Author Topic: H! E! L! P!  (Read 20583 times)


daronmiller

  • Guest
Re: H! E! L! P!
« Reply #15 on: May 26, 2007, 05:50:14 PM »
Ok, I'm going to go and buy an abacus. Do they make games for those? :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89115
  • No support PMs thanks
Re: H! E! L! P!
« Reply #16 on: May 26, 2007, 05:51:13 PM »
I'm not entirely sure about that beta of HijackThis.  The log is very short.

I have been using the beta 2.0 version and even though my system is fairly buttoned down, my log file is larger, it is almost like 1.99 being run from safe mode. If anything the beta lists more things than 1.99.1 does.

So was this beta version of HJT 2.0 run from safe mode?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

daronmiller

  • Guest
Re: H! E! L! P!
« Reply #17 on: May 26, 2007, 05:54:13 PM »
No, I just ran it within "normal" windows. I have to reboot now to install the comodo firewall. I'll be back.

mauserme

  • Guest
Re: H! E! L! P!
« Reply #18 on: May 26, 2007, 06:04:52 PM »
Upload these files to Virus Total for analysis and post the results if anything is found:

C:\WINDOWS\system32\drivers\amathsifvidv
C:\WINDOWS\system32\vrsyeutj.exe
C:\752151790
C:\xxxcwainda.exe

daronmiller

  • Guest
Re: H! E! L! P!
« Reply #19 on: May 26, 2007, 06:11:59 PM »
The xxxcwainda.exe is infected. I added the "xxx" to try and hide it, BUT, more importantly, I can't connect to that site (VirusTotal).   HELP!

daronmiller

  • Guest
Re: H! E! L! P!
« Reply #20 on: May 26, 2007, 06:15:54 PM »
According to Comodo, the files ashMaiSv.exe and svchost appear responsible for all the network traffic (emails). Is it possible one of those is infected? I can't get over how hard it is to track down an application sending email....

kojta

  • Guest
Re: H! E! L! P!
« Reply #21 on: May 26, 2007, 06:46:04 PM »
I found Sophos Anti-Rootkit very useful for removing some rootkits that other tools couldn't find.

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

mauserme

  • Guest
Re: H! E! L! P!
« Reply #22 on: May 26, 2007, 07:16:10 PM »
> The xxxcwainda.exe is infected. I added the "xxx" to try and hide it, BUT, more importantly, I can't connect to that site (VirusTotal).   HELP!

How do you know it's infected, and by what?

I can't connect to Virus Total right now either.  Same for Jotti.  It must be a busy day for them.

> According to Comodo, the file ashMaiSv.exe and svchost appears responsible for all the network traffic (emails). Is it possible one of those is infected? I can't get over how hard it is to track down an application sending email....

ashMaiSv.exe is the avast! proxy that scans your email.  It will look like this is the source of the problem in the firewall but it's actually an underlying process that we haven't identified yet.  And it's normal for svchost.exe to have some internet access, but constant access is not normal.  Please check the spelling and file location for this one - make sure it's not something like scvhost.exe with the "v" transposed with the "c", or SVCH0ST.EXE with numeric "0" where the alpha "o" should be.

Did you install Simple Sudoku on 24 May?  That date matches the file creation date for some of the suspicious files and also matches many of the detections in the avast! log.  It could be this

http://www.pctools.com/mrc/infections/id/Yazzle+Sudoku/


EDIT:  Let's get your Java up to date.  You can install the latest version here

http://www.java.com/en/download/manual.jsp

Then make sure to uninstall all older versions in Add/Remove Programs as the update process will not do this for you.

« Last Edit: May 26, 2007, 07:44:09 PM by mauserme »
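The spelling and location check mauserme describes above (scvhost.exe with transposed letters, SVCH0ST.EXE with a zero, or a correctly spelled svchost.exe living somewhere other than System32) can be done mechanically over a process listing. The script below is an added example written for this page; it is not code from the thread, from avast! or from HijackThis. The process list it scans is constructed sample data: the PIDs and paths are made up, and the legitimate-directory list assumes a 32-bit XP-era install (SysWOW64 is included only for 64-bit systems).

```python
"""Flag processes that masquerade as svchost.exe.

Added example for the thread above, not code from the forum or any
product mentioned in it. The process list is constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple

LEGIT_NAME = "svchost.exe"
# Directories where a real svchost.exe may live. System32 is the only one on
# 32-bit XP; SysWOW64 is legitimate on 64-bit Windows (assumption for the demo).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Characters attackers substitute because they look alike in a process list.
HOMOGLYPHS = {"0": "o", "1": "l", "|": "l", "5": "s"}


@dataclass
class Proc:
    pid: int
    name: str
    path: str


def normalize(name: str) -> str:
    """Lower-case the name and undo common look-alike substitutions."""
    return "".join(HOMOGLYPHS.get(c, c) for c in name.lower())


def is_transposition(a: str, b: str) -> bool:
    """True if a and b differ only by swapping two adjacent characters."""
    if len(a) != len(b) or a == b:
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def classify(p: Proc) -> str:
    """Return 'ok', or the reason this process looks like a svchost impostor."""
    name = p.name.lower()
    norm = normalize(name)
    directory = p.path.lower().rsplit("\\", 1)[0]
    if name == LEGIT_NAME:
        # Right name: it must also be in the right place.
        if directory in LEGIT_DIRS:
            return "ok"
        return f"svchost.exe outside System32: {p.path}"
    if norm == LEGIT_NAME:
        return f"look-alike name (character substitution): {p.name}"
    if is_transposition(norm, LEGIT_NAME):
        return f"look-alike name (transposed letters): {p.name}"
    return "ok"


def suspicious(procs: List[Proc]) -> List[Tuple[int, str]]:
    """(pid, reason) for every process that does not classify as 'ok'."""
    return [(p.pid, classify(p)) for p in procs if classify(p) != "ok"]


# Constructed sample process list (made-up PIDs and paths).
SAMPLE = [
    Proc(856, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1204, "scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe"),
    Proc(1388, "SVCH0ST.EXE", r"C:\WINDOWS\SVCH0ST.EXE"),
    Proc(1520, "svchost.exe", r"C:\Documents and Settings\user\svchost.exe"),
    Proc(1640, "ashMaiSv.exe", r"C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe"),
]

if __name__ == "__main__":
    for pid, reason in suspicious(SAMPLE):
        print(f"PID {pid}: {reason}")
```

The name check is deliberately narrow (exact name, one transposition, or one look-alike character) so that it does not flag unrelated binaries; the path check catches the other common trick, a correctly spelled copy dropped into a user-writable directory. Feed it the output of Process Explorer or `tasklist /v` converted to `Proc` records.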

daronmiller

  • Guest
Re: H! E! L! P!
« Reply #23 on: May 26, 2007, 08:11:41 PM »
The spelling was correct on the svchost file. The Sudoku program has been on the PC for a while. The original CAUSE of the infection was my own momentary stupidity in running a file I KNEW I shouldn't have. Actually, there is no more room on my a** for footprints right now as I have been kicking myself for my momentary stupidity.

I will update the Java. All scans from the software I can find show clean, but, every now and then I still see pop-ups from avast scanning outgoing email. I realize that the processes using time may not be the originators, it was just something I noticed on the display. The hard drive appears to be clean (if I can trust the X programs i keep scanning with). And yet...emails get sent. :)

The rest of the PC appears to be functioning OK. Maybe I just have something new, and I will just have to wait till databases get updated and someone finds something to remove this?

BTW, ran the rootkit tool, and nothing was found (except a few hidden registry entries). And thanks for letting me know the scan sites aren't working right now. I ... honestly was hoping it was a "second" symptom. :)

Before I GIVE UP... I want to thank EVERYONE who has made suggestions or offered any kind of help or effort in trying to help me. I really appreciate all your efforts, and I hope someday I can be as nice and return the favor to someone else.


Daron

daronmiller

  • Guest
Re: H! E! L! P!
« Reply #24 on: May 26, 2007, 08:16:24 PM »
I'm beginning to think that maybe a computer virus is just God's way of saying "Hey, been a while since you cleaned up your PC and got rid of all those programs you never use anymore. Maybe you should start over, like when you BOUGHT the PC.".


:)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: H! E! L! P!
« Reply #25 on: May 26, 2007, 08:24:18 PM »
> I'm beginning to think that maybe a computer virus is just God's way of saying "Hey, been a while since you cleaned up your PC and got rid of all those programs you never use anymore. Maybe you should start over, like when you BOUGHT the PC.".
> :)

Sometimes the penitence for opening/running a 'bad' file is trying to get clean again: you can learn, test, etc.
Reformatting is a radical option. Works, but you don't learn. You won't be prepared to avoid such a situation in the future.
Just my 0.01.
The best things in life are free.

mauserme

  • Guest
Re: H! E! L! P!
« Reply #26 on: May 26, 2007, 08:27:38 PM »
> Before I GIVE UP...

Gosh, you don't look like a quitter  :)

Just be patient.  Virus Total will be back up in a while.  I actually did get their email submission option at one point so it is a matter of being really busy. 

In the meantime scan with SuperAntiSpyware (unless you've already tried it)

http://www.superantispyware.com/

Do a complete scan and quarantine at the end.  Then post the log that you will find in Preferences> Statistics/Logs.


EDIT:  And what is xxxcwainda.exe ?
« Last Edit: May 26, 2007, 08:29:18 PM by mauserme »

daronmiller

  • Guest
Re: H! E! L! P!
« Reply #27 on: May 27, 2007, 12:09:31 AM »
OK folks, here's the latest status.

Still scanning with various programs. Only thing found seems to be suspicious tracking cookies. NOT the cause of the emails I'm sure.

The xxxw... file was originally named cwainda.exe. I don't know what app it was for, and I don't recall what software found it had a virus, but I renamed it to be safe.

I scanned the four files. xxxcwainda.exe was found by 8 scanners to be infected, so it's getting destroyed.
The amathsifvidv.sys was clean, the vrsyeutj.exe file was found infected by 7 scans, so I'm renaming it and then destroying it if all appears ok. The 752151790 file was only suspected by 1 of the scans, so I'm going to guess it's probably safe, though I have NO idea what software it's associated with. I might rename it and see what happens.

So... the hunt continues. :)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89115
  • No support PMs thanks
Re: H! E! L! P!
« Reply #28 on: May 27, 2007, 12:51:07 AM »
If any of the files uploaded are confirmed as infected ensure samples are sent to avast if avast doesn't detect them, this will help improve detections for everyone, don't just delete them.

You can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.

daronmiller

  • Guest
Re: H! E! L! P!
« Reply #29 on: May 27, 2007, 12:58:34 AM »
I haven't deleted them yet, though I did rename them. I'll send them soon. Why can't avast mail scanner advise me what application is sending the mail? Wouldn't THAT make this a bit easier to trace?

I renamed/moved the files, rebooted, and emails are still getting sent. )@(#)(@*#)(*@%)(@*#)(@#
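The mail scanner cannot name the sending application because, as mauserme explained earlier in the thread, ashMaiSv.exe is a local proxy: the connection to the remote SMTP server belongs to the proxy, and the real originator only shows up as a process connected to the proxy's listening port on 127.0.0.1. A firewall that reports per process therefore blames the proxy. The script below is an added example written for this page, not code from the forum, avast! or Comodo. It parses `netstat -ano` style output, finds every process holding a connection to a mail port, and, when that process also listens on a loopback port, follows the chain back to whichever local process is connected to it. The netstat lines and the PID-to-name table are constructed sample data; the proxy port 12025 and all addresses and PIDs are hypothetical, not avast!'s real configuration.

```python
"""Attribute outbound SMTP traffic through a local mail proxy to its origin.

Added example for the thread above, not code from the forum or any
product in it. NETSTAT and TASKLIST are constructed sample data; the
proxy port 12025, the addresses and the PIDs are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SMTP_PORTS = {25, 465, 587}

# Constructed `netstat -ano` output (made-up addresses, ports and PIDs).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:12025          0.0.0.0:0              LISTENING       1640
  TCP    127.0.0.1:1043         127.0.0.1:12025        ESTABLISHED     1204
  TCP    127.0.0.1:12025        127.0.0.1:1043         ESTABLISHED     1640
  TCP    192.168.1.10:1044      64.233.167.27:25       ESTABLISHED     1640
  TCP    192.168.1.10:1045      209.85.147.27:25       SYN_SENT        1640
  TCP    192.168.1.10:1046      72.14.207.99:80        ESTABLISHED     1388
  UDP    0.0.0.0:500            *:*                                    856
"""

# Constructed PID -> image name table, as `tasklist` would give it.
TASKLIST: Dict[int, str] = {
    856: "lsass.exe",
    1204: "scvhost.exe",
    1388: "firefox.exe",
    1640: "ashMaiSv.exe",
}


@dataclass
class Conn:
    proto: str
    laddr: str
    lport: int
    faddr: str
    fport: int
    state: str
    pid: int


# State column is absent for UDP rows, hence the optional group.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def split_addr(addr: str) -> Tuple[str, int]:
    """'host:port' -> (host, port); non-numeric ports such as '*' become 0."""
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else 0


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lh, lp = split_addr(local)
        fh, fp = split_addr(foreign)
        conns.append(Conn(proto, lh, lp, fh, fp, state or "", int(pid)))
    return conns


def smtp_senders(conns: List[Conn]) -> List[int]:
    """PIDs holding a non-listening TCP connection to a mail submission port."""
    return sorted({c.pid for c in conns
                   if c.proto == "TCP" and c.fport in SMTP_PORTS
                   and c.state != "LISTENING"})


def local_clients_of(conns: List[Conn], proxy_pid: int) -> List[int]:
    """PIDs of other processes connected over loopback to a port proxy_pid listens on."""
    listen_ports = {c.lport for c in conns
                    if c.pid == proxy_pid and c.state == "LISTENING"}
    return sorted({c.pid for c in conns
                   if c.pid != proxy_pid and c.state == "ESTABLISHED"
                   and c.faddr in ("127.0.0.1", "::1") and c.fport in listen_ports})


def attribute_mail_traffic(conns: List[Conn], tasks: Dict[int, str]):
    """For each SMTP sender: (pid, name, [(client_pid, client_name), ...]).

    An empty client list means the sender talks to the mail server directly;
    a non-empty one means it is a proxy and the clients are the real origin.
    """
    result = []
    for pid in smtp_senders(conns):
        clients = local_clients_of(conns, pid)
        result.append((pid, tasks.get(pid, "?"),
                       [(c, tasks.get(c, "?")) for c in clients]))
    return result


if __name__ == "__main__":
    for pid, name, clients in attribute_mail_traffic(parse_netstat(NETSTAT), TASKLIST):
        print(f"SMTP sender {name} (PID {pid}); local clients: {clients or 'none'}")
```

On the sample data the proxy (PID 1640) owns both port-25 connections, but the only loopback client of its listening port is PID 1204, the misspelled scvhost.exe, which is the process actually generating the mail. On an XP SP2 or later system, `netstat -anob` run as an administrator prints the owning executable next to each row, which saves the tasklist join but not the proxy-chain step.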