emission de mails multiples

[guitou]

avast ouvre une fenetre pour me dire qu'il pense qu'un virus a infecté mon ordi qui se met à envoyer des mails
avast me demande  : continue, ou ne pas envoyer, et les fenêtres s'ouvrent les unes après les autres
je ferme les fenêtres en cliquant sur "ne pas envoyer"
je ferme incredimail
je déconnecte mon ordi de internet
je viens sur le forum avec un autre ordi
je fais quoi maintenant ?
merci à ceux qui ne dorment pas et qui savent ce que je dois faire

[Lisandro]

This is an English-only forum. Sorry.
Please, go to on-line translators and try to make it easier for all the volunteers here 

[NVolvo]

Hi, I have the same problem, I will try to translate, sorry for my bad english!

Avast open a window who it's indicate that a virus try to send mail from my computer, we doesn't known both address (sender and receiver).
In this window we can select "Continue" or "Not send"
We select "Not send"

We can see this alert once a week or once a day or every 10 minutes.

We can seen icon "Courrier électronique" (Email) with a strange message when the pointer is on.
Sometimes the message change, with another address. We doesn't know this address.

Can you help us?

another topic about this problem, but in french
http://www.commentcamarche.net/forum/affich-2436512-avast-courrier-electronique

[NVolvo]

[Lisandro]

Hi, I have the same problem, I will try to translate, sorry for my bad english!

Your English is ok. Don't worry about that.

You could have an infected system and mail is being send by the trojan.
Are you sending/receiving mail when that icon appears? I mean, any email or spam application opened at that time?

I suggest
1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Clean your temporary files.
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
4) It will be good if you download, install, update and run other trojan remover tools:
    a-squared
    Free AVG Antispyware
    SUPERantispyware
    Spyware Terminator

[NVolvo]

Thanks,

The message appears at any times, when Thunderbird or Outlook are running or not.

I will try what you say

[mreynes]

Hello, I have the same problem. I tried your solution but no result... The problem is still there.
Strange mails are sent even when outlook and internet explorer are closed.
What can I do ?

Thank you.

[DavidR]

Thanks,

The message appears at any times, when Thunderbird or Outlook are running or not.

I will try what you say

As Tech says, you are probably infected by an undetected trojan spambot, responsible for the out going emails. These spambots often come with their own very small email program.

The programs listed by Tech are anti-spyware and more likely to find this undetected trojan responsible for the emails.
What is your firewall ?
It should be capable of blocking unauthorised outbound Internet Connections.

Hello, I have the same problem. I tried your solution but no result... The problem is still there.
Strange mails are sent even when outlook and internet explorer are closed.
What can I do ?

Thank you.

What solution have you tried there are a lot of different applications to try to clean up in item 4. If you too can answer the firewall question.

[mreynes]

I tried Tech's suggestion. With AVG free spyware and Scan Spyware. They both found some spams and destryed them but the problem came back after.
I use xp firewall.
I got this virus after openning an email saying I had received a postcard from the site qvsworn.hk
Don't go to this site ! 

Do you have any suggestion ?

[alanrf]

It should be capable of blocking unauthorised outbound Internet Connections.

In sending email through a firewall avast's Internet Mail provider makes no distinction between good email and bad email, it helps them all get through because it does not recognize any email program.

So, to stop a spambot it is necessary to turn off all mail scanning by avast and deny permission for ashmaiSv.exe at the firewall.  Unfortunately even this may not stop the spambot if (as is so often the case now) it is hiding behind a Windows service that needs outbound permission to do its job. 

If this poster wants to know the service that is sending the spam email then it would be best to create (for a while) a more detailed avast! log of the mail connections.  This must be done before the steps I have mentioned above.

You can get the mailscanner to log your connections by editing the avast4.ini file (in  Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:
[MailScanner]
add the line:

Log=20
and save the updated file.

Allow a little time for the spam to record in the log.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log
Before posting the log you should mask any personally identifiable information. 

[DavidR]

It isn't avast that should make the distinction between good and bad.

A competent firewall should be able to make the distinction between the avast email proxy and the program using it, the same is true of the misuse or abuse of a windows service through anti-leak or component control.

[Lisandro]

but the problem came back after.

If a virus is replicant (coming and coming again), you should:

1) Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3).

2) Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4) It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.

5) If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

6) After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

7) Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

[mreynes]

Tech, I've already tried your solution with no result. 
I'll try to put here the log connections as alanrf suggests.

I've found in another forum a program called "kill_autorun_vbs.bat" it seems to solve the problem for a moment (no more avast icon of sending mails) but after a few hours or a reboot it comes back...

[alanrf]

David,

I simply do not know where you are coming from.

When avast intercepts an email send/receive is is avast plain and simple that is receiving or sending the email not the good client or the bad spambot it is avast istself.

No firewall I know of goes back down the chain of callers to see if they have permission. 

I'm sorry to say that avast does now and always has abetted spambots and this is not the first time I have posted so.  Only running the Internet Mail provider on high sensitivity has any chance of catching spambots but  I never see this recommended by avast - but then they did shoot themselves in the foot by themselves disabling the best detection of spambots a few releases ago.   

[DavidR]

Well my firewall does seem to be able to identify program and associated avast proxy, see image.

You can see I tried to download email, it shows msimn.exe (outlook express) connecting through the localhost 12110 and you can also see the associated pop3 connection. Now if this were an unknown application which hadn't previously received permission it would be blocked and you would be able to see the parent application responsible for the attempt.

I see the same for firefox connecting through the localhost 12080 proxy and the associated web shield entry.