Help, email scanning all the time!
DavidR:
Do a search for services.exe (and tell us where it is located) and upload the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them it is less likely to be a false positive. Please report the findings here.

If many other AVs detect it, send the sample to virus@avast.com zipped and password protected, with the password in the email body and "undetected malware" in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest.

Do a check of the startup items, it may be being run on start-up: Windows Start, Run, type msconfig and click OK. Click the Startup tab and see if there is an entry for services.exe; if so, uncheck the entry and click OK. That should stop it running.
hurders:
Looks like I have fixed the issue. I noticed there were some strange entries when I ran HijackThis and deleting them seemed to stop the spam email being sent. I think what I probably had was something like this - http://vil.nai.com/vil/content/v_140181.htm - as the only services.exe on my computer is the legitimate Windows one in the system32 and servicepack/i386 directories. Also there wasn't/isn't anything in the startup items except for avast and an nvidia entry.

I am going to run a few more spyware scans and a full avast scan again today to make sure there isn't anything hanging around still.
hurders:
Whoops, I think I spoke too soon; it seems that my problem is not fixed. When I booted this morning it looked like everything was ok, then about 20 mins after booting avast started email scanning, showing me random spam was being sent again; after 111 bits of spam had been sent it seems to have stopped.

This is very odd and I am unsure how to fix it.
mauserme:
See if this helps:

Download - rustbfix.exe ...and save it to your desktop.

Double click on rustbfix.exe to run the tool.
If a Rustock.b infection is found, you will shortly afterwards be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed, but this will happen automatically.
After the reboot 2 logfiles will open (c:\avenger.txt & c:\rustbfix\pelog.txt). Post the content of these logfiles along with a HijackThis log.

Click here to download HJTsetup.exe
1. Save HJTsetup.exe to your desktop.
2. Doubleclick on the HJTsetup.exe icon on your desktop.
3. By default it will install to C:\Program Files\Hijack This.
4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
5. Put a check by Create a desktop icon, then click Next again.
6. Continue to follow the rest of the prompts from there.
7. At the final dialogue box click Finish and it will launch Hijack This.
8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
9. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
10. Come back here to this thread and Paste the log in your next reply.
11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
hurders:
Rustbfix.exe didn't find anything unfortunately. However, I am thinking my problem is the xpdt rootkit; see the xpdt entries in the RootkitRevealer log below:

HKLM\SECURITY\Policy\Secrets\SAC*   9/7/2005 3:30 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*   9/7/2005 3:30 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\xpdt   5/27/2007 12:38 PM   0 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\xpdt   5/28/2007 12:20 PM   0 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s0   11/26/2005 11:14 PM   4 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s1   11/26/2005 11:14 PM   4 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s2   11/26/2005 11:14 PM   4 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\g0   11/26/2005 11:14 PM   32 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\h0   11/26/2005 11:14 PM   4 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4   8/26/2006 12:45 PM   0 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\Vax347s\Config\jdgg40   10/6/2006 10:15 PM   0 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\xpdt   5/28/2007 12:20 PM   0 bytes   Hidden from Windows API.

I tried to delete these entries from the registry but it won't let me, it says 'error while opening key' when I try to click on or delete the xpdt folder. I also have an xpdt.sys entry in my system32 folder but when I try to delete that it says 'cannot find the specified file'.

I ran SDFix from safe mode and it said in the logfile it detected the xpdt rootkit, but it didn't actually delete it and says to use a rootkit scanner. I have tried the AVG rootkit scanner but that doesn't detect any rootkits on my system.

Surely this xpdt must be the problem but I just can't get rid of it!!!

I have put a hijackthis log below also:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:24:50, on 28/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Archives\Utilities\HijackThis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1375BD9-73D3-49A3-943E-0AB1A0C2C274}: NameServer = 212.87.64.7,212.87.64.10
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 3667 bytes
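Added example (not from the thread or from any of the tools named in it): a small Python triage script that parses RootkitRevealer-style output like the log posted above and groups the "Hidden from Windows API" service keys by service name and control set, which is what makes the xpdt entries stand out from a single-control-set discrepancy. The sample lines are constructed from the post's log; the field-layout assumptions are noted in the comments.

```python
import re
from collections import defaultdict

# Constructed sample in RootkitRevealer's layout (path, timestamp, size, description),
# built from the entries quoted in the post above.
SAMPLE_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC*   9/7/2005 3:30 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\xpdt   5/27/2007 12:38 PM   0 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\xpdt   5/28/2007 12:20 PM   0 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s0   11/26/2005 11:14 PM   4 bytes   Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\xpdt   5/28/2007 12:20 PM   0 bytes   Hidden from Windows API.
"""

# Assumption: fields are separated by a tab or a run of two or more spaces.
LINE_RE = re.compile(
    r"^(?P<path>\S+)(?:\t|\s{2,})(?P<when>[\d/]+ [\d:]+ [AP]M)"
    r"(?:\t|\s{2,})(?P<size>\d+ bytes)(?:\t|\s{2,})(?P<desc>.+)$"
)
# Service key under any control set: HKLM\SYSTEM\ControlSet00N\Services\<name>[\...]
SERVICE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<svc>[^\\]+)",
    re.IGNORECASE,
)

def parse_log(text):
    """Return one dict (path, when, size, desc) per well-formed log line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def summarize(text):
    """Group hidden service keys by service name and the control sets they sit under."""
    hidden = defaultdict(set)
    null_keys = []  # embedded-null secrets are a different kind of discrepancy, kept apart
    for e in parse_log(text):
        if "embedded nulls" in e["desc"]:
            null_keys.append(e["path"])
        elif "Hidden from Windows API" in e["desc"]:
            m = SERVICE_RE.match(e["path"])
            if m:
                hidden[m.group("svc").lower()].add(m.group("cs"))
    # A service hidden under every control set survives reboots and last-known-good,
    # which is what makes xpdt stand out in the post's log; rank by that count.
    ranked = {svc: sorted(cs) for svc, cs in
              sorted(hidden.items(), key=lambda kv: -len(kv[1]))}
    return {"hidden_services": ranked, "embedded_null_keys": null_keys}
```

Running summarize(SAMPLE_LOG) lists xpdt first with all three control sets, then sptd with only ControlSet003.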