Hi I have a problem with the on access protection, particularly the internet mail shield. For the past two days it pops up every few seconds scanning outgoing mail. The email addresses are not known to me nor the recipients. My outlook mail box is closed. I have no idea of where these emails are being sent from or why Avast is scanning them. I have run virus scans both with Avast and online virus scanners, I have run adaware, spybot and a couple of others and there is no evidence of spyware, trojans, worms. Nothing and yet the email scanner keeps popping up regular as clockwork scanning outgoing mail, can anyone tell me what might be going on?
Thank you, I have downloaded those programs, Superantispyware was one I had already used which came up with nothing, but I will run it again and post the logs, I also have hijack this if you want that log as well.
What is your firewall ?
It should be capable of blocking unauthorised outbound Internet connections. That should stop unauthorised outbound connections. It probably isn’t using Outlook but its own very small smtp program.
Try running SAS from safe mode and see if it makes any difference, then try some of the other ones Tech gave links for probably in the order he gave also.
Windows Firewall - I only recently installed Sygate Personal Firewall, trouble is I am an amateur, I have no idea of what should be blocked and what should be allowed. As Avast is my usual outgoing mail scanner, I didn’t block it. Which is just as well, otherwise I would not have known that I had an infection.
During the boot scan 5 infected files were found. Funny how none of the other scans found them at all. I will run the other scans and post the logs tomorrow, but not tonight, it’s time for me to sleep.
One of the problems with Sygate is that it has a vulnerability that you accidentally discovered for yourself: it can’t cope with what is called the localhost loopback. Sygate challenges the localhost proxy of avast’s internet mail provider (ashMaiSv.exe) and you correctly allow it. The problem is, all email traffic using ports 25 (smtp), 110 (pop3), etc. is intercepted by the internet mail provider so that it can be scanned and then dispatched; it goes through the proxy and Sygate can’t tell the difference, so it goes unchallenged.
So in both cases, XP firewall (it doesn’t check outbound connections) and Sygate, there is a weakness that allows stuff through unchallenged if it uses a localhost loopback. So you need a firewall that provides that outbound protection and can differentiate between the proxy and the program using it.
There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.
See some firewall tests for comparison, some are freeware but many are paid-for versions: http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml
Also see http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php for a later set of results.
There are many forum members using both PC Tools Firewall Plus and the Comodo firewall.
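As an added illustration of the loopback problem described in the post above (example code, not from this thread, avast or Sygate): the script parses a constructed `netstat -ano`-style snapshot and a constructed PID-to-image map, and shows that the only process opening the remote port-25 connection is the proxy, while the real sender is visible only as the client of 127.0.0.1:25. Process names, PIDs and addresses are all constructed.

```python
# Added example (not from this thread, avast or Sygate): attribute mail traffic
# behind a localhost scanning proxy from a `netstat -ano`-style snapshot.

MAIL_PORTS = {25, 110}  # smtp and pop3, the ports named in the post

# Constructed sample data. suspect.exe (PID 1928) hands mail to the local proxy
# on 127.0.0.1:25; ashMaiSv.exe (PID 1460) then opens the real remote connection.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1047         127.0.0.1:25           ESTABLISHED     1928
  TCP    127.0.0.1:25           127.0.0.1:1047         ESTABLISHED     1460
  TCP    192.168.1.5:1048       203.0.113.10:25        ESTABLISHED     1460
  TCP    192.168.1.5:1052       203.0.113.80:80        ESTABLISHED     3100
  UDP    0.0.0.0:123            *:*                                    1012
"""
PROCESSES = {1928: "suspect.exe", 1460: "ashMaiSv.exe", 3100: "firefox.exe"}


def parse_netstat(text):
    """Return TCP connections as dicts with local/remote (host, port), state, pid."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, UDP (no state column) or blank lines
        lhost, lport = parts[1].rsplit(":", 1)
        rhost, rport = parts[2].rsplit(":", 1)
        conns.append({"local": (lhost, int(lport)), "remote": (rhost, int(rport)),
                      "state": parts[3], "pid": int(parts[4])})
    return conns


def is_loopback(host):
    return host.startswith("127.") or host == "::1"


def attribute_mail_traffic(conns, procs):
    """Split mail connections into the processes a firewall actually sees opening
    the remote connection (the proxy) and the processes feeding the local proxy,
    which are the real senders the firewall never gets to challenge."""
    real_senders, seen_by_firewall = set(), set()
    for c in conns:
        rhost, rport = c["remote"]
        if rport not in MAIL_PORTS:
            continue
        name = procs.get(c["pid"], "pid %d" % c["pid"])
        (real_senders if is_loopback(rhost) else seen_by_firewall).add(name)
    return sorted(real_senders), sorted(seen_by_firewall)


if __name__ == "__main__":
    real, proxy = attribute_mail_traffic(parse_netstat(NETSTAT), PROCESSES)
    print("firewall sees:", proxy)      # ['ashMaiSv.exe']
    print("actually sending:", real)    # ['suspect.exe']
```

On a real machine the same check is a matter of feeding the output of `netstat -ano` and `tasklist` into these two functions and looking at who is a client of 127.0.0.1 on the mail ports.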
Wow, thanks for your help. It’s been a long evening, scan after scan… it appeared as if those programs had removed things and I was quite pleased, I ran them all in safe mode and as soon as I restarted the computer and it connected to the internet, the Avast email scanner immediately came online and started sending emails. It seems as if my optimism was short lived. But here are the logs of all those scans, hopefully something can be pinpointed.
I meant funny as in unusual, I have run multiple scans over the past couple of days and nothing has been found until now.
As far as advice on firewalls, thank you again. I have already uninstalled Sygate and shut down Windows Firewall, I have downloaded PC Tools to the laptop and Comodo to the desktop to see which is best.
Avast Boot Schedule Log:
06/08/2007 16:57
Scan of all local drives
File C:\WINDOWS\system32\max1d1641.exe is infected by Win32:Dialer-407 [Trj], Deleted
File C:\WINDOWS\system32\xpdx.sys Error 0xC0000034 {Object Name not found.}
Scanning aborted
Number of searched folders: 4025
Number of tested files: 53381
Number of infected files: 1
06/23/2007 03:03
Scan of all local drives
File C:\WINDOWS\system32\faatekhy.dll is infected by Win32:BHO-ES [Trj]
File C:\WINDOWS\system32\gmumeogf.dll is infected by Win32:BHO-ES [Trj]
File C:\WINDOWS\system32\lnjggpuy.dll is infected by Win32:BHO-ES [Trj]
File C:\WINDOWS\system32\ootnpuxo.dll is infected by Win32:BHO-ES [Trj]
File C:\WINDOWS\system32\sfbkqjvo.dll is infected by Win32:BHO-ES [Trj]
File C:\WINDOWS\system32\xpdx.sys Error 0xC0000034 {Object Name not found.}
File D:\Lee’s Files\Desktop\UXTheme Multi-Patcher 1.01.exe%SYS32%\dllcache\uxtheme.dll Error 42146 {Installer archive is corrupted.}
File D:\Lee’s Files\Desktop\UXTheme Multi-Patcher 1.01.exe%SYS32%\dllcache\uxtheme.dll Error 42146 {Installer archive is corrupted.}
File D:\Lee’s Files\Setups\Desktop\nw_uxtheme.zip\UXTheme Multi-Patcher (Neowin Edition) 2.5.1.exe%SYS%\dllcache\uxtheme.dll Error 42146 {Installer archive is corrupted.}
File D:\Lee’s Files\Setups\Desktop\nw_uxtheme.zip\UXTheme Multi-Patcher (Neowin Edition) 2.5.1.exe%SYS%\dllcache\uxtheme.dll Error 42146 {Installer archive is corrupted.}
Number of searched folders: 5391
Number of tested files: 156068
Number of infected files: 5
AVG Spyware Log:
AVG Anti-Spyware - Scan Report
Created at: 5:58:11 PM 23/06/2007
Scan result:
C:\Documents and Settings\Lee\Desktop\EvID4226Patch223d-en.zip/EvID4226Patch.exe → Not-A-Virus.Hacktool.EvID : No action taken.
C:\Documents and Settings\Lee\My Documents\Other\EvID4226Patch.exe → Not-A-Virus.Hacktool.EvID : No action taken.
C:\Documents and Settings\Lee\Cookies\lee@atdmt[2].txt → TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Lee\Cookies\lee@bs.serving-sys[1].txt → TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Lee\Cookies\lee@serving-sys[1].txt → TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Lee\Cookies\lee@toplist[1].txt → TrackingCookie.Toplist : No action taken.
Hi guys, I only managed to get half the logs posted as I have suddenly developed a new problem. As I was posting the logs from my desktop computer (the nasty one) I suddenly got this popup, saying that the services application (??) had a problem and needed to close. Then a second window popped up saying something (and I cannot remember the exact wording) about NT authority shutting down, C:/windows/system32/services.exe was shutting down, error code 203. It rebooted, to immediately pop up the same window, but this time the error code was 1073741819. Each time the computer reboots, it pops that error and shuts down in 40 seconds. I cannot get it to boot up and stay booted, so at this point I cannot post the rest of the logs. I will persevere with it for a little bit longer, but I am afraid I can see a format and reinstall of Windows coming on…
And in case you are wondering, I am posting this from the laptop, if I can keep the desktop up and running for more than 40 seconds, I will try and transfer the logs to my USB stick and post here.
I noticed on one of the actions you chose delete, deletion isn’t really a good first option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest and investigate.
You also have dealt with a number of infected files in the system folders; prevention is better than cure. You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
Cookies for the most part aren’t a problem, you should periodically clear your browser cache and cookies, so much so in the Settings of AVG-AS I have tracking cookies unchecked, as I have the firefox CookieSafe extension. With that I have a greater control over cookies anyway.
- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).
Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
Logfile of HijackThis v1.99.1
Scan saved at 10:31:09 PM, on 23/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
2) Clean your temporary files. You can use CleanUp (http://www.stevengould.org/downloads/cleanup/) or the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for that.
Done, several times in fact.
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).
Done, I posted the log
4) It will be good if you download, install, update and run AVG Antispyware (http://www.ewido.net/en/). Some users recommend SUPERantispyware (http://www.superantispyware.com), Spyware Terminator (http://www.spywareterminator.com/) and/or a-squared (http://www.emsisoft.com/en/software/free/) (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
Done and yeah admittedly I goofed, I deleted the files.
5) If you are still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0), Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx) and/or F-Secure BlackLight (http://www.f-secure.com/blacklight/try_blacklight.html).
Will certainly do that, it’s the only thing I have not yet done…
6) After you’re clean, use the immunization of SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or, which is better, the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features of spyware/adware cleaning and removal.
I was already running Spywareblaster, which is one of the annoying aspects of this. It seems whatever has happened, slipped through and from what I can gather it was in a so called clean file, which I scanned when I downloaded it.
7) Finally, when you’re clean, check for insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/) to update insecure applications and avoid reinfection.
Will do. Now onto the next step. Thank you for your time and patience.