Help, email scanning all the time!

Help, avast has just started constantly scanning mail, but not mine! The mail scanner is constantly scanning and finding things to scan, but when I look at the details of the mail it's scanning, it's nothing to do with me and is just random spam with a completely random phrase as the subject, sent by randomname@random.random to randomname@random.random. What's going on? I don't have my email client open and it still does it, and it is scanning a new bit of random mail every 5-10 secs. Why is it scanning random spam that is neither being sent by nor sent to me?

It would be good if you scan your system for viruses (avast) and spyware (AVGas, SuperAntispyware, SpywareTerminator, etc.).

If you download TCPView from Microsoft (ex Sysinternals) you'll be able to see which application is trying to send emails from your computer.

I should have said, I already did a spyware scan with Ad-Aware and Spybot as well as doing a scan with avast before I posted the problem on this forum.

There is something seriously wrong though. I downloaded TCPView as you suggested and can see there is a lot of unknown activity going on which I don't know how to stop. Have a look at the screenshot I took - http://img150.imageshack.us/img150/2448/tcpviewxm6.jpg

Please help!

You appear to have an undetected trojan spambot on your system.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode:

  1. AVG Anti-Spyware (formerly Ewido) if using WinXP, or a-Squared Free if using Win98/ME.
    Or SUPERAntiSpyware
    Or Spyware Terminator

What is your firewall, as that should be capable of blocking unauthorised outbound Internet connections?

Spybot and Ad-Aware really are lightweight when compared to AVGas, SuperAntiSpyware, etc.

TCPView just lists activity; from that you try to identify which application/file name is sending the email, see image example.

The application that is sending the email is services.exe:772; that is what is flashing at the bottom of the list in TCPView every time there is some activity from the avast email protection.

I am going to try those programs you suggested to see if that helps.

Do a search for services.exe (and tell us where it is located) and upload the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners there detect it, it is less likely to be a false positive. Please report the findings here.

If many other AVs detect it, send the sample to virus@avast.com zipped and password protected, with the password in the email body and "undetected malware" in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right click, email to Alwil Software). No need to zip and password protect when the sample is sent from the chest.

Do a check of the startup items, as it may be being run on start-up: Windows Start, Run, type msconfig and click OK. Click the Startup tab and see if there is an entry for services.exe; if so, uncheck the entry and click OK. That should stop it running.
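The advice above identifies the sending process by watching TCPView. The following is an added example, not code from this thread or from avast/Sysinternals, that does the same triage offline over saved `netstat -ano` output: it maps each PID with outbound SMTP connections to its image name and flags any image that is not expected to send mail. Every sample line, PID, image name and the allowlist are constructed for the example.

```python
"""Find which process owns outbound SMTP connections, from netstat-style output.

Added example, not code from the forum thread or from avast/TCPView. All
sample lines, PIDs and image names below are constructed.
"""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}

# Images expected to talk SMTP (constructed allowlist; adjust to the mail
# client and mail scanner actually installed on the machine being checked).
EXPECTED_MAIL_IMAGES = {"outlook.exe", "thunderbird.exe", "ashMaiSv.exe"}

# Constructed sample resembling `netstat -ano` on Windows XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       64.12.138.8:25         SYN_SENT        772
  TCP    192.168.1.5:1035       65.55.37.104:25        ESTABLISHED     772
  TCP    192.168.1.5:1036       209.85.133.27:25       SYN_SENT        772
  TCP    192.168.1.5:1040       72.14.205.19:80        ESTABLISHED     1520
  TCP    127.0.0.1:1050         127.0.0.1:25           ESTABLISHED     1600
  TCP    192.168.1.5:1051       10.0.0.2:25            ESTABLISHED     1244
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_TASKLIST = {772: "services.exe", 1520: "firefox.exe",
                   1600: "outlook.exe", 1244: "ashMaiSv.exe", 4: "System"}


def parse_netstat(text):
    """Yield (proto, remote_ip, remote_port, pid) for each connection line.

    Lines are split on whitespace; UDP lines have no State column, so the
    PID is always the last field and the foreign address the third.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unexpected layout
        ip, _, port = fields[2].rpartition(":")
        yield fields[0], ip, (int(port) if port.isdigit() else None), int(fields[-1])


def smtp_senders(netstat_text, tasklist):
    """Map each PID with non-loopback SMTP connections to its image and peers.

    Loopback peers are skipped because a local mail-scanner proxy legitimately
    accepts SMTP on 127.0.0.1; the question here is who reaches out.
    """
    peers = defaultdict(list)
    for proto, ip, port, pid in parse_netstat(netstat_text):
        if proto == "TCP" and port in SMTP_PORTS and not ip.startswith("127."):
            peers[pid].append(ip)
    return {pid: {"image": tasklist.get(pid, "<unknown>"),
                  "connections": len(ips),
                  "remote_hosts": sorted(set(ips))}
            for pid, ips in peers.items()}


def suspicious_senders(senders, expected=EXPECTED_MAIL_IMAGES):
    """PIDs whose image is not expected to send mail, most connections first.

    A system process such as services.exe opening many outbound port-25
    connections is the pattern the thread ends up chasing.
    """
    return sorted((pid for pid, info in senders.items()
                   if info["image"] not in expected),
                  key=lambda pid: -senders[pid]["connections"])


if __name__ == "__main__":
    found = smtp_senders(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for pid in suspicious_senders(found):
        info = found[pid]
        print(f"PID {pid} ({info['image']}): {info['connections']} SMTP connection(s) "
              f"-> {', '.join(info['remote_hosts'])}")
```

Run it against a real capture by pasting `netstat -ano` output into SAMPLE_NETSTAT and `tasklist` PIDs into SAMPLE_TASKLIST; the allowlist is the only judgement call and should reflect the machine's actual mail software.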

Looks like I have fixed the issue. I noticed there were some strange entries when I ran HijackThis, and deleting them seemed to stop the spam email being sent. I think what I probably had was something like this - http://vil.nai.com/vil/content/v_140181.htm - as the only services.exe on my computer is the legitimate Windows one in the system32 and servicepack/i386 directories. Also there wasn't/isn't anything in the startup items except for avast and an NVIDIA entry.

I am going to run a few more spyware scans and a full avast scan again today to make sure there isn’t anything hanging around still.

Whoops, I think I spoke too soon; it seems that my problem is not fixed. When I booted this morning it looked like everything was OK, then about 20 mins after booting avast started email scanning, showing me random spam was being sent again; then after 111 bits of spam had been sent it seems to have stopped.

This is very odd and I am unsure how to fix it.

See if this helps:

Download - rustbfix.exe …and save it to your desktop.

Double click on rustbfix.exe to run the tool.
If a Rustock.b infection is found, you will shortly afterwards be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed, but this will happen automatically.
After the reboot 2 logfiles will open (c:\avenger.txt & c:\rustbfix\pelog.txt). Post the content of these logfiles along with a HijackThis log.

Click here to download HJTsetup.exe

  1. Save HJTsetup.exe to your desktop.
  2. Double-click on the HJTsetup.exe icon on your desktop.
  3. By default it will install to C:\Program Files\Hijack This.
  4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  5. Put a check by Create a desktop icon, then click Next again.
  6. Continue to follow the rest of the prompts from there.
  7. At the final dialogue box click Finish and it will launch Hijack This.
  8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  9. Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
  10. Come back here to this thread and paste the log in your next reply.
  11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Rustbfix.exe didn't find anything, unfortunately. However, I am thinking my problem is the xpdt rootkit; see the xpdt entries in the RootkitRevealer log below:

HKLM\SECURITY\Policy\Secrets\SAC* 9/7/2005 3:30 PM 0 bytes Key name contains embedded nulls ()
HKLM\SECURITY\Policy\Secrets\SAI 9/7/2005 3:30 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\xpdt 5/27/2007 12:38 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\xpdt 5/28/2007 12:20 PM 0 bytes Hidden from Windows API.

HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s0 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s1 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s2 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\g0 11/26/2005 11:14 PM 32 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\h0 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 8/26/2006 12:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\Vax347s\Config\jdgg40 10/6/2006 10:15 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\xpdt 5/28/2007 12:20 PM 0 bytes Hidden from Windows API.

I tried to delete these entries from the registry but it won't let me; it says 'error while opening key' when I try to click on or delete the xpdt folder. I also have an xpdt.sys entry in my system32 folder, but when I try to delete that it says 'cannot find the specified file'.

I ran SDFix from safe mode and it said in the logfile it detected the xpdt rootkit, but it didn't actually delete it and says to use a rootkit scanner. I have tried the AVG rootkit scanner but that doesn't detect any rootkits on my system.

Surely this xpdt must be the problem but I just can’t get rid of it!!!

I have put a HijackThis log below also:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 14:24:50, on 28/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Archives\Utilities\HijackThis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] “RUNDLL32.EXE” C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{D1375BD9-73D3-49A3-943E-0AB1A0C2C274}: NameServer = 212.87.64.7,212.87.64.10
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


End of file - 3667 bytes
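The RootkitRevealer output pasted above is being read by eye to decide which hidden keys matter. As an added example (not code from this thread or from Sysinternals), the script below parses those same lines and groups the "Hidden from Windows API" entries by service name and ControlSet, so a service key that is hidden in every saved control set (and therefore survives whichever configuration the machine boots into) stands out from one-off entries. The log text is the poster's own; the grouping rule is an assumption about how to triage it, not RootkitRevealer's own logic.

```python
"""Group RootkitRevealer discrepancies by hidden service across control sets.

Added example, not code from the thread or from Sysinternals. The log lines
are the ones posted in the thread; the triage rule (a service hidden in
every ControlSet is the persistent one) is this example's assumption.
"""
import re
from collections import defaultdict

# RootkitRevealer lines as posted in the thread (the split SAI line rejoined).
ROOTKITREVEALER_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 9/7/2005 3:30 PM 0 bytes Key name contains embedded nulls ()
HKLM\SECURITY\Policy\Secrets\SAI 9/7/2005 3:30 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\xpdt 5/27/2007 12:38 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\xpdt 5/28/2007 12:20 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s0 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s1 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\s2 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\g0 11/26/2005 11:14 PM 32 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\h0 11/26/2005 11:14 PM 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 8/26/2006 12:45 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\Vax347s\Config\jdgg40 10/6/2006 10:15 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet003\Services\xpdt 5/28/2007 12:20 PM 0 bytes Hidden from Windows API.
"""

# One discrepancy line: <key path> <date> <time AM/PM> <size> bytes <description>
ENTRY_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<size>\d+) bytes\s+(?P<desc>.+?)\s*$"
)
# Service keys live under HKLM\SYSTEM\ControlSetNNN\Services\<name>[\...]
SERVICE_RE = re.compile(r"^HKLM\\SYSTEM\\(ControlSet\d{3})\\Services\\([^\\]+)", re.I)


def parse_rootkitrevealer(text):
    """Return one dict per parseable discrepancy line (unparseable lines skipped)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def hidden_services(text):
    """Map each service name with API-hidden keys to the control sets it appears in."""
    by_service = defaultdict(set)
    for entry in parse_rootkitrevealer(text):
        if not entry["desc"].startswith("Hidden from Windows API"):
            continue
        m = SERVICE_RE.match(entry["path"])
        if m:
            by_service[m.group(2)].add(m.group(1))
    return {svc: sorted(sets) for svc, sets in by_service.items()}


def pervasive_services(services):
    """Services hidden in every control set seen in the log, sorted by name."""
    all_sets = set().union(*services.values()) if services else set()
    return sorted(svc for svc, sets in services.items() if set(sets) == all_sets)


def embedded_null_keys(text):
    """Key paths RootkitRevealer could not read normally because of embedded nulls."""
    return [e["path"] for e in parse_rootkitrevealer(text)
            if "embedded nulls" in e["desc"]]


if __name__ == "__main__":
    hidden = hidden_services(ROOTKITREVEALER_LOG)
    for svc, sets in sorted(hidden.items()):
        print(f"{svc:10s} hidden in {', '.join(sets)}")
    print("hidden in every control set:", pervasive_services(hidden))
    print("embedded-null key names:", embedded_null_keys(ROOTKITREVEALER_LOG))
```

On the posted log this singles out xpdt as the only service hidden in ControlSet001, 002 and 003 alike, while the sptd and Vax347s entries appear in a single control set; the two embedded-null key names under HKLM\SECURITY are reported separately because they are a different class of discrepancy from a hidden service key.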

Try booting into safe mode and see if you can rename the file to xpdt.old.

Then boot back to normal mode and post a fresh HJT log.

Ok, everything may (fingers crossed) be sorted.

I ran ComboFix and, like SDFix, it found the xpdt rootkit and said to run a rootkit scan. Then I ran a couple of registry cleaners I have, just for the sake of it, and deleted all the entries that came up. I then went back to the registry where the xpdt folders were and I was then, to my surprise, able to delete them all no problem. I also then went to the system32 folder and tried to delete the xpdt.sys file, and it let me do that too without any trouble; this wasn't in safe mode either.

I haven't had any spam e-mails being sent out since deleting the xpdt registry entries/file, so I really hope everything is sorted; will have to wait and see!

With the rootkit gone, a fresh HJT log would be good now.

New HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:17:28, on 28/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Archives\Utilities\HijackThis\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip..{D1375BD9-73D3-49A3-943E-0AB1A0C2C274}: NameServer = 212.87.64.7,212.87.64.10
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


End of file - 3806 bytes

Your log looks good. Are there any more symptoms?

Just a few suggestions -

You have no third-party firewall and should consider installing one.

Your Java is a bit out of date. Here's a link to the current version. Make sure you uninstall the old version in Add/Remove Programs, as the update will not do this:

http://www.java.com/en/download/manual.jsp

Your Adobe Reader is old and should be updated:

http://www.adobe.com/products/acrobat/readstep2.html