help

I just got this virus earlier today. I ran AV and Microsoft AntiSpyware, the programs deleted the stuff that was detected, and I restarted my computer. It turns out that I haven't gotten rid of the virus and there are messages popping up saying:

Suspicious Message!

There are too many identical e-mails in appointed time

Sender: “Candy Corley” jjmold@1-cs.com
Recipient: Massimo massimo.castoldi@york-transport.com
Subject: Visit our new online pharmacy store and save upto 85%

There are too many identical e-mails in appointed time

Sender: “Hilary Knight” badetempel@100000books.com
Recipient: Massimo massimo.castoldi@york-transport.com; Massimo massimo.catalani@securpolvigilantes.it
Subject: Visit our new online pharmacy store and save upto 85%

There are too many identical e-mails in appointed time

Sender: “Steven Landers” alpq@0451.com
Recipient: Massimo massimo.castoldi@york-transport.com; Massimo massimo.catalani@securpolvigilantes.it; Massimo massimo.casazza@plibrico.it
Subject: Visit our new online pharmacy store and save upto 85%

There are too many identical e-mails in appointed time

Sender: “Jordan Austin” jskeith@0rg.com
Recipient: Massimo massimo.castoldi@york-transport.com; Massimo massimo.catalani@securpolvigilantes.it; Massimo massimo.casazza@plibrico.it; Massimo massimo.cattaneo@sitis.it
Subject: Visit our new online pharmacy store and save upto 85%

There are other windows popping up saying Suspicious Message! and all that; 18 windows of them come up. I'm new here and using AV and unfortunately I didn't think of writing down the file infected and the name of the virus. Sorry. There is also a different pop-up window saying:

avast!: Connection timeout

Internet connection timeout elapsed. Continue waiting?
[ svchost.exe - > 195.110.124.34:25]

It comes up 2 or 3 times at once. Please help.

Hi qaz79,

It sounds like you might have one of the mass mailing worms.

If you right click the avast! icon in your system tray, then click avast! Log Viewer there should be some lines showing what was identified. Please post this information.

You didn't just get a virus; as mauserme says, you have a mailing trojan resident using svchost (or a copy/infected version of it) to send out email. avast's outbound email check has stopped this because of the multiple-emails heuristics check (so you won't find much more in the log viewer) and a timeout has occurred as a result.

First, do you have a firewall (I hope you don't say Windows XP)? If so, what? Block outbound connection for svchost.exe as a temporary measure whilst we deal with this.

Second, download this and run it: Ewido Security Suite if using WinXP, or a-squared Free if using Win98/ME.
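The "too many identical e-mails in appointed time" check that DavidR describes above is a simple rate heuristic on outbound mail: the same subject leaving one host many times inside a short window, usually with a different forged sender on each copy. The following is an added example of that detection logic and is not avast's code or anything from this thread; the mail stream it runs on is constructed for the example (the spam subject, senders and recipients are copied from the popups quoted above, the three "Weekly status" mails and the example.invalid addresses are made up), and the threshold of three messages in five minutes is an assumed tuning, not avast's.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class OutboundMail:
    """One message seen by an outbound (port 25) mail check."""
    when: datetime
    sender: str
    recipients: tuple
    subject: str


T0 = datetime(2006, 1, 26, 15, 45)
PHARMACY = "Visit our new online pharmacy store and save upto 85%"

# Constructed sample stream: four spam copies inside 70 seconds, each with a
# different forged sender (as in the thread's popups), plus three legitimate
# mails that share a subject but are spaced ten minutes apart.
SAMPLE_STREAM = [
    OutboundMail(T0, '"Candy Corley" jjmold@1-cs.com',
                 ("massimo.castoldi@york-transport.com",), PHARMACY),
    OutboundMail(T0 + timedelta(seconds=20), '"Hilary Knight" badetempel@100000books.com',
                 ("massimo.castoldi@york-transport.com",
                  "massimo.catalani@securpolvigilantes.it"), PHARMACY),
    OutboundMail(T0 + timedelta(seconds=45), '"Steven Landers" alpq@0451.com',
                 ("massimo.castoldi@york-transport.com",
                  "massimo.catalani@securpolvigilantes.it",
                  "massimo.casazza@plibrico.it"), PHARMACY),
    OutboundMail(T0 + timedelta(seconds=70), '"Jordan Austin" jskeith@0rg.com',
                 ("massimo.castoldi@york-transport.com",
                  "massimo.catalani@securpolvigilantes.it",
                  "massimo.casazza@plibrico.it",
                  "massimo.cattaneo@sitis.it"), PHARMACY),
    OutboundMail(T0 + timedelta(minutes=1), "user@example.invalid",
                 ("boss@example.invalid",), "Weekly status"),
    OutboundMail(T0 + timedelta(minutes=11), "user@example.invalid",
                 ("boss@example.invalid",), "Weekly status"),
    OutboundMail(T0 + timedelta(minutes=21), "user@example.invalid",
                 ("boss@example.invalid",), "Weekly status"),
]


def find_identical_bursts(mails, threshold=3, window=timedelta(minutes=5)):
    """Flag any subject that recurs `threshold` or more times within `window`.

    A deque per normalised subject holds only the messages still inside the
    window; older ones are dropped as time advances, so a slow trickle of the
    same subject never trips the check while a burst does.
    """
    recent = {}   # normalised subject -> deque of OutboundMail inside the window
    alerts = {}   # normalised subject -> alert record (updated as the burst grows)
    for mail in sorted(mails, key=lambda m: m.when):
        key = " ".join(mail.subject.lower().split())
        q = recent.setdefault(key, deque())
        q.append(mail)
        while q and mail.when - q[0].when > window:
            q.popleft()
        if len(q) < threshold:
            continue
        alert = alerts.get(key)
        if alert is None:
            alert = {"subject": mail.subject, "first": q[0].when}
            alerts[key] = alert
        alert["count"] = len(q)
        alert["last"] = mail.when
        # Many distinct senders for one subject from one host means the
        # From: line is being forged per message, a mass-mailer signature.
        alert["distinct_senders"] = len({m.sender for m in q})
        alert["recipients"] = len({r for m in q for r in m.recipients})
    return list(alerts.values())


def demo(window_seconds=300):
    """Run the check over the constructed stream with a given window."""
    return find_identical_bursts(SAMPLE_STREAM, window=timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert['count']} copies of {alert['subject']!r} between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}, "
              f"{alert['distinct_senders']} different senders")
```

With the default five-minute window only the pharmacy subject is reported (four copies, four different senders); shrinking the window to 30 seconds lets every copy age out before a third arrives, so nothing is flagged, which is why the window length matters as much as the count.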

Here is the information; it's a lot.

1/26/2006 3:45:29 PM SYSTEM 1120 Sign of “MS06-001 WMF Exploit” has been found in “” file.
1/26/2006 3:45:30 PM SYSTEM 1120 Sign of “MS06-001 WMF Exploit” has been found in “” file.
1/26/2006 3:45:49 PM SYSTEM 1120 Sign of “MS06-001 WMF Exploit” has been found in “” file.
1/26/2006 3:46:24 PM SYSTEM 1120 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx2.game” file.
1/26/2006 3:46:40 PM SYSTEM 1120 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\HBVJDP4E\zgame2[1].exe” file.
1/26/2006 3:46:48 PM SYSTEM 1120 Sign of “Win32:Cws-M [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx3.game” file.
1/26/2006 3:46:57 PM SYSTEM 1120 Sign of “Win32:Cws-M [Trj]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\YHIVUDMB\zgame3[1].exe” file.
1/26/2006 3:47:25 PM SYSTEM 1120 Sign of “Win32:Dialer-407 [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\maxdd.game” file.
1/26/2006 3:47:37 PM SYSTEM 1120 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx2.game” file.
1/26/2006 3:47:49 PM SYSTEM 1120 Sign of “Win32:Trojano-2997 [Trj]” has been found in “C:\WINXP\System32\msupdate32.dll” file.
1/26/2006 3:47:56 PM SYSTEM 1120 Sign of “Win32:Dialer-407 [Trj]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\KZ9VQEZP\gdnOT2341[1].exe” file.
1/26/2006 3:48:12 PM SYSTEM 1120 Sign of “Win32:Agent-EZ [Unp]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\qvxt2.game[UPX]” file.
1/26/2006 3:48:25 PM SYSTEM 1120 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\KZ9VQEZP\zgame2[1].exe” file.
1/26/2006 3:54:19 PM SYSTEM 1120 Sign of “VBS:Malware [Script]” has been found in “” file.
1/26/2006 3:54:27 PM SYSTEM 1120 Sign of “VBS:Malware [Script]” has been found in “” file.
1/26/2006 3:54:31 PM SYSTEM 1120 Sign of “MS06-001 WMF Exploit” has been found in “” file.
1/26/2006 4:07:29 PM SYSTEM 1120 Sign of “Win32:Inject [Trj]” has been found in “C:\WINXP\System32\mspostsp.exe” file.
1/26/2006 4:07:29 PM SYSTEM 1120 Sign of “Win32:Agent-EZ [Unp]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\KZ9VQEZP\st_v46[1].exe[UPX]” file.
1/26/2006 4:07:29 PM SYSTEM 1120 Sign of “Win32:Trojano-2997 [Trj]” has been found in “C:\WINXP\System32\msupdate32.dll” file.
1/26/2006 4:07:29 PM SYSTEM 1120 Sign of “Win32:Inject [Trj]” has been found in “C:\WINXP\system32\mspostsp.exe” file.
1/26/2006 4:07:29 PM SYSTEM 1120 Sign of “Win32:Inject [Trj]” has been found in “C:\WINXP\System32\mspostsp.exe” file.
1/26/2006 4:11:33 PM name 2708 Sign of “Win32:Trojano-2997 [Trj]” has been found in “c:\winxp\system32\msupdate32.dll” file.
1/26/2006 8:06:25 PM name 3276 Sign of “Win32:Inject [Trj]” has been found in “C:\System Volume Information\_restore{BD211675-8ADC-4424-9357-5624BF8FEDE0}\RP12\A0008952.exe” file.
1/26/2006 8:43:49 PM name 3276 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINXP\system32\nostalgia.dll[UPX]\MSVprep.exe” file.
1/26/2006 8:43:54 PM name 3276 Sign of “Win32:Trojan-gen. {VC}” has been found in “C:\WINXP\system32\nostalgia1.dll[UPX]\MSVprep.exe” file.
1/26/2006 8:49:15 PM name 1136 Sign of “Win32:Dialer-407 [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\maxdd.game” file.
1/26/2006 8:49:15 PM name 1136 Sign of “Win32:Dialer-407 [Trj]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\1ZZFT1WE\gdnOT2341[1].exe” file.
1/26/2006 8:49:15 PM name 1136 Sign of “Win32:Dialer-407 [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\maxdd.game” file.
1/26/2006 8:49:17 PM name 1136 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx2.game” file.
1/26/2006 8:49:17 PM name 1136 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\HBVJDP4E\zgame2[1].exe” file.
1/26/2006 8:49:17 PM name 1136 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx2.game” file.
1/26/2006 8:49:18 PM name 1136 Sign of “Win32:Cws-M [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx3.game” file.
1/26/2006 8:49:18 PM name 1136 Sign of “Win32:Cws-M [Trj]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\HBVJDP4E\zgame3[1].exe” file.
1/26/2006 8:49:18 PM name 1136 Sign of “Win32:Cws-M [Trj]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\vx3.game” file.
1/26/2006 8:49:19 PM name 1136 Sign of “Win32:Trojano-2997 [Trj]” has been found in “C:\WINXP\System32\msupdate32.dll” file.
1/26/2006 8:49:19 PM name 1136 Sign of “Win32:Inject [Trj]” has been found in “C:\WINXP\System32\mspostsp.exe” file.
1/26/2006 8:49:20 PM name 1136 Sign of “Win32:Inject [Trj]” has been found in “C:\WINXP\System32\mspostsp.exe” file.
1/26/2006 8:49:22 PM name 1136 Sign of “Win32:Agent-EZ [Unp]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\qvxt2.game[UPX]” file.
1/26/2006 8:49:22 PM name 1136 Sign of “Win32:Agent-EZ [Unp]” has been found in “C:\Documents and Settings\name\Local Settings\Temporary Internet Files\Content.IE5\K5MFGHY3\st_v46[1].exe[UPX]” file.
1/26/2006 8:49:22 PM name 1136 Sign of “Win32:Agent-EZ [Unp]” has been found in “C:\DOCUME~1\name\LOCALS~1\Temp\qvxt2.game[UPX]” file.

Hi qaz79,

You should not put clickable links to malware here.
Dr.Web hyperlink scanner finds Exploit MS05-053 here.
Always make sure these links don't work; write dot = . for instance.
There are young users here that like to experiment, and they get their computers infected. Here is the info on this trojan:
http://vil.mcafeesecurity.com/vil/content/v_136912.htm

polonus

polonus,

Are you suggesting qaz79 submit something to Avert?


Welcome to the forums, qaz79!

I find that Win32:Trojano-2997 was added to the avast VDB on 07.12.2005, 0549-3 and so should have been stopped by avast.

http://www.avast.com/eng/vps-content-2005.html (scroll down to the above date)

Are you sure your avast is up-to-date?

And David asked about a firewall … do you have one other than Windows Firewall?


CharleyO, I check for updates every day; for some reason it didn't catch it.

polonus, sorry about that, I didn't know how else to do it.

I think Ewido did the trick; it seems to be running better.

Firewall?

If these infections are related to the exploits that Polonus mentioned they will be back unless you ensure your OS is fully up to date and ensure you have a working full firewall, not just windows XP’s half a firewall.

I'm still getting the avast!: Connection timeout message though.


AND … you still have not answered … do you have a firewall other than Windows firewall???


And we are still waiting for answers. I can only assume you don't have a firewall, otherwise you could have added svchost.exe to the exclusions/exceptions as I suggested in my first reply. If you don't have a firewall, or one that doesn't give outbound protection, then you are fighting an uphill battle because as fast as you remove it something will take its place.

We ask questions to try and help with a solution/work around, etc. If you don’t answer we can’t help.

I don’t even know if you downloaded and ran ewido.

CharleyO, I don't have a firewall other than Win XP Home Edition.

DavidR, yes I did download and run Ewido. How do I block svchost.exe?

Well, as I said, Windows XP firewall doesn't give outbound protection and is extremely inflexible in blocking applications. XP's firewall allows for exceptions, which as I read it allow access rather than deny access, so you can't do it with XP. That is why we are all banging on about getting a proper full firewall.

svchost.exe, when blocked, doesn't usually cause a problem until you try to do a Windows update, as it is required for that. This was a temporary measure until you dealt with the problem, which you say is still there.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis let us know.
OR - Post your hijackthis-Log here for a diagnosis: tomcoyote.org/hjt

If you haven’t already got this software (freeware), download, install, update and run it.

  1. Ad-Aware
  2. Spybot Search and Destroy
  3. Spywareblaster Don’t install this until you are clean.

I couldn't post the log results so I attached them.

Cut and Paste into the thread is fine, there are also two links to on-line analysis sites, that way you don’t have to wait.

  1. Your OS is way out of date; XP is now at SP2 with many security updates after that. These have patched many vulnerabilities which have been exploited. You need to update your system to close these vulnerabilities.

  2. Your browser is also out of date, but you can't get IE6 SP2 until you have XP SP2 installed; this has many security improvements.

  3. You don't appear to have a software firewall. This is an absolute essential; otherwise you are playing Russian roulette with an automatic.

Fix all the O1 HOSTS entries; I doubt that you put them there. This redirects c3314.z1306.winmx.com to multiple web sites, so you could be getting multiple pop-up windows.

Fix:
O3 - Toolbar: (no name) - {AFA5C569-B040-4500-8078-A4CC0A120E79} - (no file)
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINXP\System\svchost.exe /s

This is an on-line analysis of your log, you can use it to check out the nasty/unknown entries, you can also scan those files with their scanner using the paper clip icon - http://hijackthis.de/logfiles/7c34bfae3ed09d4b0058ddc0a61a3e1e.html
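DavidR's diagnosis above rests on two patterns worth recognising in any HijackThis-style log: a HOSTS entry that points a hostname at something other than loopback (the O1 lines), and a Run-key entry that launches a binary named like a Windows service host from the wrong directory (the O4 line, with svchost.exe under `System` rather than `System32`). The following is an added example of a small checker for those patterns, not part of this thread and not HijackThis's own code. The sample log is constructed for the example: its O3 and O4 lines copy the two entries DavidR told the poster to fix, the winmx hostname comes from the thread, and the 203.0.113.5 redirect target and the "TrayHelper" entry are invented (203.0.113.0/24 is a documentation range).

```python
import re
from pathlib import PureWindowsPath

# Constructed HijackThis-style log lines (assumed format: "O1 - Hosts: ip host",
# "O3 - Toolbar: ...", "O4 - <hive>\..\Run: [name] command").
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 ads.example.invalid
O1 - Hosts: 203.0.113.5 c3314.z1306.winmx.com
O3 - Toolbar: (no name) - {AFA5C569-B040-4500-8078-A4CC0A120E79} - (no file)
O4 - HKCU\..\Run: [WindowsUpdate] C:\WINXP\System\svchost.exe /s
O4 - HKLM\..\Run: [TrayHelper] "C:\Program Files\Example\trayhelper.exe" /quiet
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O3_RE = re.compile(r"^O3 - Toolbar: (.+)$")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\]\s*(.*)$")

# Addresses a HOSTS entry may legitimately point at: loopback or a sinkhole.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Core Windows processes that are started by the system itself, never from a
# HKCU/HKLM Run key; a Run entry naming one of these is suspicious by itself.
SYSTEM_PROCESSES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def image_path(command):
    """Return the executable path from a Run-key command, handling quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def check_line(line):
    """Return the list of reasons a single log line looks suspicious (empty if none)."""
    reasons = []
    m = O1_RE.match(line)
    if m:
        ip, host = m.groups()
        if ip not in LOOPBACK:
            reasons.append(f"HOSTS redirects {host} to {ip} instead of loopback/sinkhole")
    m = O3_RE.match(line)
    if m and "(no file)" in m.group(1):
        reasons.append("toolbar registration points to a missing file")
    m = O4_RE.match(line)
    if m:
        _hive, _name, command = m.groups()
        path = PureWindowsPath(image_path(command))
        exe = path.name.lower()
        if exe in SYSTEM_PROCESSES:
            reasons.append(f"{exe} is started by the system, not from a Run key")
            if path.parent.name.lower() != "system32":
                reasons.append(f"{exe} lives outside System32 ({path.parent})")
    return reasons


def scan(log_text):
    """Scan a whole log; one finding per suspicious line, with all its reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = check_line(line)
        if reasons:
            findings.append({"section": line[:2], "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("   ->", r)
```

On the sample it reports exactly the three lines DavidR singled out (the winmx HOSTS redirect, the orphaned toolbar CLSID, and the svchost.exe Run entry, the last with two reasons) and stays quiet on the localhost, sinkhole and ordinary tray-program entries.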