-Squared free if using win98/ME.
2. Ad-Aware SE Personal Edition
3. Spybot Search and Destroy
4. Spywareblaster Don't install this until you are clean.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Suspicious Message Alerts! Lots of them!!
« Reply #10 on: October 20, 2006, 08:05:59 PM »
I am unable to delete C:\WINDOWS\System32\jgdwadsn.exe, but have deleted C:\WINDOWS\sserrvv.exe
Yox, KillBox is a very strong delete tool (www.killbox.net).
But, probably, it won't be enough. You need to follow other suggestions from David.
The best things in life are free.

Spyros

  • Guest
Re: Suspicious Message Alerts! Lots of them!!
« Reply #11 on: October 20, 2006, 08:15:47 PM »
Besides what Spyros mentions, to me these are also suspect:
C:\WINDOWS\System32\jgdwadsn.exe
C:\WINDOWS\sserrvv.exe
O4 - HKLM\..\Run: [sserrvv] C:\WINDOWS\sserrvv.exe s
O20 - Winlogon Notify: jgdwadsn - C:\WINDOWS\system32\jgdwadsn.dll

DavidR ,
I've noticed those too but didn't want to say more because Igor was the one who asked for the HJT log. I'm 99% sure that these files are from the Warezov/Stration, as I've already cleaned one system from an undetected sample.

I am unable to delete C:\WINDOWS\System32\jgdwadsn.exe, but have deleted C:\WINDOWS\sserrvv.exe .....

Do I need to do anymore?

I couldn't delete Warezov/stration worms with any AV or AntiSpyware I've tried if they were active in the memory. What I used was the free version of "Security Task Manager" (http://www.neuber.com/taskmanager/index.html) to find and delete those. An ecxellent tool, even in the feature-limited free version.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Suspicious Message Alerts! Lots of them!!
« Reply #12 on: October 20, 2006, 08:25:13 PM »
O4 - HKLM\..\Run: [sserrvv] C:\WINDOWS\sserrvv.exe s
concur mass e-mailer trojan

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Suspicious Message Alerts! Lots of them!!
« Reply #13 on: October 20, 2006, 08:52:49 PM »
Analysis of your your Log shows that there aren't bad items...

O4 - HKLM\..\Run: [sserrvv] C:\WINDOWS\sserrvv.exe s
concur mass e-mailer trojan

Sorry, I've missed this one  :'( :-\
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Suspicious Message Alerts! Lots of them!!
« Reply #14 on: October 20, 2006, 08:56:13 PM »
Besides what Spyros mentions, to me these are also suspect:
C:\WINDOWS\System32\jgdwadsn.exe
C:\WINDOWS\sserrvv.exe
O4 - HKLM\..\Run: [sserrvv] C:\WINDOWS\sserrvv.exe s
O20 - Winlogon Notify: jgdwadsn - C:\WINDOWS\system32\jgdwadsn.dll

DavidR ,
I've noticed those too but didn't want to say more because Igor was the one who asked for the HJT log. I'm 99% sure that these files are from the Warezov/Stration, as I've already cleaned one system from an undetected sample.

I rather think Igor was hoping other would also help once the log was posted here ;D

Something that we didn't mention to 'Yox' was these suspect files should also be sent to virus@avast.com in a zipped password protected email, before disposal/deletion.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security