Author Topic: Problem with virus/e-mail provider  (Read 5198 times)

0 Members and 1 Guest are viewing this topic.

Offline Skyler

  • Newbie
  • *
  • Posts: 7
Problem with virus/e-mail provider
« on: April 13, 2007, 01:49:29 AM »
Hello.

For the past few days, I've been having this really annoying problem on my computer. Apparently I'm infected with some kind of spyware/virus that keeps sending emails in the background, and Avast's mail protection keeps scanning them all, which severely slows down my computer and internet speed, sometimes even making it reboot itself (not sure if the rebooting is avat's doing or the virus/spyware, though). I've attached a pic of it. And yeah, it's all in portuguese. :p


Anyways, could someone be so kind as to give me some hints on how to get rid of this? I've already tried system restoring to about 15 days ago, running full Avast and Spybot scans, but nothing seems to work. Whenever I go online, its always the same thing..  :(

Any help would be greatly appreciated.  :D

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Problem with virus/e-mail provider
« Reply #1 on: April 13, 2007, 03:01:37 AM »
Avast's mail protection keeps scanning them all, which severely slows down my computer and internet speed, sometimes even making it reboot itself (not sure if the rebooting is avat's doing or the virus/spyware, though).
Anyways, could someone be so kind as to give me some hints on how to get rid of this?
I suggest, when a virus is replicant (coming and coming again):

1) Disable System Restore on Windows XP. After boot you can enable System Restore again.

2) Clean your temporary files. You can use the Windows Advanced Care features for that. Or CCleaner, or any other tool for cleaning.

3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4) It will be good if you download, install, update and run other trojan remover tools: a-squared and/or Free AVG Antispyware (trojan removers).

5) Use the immunization of SpywareBlaster.

After that, if the problem persists, can you post again.
Better, can you post in any condition 8)
Welcome to avast forums!
The best things in life are free.

Offline Skyler

  • Newbie
  • *
  • Posts: 7
Re: Problem with virus/e-mail provider
« Reply #2 on: April 13, 2007, 03:42:47 AM »
Thanks a lot.. I wasn't really expecting such a helpful reply so fast.  :o
I'm downloading all those tools now, gonna run them afterwards and hope for the best. I'll post the results here later.  ;D

Thanks again.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: Problem with virus/e-mail provider
« Reply #3 on: April 13, 2007, 05:19:54 AM »
If you find nothing positive from these scans then some extra avast logging may be needed to identify the process that is or has become infected as the spambot sending these emails.

Do you have a firewall that requires outbound permission active on your system (ie something better than the Windows XP firewall)? 


Offline Skyler

  • Newbie
  • *
  • Posts: 7
Re: Problem with virus/e-mail provider
« Reply #4 on: April 13, 2007, 07:25:42 AM »
Well.. I'm totally surprised now.. I got all those programs, updated them all and ran complete scans for each of them. They all found a couple spywares and removed them, then after the final avast boot scan, I turned my modem on and.. the thing was still there! :o The activity led on my modem doesn't stops blinking like crazy, telling me there is internet activity even though I'm not doing anything. And if I turn on avast resident protection, same thing goes on again.. email provider keeps on scanning things and eventually kills my connection/CPU speed.

Do you have a firewall that requires outbound permission active on your system (ie something better than the Windows XP firewall)? 

Hmm nope.. I'm a real klutz regarding internet security, that's why I never browse suspicious sites to avoid getting owned by these things.. I have no clue how I got this one now. Would it be too hard to setup a firewall on my own?
« Last Edit: April 13, 2007, 07:27:38 AM by Skyler »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: Problem with virus/e-mail provider
« Reply #5 on: April 13, 2007, 07:43:15 AM »
Zone alarm is quite easy to setup as are others. A search of this forum for "firewall" without the quotes, will return a lot of hits for free firewalls.

The advantage of a firewall with out bound protection is that you can control what is able to connect to the internet. You may be able to block/isolate the culprit that is using your internet connection.

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: Problem with virus/e-mail provider
« Reply #6 on: April 13, 2007, 08:05:34 AM »
To better identify what is happening and to identify the process actually sending this email it will probably be useful to create (for a while) a more detailed avast! log of your mail connections.

You can get the mailscanner to log your connections by editing the avast4.ini file (in  Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log

If you are then willing to share the log ... please first obscure any personally identifiable information in it ... we shall have a better chance of understanding the cause of your problem.

Offline Skyler

  • Newbie
  • *
  • Posts: 7
Re: Problem with virus/e-mail provider
« Reply #7 on: April 13, 2007, 08:36:51 AM »
The first thing that came to my mind when I saw the word Firewall was actually ZoneAlarm, so I went and got it. Only problem is that my computer is kinda slow for it apparently.. having Zonealarm slows things down to almost unbearable levels while its active. Not to mention there was a couple error windows stating compatibility issues among Zonealarm and avast on the first time I ran it.. I uninstalled it but kept the installer here if that's going to be the only way to get rid of the problem though.

