H! E! L! P!

According to Comodo, the files ashMaiSv.exe and svchost appear responsible for all the network traffic (emails). Is it possible one of those is infected? I can’t get over how hard it is to track down an application sending email…

I found Sophos Anti-Rootkit very useful for removing some rootkits that other tools couldn’t find.

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

How do you know it’s infected, and by what?

I can’t connect to VirusTotal right now either. Same for Jotti. It must be a busy day for them.

ashMaiSv.exe is the avast! proxy that scans your email. It will look like this is the source of the problem in the firewall, but it’s actually an underlying process that we haven’t identified yet. And it’s normal for svchost.exe to have some internet access, but constant access is not normal. Please check the spelling and file location for this one: make sure it’s not something like scvhost.exe with the “v” transposed with the “c”, or SVCH0ST.EXE with a numeric “0” where the alpha “o” should be.

Did you install Simple Sudoku on 24 May? That date matches the file creation date for some of the suspicious files and also matches many of the detections in the avast! log. It could be this:

http://www.pctools.com/mrc/infections/id/Yazzle+Sudoku/

EDIT: Let’s get your Java up to date. You can install the latest version here:

http://www.java.com/en/download/manual.jsp

Then make sure to uninstall all older versions in Add/Remove Programs, as the update process will not do this for you.
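The spelling-and-location check suggested in the post above, automated as an added example (my code, not from the thread or from avast). It flags a process whose image name is a transposition or a look-alike of a Windows system binary, or a genuine name running from the wrong directory. KNOWN_SYSTEM assumes a default Windows XP install on C:; SAMPLE_PROCESSES mixes paths from the HijackThis log later in this thread with constructed look-alikes.

```python
"""Flag process image names that imitate a Windows system binary.

Added example, not from the thread. Answers the question: is 'svchost.exe'
really svchost.exe, running from System32, and not 'scvhost.exe' (letters
transposed) or 'SVCH0ST.EXE' (digit zero for the letter o)?
"""
import ntpath

# Name -> the only directory the real binary runs from (assumption: default XP on C:).
KNOWN_SYSTEM = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Substitutions that look alike in most fonts; extend as needed.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})


def normalize(name):
    return name.lower().translate(HOMOGLYPHS)


def edit_distance_1(a, b):
    """True if a and b differ by exactly one substitution, insertion,
    deletion or adjacent transposition (Damerau distance 1)."""
    if a == b:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i, j = diffs
            return a[i] == b[j] and a[j] == b[i]
        return False
    if abs(len(a) - len(b)) == 1:
        short, long_ = (a, b) if len(a) < len(b) else (b, a)
        return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))
    return False


def classify(image_path):
    """Return (verdict, reason) for one full image path."""
    directory, base = ntpath.split(image_path)
    directory, base_l = directory.lower(), base.lower()
    if base_l in KNOWN_SYSTEM:
        expected = KNOWN_SYSTEM[base_l]
        if directory != expected:
            return "suspicious", f"{base} running from {directory or '(unknown)'} instead of {expected}"
        return "ok", "known system binary in its expected directory"
    norm = normalize(base_l)
    for known in KNOWN_SYSTEM:
        if norm == known:
            return "suspicious", f"{base} uses look-alike characters for {known}"
        if edit_distance_1(norm, known):
            return "suspicious", f"{base} is one edit away from {known}"
    return "unknown", "not a known system binary name"


def audit(image_paths):
    return [(path, *classify(path)) for path in image_paths]


SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\svchost.exe",            # from the HJT log in this thread
    r"C:\WINDOWS\system32\lsass.exe",              # from the HJT log in this thread
    r"C:\WINDOWS\Explorer.EXE",                    # from the HJT log in this thread
    r"C:\WINDOWS\System32\scvhost.exe",            # constructed: transposition
    r"C:\WINDOWS\System32\SVCH0ST.EXE",            # constructed: digit zero
    r"C:\WINDOWS\system\svchost.exe",              # constructed: wrong directory
    r"C:\Program Files\HijackThis\HijackThis.exe",  # from the HJT log in this thread
]

if __name__ == "__main__":
    for path, verdict, reason in audit(SAMPLE_PROCESSES):
        print(f"{verdict:10} {path}  ({reason})")
```

The look-alike test is deliberately narrow (distance 1, two homoglyphs) so that it stays quiet on a normal process list; the wrong-directory test is the one that catches a correctly spelled copy dropped somewhere else.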

The spelling was correct on the svchost file. The Sudoku program has been on the PC for a while. The original CAUSE of the infection was my own momentary stupidity in running a file I KNEW I shouldn’t have. Actually, there is no more room on my a** for footprints right now, as I have been kicking myself for my momentary stupidity.

I will update the Java. All scans from the software I can find show clean, but every now and then I still see pop-ups from avast scanning outgoing email. I realize that the processes using time may not be the originators; it was just something I noticed on the display. The hard drive appears to be clean (if I can trust the X programs I keep scanning with). And yet…emails get sent. :slight_smile:

The rest of the PC appears to be functioning OK. Maybe I just have something new, and I will just have to wait till databases get updated and someone finds something to remove this?

BTW, I ran the rootkit tool, and nothing was found (except a few hidden registry entries). And thanks for letting me know the scan sites aren’t working right now. I … honestly was hoping it was a “second” symptom. :slight_smile:

Before I GIVE UP… I want to thank EVERYONE who has made suggestions or offered any kind of help or effort in trying to help me. I really appreciate all your efforts, and I hope someday I can be as nice and return the favor to someone else.

Daron

I’m beginning to think that maybe a computer virus is just God’s way of saying “Hey, it’s been a while since you cleaned up your PC and got rid of all those programs you never use anymore. Maybe you should start over, like when you BOUGHT the PC.”

:slight_smile:

Sometimes the penitence for opening/running a ‘bad’ file is trying to get clean again: you can learn, test, etc.
Reformatting is a radical option. It works, but you don’t learn. You won’t be prepared to avoid such a situation in the future.
Just my 0.01.

Gosh, you don’t look like a quitter :slight_smile:

Just be patient. VirusTotal will be back up in a while. I actually did get their email submission option at one point, so it is a matter of their being really busy.

In the meantime, scan with SuperAntiSpyware (unless you’ve already tried it):

http://www.superantispyware.com/

Do a complete scan and quarantine at the end. Then post the log that you will find in Preferences > Statistics/Logs.

EDIT: And what is xxxcwainda.exe ?

OK folks, here’s the latest status.

Still scanning with various programs. Only thing found seems to be suspicious tracking cookies. NOT the cause of the emails I’m sure.

The xxxw… file was originally named cwainda.exe. I don’t know what app it was for, and I don’t recall what software found it had a virus, but I renamed it to be safe.

I scanned the four files. xxxcwainda.exe was found by 8 scanners to be infected, so it’s getting destroyed.
The amathsifvidv.sys was clean, the vrsyeutj.exe file was found infected by 7 scans, so I’m renaming it and then destroying it if all appears ok. The 752151790 file was only suspected by 1 of the scans, so I’m going to guess it’s probably safe, though I have NO idea what software it’s associated with. I might rename it and see what happens.

So… the hunt continues. :slight_smile:

If any of the files uploaded are confirmed as infected, ensure samples are sent to avast if avast doesn’t detect them; this will help improve detections for everyone. Don’t just delete them.

You can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right-click, Email to Alwil Software). No need to zip and password-protect when the sample is sent from the chest.

I haven’t deleted them yet, though I did rename them. I’ll send them soon. Why can’t the avast mail scanner advise me what application is sending the mail? Wouldn’t THAT make this a bit easier to trace?

I renamed/moved the files, rebooted, and emails are still getting sent. )@(#)(@#)(@%)(@*#)(@#

Maybe you can add the following line to the [MailScanner] section of \data\avast4.ini:
Log=20
Then generate some traffic, simulate the problem (i.e. force the avast mail scanner to time out by sending an email with an attachment), and then post here the contents of the file \data\log\aswMaiSv.log

Details: http://forum.avast.com/index.php?topic=12234.msg103474#msg103474

  1. What is your Internet Mail sensitivity? High would be best, as that can detect multiple identical emails being sent.

  2. Spam being sent isn’t infected, so it won’t be detected; avast isn’t an anti-spam, so it won’t know if these emails are legit or not. The email scanner doesn’t know what email program is sending email, as it operates outside any email program and only scans content using the email protocols and ports: 25, 110, 119 and 143.

What is your firewall?
That should be your first line of defence for blocking unauthorised outbound Internet connections, though some firewalls, such as XP’s, don’t provide outbound protection.

You could also try TCPView, which should show what connections are present.

Could you post the scan results for the infected files? There might be clues there.

OK, I changed the “Log” entry. I can’t generate mail traffic, as I don’t use any mail clients on this PC (I use internet mail normally). Although I suspect the virus will take care of generating traffic (but I doubt there are any attachments).

The virus has to be connecting somewhere to get the subjects/addresses, etc.; I just don’t know how to trap and find it (or what I would look for).

The mail settings ARE set to High. I just installed Comodo Firewall (replacing Windows Firewall) on the advice of this thread. If someone can inform me how to stop outbound emails from my PC, I would be thrilled. As I don’t use this PC to send mail, I don’t see any impact from closing the mail door, and I would feel better by not adding spam to the internet (and SOMEONE’S inbox). So far, I haven’t seen any other impacts of this infection.

I have TCPView, but I’m not sure what to look for. Wouldn’t the final outbound process for the email be avast?

I really am tired of spending the whole day waiting on scans to finish. :slight_smile: I wonder how long it would take me to scan every DLL on the PC via VirusTotal. lol

You shouldn’t have to generate email traffic if, as you say, something on your system is sending email; if it is using port 25 then the Internet Mail scanner will be scanning it (the Internet Mail icon should appear when email is being scanned), so traffic will be generated. Check the log file Tech mentions after some activity.

If you don’t use an email client, then it will have its own very small SMTP application, probably less than 16KB. Sorry, I have no personal experience of Comodo Firewall.

It can get the email addresses sent by the controlling botnet host.

You would have to be fairly quick off the mark when you see the avast Internet Mail icon to run TCPView, or have it running but minimised.

You may need to do a before and after check to identify the application, see images.
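The before/after check described in this post, and the earlier question of which process owns the connection to port 25, as an added example (my code, not from the thread, avast or TCPView). Instead of TCPView it reads the output of two commands built into Windows XP: `netstat -ano` (saved once while idle and once the moment the avast Internet Mail icon appears) and `tasklist /FO CSV` to turn PIDs into image names. The netstat and tasklist text embedded below is constructed sample data using RFC 5737 documentation addresses, and `sample_sender.exe` is a placeholder name, not a real file from this thread.

```python
"""Attribute outbound mail connections to a process from netstat/tasklist text.

Added example, not from the thread. Usage on the affected machine:
    netstat -ano > before.txt        (machine idle)
    netstat -ano > after.txt         (Internet Mail icon just appeared)
    tasklist /FO CSV > tasks.txt
then feed the three files to parse_netstat()/parse_tasklist_csv() below.
"""
import csv
import io
from collections import namedtuple

# Port 25 is what the avast Internet Mail scanner watches for outgoing mail;
# 465 and 587 are the other ports a mailer may use.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}

Conn = namedtuple("Conn", "proto local remote state pid")


def parse_netstat(text):
    """Parse 'netstat -ano' output; TCP rows have a State column, UDP rows do not."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def remote_port(addr):
    """'192.0.2.25:25' -> 25; '*:*' -> None."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_tasklist_csv(text):
    """Map PID -> image name from 'tasklist /FO CSV' output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def new_connections(before, after):
    """Connections in the 'after' snapshot that were absent from 'before'."""
    seen = {(c.proto, c.local, c.remote) for c in before}
    return [c for c in after if (c.proto, c.local, c.remote) not in seen]


def mail_senders(conns, pid_names):
    """Group TCP connections to mail ports by the owning (pid, image name)."""
    senders = {}
    for c in conns:
        port = remote_port(c.remote)
        if c.proto == "TCP" and port in MAIL_PORTS:
            key = (c.pid, pid_names.get(c.pid, "?"))
            senders.setdefault(key, []).append((c.remote, MAIL_PORTS[port], c.state))
    return senders


# Constructed sample snapshots (not real captures).
BEFORE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    192.168.1.5:1037       192.0.2.80:80          ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""
AFTER_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    192.168.1.5:1037       192.0.2.80:80          ESTABLISHED     2212
  TCP    192.168.1.5:1054       192.0.2.25:25          ESTABLISHED     1832
  TCP    192.168.1.5:1055       198.51.100.7:25        SYN_SENT        1832
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","920","Console","0","4,712 K"
"ashMaiSv.exe","1492","Console","0","3,120 K"
"sample_sender.exe","1832","Console","0","1,980 K"
"iexplore.exe","2212","Console","0","28,004 K"
"""

if __name__ == "__main__":
    before, after = parse_netstat(BEFORE_NETSTAT), parse_netstat(AFTER_NETSTAT)
    names = parse_tasklist_csv(TASKLIST_CSV)
    for c in new_connections(before, after):
        print(f"new: {c.proto} {c.local} -> {c.remote} {c.state} pid={c.pid} ({names.get(c.pid, '?')})")
    for (pid, name), conns in mail_senders(after, names).items():
        print(f"mail traffic from pid {pid} {name}: {conns}")
```

A half-open SYN_SENT row is kept on purpose: a spam mailer cycling through many mail servers spends much of its time in that state, and it is still attributed to the PID that opened the socket.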

(OK, I know this is dumb…but…)

I think I might have just found the bug. I used a program called Blacklight to scan for rootkits, and it found a hidden file called xpdt.sys in the system32 directory. I made 2 attempts to clear it (as an internet search led me to believe this was a real-bad file) but blacklight was unable to make the file visible so it could be renamed/deleted.

THEN…I used a program called RustbFix, and it removed the file. Here is its logfile…

************************* Rustock.b-fix v. 1.01 – By ejvindh *************************
Sat 05/26/2007 20:21:18.89

******************* Pre-run Status of system *******************

Rootkit driver xpdt is found. Starting the unload-procedure…

Rustock.b-ADS attached to the System32-folder:
:xpdt.sys 64156
Total size: 64156 bytes.
Attempting to remove ADS…
system32: deleted 64156 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************************* End of Logfile ********************************

It might be a little early, but I’ve rebooted twice and …knock on wood, steel, aluminum, plastic, marshmallow, everything else, so far, no email scans have popped up.
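The RustbFix log above shows the Rustock.b driver stored as an alternate data stream named xpdt.sys attached to the System32 folder itself (system32:xpdt.sys), which is why directory listings and file-based scanners never showed it. As an added example (my code, not RustbFix's, BlackLight's or the thread's), here is how to enumerate streams on a file or directory with the Win32 FindFirstStreamW/FindNextStreamW calls and triage the result. Those calls exist from Windows Vista and Windows Server 2003 onward, so on XP the Sysinternals Streams tool is the equivalent; the stream lists used in the triage function below are constructed sample data modelled on the log.

```python
"""Enumerate NTFS alternate data streams and flag ones that should not exist.

Added example, not from the thread. A directory normally carries no $DATA
streams at all, so any named $DATA stream on a directory (as with
system32:xpdt.sys in the RustbFix log) is worth pulling out and scanning.
"""
import ctypes
import sys

MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
ERROR_HANDLE_EOF = 38  # FindFirstStreamW: "no streams on this object"


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def parse_stream_name(raw):
    """':xpdt.sys:$DATA' -> ('xpdt.sys', '$DATA'); the unnamed stream '::$DATA' -> ('', '$DATA')."""
    if not raw.startswith(":"):
        raise ValueError(f"unexpected stream name {raw!r}")
    name, _, stream_type = raw[1:].rpartition(":")
    return name, stream_type


def list_streams(path):
    """Return [(name, type, size)] for every stream on path. Windows only."""
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is only available on Windows (Vista / Server 2003 and later)")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.POINTER(WIN32_FIND_STREAM_DATA), ctypes.c_uint]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.POINTER(WIN32_FIND_STREAM_DATA)]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == INVALID_HANDLE_VALUE:
        err = ctypes.get_last_error()
        if err == ERROR_HANDLE_EOF:
            return []  # e.g. a clean directory: no streams at all
        raise ctypes.WinError(err)
    streams = []
    try:
        while True:
            name, stream_type = parse_stream_name(data.cStreamName)
            streams.append((name, stream_type, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def suspicious_streams(is_directory, streams):
    """Triage: every $DATA stream on a directory, and on a file everything except
    the unnamed stream and the Zone.Identifier mark that downloads carry.
    Some legitimate software stores properties in named streams too, so treat
    hits as 'examine', not 'infected'."""
    benign_on_files = {"", "Zone.Identifier"}
    return [(name, size) for name, stream_type, size in streams
            if stream_type == "$DATA" and (is_directory or name not in benign_on_files)]


def audit(path, is_directory):
    return suspicious_streams(is_directory, list_streams(path))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32"
    for name, size in audit(target, is_directory=True):
        print(f"{target}:{name}  {size} bytes")  # same shape as the RustbFix log
```

Once a stream is found, `type C:\WINDOWS\system32:xpdt.sys > dump.bin` copies it out as an ordinary file for scanning or submission, and the rootkit driver must be unloaded before the stream can be deleted, which is the unload step the RustbFix log performs first.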

Not dumb at all. It’s a very good find.

I suggest a scan with SuperAntiSpyware (see link on page 2) or AVG Anti-Spyware at this point, since the rootkit may have stealthed a number of files:

http://free.grisoft.com/doc/20/lng/us/tpl/v5

Follow this with a fresh HJT log.

The dumb part was saying I think I got it, because of Murphy’s Law and all. :0

I will be running scans overnight to try and make myself feel secure that I got it all, but I’m not seeing any more outgoing emails (SO FAR!!!). Let’s hope. (I’ll post the HJT log tomorrow.)

Again, thanks to all those who have been helping me.

Daron

Finding the rootkit is key to solving this. Even if you have other infections now, they should be fairly easy to remove.

See you tomorrow…

OK all, it appears I am now ROOTKIT FREE! No more email scans. Also rescanned with all available software, and now I find nothing. (Whew!) Here is the HJT log now…

Logfile of HijackThis v1.99.1
Scan saved at 11:44:29 AM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

Now all that’s left is to figure out which detectors to leave running on a day-to-day basis.