Computer tries to send e-mails to various addresses

I have noticed recently that my computer (XP SP2) tries to send multiple e-mails to various addresses. Zone Alarm seems to be blocking them and points to ashMaiSv.exe. I have Avast v4.7.827 HE with VPS 620-3.
I suspect I got some kind of virus, but so far I was unable to figure out what it is. Scanning my computer with Avast, Ewido, SpyBot, Micro Trend didn’t produce any results.

Any suggestions?

Hello and welcome to the forums PLD.
http://www.kaspersky.com/virusscanner This is a good online scanner.

http://www.bitdefender.com/PRODUCT-14-en–BitDefender-8-Free-Edition.html This is an on-demand-only AV that will not conflict with avast! Hope this helps, tim

Zone Alarm seems to be blocking them and points to ashMaiSv.exe.
Since ashMaiSv.exe can't initiate email connections, it can't be ashMaiSv.exe sending them; it just intercepts, scans and allows email traffic through its proxy.

Well, it seems that ZA isn’t correctly identifying the parent program/process that is sending the email which is intercepted by ashMaiSv.exe in the localhost proxy. Check your logs for activity at the same time as the ashMaiSv.exe.

Did you run Ewido from safe mode?

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any 023 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.

Thanks for your suggestions guys.
I do not think that AshMaiSv would normally do it. Can it be infected?
I tried to reinstall Avast but it didn’t help.

I ran Ewido in normal XP mode. I’ll try it in safe mode. I also will try to scan with Kaspersky.
I am not sure I understand which log files to check.
I ran HijackThis and didn’t notice anything suspicious. Maybe I do not know what to look for.
BTW this virus is apparently watching for an Internet connection, as it won’t start if the network is disconnected.

I thought it unlikely that ashMaiSv.exe was infected, and the reinstall would tend to confirm that if the condition continues.

I believe there should be activity logs in ZA for traffic accessing the internet and also for inbound activity. Sorry I can’t be more helpful; I don’t use ZA but Outpost Pro.
It would probably be better to use one of the on-line analysis sites I gave links for and use that as a guide; the first of them allows for the checking (multi-engine scan) of suspect files.

Obviously to keep a low profile, as any process trying to connect would attract attention. Also see Hidden things http://invisiblethings.org and RootkitRevealer from Sysinternals - http://www.sysinternals.com/utilities/rootkitrevealer.html; this will check if there is in fact a rootkit-type virus deeply hidden.

Here is an update.

I ran Ewido in safe mode and caught some mass spammer. I’m still watching my system, but it looks like it stopped email attempts.

The culprit was windows/system32/drivers/sysbus32.sys.

Thanks a lot for great suggestion DavidR.
You were right AshMaisv.exe was not a problem.

My Outlook is relaying email spam also. I have tried various suggestions I have read on these posts. Avast! HE has not caught this Malware, but my autoupdate is turned on. So, maybe Avast! HE will eventually detect something. Meanwhile I would like to try the Ewalt or something like that you mentioned. How do I find it or get it? Thank you.

You’re welcome.

If you happen to have a sample of it (ewido quarantine, etc.), can you send it to avast? Zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be either a new or an undetected virus, and include the password in the body of the email. Some info on the avast version and VPS number (see About avast {right click avast icon}) will also help.

avast doesn’t detect it primarily because it isn’t a virus but a spambot trojan and there are tools that specialise in trojan detection, such as ewido. If samples are sent to avast they will be analysed and possibly included in the VPS updates.

You don’t mention what OS you have; Ewido will only work with XP, Win2k and NT.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
Ewido Security Suite if using WinXP, or a-squared Free if using Win98/ME.

Thank you. Yes, I should have provided that system information.
I am WIN XP Pro with Avast 4.7 HE, VPS 0623-2 (VPS 0623-4 just downloaded about 4 hours ago, but not yet used). Also, MS AntiSpyware Beta 1, whose detection does not seem to work very well. Also, it fails to update and upgrade properly. So, I think I will deinstall it. I just finished an online scan with Ewido. It detected 210 threats. But the log said they were medium level threats. I had Ewido remove them, anyway. I saw 2 suspicious processes running in Windows Task Manager. So, I killed them, although they may return to active process status when I boot again. So, I will take your advice and install Ewido. Ewido notes that it is compatible with Avast. So, I can run them both. I appreciate your assistance. Best Regards.

No problem, welcome to the forums.

Good luck with uninstalling MS AntiSpyware Beta 1, some had difficulty in getting rid of the original beta 1 version.

Ewido works fine with avast and adds to a multi-level approach to security.

Some more software if you haven’t already got this, also freeware.

  1. Ad-Aware
  2. Spybot Search and Destroy
  3. SpywareBlaster (don’t install this until you are clean).

OK, I downloaded Ewido AntiMalware 3.5 and ran it. It found & removed 14 threats, all of them so-called “Tracking Cookies”.

I can tell my system is relaying spam because I get reports from Daemon Mailers that some email could not be delivered. The attached returned message is spam, not something that I sent out.

My last Daemon Mailer message was 1001 Z (GMT) this morning 09 June 2006. That was before I started working on the problem.

So, now we shall see if one or more of these 14 threats is responsible and see if, therefore, Ewido stopped this spam relay through my machine.

DavidR, thank you for all your help and advocacy. It looks like PLD, who started this post, was successful in stopping his email relaying, with your assistance too.

Also, I acknowledge the additional AntiMalware software references you gave me in the above post. I’ve saved them off locally.

I’ll let the system run for awhile. Then post here the result whether or not I got the email relaying stopped.

Regards to you DavidR and PLD.

What is your firewall as that should in theory be able to block unauthorised internet connections ?

If the only thing that Ewido found was tracking cookies, they aren’t responsible for the spambot activity. Did you run it from safe mode? This is important, as once loaded it could be masked.

I can tell my system is relaying spam because I get reports from Daemon Mailers that some email could not be delivered.
This isn't 100% proof that the email originated from your system; two things could be happening:
  1. Someone who has your email address in their address book is infected and sending out email to everyone in their address book, using one of those email addresses as the "from" address. When an email arrives at a recipient's email server and the address is not recognised it is bounced, or if his allocated space is full it is bounced. Guess where it is bounced to: the faked "from" email address.
  2. This can at times be used to trick a user into opening an attachment, supposedly containing the bounced email/data, and bingo, infected. Or, likely in this case, spam with a faked "from" address (yours) being bounced to the supposed sender by a dumb email server.

So it is difficult to say for certain where the email originated from without looking at the full headers of the email. You could temporarily have your firewall ask permission for Outlook to access the internet and if a request comes in that you didn’t originate, that is also confirmation.

I saw 2 suspicious processes running in Windows Task Manager.
Playing catch-up: what were they called? Try a Google search and see if it returns some more info.
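The thread's point about the firewall (an outbound-filtering firewall should show which program is opening the connection, and ZA naming the avast proxy instead of the real sender) can also be checked by hand. Below is an added example, not code from the forum or from any product, that parses constructed `netstat -ano` output together with a constructed PID-to-name table (what `tasklist` would give) and reports every process holding an SMTP connection that is neither the known mail client nor the scanning proxy. Host names, PIDs, addresses and the `updater.exe` name are all made up for the sample.

```python
"""Map SMTP connections back to the process that owns them, from
`netstat -ano` output (XP's netstat lists the owning PID with -o) and a
PID-to-name table such as `tasklist` gives. Added example for this thread,
not code from the forum or from any product; all sample data is constructed."""
import re

SMTP_PORTS = {25, 465, 587}

# One TCP line of `netstat -ano`: proto, local addr:port, remote addr:port, state, PID
NETSTAT_TCP = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

# Constructed `netstat -ano` excerpt. 192.0.2.5 is this host; ashMaiSv.exe
# (PID 1500) is the avast mail proxy listening on 127.0.0.1:25, so every real
# mail client shows up as a connection *to* 127.0.0.1:25, while the proxy's
# own outbound connection carries the proxy's PID, which is the attribution
# the thread describes Zone Alarm getting wrong.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1031         127.0.0.1:25           ESTABLISHED     2200
  TCP    127.0.0.1:25           127.0.0.1:1031         ESTABLISHED     1500
  TCP    192.0.2.5:1032         198.51.100.20:25       ESTABLISHED     1500
  TCP    192.0.2.5:1040         203.0.113.30:25        SYN_SENT        2200
  TCP    192.0.2.5:1050         203.0.113.40:80        ESTABLISHED     1800
  TCP    127.0.0.1:1060         127.0.0.1:25           ESTABLISHED     1700
"""

# Constructed PID table (what `tasklist` would show at the same moment).
SAMPLE_PIDS = {"1500": "ashMaiSv.exe", "1700": "OUTLOOK.EXE",
               "1800": "IEXPLORE.EXE", "2200": "updater.exe"}


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) per TCP line."""
    for line in text.splitlines():
        m = NETSTAT_TCP.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            yield lip, int(lport), rip, int(rport), state, pid


def smtp_senders(netstat_text, pid_names, mail_clients, mail_proxies):
    """Return {pid: (name, [remote endpoints])} for every process that has a
    connection to an SMTP port and is neither a known mail client nor the
    scanning proxy. A connection to 127.0.0.1:25 is the client side of the
    proxy, so it names the process that actually originated the mail."""
    findings = {}
    for _lip, _lport, rip, rport, _state, pid in parse_netstat(netstat_text):
        if rport not in SMTP_PORTS:
            continue
        name = pid_names.get(pid, "<unknown>")
        if name in mail_clients or name in mail_proxies:
            continue
        entry = findings.setdefault(pid, (name, []))
        entry[1].append(f"{rip}:{rport}")
    return findings


if __name__ == "__main__":
    hits = smtp_senders(SAMPLE_NETSTAT, SAMPLE_PIDS,
                        mail_clients={"OUTLOOK.EXE"}, mail_proxies={"ashMaiSv.exe"})
    for pid, (name, remotes) in hits.items():
        print(f"PID {pid} ({name}) talks SMTP to: {', '.join(remotes)}")
```

The allowlist is only as good as the process names: as the thread notes later, malware that injects a DLL into a trusted process such as IE would show up under that process's name, which is why the safe-mode scan and a rootkit check remain the real test.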

No, I did not run Ewido from Safe Mode. So, I will do that. I guess you just boot up in Safe Mode, find Ewido on the Desktop and run it.

One process I saw that I was unsure of was SOUNDMAN.EXE. I need to kill it and see if that is actually the sound manager for my WIN XP or not.

The other process I saw either disappeared in some program removal I was doing or I forgot it.

But I read that current malware can bypass Process Viewer anyway, by attaching to a known process (for example IE) through a .DLL. So I probably waste time by looking at the processes.

I use MS Outlook and I don’t seem to get full access to the Headers. I get some detail, but maybe not all I need. Do you know the procedure to look at Outlook Headers? I will compare what you say with what I do and see if I can get more.

My Firewall is Windows XP Firewall which is set to block all Incoming Internet connections except the usual - I have 13 exceptions. Perhaps the questionable ones are for VPN: L2TP & PPTP , IP Security (IPsec - IKE) , UPnP Framework (which I don’t know what that is).

The Windows Security Center indicates the Firewall is ON, Windows Automatic Update is ON, and Avast is Up to Date and ON.

OK, that is a good point you make - about the origins of the email spam from someone else’s address book. I did not know that is a possibility.

That makes it impossible to prove that there is something on my machine causing the spam relays. If I do prove something locally, then maybe still somebody else can also be adding to the relays.

I would not even know that email relays were happening if it was not for the Daemon’s reporting back to me an occasional failure.

So, this is a tough problem.

Please give me your comments again on this reply.

Thank you.

I forgot to comment on this item:

You could temporarily have your firewall ask permission for Outlook to access the internet and if a request comes in that you didn't originate, that is also confirmation.

OK, did I do it right? I just selected the executable file OUTLOOK.EXE by using the Add Program button in the Exceptions TAB. OUTLOOK.EXE shows up as an exception now. I will let it run that way for awhile. I am not sure how to tell if an incoming request is one that I didn’t originate. What am I looking for in this test?

Thank you.

Google is your friend and a valuable tool http://www.google.co.uk/search?q=SOUNDMAN.EXE there are many hits; some suggest malware, others a sound file, so you would have to investigate the file’s location and purpose.

If you don’t have Outlook automatically check for email then you shouldn’t get any inbound email without your having initiated a check for email or send email.

I don’t use Outlook so I can’t say much on its function; in OE, right-clicking on the email in the list and selecting Properties gives access to the email source, which includes the headers. Unfortunately you need to be looking at the header information of the actual email that was bounced, not the Daemon’s mail. So it isn’t easy; it is more important to ensure that you aren’t sending out emails.

The Windows firewall is better than no firewall, but I wouldn’t give it the time of day as it doesn’t provide any outbound protection, and that is what you need to stop unauthorised access to the internet. Zone Alarm free http://www.zonelabs.com works fine with avast and has a reasonably friendly user interface. There are others: Comodo, Jetico, Sunbelt Kerio, etc.
See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
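Two points made earlier in the thread (a bounce can come from spam that merely forged your address as the sender, and the headers that matter are those of the original message inside the bounce, not the daemon's own mail) can be turned into a repeatable check. The following is an added example, not code from the forum; it parses a constructed DSN with the standard library `email` package, pulls the embedded `message/rfc822` original, walks its `Received:` chain and says whether the first hop was this host. The bounce text, host names and the `MY_ADDRESSES` set are constructed.

```python
"""Decide from a mailer-daemon bounce whether the undeliverable mail was really
injected from this host or merely carried our address as a forged From:. The
Received: chain of the *original* message inside the bounce, not the daemon's
own mail, is what records the first hop. Added example, not code from the
forum thread; the bounce text and addresses are constructed."""
import email
import re
from email import policy

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)

# Constructed DSN. In the embedded original the *last* Received: header is the
# first hop, and it came from an unrelated dial-up host, not from us.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@example.net
To: victim@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The mail could not be delivered.
--b1
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [203.0.113.10])
    by mail.example.net with ESMTP id 123; Fri, 9 Jun 2006 10:01:00 +0000
Received: from dsl-pool.example.com (dsl-pool.example.com [198.51.100.77])
    by mx.example.net with SMTP id 456; Fri, 9 Jun 2006 10:00:58 +0000
From: victim@example.org
To: nobody@example.net
Subject: cheap pills

spam body
--b1--
"""

MY_ADDRESSES = {"192.0.2.5"}  # constructed: the public address this host sends from


def extract_original(bounce_text):
    """Return the original message a DSN carries as message/rfc822, or None
    when the bounce (or a fake one) does not include it."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def received_chain(msg):
    """Parse Received: headers into (host, ip) tuples in transit order.
    Each MTA prepends its own header, so the last one listed is the first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = str(value)
        host = FROM_HOST.match(text)
        ip = IP_IN_BRACKETS.search(text)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return hops


def classify_bounce(bounce_text, my_addresses):
    """Return the first-hop IP and a verdict: 'sent_from_here' if the first hop
    is one of our addresses, 'forged_from' if it is somewhere else, 'unknown'
    if the bounce carries no usable original. A spammer can prepend fake
    Received: lines before injecting, so only the headers added by servers you
    trust are solid evidence; treat 'forged_from' as a strong hint, not proof."""
    original = extract_original(bounce_text)
    hops = received_chain(original) if original is not None else []
    if not hops or hops[0][1] is None:
        return {"verdict": "unknown", "origin_ip": None, "hops": hops}
    origin_ip = hops[0][1]
    verdict = "sent_from_here" if origin_ip in my_addresses else "forged_from"
    return {"verdict": verdict, "origin_ip": origin_ip, "hops": hops}


if __name__ == "__main__":
    result = classify_bounce(SAMPLE_BOUNCE, MY_ADDRESSES)
    print(result["verdict"], result["origin_ip"])
    for host, ip in result["hops"]:
        print(f"  hop: {host} [{ip}]")
```

For a real bounce you would save the daemon's mail as raw source (the thread notes Outlook makes this awkward; OE exposes it via Properties) and feed that file to `classify_bounce`, replacing `MY_ADDRESSES` with the address your ISP assigns you. A bounce whose first hop is your own address corroborates the spambot theory; one from elsewhere points at the forged-From scenario the thread describes.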

DavidR, I want to acknowledge receipt of your latest information. Thank you for that, including the explanations and suggestions.

I am using this information for continued analysis and troubleshooting.

Regards,