I did the log thing, and it created a rather huge file.. in about 15 seconds running it, it made a 409 log file, so I can't attach it here since the limit is 200 kb. I'll cut it in half though and attach it here, please let me know if that's enough, if not I can make a second attachment with the rest. (actually now that I saved it, it wasn't nearly 1/5 of the original log file.. but it seems to just repeat the same things over and over)

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: Problem with virus/e-mail provider
« Reply #8 on: April 13, 2007, 09:32:39 AM »
The same thing that is being repeated, over and over, is the logging by avast of the sending of thousands of spam emails by your system which has become a spambot.  You should remove the logging option from the avast4.ini if you have not already done so.   

The process on your system (as seen frequently in the past) that is showing up as sending all this spam email is C:\Windows\explorer.exe. Unfortunately a lot of other components hook into explorer.exe so it may well take some more effort to find the source of the infection.    It may well show up in the startup processes of your system and may appear in a Hijackthis report.  Have you heard of this disgnostic program? 

There no conflicts with avast and the free version of Zonealarm.  If you install the free version of ZoneAlarm and do the following:

1) turn off outbound mail scanning by avast in the SMTP tab of the Internet Mail provider
2) deny outbound access by explorer.exe when requested via ZoneAlarm

then you will stop the spam email going out of your system while you track down the real source of the problem. However, it will not stop the infection in your system or the overhead of creating the messages, just stop it being sent out until you find and remove the infection.  I think that the Hijack this report is a good starting point.  I would also suggest that (free) online scans  by:

Panda
Ewido (now part of AVG)

would also be worthwhile.

Others here may well have better experience in removing spambots and I hope that they will add their advice.
« Last Edit: April 13, 2007, 09:40:46 AM by alanrf »

Offline Skyler

  • Newbie
  • *
  • Posts: 7
Re: Problem with virus/e-mail provider
« Reply #9 on: April 13, 2007, 02:56:41 PM »
Thanks for all the help. I did the online checks, but they couldn't detect anything either.  :( I'm close to taking the final step and actually reformat my computer to get rid of this..

edit: I see where I went wrong now. I installed ZoneAlarm with the Pro features enabled before, and that caused the conflicts/major slowdown on my computer. I re-installed now with the Free features only and it's running smoothly after I blocked Windows Explorer from using the Internet.. still looking for a way to remove the little thing from there though instead of only blocking it.  :D
« Last Edit: April 13, 2007, 04:43:16 PM by Skyler »

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: Problem with virus/e-mail provider
« Reply #10 on: April 13, 2007, 08:00:02 PM »
I'm wondering if you have received and opened any warning email that provided a so-called patch in the last couple of days.  This new trojan is flooding the network right now and (among other nasty side effects) sends out self replicating messages.  Part of this trojan is a rootkit to hide itself.

If you have opened any such email and activated "the patch" then it would make sense to run a root kit scan.  One that has been recommended in this forum is Blacklight from F-Secure.  They have extended the period of making this scanner freely available and it can be found here:

http://www.f-secure.com/blacklight/ 

 

Offline Skyler

  • Newbie
  • *
  • Posts: 7
Re: Problem with virus/e-mail provider
« Reply #11 on: April 13, 2007, 09:11:57 PM »
Hmm no, not that I remember.. I never really open or install things from emails.. I got the Blacklight program and ran it here, but he didn't detect anything, could it be because Zonealarm is blocking it?

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3867
  • Just an avast user
Re: Problem with virus/e-mail provider
« Reply #12 on: April 13, 2007, 10:08:19 PM »
Blacklight is only performing a scan inside your system, ZoneAlarm does not block its activity.

I think you will need to produce a HijackThis log to show us a bit more of what is happening on your system.

You can find out more about HijackThis here:

http://www.bleepingcomputer.com/tutorials/tutorial42.html

Offline Skyler

  • Newbie
  • *
  • Posts: 7
Re: Problem with virus/e-mail provider
« Reply #13 on: April 14, 2007, 07:28:23 AM »
That's the log Hijackthis made when I ran it. I actually had no idea there were so many processes running in the background even though I'm not doing anything at the moment..  :o

I hope the darn thing is showing in there now..

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 83800
  • No support PMs thanks
Re: Problem with virus/e-mail provider
« Reply #14 on: April 14, 2007, 02:44:36 PM »
First you need to create a folder for HiJackThis 'HJT'  will do as if you make any changes 'fixes' there will be no backup made (it shouldn't be on the desktop or a temporary location). So if you make a mistake you will be unable to rectify it.

Create the new folder and drag the hijackthis.exe into it, there are many who also suggest changing the name to hijackthat.exe or donthijackthis.exe as some malware is on the lookout for the hijackthis.exe file name.

Now run HJT again, this time copy and paste the contents into your post if it is to large paste it into two consecutive posts. This means those trying to help, don't have to download a file to view it.

To me this looks suspicious and there are no hits on google for it, in itself suspicious, don't do anything about it yet until you have HJT in its own folder.

O10 - Unknown file in Winsock LSP: c:\windows\system32\aidlg.dll (why this has 12 occurrences is also strange unless it is because it is using 12 ports).

O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe (this is a mash-up of a legit file lsass.exe so most suspicious)

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive.
« Last Edit: April 14, 2007, 02:49:24 PM by DavidR »
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.598) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro